Following a data breach that impacted the privacy of 500 million people globally in 2014, Yahoo and the company's new owners, Oath, have escaped with a warning from Ireland's Data Protection Commission.
As the General Data Protection Regulation (GDPR) was enacted on May 25 2018 and the breach occurred in 2014, the Irish regulatory body opted not to take any action against the Internet giant. The DPC has instructed Oath, the company that was created in the merger of AOL and Yahoo, to make sure that it is compliant with the new European Union GDPR legislation going forward.
While no fine was issued, the case reveals the remit of the DPC in the broader digital world when you consider that Ireland is home to the international headquarters of so many internet giants, from Facebook to Microsoft and Google, to name a few.
In the announcement of its ruling the DPC said: “The breach which was reported to the DPC in September 2016 involved the unauthorised copying and taking, by one or more third parties, of material contained in approximately 500m user accounts from Yahoo Inc infrastructure in 2014. At the relevant time, Yahoo EMEA was the data controller for the subset of the affected user accounts associated with EU citizens, with Yahoo Inc acting as its data processor. The data breach ranks as one of the largest breaches to impact EU citizens, affecting approximately 39m European users. It is the largest breach which has ever been notified to and investigated by the DPC. The investigation of this breach was afforded the highest priority by the DPC with significant resources committed to the investigation over an extended period of time.”
In finding Yahoo in breach of the data laws in place in Ireland and the EU, the DPC said that Yahoo relied on global policies that did not take into account its legal obligations and had fallen short in its efforts to comply with data protection law. Despite coming to this finding, the DPC did not apply a monetary sanction; instead, it issued a warning to Yahoo (Oath) that it must adhere to GDPR or face greater consequences for future breaches.