UK class action style claim filed over Marriott data breach

A class action style suit has been filed in the UK against hotel group Marriott International over a massive data breach that exposed the information of some 500 million guests around the world, including around 30 million residents of the European Union, between July 2014 and September 2018.

The representative legal action against Marriott has been filed by UK resident Martin Bryant on behalf of millions of hotel guests domiciled in England & Wales who made reservations at hotel brands globally within the Starwood Hotels group, which is now part of Marriott International.

Hackers gained access to the systems of the Starwood Hotels group, starting in 2014, where they were able to help themselves to information such as guests’ names; email and postal addresses; telephone numbers; gender and credit card data. Marriott International acquired the Starwood Hotels group in 2016 — but the breach went undiscovered until 2018.

Bryant is being represented by international law firm, Hausfeld, which specialises in group actions.

Commenting in a statement, Hausfeld partner, Michael Bywell, said: “Over a period of several years, Marriott International failed to take adequate technical or organisational measures to protect millions of their guests’ personal data which was entrusted to them. Marriott International acted in clear breach of data protection laws specifically put in place to protect data subjects.”

“Personal data is increasingly critical as we live more of our lives online, but as consumers we don’t always realise the risks we are exposed to when our data is compromised through no fault of our own. I hope this case will raise awareness of the value of our personal data, result in fair compensation for those of us who have fallen foul of Marriott’s vast and long-lasting data breach, and also serve notice to other data owners that they must hold our data responsibly,” added Bryant in another supporting statement.

We’ve reached out to Marriott International for comment on the legal action.

A claim website for the action invites other eligible UK individuals to register their interest — and “hold Marriott to account for not securing your personal data”, as it puts it.

Here are the details of who is eligible to register their interest:

The ‘class’ of claimants on whose behalf the claim is brought includes all individuals who at any date prior to 10 September 2018 made a reservation online at a hotel operating under any of the following brands: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotel & Resorts, Four Points by Sheraton, Design Hotels. In addition, any other brand owned and/or operated by Marriott International Inc or Starwood Hotels and Resorts Worldwide LLC. The individuals must have been resident in England and Wales at some point during the relevant period prior to 10 September 2018 and are resident in England and Wales at the date the claim was issued. They must also have been at least 18 years old at the date the claim was issued.

The claim is being brought as a representative action under Rule 19.6 of the Civil Procedure Rules, per a press release, which also notes that everyone with the same interest as Bryant is included in the claimant class unless they opt out.

Those eligible to participate face no fees or costs, nor do affected guests face any financial risk from the litigation — which is being fully funded by Harbour Litigation Funding, a global litigation funder.

The suit is the latest sign that litigation funders are willing to take a punt on representative actions in the UK as a route to obtaining substantial damages for data issues. Another class action style suit was announced last week, alongside a class action in the Netherlands — targeting tracking cookies operated by data broker giants, Oracle and Salesforce.

Both lawsuits follow a landmark decision by a UK appeals court last year which allowed a class action-style suit against Google’s use between 2011 and 2012 of tracking cookies to override iPhone users’ privacy settings in Apple’s Safari browser to proceed, overturning an earlier court decision to toss the case.

The other unifying factor is the existence of Europe’s General Data Protection Regulation (GDPR) framework which has opened the door to major fines for data protection violations. So even if EU regulators continue to lack uniform vigour in enforcing data protection law, there’s a chance the region’s courts will do the job for them if more litigation funders see value in bringing cases to them to pursue class damages for privacy violations.

The dates of the Marriott data breach mean it falls under GDPR — which came into force in May 2018.

The UK’s data watchdog, the ICO, proposed a $123M fine for the security failing in July last year — saying then that the hotel operator had “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems”.

However, it has yet to hand down a final decision. Asked when the Marriott decision will be finalized, an ICO spokeswoman told us the “regulatory process” has been extended until September 30. No additional detail was offered to explain the delay.

Here’s the regulator’s statement in full:

Under Schedule 16 of the Data Protection Act 2018, Marriott has agreed to an extension of the regulatory process until 30 September. We will not be commenting until the regulatory process has concluded.

Oracle and Salesforce hit with GDPR class action lawsuits over cookie tracking consent

The use of third party cookies for ad tracking and targeting by data broker giants Oracle and Salesforce is the focus of class action style litigation announced today in the UK and the Netherlands.

