I am wondering if GDPR complaints are going to somehow be weaponized like DMCA takedown notices.
No GDPR Penalties For UK Swann 'Spying Hack'
The UK’s data protection agency has closed its investigation into Infinova-owned Swann Security UK, the ICO confirmed to IPVM, deciding to take “no further action” after customers unintentionally received video from different users in separate incidents earlier this year.
These data breaches received substantial media attention in June/July 2018, such as:
- The BBC - Swann's home security camera recordings could be hijacked: A popular wireless security camera designed to safeguard businesses and homes was vulnerable to a spying hack.
- The Inquirer - Swann camera customers report receiving the wrong footage
- Daily Mail - 'Anyone could have seen where we put our money!': Pub owner slams security firm Swann
This took place after the arrival of the GDPR - broad new European privacy regulations which include the prospect of heavy fines for such incidents.
In this note, we examine what happened, the UK’s response to IPVM, and what the GDPR implications are for manufacturers and sellers of IoT devices such as video surveillance.
I’ve had the same experience with a Samsung Smartcam D1.
To anyone with any experience of the ICO, DPA and GDPR, this will come as no surprise, and there is very much a positive flip-side. When the DPA first came in back in the 80s, a plethora of "experts" emerged setting up companies and scamming hordes of people into paying for advice on DPA compliance, using fear of huge fines as the impetus to use their services. All they did was to provide information that was freely available if you looked, then simply created the myth of enormous fines and prosecutions that would never have been enforced on minor issues. They were there as a deterrent to be used only in exceptional cases of wilful intent and tangible losses.
The same was set to happen with GDPR, so an early test case will help enormously. The whole concept of GDPR and DPA is a measured response to a data breach. It determines the cause, intent and damage to enable a decision and sanction to be made. Where clear intent is identified, coupled with deliberate enabling actions and then complete abuse of the data harvested, this would lead to a sanction toward the higher end available. But to not sanction Swann for a relatively minor breach where there is most likely no intent and no real damage to personal data integrity is reasonable.
The US has a binary litigious outlook on these matters, so perhaps it may seem an odd outcome, but it is wholly expected from my experience of following the DPA and GDPR for many years. Remember, GDPR was never set up exclusively for CCTV, and the reality is that it has very little interest in it. Place into context the incredible data breaches of raw personal data harvested with intent from leaky Facebook, Apple, Twitter and many others that will directly impact people's lives, livelihoods and businesses to a devastating effect, and you get a better idea of what GDPR was set up to do.
The likelihood is that John's complaint will be rejected, most likely given the context of where the "issue" took place: a CCTV exhibition demonstrating the features being challenged. I accept it's a fair challenge, but it is pretty well small fry when you look at the appalling breaches and abuse of data taking place elsewhere. It's also worthwhile considering that whilst the ICO and GDPR may be criticised by some, it's a great deal better than anything in place outside of the EU, where the vast amount of data harvesting and fraud is not only being perpetrated but also enabled by the US tech giants, where a figure of 50 million accounts being exploited doesn't even raise an eyebrow anymore in the race to the top of corporate greed.