Chief Compliance Officers (CCOs) and Data Protection Officers (DPOs) have also faced increased scrutiny in recent years, especially as data privacy regulations such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) have imposed stricter obligations on companies to protect personal data. Here are notable cases involving CCOs and DPOs, as well as the growing legal accountability surrounding their roles.
https://cisomarketplace.com/10-biggest-cco-dpo-related-fines
1. Facebook (Meta) GDPR Violation Case (2021)
- DPO Involvement: Facebook's Data Protection Officer and legal team came under fire for mishandling data privacy under the GDPR, particularly in relation to data transfers between the European Union and the United States.
- Key Issue: The Irish Data Protection Commission (DPC) found that Facebook had violated GDPR in its transatlantic data transfers, following the invalidation of the Privacy Shield agreement. Facebook's DPO and legal team were involved in the company's defense, but the DPC found their compliance efforts insufficient.
- Consequences: Facebook was fined €265 million by the DPC, with potential further repercussions on data transfer practices between the EU and the U.S. The case emphasized the critical role of the DPO in ensuring cross-border data transfers comply with privacy regulations.
2. British Airways GDPR Fine (2019–2020)
- CCO/DPO Involvement: British Airways faced a record-breaking GDPR fine following a data breach that exposed the personal data of over 400,000 customers. The company's CCO and DPO were responsible for overseeing compliance and reporting obligations.
- Key Issue: The breach involved attackers exploiting vulnerabilities in British Airways' website, leading to unauthorized access to customer data. The Information Commissioner's Office (ICO) cited failures in implementing adequate technical and organizational measures to protect data.
- Consequences: British Airways was initially fined £183 million, although the fine was later reduced to £20 million in light of the company's financial struggles during the COVID-19 pandemic. The breach emphasized the DPO's role in ensuring compliance with GDPR's data security provisions, especially regarding technical safeguards.
3. Marriott International GDPR Violation (2018–2020)
- DPO Involvement: Marriott's DPO faced significant pressure following a massive data breach that occurred in the Starwood guest reservation database, exposing information from approximately 500 million customers.
- Key Issue: The breach occurred years before Marriott acquired Starwood, but the company failed to conduct adequate due diligence and implement necessary security measures during the acquisition process. The breach was revealed in 2018, though it had occurred as early as 2014.
- Consequences: Marriott was fined £18.4 million by the ICO under GDPR (reduced from £99 million), with further regulatory scrutiny for its data protection practices during the acquisition. The case highlighted the responsibility of DPOs in ensuring that data security and privacy measures are upheld, even during complex corporate transactions like mergers and acquisitions.
4. Google CCPA Violations (2020)
- CCO Involvement: Google came under investigation for potential violations of the California Consumer Privacy Act (CCPA), focusing on whether the company properly disclosed how it handled user data and whether it allowed users to opt out of data collection and sharing.
- Key Issue: The CCPA requires companies to provide consumers with transparency over how their data is used, sold, and shared, and to offer them the ability to opt out of such practices. Google faced accusations that it failed to comply with these obligations, particularly concerning targeted advertising and user data handling.
- Consequences: In 2020, Google agreed to a $391.5 million settlement with multiple U.S. states regarding its location tracking practices. The case underscored the importance of the CCO role in ensuring compliance with data privacy regulations and transparency to consumers. It also emphasized the need for clear policies around data collection, consent, and user rights under CCPA.
5. H&M GDPR Fine (2020)
- CCO/DPO Involvement: H&M's compliance and data protection teams were implicated in one of the largest GDPR fines to date, which stemmed from improper handling of employee data in their Nuremberg service center.
- Key Issue: H&M was found to have improperly collected and stored detailed information about employees' personal lives, including sensitive data on health, family issues, and religious beliefs. The data was collected without adequate legal justification and used to make employment decisions.