The suits will argue that mass surveillance of Internet users to carry out real-time bidding ad auctions cannot possibly be compatible with strict EU laws around consent to process personal data.

The litigants believe the collective claims could exceed €10BN, should they eventually prevail in their arguments — though such legal actions can take several years to work their way through the courts.

In the UK, the case may also face some legal hurdles given the lack of an established model for pursuing collective damages in cases relating to data rights. Though there are signs that’s changing.

Non-profit foundation, The Privacy Collective, has filed one case today with the District Court of Amsterdam, accusing the two data broker giants of breaching the EU’s General Data Protection Regulation (GDPR) in their processing and sharing of people’s information via third party tracking cookies and other adtech methods.

The Dutch case, which is being led by law firm bureau Brandeis, is the biggest-ever class action in The Netherlands related to violation of the GDPR — with the claimant foundation representing the interests of all Dutch citizens whose personal data has been used without their consent and knowledge by Oracle and Salesforce.

A similar case is due to be filed later this month at the High Court in London, England, which will make reference to the GDPR and the UK’s PECR (Privacy of Electronic Communications Regulation) — the latter governing the use of personal data for marketing communications. The case there is being led by law firm Cadwalader.

Under GDPR, consent for processing EU citizens’ personal data must be informed, specific and freely given. The regulation also confers rights on individuals around their data — such as the ability to receive a copy of their personal information.

It’s those requirements the litigation is focused on, with the cases set to argue that the tech giants’ third party tracking cookies, BlueKai and Krux — trackers that are hosted on scores of popular websites, such as Amazon, Booking.com, Dropbox, Reddit and Spotify to name a few — along with a number of other tracking techniques are being used to misuse Europeans’ data on a massive scale.

Per Oracle marketing materials, its Data Cloud and BlueKai Marketplace provide partners with access to some 2BN global consumer profiles. (Meanwhile, as we reported in June, BlueKai suffered a data breach that exposed billions of those records to the open web.)

Salesforce, meanwhile, claims its marketing cloud ‘interacts’ with more than 3BN browsers and devices monthly.

Both companies have grown their tracking and targeting capabilities via acquisition for years; Oracle bagging BlueKai in 2014 — and Salesforce snaffling Krux in 2016.


Discussing the lawsuit in a telephone call with TechCrunch, Dr Rebecca Rumbul, class representative and claimant in England & Wales, said: “There is, I think, no way that any normal person can really give informed consent to the way in which their data is going to be processed by the cookies that have been placed by Oracle and Salesforce.

“When you start digging into it there are numerous, fairly pernicious ways in which these cookies can and probably do operate — such as cookie syncing, and the aggregation of personal data — so there’s really, really serious privacy concerns there.”

The real-time-bidding (RTB) process that the pair’s tracking cookies and techniques feed, enabling the background, high velocity trading of profiles of individual web users as they browse in order to run dynamic ad auctions and serve behavioral ads targeting their interests, has, in recent years, been subject to a number of GDPR complaints, including in the UK.

These complaints argue that RTB’s handling of people’s information is a breach of the regulation because it’s inherently insecure to broadcast data to so many other entities — while, conversely, GDPR bakes in a requirement for privacy by design and default.

The UK Information Commissioner’s Office has, meanwhile, accepted for well over a year that adtech has a lawfulness problem. But the regulator has so far sat on its hands, instead of enforcing the law — leaving the complainants dangling. (Last year, Ireland’s DPC opened a formal investigation of Google’s adtech, following a similar complaint, but has yet to issue a single GDPR decision in a cross-border complaint — leading to concerns of an enforcement bottleneck.)

The two lawsuits targeting RTB aren’t focused on the security allegation, per Rumbul, but are mostly concerned with consent and data access rights.

She confirms they opted to litigate rather than trying a regulatory complaint route as a way of exercising their rights, given the “David vs Goliath” nature of bringing claims against the tech giants in question.

“If I was just one tiny person trying to complain to Oracle and trying to use the UK Information Commissioner to achieve that… they simply do not have the resources to direct at one complaint from one person against a company like Oracle — in terms of this kind of scale,” Rumbul told TechCrunch.

“In terms of being able to demonstrate harm, that’s quite a lot of work and what you get back in recompense would probably be quite small. It certainly wouldn’t compensate me for the time I would spend on it… Whereas doing it as a representative class action I can represent everyone in the UK that has been affected by this.

