The Ashley Madison data leak is now already infamous. For those who may have been on holiday and missed it – a group of hackers called "The Impact Group" stole the customer dataset from Ashley Madison, a website which invited members to sign up to find matches with other members for the purpose of having an "affair". After Ashley Madison refused to delete its website, the stolen data (containing names, contact details and the messages of millions of its members) was published on the "dark net".
An interesting consideration that has arisen out of this data leak is the question of applicable data protection law. Ashley Madison is a Canadian company but its membership operations are stated to be governed by Cypriot law.
Whilst the Canadian data protection authority is leading the investigation, data protection authorities across the EU will be looking into this too. The applicable data protection law under the Directive is that where the data controller is established (and where the data controller is established in a number of jurisdictions, it will have obligations under a number of different regimes) or, if not located within the EU, the country in which equipment is used in the EU.
The ICO has advised that it is working with its counterparts its Canada and has warned that anyone who processes the leaked data in the UK needs to be aware that they could be taking on responsibilities under the DPA.
A copy of the ICO blog is available here.
What action could be taken to manage risks that may arise from this development?
None - for interest.