April 2, 2025
23andMe is, or more accurately was, a personal genomics company. It collected genetic information, which is very sensitive. It suffered a data breach in October 2023 when hackers exploited an old password, resulting in them gaining access to 6.9 million people. It became the subject of litigation and, in June 2024, an investigation by the Canadian Privacy Commissioner and the UK Information Commissioner. Early in March the ICO released a notice of intent to fine 23andMe 4.59 million. 23andMe has just filed for Chapter 11 bankruptcy protection. At minimum that means a restructure. It may continue operating after the restructure. That has raised serious security concerns about the genetic data it holds. The New York Attorney General has urged customers to contact the company to delete their data. In “What users need to know about privacy and data after 23andMe’s bankruptcy filing” the Conversation sets out the privacy and data management issues from this . That does not alter 23andMe’s obligations to protect personal information.
The Conversation’s piece …
June 5, 2022
Tim Hortons is a Canadian fast food outlet specialising in take away coffees and snacks. It has a large presence in Canada. It heavily promotes its apps to allow customers to order their beverages and food by phone.
The Privacy Commissioner of Canada has found that the Tim Hortons app violated privacy laws in collecting vast amounts of sensitive location data. The app permitted Tim Hortons to track and record users’ movements every few minutes, even when the app was not open. Tim Hortons asked for permission to access geolocation functions but misled users, who thought that access would be used only when the app was open. In fact the location data was collected even when an individual’s app was not open. As long as the device was on, data was collected. Tim Hortons only stopped the practice when the Privacy Commissioners began to investigate.
Collection on this scale would give Tim Hortons an enormous amount of raw data from which, with the right algorithms, it could determine where users lived, where they worked and even when they used a competitor’s product. The question of proportionality was raised by the Privacy Commissioner. And appropriately. In the Australian context the issue is whether the purpose for the collection of that vast amount of data relates to the ordering and purchasing of coffee.
It is no surprise that the Privacy Commissioner found there wasn’t a “robust privacy management program for the app.” It is a fairly typical story to see the majority of the work being focused on developing the functionality of the app and making it as attractive to users as possible and considering privacy protections as …
September 4, 2016
The Ashley Madison data breach in July 2015 was a sensation. The Australian Privacy Commissioner has taken action against Ashley Madison, as has the Canadian Privacy Commissioner. They have released joint findings. The joint findings are found here.
The findings are likely to be influential, as the combined report undertakes a detailed analysis of both the facts and the expectations under the various privacy principles. Given the dearth of authorities this will provide valuable guidance.
As with many data breach/interference with privacy complaints followed up by regulators, the initial cause of the breach/interference gives rise to a broader investigation which almost invariably highlights deficiencies in compliance throughout the organisation. It is commonly the case that a breach of security has many causes: out of date software protection, poor protocols, inadequate staff training, excessive data retention far beyond the date when it is usable or relevant to the organisation’s operations, and a lack of understanding as to identity verification.
Ashley Madison, or more accurately its corporate entity Avid Life Media Inc (“ALM”), entered …