- Consequences: The Hamburg Data Protection Authority fined H&M €35.3 million for GDPR violations. This case put a spotlight on DPOs and compliance officers, particularly regarding employee data protection under GDPR, emphasizing the need for strict data minimization and transparency practices when handling internal personnel data.
6. Clearview AI GDPR Investigation (2021–2022)
- DPO Involvement: Clearview AI, a facial recognition company, came under investigation for its data scraping practices, which involved collecting billions of images from the web without users' consent. The company's DPO was responsible for ensuring GDPR compliance, which was questioned by regulators.
- Key Issue: GDPR mandates that companies must obtain explicit consent for the collection and use of personal data, particularly biometric data like facial images. Clearview AI's practice of scraping publicly available images without consent violated this requirement.
- Consequences: The ICO in the UK and the CNIL in France both fined Clearview AI and ordered it to stop processing data of EU citizens. In December 2022, the French CNIL fined the company €20 million for GDPR violations. This case highlighted the significant responsibilities of DPOs in monitoring and managing the lawful collection and use of personal data, especially in emerging technologies like facial recognition.
7. WhatsApp GDPR Fine (2021)
- DPO Involvement: WhatsApp, owned by Facebook (Meta), faced a significant GDPR fine for failing to properly disclose how it shared data with other Facebook companies, as well as other data protection failings. WhatsApp's DPO was directly involved in the compliance strategy that was found to be insufficient.
- Key Issue: The Irish Data Protection Commission found that WhatsApp had violated GDPR's transparency requirements by failing to clearly explain to users how their data would be shared with other Facebook entities.
- Consequences: WhatsApp was fined €225 million for the violations. The case brought attention to the DPO's role in ensuring that user-facing privacy notices and internal data-sharing practices comply with the stringent transparency requirements of GDPR.
8. Ticketmaster GDPR Fine (2020)
- DPO Involvement: Ticketmaster was fined £1.25 million by the UK ICO for failing to protect customer data during a breach that occurred in 2018. The breach compromised payment information for approximately 9 million customers across Europe.
- Key Issue: The breach occurred due to vulnerabilities in a third-party chatbot service used on Ticketmaster's payment page. Ticketmaster's DPO and compliance team were responsible for ensuring that third-party services met GDPR's data protection standards, but failed to do so.
- Consequences: The fine highlighted the CCO and DPO's responsibility in managing vendor risk and ensuring compliance with GDPR's third-party data protection requirements. This case underlined the importance of scrutinizing the security practices of third-party service providers.
Emerging Trends for CCOs and DPOs in Post-2020 Cases
1. Accountability for Data Privacy: With laws like GDPR and CCPA now in full effect, CCOs and DPOs are under increasing pressure to ensure comprehensive data protection strategies. Non-compliance can result in heavy fines and significant reputational damage.
2. Vendor and Third-Party Risk: Cases like Ticketmaster and Marriott show that CCOs and DPOs are expected to manage risks not only within their organizations but also among third-party vendors who may have access to sensitive data.
3. Employee Data Protection: The H&M case emphasizes that GDPR protections extend to employee data. DPOs must ensure that companies treat employee data with the same care as customer data and avoid over-collection or misuse of personal information.
4. Transparency and Consumer Rights: Cases like Google and WhatsApp highlight that companies must be fully transparent about their data practices. CCOs and DPOs play a critical role in ensuring that privacy notices, data-sharing practices, and user rights are clearly communicated and compliant with privacy laws.
5. Cross-Border Data Transfers: As demonstrated in the Facebook case, CCOs and DPOs must navigate complex regulatory landscapes when dealing with international data transfers, especially in light of the Schrems II ruling that invalidated the Privacy Shield agreement between the EU and U.S.
These cases illustrate the growing regulatory and legal pressures on CCOs and DPOs. As data privacy laws continue to evolve, these officers are expected to ensure their organizations' compliance, transparency, and accountability regarding personal data handling, which can significantly impact the company's legal standing and financial health.