GDPR Fallout for U.S. Companies – What’s Next: Employee-Related GDPR Violations

Elizabeth Denham.

If your company is doing business in Europe, put that name on top of the list of people you’ll not want to hear from in their official capacity.

Just ask British Airways (BA) or Marriott International.¹ Both experienced data breaches that put millions of their customers at risk. In July, they both received notice from Ms. Denham that they’ll be fined the record amounts of £183 million (US$230 million) and £100 million (US$125 million), respectively, in the United Kingdom under the European Union’s General Data Protection Regulation (GDPR).

Elizabeth Denham heads up the Information Commissioner’s Office (ICO) of the United Kingdom. Yes, the recipients of her notice of intent may appeal the decision. And no, observers don’t expect the ICO to reduce these first GDPR penalties against major international corporations to the proverbial slap on the wrist.

To the contrary; GDPR applies to all companies, including in the U.S., that store or process data of EU citizens and residents. The EU’s privacy commissioners (not only in the U.K.) who are tasked with enforcing GDPR mean business. And they are just getting started.

Under the regulation, which went into effect in May 2018, the EU’s privacy watchdogs have the power to fine violators up to €20 million or 4 percent of a company’s worldwide annual turnover. Remarkably, BA didn’t get a discount from the ICO for good post-data breach behavior (read: for transparency and timeliness), which had been praised by experts.

The Impact of GDPR

So far, the record has been mixed. One year after it went into effect, GDPR is credited with moving companies to significantly improve their notification process, which has roughly doubled the numbers of self-reports. For the U.K. alone, Stephen Eckersley, Head of Enforcement at the ICO, predicted² 36,000 data breach reports in 2019, up from between 18,000 and 20,000 in 2018.

These numbers, as well as the EU Data Protection Board’s official report³ from February, indicate that more companies comply with the GDPR requirement to report data breaches within 72 hours, instead of leaving victims in the dark.

Does the regulation actually generate a measurable preventative effect? The same numbers don’t boost confidence that it does – until we remind ourselves that the EU countries continue synchronizing⁴ and honing their GDPR enforcement approach.

So what’s coming next for GDPR violators? We can expect the U.K., Germany or France to move with more record-breaking enforcement actions soon. Following the British ICO’s announcements, the question is not so much if #GDPRogues will be able to shave off a million or two from the penalty.

No, the question now becomes: Who will be next to receive a record-setting letter from Ms. Denham, or Frau Block (the busy data protection commissioner in the German state of North Rhine-Westphalia) or Madame Falque-Pierrotin? Let’s make an educated guess.

GDPR Enforcement Gaining Momentum

Following the enforcement actions against Google, BA and Marriott, violators will be facing off with empowered and patient bureaucrats who just love this new revenue source. They can – and will – make lack of compliance with EU regulations an expensive endeavor. Google⁵ already got slapped with a $57 million GDPR fine⁶ by the French data protection authority back in January (and, like BA now, has appealed the decision).

Google has big coffers. What about other transnationals? U.S. companies with subsidiaries in the U.K. who run afoul of GDPR, for example, cannot hope to get saved by the bell (e.g., Britain’s impending Brexit).

With tax revenues already diminished by companies leaving for the continental EU, the U.K. has made clear its intent to hold on to GDPR⁷, including its stiff penalties, which go straight to the U.K.’s Treasury.

In a podcast last year, “GDPR in the US: After the British Airways Hack,” my conversation partner Steve Durbin of the Information Security Forum (ISF) and I predicted that travel and hospitality companies were ripe for the picking.

This wager was a safe bet in a way, because the travel industry presented the lowest-hanging fruit for the ICO, given the industry-endemic low data protection standards⁸ in handling sensitive information of international travelers, including EU citizens and residents.

Tick, Tock for HR

In the BA incident, self-reported by the company in September 2018, attackers exploited a third-party vulnerability⁹ in the airline’s digital supply chain. This time around, I’ll go out on a limb and make another prognostication: The next headline-worthy penalty most likely will hit a global corporation for not sufficiently protecting its EU employee data. That’s in addition to Facebook, which already faces the possibility of getting slapped with a billion-dollar fine¹⁰ in the coming months.

Why would the privacy watchdogs home in on employee-related GDPR violations next?

It’s the next logical step. In asserting their reach, the EU authorities can drive home the point that GDPR doesn’t just cover the payment and booking data of consumers, like in the BA and Marriott cases, or platform usage, as with Facebook and Google.

Expect noncompliant cross-border handling of employee data to become the next focal point of GDPR enforcement. Transnational organizations with a significant headcount in the EU become vulnerable every time their U.S., Asia or Mideast-based headquarters or a European subsidiary touches workforce-related personal data with apps that are not GDPR-compliant.

The Next Step in GDPR Enforcement?

One recent GDPR investigation¹¹ in particular, commissioned by the Dutch government, may well be a harbinger of bigger things to come. It focused on Microsoft Office’s telemetry mechanism.

Investigators reported that the company’s U.S.-based mothership was engaging in a “large-scale and covert collection of personal data” in Europe through Office’s built-in telemetry capabilities.

Functional and diagnostics data of apps used by Dutch employees were only a small part of data exfiltrated to the U.S. The Microsoft GDPR breach documented in the Netherlands also included email subject lines and content processed with Microsoft’s translation and spell-checking tools.

