CA's Delete Act Impact, 23andMe Data Breach Concerns, UK ICO's GDPR Complaint Approach

By Robert Bateman and Privado.ai

In this week’s Privacy Corner:

  • Why data brokers should be concerned about California’s new Delete Act.
  • Why users of genetic-testing firm 23andMe should be concerned about the company’s recent alleged data breach.
  • Why the UK Information Commissioner’s Office (ICO) should not be too concerned about fully investigating every GDPR complaint, following a recent court ruling.
  • What we’re reading: Our top three picks for privacy content this week.

California Tightens Grip on Data Brokers As ‘Delete Act’ Signed into Law

The California Delete Act was signed into law by the state’s governor on Monday.

  • The Delete Act amends California’s data broker registration law and will enable consumers to delete personal information via a centralized portal.
  • The law imposes new registration, transparency, and auditing obligations on data brokers.
  • Oversight of data brokers will shift from the Attorney General (AG) to the California Privacy Protection Agency (CPPA), and the maximum fine for violating the registration rules will double.

Does California need another privacy law?

The Delete Act’s stated intention is to close a “loophole” in the California Consumer Privacy Act (CCPA).

The CCPA allows consumers to delete personal information that businesses have collected from them directly. But the “right to delete” does not extend to personal information that a business has obtained from another source.

This loophole means Californians have been unable to delete information held by data brokers, which typically obtain information from third-party sources.

How does a consumer even know that a data broker has their personal information?

The Delete Act’s headline provision is a centralized opt-out mechanism, which will be maintained by the CPPA, enabling consumers to submit a single deletion request to all registered data brokers.

Data brokers must check the portal every 45 days and action any deletion requests they find there. Data brokers must continue to delete any information they obtain about opted-out consumers every 45 days—forever.

If a deletion request falls under one of the CCPA’s “right to delete” exceptions, the data broker must instead treat it as a request under the “right to opt out” and stop selling the consumer’s personal information.

This centralized data deletion process is one reason data brokers lobbied so heavily against this law.

What else does the Delete Act require?

On top of the new data deletion duties, the Delete Act brings new transparency obligations.

Previously, data brokers needed only to provide their name, website URL, and contact details when registering with the state.

Under the new law, data brokers must disclose what types of data they deal in, what proportion of CCPA rights requests they accepted and refused, and whether they have any subsidiaries not covered by the Delete Act (among other things).

From 2028, the law will also require data brokers to commission third-party audits every three years.

What about enforcement?

The Delete Act doubles the maximum fine that can be issued against data brokers that fail to register. However, the fine remains relatively small, at $200 per day.

Some commentators are asking whether, at a mere $73,000 per year, it would be more cost-effective for a data broker to forgo registration and simply pay the fine.

But let’s not give them any ideas.

Data About Over a Million Users of Genetics Firm 23andMe Breached, Says TechCrunch

TechCrunch has reportedly seen a file containing private data about around one million alleged users of the genetics-testing service 23andMe.

  • Data allegedly belonging to 23andMe users appeared for sale on BreachForums on Monday.
  • One data set, seen by TechCrunch, appears to contain information about one million users of “Jewish Ashkenazi descent”. Another data set reportedly contains data about 100,000 Chinese 23andMe users.
  • The incident appears to have affected users with recycled passwords that were previously breached on other platforms.

What do we know?

TechCrunch reports that individual 23andMe users’ data is up for sale for between $1 and $10 per profile.

Despite the sellers’ claims about the origin of the data, neither TechCrunch nor 23andMe has verified that the information belongs to 23andMe users.

23andMe provided some limited information about the incident in an article titled “Addressing Data Security Concerns”.

The company revealed that “customer profile information” had been “compiled from individual 23andMe.com accounts” after attackers seemingly leveraged login information obtained via other data breaches.

The data was compiled through 23andMe’s DNA Relatives feature, which lets users who opt in share and compare information about their genetic makeup with their matches. Because each compromised account exposes the profiles of that user’s matches, a comparatively small set of stolen credentials can yield a much larger set of profiles.

The article states that there is currently no evidence of “a data security incident within (23andMe’s) systems”, i.e. the attackers logged in with valid but reused credentials (credential stuffing) rather than exploiting a flaw in the company’s infrastructure. That framing is accurate as far as it goes, but whether logged-in accounts should be able to harvest profiles at this scale is still a question about 23andMe’s own controls, such as rate limiting, anomaly detection, and whether multi-factor authentication is required.

23andMe is requiring users to reset their passwords and “encouraging” them to enable multi-factor authentication.
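As an added illustration (this is not code from 23andMe or from the original article), the following Python sketch shows the two signals a defender would look for in an incident of this shape: one source IP attempting many distinct usernames with a high failure rate (credential stuffing), followed by the few accounts it did break into enumerating far more relative profiles than a person would browse. The log format, timestamps, IP addresses, usernames and thresholds are all constructed for the example; a real deployment would read the equivalent fields from the authentication and API access logs.

```python
"""Credential-stuffing and relative-list scraping detector over constructed logs."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: int                 # seconds since epoch (constructed values)
    ip: str
    user: str
    action: str             # login_ok | login_fail | relatives_view
    target: Optional[str]   # profile viewed, present only for relatives_view


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<ts> <ip> <user> <action> [<target>]'."""
    parts = line.split()
    ts, ip, user, action = parts[:4]
    target = parts[4] if len(parts) > 4 else None
    return Event(int(ts), ip, user, action, target)


def _windows(evs, window):
    """Yield, for each event in time order, the events within `window` seconds ending at it."""
    evs = sorted(evs, key=lambda e: e.ts)
    start = 0
    for end in range(len(evs)):
        while evs[end].ts - evs[start].ts > window:
            start += 1
        yield evs[start:end + 1]


def credential_stuffing_ips(events, window=3600, min_users=20, min_fail_ratio=0.8):
    """Flag IPs that try many distinct usernames with mostly failures inside one window.

    The 'compromised' list is the set of usernames that did log in successfully
    from the flagged IP; those are the accounts to force-reset first.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e.action in ("login_ok", "login_fail"):
            by_ip[e.ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        best = None
        for win in _windows(evs, window):
            users = {e.user for e in win}
            fails = sum(e.action == "login_fail" for e in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(users),
                        "fail_ratio": round(fails / len(win), 2),
                        "compromised": sorted({e.user for e in win if e.action == "login_ok"}),
                    }
        if best:
            flagged[ip] = best
    return flagged


def relative_scraping_accounts(events, window=3600, max_profiles=50):
    """Flag accounts whose peak number of distinct relative profiles viewed in a window is implausible."""
    by_user = defaultdict(list)
    for e in events:
        if e.action == "relatives_view":
            by_user[e.user].append(e)
    flagged = {}
    for user, evs in by_user.items():
        peak = max(len({e.target for e in win}) for win in _windows(evs, window))
        if peak > max_profiles:
            flagged[user] = peak
    return flagged


def analyse(lines):
    events = [parse_line(line) for line in lines]
    return {
        "stuffing": credential_stuffing_ips(events),
        "scraping": relative_scraping_accounts(events),
    }


def constructed_log():
    """Constructed sample: one stuffing IP with 3 hits, each hit scraping 120 matches, plus a normal user."""
    t = 1_696_800_000  # constructed epoch timestamp
    lines = []
    for i in range(30):  # 30 usernames in ten minutes, three of them with reused passwords
        ok = i in (4, 17, 23)
        lines.append(f"{t + i * 20} 203.0.113.7 user{i:02d} {'login_ok' if ok else 'login_fail'}")
    for n, u in enumerate(("user04", "user17", "user23")):  # hijacked accounts enumerate DNA Relatives
        for k in range(120):
            lines.append(f"{t + 700 + n * 130 + k} 203.0.113.7 {u} relatives_view profile{n * 120 + k:04d}")
    lines += [f"{t + 5} 198.51.100.5 alice login_fail", f"{t + 30} 198.51.100.5 alice login_ok"]
    lines += [f"{t + 60 + k * 40} 198.51.100.5 alice relatives_view profile{9000 + k}" for k in range(6)]
    return lines


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(constructed_log()), indent=2))
```

The thresholds (20 usernames per hour at an 80% failure rate; more than 50 distinct profiles per hour) are illustrative and would be tuned against a baseline of legitimate traffic. The point of splitting the two detectors is that the second one works even when the stuffing itself came from many IPs or was throttled below the first detector’s threshold: an account that pulls hundreds of relatives’ profiles in minutes is anomalous regardless of how it was logged into.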

How serious is this incident?

Genetic data constitutes “sensitive data” under most US privacy laws and “special category data” under the GDPR, along with information about race, disability, and trade union membership.

These types of information are particularly sensitive because, in Europe at least, they relate to characteristics typically targeted in acts of persecution, war, and genocide.

The fact that the attackers appear to have specifically sought out Jewish and Chinese users illustrates why genetic data is so sensitive. We do not want this data in the wrong hands.

Is 23andMe investigating?

Despite some ambiguities in its breach notification article, 23andMe is very clear about one thing: It’s investigating.

The company says it “immediately began an investigation” upon learning about the incident.

23andMe is “continuing to investigate this matter” and “continuing to investigate to confirm these preliminary results”.

The company reiterates that its “investigation continues” and that it will always “immediately investigate” upon learning about possible security incidents.

For now, users should reset their 23andMe passwords, enable multi-factor authentication, log out of all sessions, and change any password they have reused on other accounts.

Court Finds that UK Regulator Does Not Need to Fully Investigate Every GDPR Complaint

The UK Information Commissioner’s Office (ICO) has broad discretion over how it investigates UK GDPR complaints, the Court of Appeal of England and Wales has ruled.

  • The court’s ruling results from a judicial review of an ICO decision involving the money transfer firm Wise.
  • The complainant, Ben Delo, argued that the ICO broke the law when it closed his complaint on the basis that Wise was “likely” to have met its “data protection obligations”.
  • The court ruled that the ICO must “handle” and “respond to” complaints but has discretion over the form and extent of its investigations.

What’s the background to this case?

Mr Delo made two complaints to the ICO about Wise (formerly TransferWise), which allegedly failed to adequately respond to his subject access request (SAR).

The details are complex, but the case involves Wise lodging a “suspicious activity report” (also SAR) about Delo’s account and then failing to provide all the information Delo requested in his SAR (that’s the first kind of “SAR” again).

Wise eventually conceded and provided Delo with all the personal data he requested—but did not accept liability for breaching the UK GDPR.

The UK’s Information Commissioner (Elizabeth Denham, at the time) reviewed Delo’s complaint and accompanying evidence but did not contact Wise for its response.

The Commissioner told Delo that Wise was "likely" to have met its data protection obligations and closed the complaint without taking any further action.

What’s wrong with that?

Delo argued that the ICO should have gone further and reached a “conclusive determination” as to whether Wise had violated the UK GDPR—not just conclude that Wise was “likely” not to have violated it.

That sounds reasonable?

There are two reasons why the ICO might not want to make a “conclusive determination” in every complaint.

First, for practical reasons.

  • In 2020/21, the ICO received over 36,000 new complaints.
  • A team of 140 staff dedicated to complaint handling managed to close over 31,000 of them.
  • On average, closing each complaint took around 4.75 hours.

The ICO said reaching a conclusive determination in each complaint would “take the system to breaking point, if not beyond". The regulator did not say what lies beyond “breaking point”.

Second, for legal reasons.

The ICO showed that the relevant law, which is spread across the UK GDPR and the Data Protection Act 2018, requires the regulator to investigate “to the extent appropriate”.

Other relevant verbs include “handling” complaints, “informing” people about the progress of their complaints, and “taking appropriate steps to respond” to complaints.

None of these obligations involve conclusively determining whether a legal violation has occurred.

The court found that this leaves the ICO with a lot of discretion about how it conducts its investigations and handles complaints.

So the ICO can just shred every complaint it receives as long as it notifies the complainant?

The ICO does get to decide what’s “appropriate” in each case.

Some complaints are likely frivolous, uninterpretable, or simply sent to the wrong place. The ICO should be able to decide not to pursue such complaints to the fullest possible extent.

Ultimately, the regulator is the arbiter of which complaints deserve more of its resources than others.

People have several routes to appeal the ICO’s decisions and can also take organizations to court (if they have the money and have experienced “damage”).

It’s hard to disagree with the court’s reading of the law. But UK data protection enthusiasts—some of whom can be quite critical about the ICO’s alleged lack of enforcement vigor—might not be thrilled by the outcome of this case.

What We’re Reading

Take a look at these three privacy-related reads published this week:

  • In the latest edition of the Shifting Privacy Left podcast, Debra J Farber talks to Steve Hickman from Epistimis about “leveraging a privacy ontology to scale privacy processes".
  • The Patchwork Dispatch State Privacy Updates - 10/11 : Keir Lamont’s regular update on US state privacy law is a must-subscribe. This edition covers developments in Wisconsin, New Hampshire, Colorado, Massachusetts, and Illinois.
  • History of data protection: 1978 : Gloria González Fuster maintains a wonderful blog detailing the history of data protection. There’s nothing particularly special about 1978, but it’s always fascinating to see how far back the origins of modern data protection law go.
