Irelands data protection chief said today that Yahoo broke EU law by failing to protect user information in Europes largest ever data breach — but issued no penalty against the company.
The case, which dates back to 2014, concerns the compromising of user information linked to some 500 million Yahoo accounts, of which about 39 million belonged to European users. The breach, Europes largest, was referred to the Irish Data Protection Commission (DPC), which has jurisdiction over Yahoos activities in Europe.
In a statement, the DPC said that Yahoos oversight of data processing operations “did not meet the standard required by EU data protection law,” and that its global policies “did not adequately take into account Yahoos obligations under data protection law,” in addition to other findings.
As a result the DPC notified Yahoo that it had to take “specific and mandatory actions” to bring its data processing in compliance with EU data protection law.
But the Irish data chief did not issue any penalty against the firm.
“The DPC will be engaging closely with Yahoo (now Oath EMEA) to monitor the quick and comprehensive implementation of these actions and if necessary will issue enforcement notices to secure compliance,” the data protection chief added.