The German state of Hessia has since followed suit and banned Windows 10 and Office 365 from use in schools because of GDPR noncompliance.¹² The Dutch and German findings underline that noncompliant software tools that touch employee or student data covered by GDPR will put the providers of such tools, as well as employers, in the crosshairs of EU data protection authorities.

This brings us to the primary tool used by employees and contractors to access resources online, including almost all relevant HR data: the locally installed browser. Researchers agree that close to 80 percent of data breaches are browser-related.

GDPR Penalties for “Free” Browsers?

The “free” browsers still used in many global companies indiscriminately fetch and process executable code from the web on the local computer. This already makes them the primary attack vector¹³ for web-borne exploits, such as ransomware or spyware, which can compromise the corporate IT with disastrous consequences (as in BA’s case).

The Dutch government report can be read as a sign that browsers will soon come under the same intense scrutiny from EU privacy watchdogs as Microsoft’s Office package. The reason goes way beyond the traditional browser’s inherent security vulnerabilities, which have been known for years.

Critical from the GDPR perspective, this now proves that the old-style browser is also basically an anti-privacy tool.

By design, even with “Privacy” or “Incognito” mode enabled, locally installed browsers constantly share privacy-relevant usage and user data with their makers and third parties – in other words, with websites a person visits and with advertisers on those sites.

Browser add-ons and extensions with backchannels to the developers compound the risk of security and privacy violations. The data leaks built into Microsoft Office seem almost minor in comparison.

Free Browser + EU Employees = GDPR Fines?

What does this mean for the browser under GDPR? Employers could be fined for browser-related privacy violations, for example, as a result of HR accessing sensitive employee information through a regular browser.

The 2018 data breach at Australia-based HR services provider PageUp, which counted many U.S.-based companies and universities among its clients, highlighted this risk. The HR field seems particularly vulnerable to attacks and data leaks – a point that is not lost on the EU’s privacy commissioners.

The use of locally installed “free” browsers as the primary means to access online resources at work exposes employers not only to GDPR compliance risk, but also to GDPR enforcement action whenever their EU employees use that same browser for personal web browsing, because employee privacy violations induced or facilitated by the work browser may not be covered by the personal web use contract common in many EU workplaces.*

Getting Ready with a GDPR-Compliant Browser

How to head off such a development? Compliance and IT leaders in U.S. companies with employees or contractors in Europe can protect relevant workflows¹⁴ with a GDPR-compliant cloud browser that fulfills the requirements of GDPR and the European Union’s Data Protection Directive (Directive 95/46/EC).

A compliance-ready browser protects company data and employee privacy through web isolation. By relegating all web activities to a secure container in the cloud, no web-borne exploit can touch the corporate network or BYOD device. With web use policies and credential management built in, a GDPR-ready browser also enables compliance teams to centrally manage all web usage data covered by GDPR in a compliant, secure and audit-ready framework.

To be clear, so far, no company has been called out under GDPR for continued use of a traditional browser – yet. The Microsoft Office investigation in the Netherlands may well have set the stage for that logical next step.

A clearer image will emerge over the coming months, with EU authorities working through their current backlog of GDPR investigations. Our company is monitoring GDPR developments closely.

The record fines for BA and Marriott are just the beginning. GDPR penalties against transnational companies for compliance and employee privacy violations caused by “free” browsers could be just around the corner.

A version of this post appeared originally on the Authentic8 blog. It is republished here with permission.

* This assessment does not constitute and should not be read as legal advice. For legal advice regarding GDPR, U.S. companies with customers, employees or contractors in Europe should contact a professional law firm with GDPR expertise.

¹ Mathew J. Schwartz: Marriott Faces $125 Million GDPR Fine Over Mega-Breach (GovInfoSecurity 7/9/2019)

² Josephine Wolff: How Is the GDPR Doing? (Slate 3/20/2019)

³ European Data Protection Board (EDPB): First overview on the implementation of the GDPR and the roles and means of the national supervisory authorities (EDPB 2/2019)

⁴ Ibid

⁵ Jon Porter: Google accused of GDPR privacy violations by seven countries (The Verge 11/27/2018)

⁶ Adam Satariano: Google Is Fined $57 Million Under Europe’s Data Privacy Law (The New York Times 1/21/2019)

⁷ Various Authors: GDPR and Brexit (GDPR Associates 2019)

⁸ Robert McGarvey: Sign Off That Hotel WiFi Right Now! (McGarvey’s Words 7/10/2019)

⁹ John Leyden: British Airways hack: Infosec experts finger third-party scripts on payment pages (The Register 9/11/2018)

¹⁰ Charlie Osborne: Facebook could face $1.63bn fine under GDPR over latest data breach (ZDNet 10/2/2018)

¹¹ Catalin Cimpanu: Dutch government report says Microsoft Office telemetry collection breaks GDPR (ZDNet 11/14/2018)

¹² Ravie Lakshmanan: German schools ban Microsoft Office 365 amid privacy concerns (Updated) (The Next Web 7/14/2019)

¹³ John Klassen: A Persistent Threat in Financial Services (Corporate Compliance Insights 1/2/2019)

¹⁴ Ibid