Irish data chief finds Yahoo broke EU law in breach, issues no penalty

Ireland's data protection chief said today that Yahoo broke EU law by failing to protect user information in Europe's largest ever data breach — but issued no penalty against the company.

The case, which dates back to 2014, concerns the compromise of user information linked to some 500 million Yahoo accounts, of which about 39 million belonged to European users. The breach, Europe's largest, was referred to the Irish Data Protection Commission (DPC), which has jurisdiction over Yahoo’s activities in Europe.

In a statement, the DPC said that Yahoo's oversight of data processing operations "did not meet the standard required by EU data protection law," and that its global policies "did not adequately take into account Yahoo's obligations under data protection law," in addition to other findings.

As a result, the DPC notified Yahoo that it had to take "specific and mandatory actions" to bring its data processing into compliance with EU data protection law.

But the Irish data chief did not issue any penalty against the firm.

"The DPC will be engaging closely with Yahoo (now Oath EMEA) to monitor the quick and comprehensive implementation of these actions and if necessary will issue enforcement notices to secure compliance," the data protection chief added.