Companies trying to shift liability for data breach by hiding catch-all exclusion clauses in End User Licence Agreements (EULAs) can learn from one company's latest antics.
At the end of last year, Toy company VTech was subject to a data security breach which cost them the data of 6.3 million children and and 4.8 million parents. The data compromised included photos, voice messages and chat conversations between the adults and their children. Since the breach, VTech changed its Learning Lodge Software's EULA to include an exclusion of its liability for data breach, shifting the burden to parents to assume full responsibility for using its software:
"You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorised parties. You acknowledge and agree that your use of the site and any software or firmware downloaded therefrom is at your own risk."
What's the big deal?
Apart from being a bit mean, it goes against the basic principles of data protection and consumer law in the UK. The Data Protection Directive 95/46 EC places obligations on the data controllers and processors to take appropriate steps to protect the information from unauthorised disclosure or access, the burden is not on the data subject. Further, the Consumer Rights Act 2015 ("the Act") was drafted with the aim of increasing fairness and transparency for consumers, which includes in respect of digital content. The Act "greylists" certain limitations of liability and considers "transferring inappropriate risks to consumers" unfair and potentially unenforceable. Were this clause to be analysed in conjunction with the Act, it is unlikely the Competition and Markets Authority and/or Trading Standards would let this slip thought the net.
In response, the ICO stated that when handling people's personal data, organisations are responsible for keeping that data secure. It is unclear whether there will be formal consequences for VTech, but if they do not change the wording, they could come under further scrutiny. Currently, the ICO can impose limited fines. However, under the upcoming General Data Protection Regulation, the maximum fine for a breach of data protection law would rise to up to 4% of a company's worldwide turnover.
Organisations need to take care when drafting EULA and similar terms; blanket exclusions of liability which place unfair burdens on the consumer are likely to be seen as illegal and unenforceable and could have serious repercussions.