“The sums of money then work — in terms of the depths of Oracle’s pockets, the costs of litigation, which are enormous, and the fact that, hopefully, doing it this way, in a very large-scale, very public forum it’s not just about getting money back at the end of it; it’s about trying to achieve more standardized change in the industry.”

“If Salesforce and Oracle are not successful in fighting this then hopefully that sends out ripples across the adtech industry as a whole — encouraging those that are using these quite pernicious cookies to change their behaviours,” she added.

The litigation is being funded by Innsworth, a litigation funder which is also funding Walter Merricks’ class action for 46 million consumers against Mastercard in London courts. The GDPR appears to be helping to change the class action landscape in the UK, as it allows individuals to take private legal action. The framework can also support third parties to bring claims for redress on behalf of individuals. Changes to domestic consumer rights law also appear to be driving class actions.

Commenting in a statement, Ian Garrard, managing director of Innsworth Advisors, said: “The development of class action regimes in the UK and the availability of collective redress in the EU/EEA mean Innsworth can put money to work enabling access to justice for millions of individuals whose personal data has been misused.”

A separate and still ongoing lawsuit in the UK, which is seeking damages from Google on behalf of Safari users whose privacy settings it historically ignored, also looks to have bolstered the prospects of class action style legal actions related to data issues.

While the courts initially tossed the suit last year, the appeals court overturned that ruling — rejecting Google’s argument that UK and EU law requires “proof of causation and consequential damage” in order to bring a claim related to loss of control of data.

The judge said the claimant did not need to prove “pecuniary loss or distress” to recover damages, and also allowed the class to proceed without all the members having the same interest.

Discussing that case, Rumbul suggests a pending final judgement there (likely next year) may have a bearing on whether the lawsuit she’s involved with can be taken forward in the UK.

“I’m very much hoping that the UK judiciary are open to seeing these kind of cases come forward because without these kinds of things as very large class actions it’s almost like closing the door on this whole sphere of litigation. If there’s a legal ruling that says that case can’t go forward and therefore this case can’t go forward I’d be fascinated to understand how the judiciary think we’d have any recourse to these private companies for these kind of actions,” she said.

Asked why the litigation has focused on Oracle and Salesforce, given there are so many firms involved in the adtech pipeline, she said: “I am not saying that they are necessarily the worst or the only companies that are doing this. They are however huge, huge international multimillion-billion dollar companies. And they specifically went out and purchased different bits of adtech software, like BlueKai, in order to bolster their presence in this area — to bolster their own profits.

“This was a strategic business decision that they made to move into this space and become massive players. So in terms of the adtech marketplace they are very, very big players. If they are able to be held to account for this then it will hopefully change the industry as a whole. It will hopefully reduce the places to hide for the other more pernicious cookie manufacturers out there. And obviously they have huge, huge revenues so in terms of targeting people who are doing a lot of harm and that can afford to compensate people these are the right companies to be targeting.”

Rumbul also told us The Privacy Collective is looking to collect stories from web users who feel they have experienced harm related to online tracking.

“There’s plenty of evidence out there to show that how these cookies work means you can have very, very egregious outcomes for people at an individual level,” she added. “Whether that can be related to personal finance, to manipulation of addictive behaviors, whatever, these are all very, very possible — and they cover every aspect of our lives.”

Consumers in England and Wales and the Netherlands are being encouraged to register their support of the actions via The Privacy Collective’s website.

In a statement, Christiaan Alberdingk Thijm, lead lawyer at Brandeis, said: “Your data is being sold off in real-time to the highest bidder, in a flagrant violation of EU data protection regulations. This ad-targeting technology is insidious in that most people are unaware of its impact or the violations of privacy and data rights it entails. Within this adtech environment, Oracle and Salesforce perform activities which violate European privacy rules on a daily basis, but this is the first time they are being held to account. These cases will draw attention to astronomical profits being made from people’s personal information, and the risks to individuals and society of this lack of accountability.”

“Thousands of organisations are processing billions of bid requests each week with at best inconsistent application of adequate technical and organisational measures to secure the data, and with little or no consideration as to the requirements of data protection law about international transfers of personal data. The GDPR gives us the tool to assert individuals’ rights. The class action means we can aggregate the harm done,” added partner Melis Acuner from Cadwalader in another supporting statement.

