An investigation by the Data Protection Commissioner into a massive data breach involving the accounts of 500 million Yahoo customers is due to conclude in the coming weeks.
The commissioner, Helen Dixon, said her office had conducted an investigation into the 2014 breach, which was only revealed last September.
Speaking following the publication of her annual report for 2016, Ms Dixon said Yahoo EMEA Ltd was the Dublin-based data controller. The company transfers the personal data to Yahoo Inc for processing, and it was at that company that the breach occurred.
“We’re of the view that it could have been detected sooner and the risks mitigated sooner,” Ms Dixon said.
“Under Irish data protection law it’s very clear that European data controllers and Irish-based companies have obligations to ensure that where they are transferring to a processor, they’ve undertaken due diligence to ensure that that processor is capable of safeguarding the data of European users to the standard that it would be in Europe,” Ms Dixon said.
“We are just at the end of the finalisation of our report which will be served in the coming weeks on Yahoo, and whatever remedial action we identify, we will be following up with them.”
Data breaches
In her report, the commissioner confirmed Yahoo EMEA had reported further data breaches during the investigation that were also in the public domain and which her office continued to assess. The company has revealed that in August 2013, data associated with more than one billion user accounts was stolen by an unauthorised third party.
Under the new EU general data protection regulation, companies will face fines of up to 4 per cent of global turnover for data breaches.
“Clearly, talking about fines of €20 million or 4 per cent of global turnover, we could anticipate they’re not going to be everyday-type fines,” Ms Dixon said.
“But there are going to be cases where there simply are mass-scale breaches that have significant effects on millions of users. The only way to start driving a better compliance culture is to have those types of enforcement tools in our toolkit.”
Privacy policy
The commissioner also said her office had engaged “intensively” with Facebook and WhatsApp since the messaging platform owned by the social media giant changed its privacy policy last August.
“At this point WhatsApp has done a lot of work in redrafting in particular its FAQs to users and coming up with clearer language. We are reviewing that and we hope to come to a point of final resolution in this matter somewhere towards the summer of this year,” she said.
Ms Dixon said a recruitment drive continued last year with an emphasis on strengthening the organisation’s skills base in the areas of legal, technology, audit and investigations.
Recent appointments bring the staff numbers to 61 and recruitment in 2017 will increase the team to 100 across the Portarlington and Dublin offices.
The commissioner said an additional nearby premises was being sought to house the further staff members who will join the Data Protection Commissioner’s office over the next two years, bringing the Dublin-based staff to about 130.
Additional reporting: Bloomberg