We reached out to Oracle and Salesforce for comment on the litigation.

Oracle EVP and general counsel, Dorian Daley, said:

The Privacy Collective knowingly filed a meritless action based on deliberate misrepresentations of the facts. As Oracle previously informed the Privacy Collective, Oracle has no direct role in the real-time bidding process (RTB), has a minimal data footprint in the EU, and has a comprehensive GDPR compliance program. Despite Oracle’s fulsome explanation, the Privacy Collective has decided to pursue its shake-down through litigation filed in bad faith. Oracle will vigorously defend against these baseless claims.

A spokeswoman for Salesforce sent us this statement:

At Salesforce, Trust is our #1 value and nothing is more important to us than the privacy and security of our corporate customers’ data. We design and build our services with privacy at the forefront, providing our corporate customers with tools to help them comply with their own obligations under applicable privacy laws — including the EU GDPR — to preserve the privacy rights of their own customers.

Salesforce and another Data Management Platform provider have received a privacy related complaint from a Dutch group called The Privacy Collective. The claim applies to the Salesforce Audience Studio service and does not relate to any other Salesforce service.

Salesforce disagrees with the allegations and intends to demonstrate they are without merit.

Our comprehensive privacy program provides tools to help our customers preserve the privacy rights of their own customers. To read more about the tools we provide our corporate customers and our commitment to privacy, visit salesforce.com/privacy/products/

TikTok is being investigated by France’s data watchdog

More worries for TikTok: A European data watchdog that’s landed the biggest blow on a tech giant to date — slapping Google with a $57M fine last year (upheld in June) — now has an open investigation into the social video app du jour, TechCrunch has confirmed.

A spokeswoman for France’s CNIL told us it opened an investigation into how the app handles user data in May 2020, following a complaint related to a request to delete a video. Its probe of the video sharing platform was reported earlier by Politico.

Under the European Union’s data protection framework, citizens who have given consent for their data to be processed continue to hold a range of rights attached to their personal data, including the ability to request a copy or deletion of the information, or ask for their data in a portable form.

Additional requirements under the EU’s GDPR (General Data Protection Regulation) include transparency obligations to ensure accountability with the framework. This means data controllers must provide data subjects with clear information on the purposes of processing — including in order to obtain legally valid consent to process the data.

The CNIL’s spokeswoman told us its complaint-triggered investigation into TikTok has since widened to include issues related to transparency requirements about how it processes user data; users’ data access rights; transfers of user data outside the EU; and steps the platform takes to ensure the data of minors is adequately protected — a key issue, given the app’s popularity with teens.

French data protection law lets children consent to the processing of their data for information society services such as TikTok from age 15 (or younger with parental consent).

As regards the original complaint, the CNIL’s spokeswoman said the person in question has since been “invited to exercise his rights with TikTok under the GDPR, which he had not taken beforehand” (via Google Translate).

We’ve reached out to TikTok for comment on the CNIL investigation.

One open question is whether the French watchdog will be able to see its investigation of TikTok through to a conclusion.

In further emailed remarks its spokeswoman noted the company is seeking to designate Ireland’s Data Protection Commission (DPC) as its lead authority in Europe — and is setting up an establishment in Ireland for that purpose. (Related: Last week TikTok announced a plan to open its first data center in Europe, which will eventually hold all EU users’ data, also in Ireland.)

If TikTok is able to satisfy the legal conditions it may be able to move any GDPR investigation to the DPC — which has gained a reputation for being painstakingly slow to enforce complex cross-border GDPR cases. Though in late May it finally submitted a first draft decision (on a Twitter case) to the other EU data watchdogs for review. A final decision in that case is still pending.

“The [TikTok] investigations could therefore ultimately be the sole responsibility of the Irish protection authority, which will have to deal with the case in cooperation with the other European data protection authorities,” the CNIL’s spokeswoman noted, before emphasizing there is a standard of proof it will have to meet.

“To come under the sole jurisdiction of the Irish authority and not of each of the authorities, Tiktok will nevertheless have to prove that its establishment in Ireland fulfils the conditions of a ‘principal establishment’ within the meaning of the GDPR.”

Under the framework, data watchdogs have powers to issue penalties of up to 4% of a company’s global annual turnover and can order infringing data processing to cease.