DPAS Bulletin - January 29
Welcome back to our monthly DPAS bulletin, where we cover the latest data protection news from all around the world.
Why is Apple suspending its AI-generated news summaries? What proposal from the Home Office seeks to combat ransomware attacks? And what concerns were raised about the DWP’s use of AI?
Read about all this and more in our latest DPAS Data Protection Bulletin.
Chinese AI company “DeepSeek” takes over AI market, causing alarm
Hangzhou-based tech company DeepSeek (an artificial intelligence company first launched in 2023) has recently released models that have had a tremendous impact on the AI industry over the past week.
Market performance of tech giants Nvidia, Alphabet Inc, and Microsoft has dipped significantly in the wake of the launch that saw DeepSeek overtake OpenAI’s ChatGPT on the Apple Store and Google Play Store. Indeed, the release has been so impactful on chipmaker Nvidia that the company has set the record for the largest single-day loss by one company in market capitalisation history.
EU’s top court declares gender irrelevant for buying train tickets
Mousse, a French association that campaigns for LGBTQI+ justice, brought a case challenging rail operator SNCF for the inclusion of a choice between self-declaring as “Monsieur” or “Madame” when booking train tickets online.
The complaint wasn’t, however, about the limitations imposed by only two valid options, but rather that the question was being asked at all. The Court of Justice of the EU (CJEU) ruled in favour of Mousse, agreeing that as the GDPR states that data collected must be “adequate, relevant, and limited to what is necessary in the light of the purposes for which those data are processed”, this part of the booking form was in breach of the regulation.
Apple suspends AI-generated news article summaries following inaccuracy concerns
An Apple feature that summarises articles in news alert notifications has been temporarily suspended following complaints of inaccurate summaries.
Examples of these errors include summaries that claimed Luigi Mangione, the alleged United Healthcare CEO shooter, had shot himself, and that Luke Littler – before playing in the PDC World Darts final – had won the competition. A complaint from the BBC about this underbaked feature has resulted in Apple stating that the feature was to be suspended in its imminent software update, and after making some improvements, will return in the future.
Teacher forced into hiding after fake clip alleges use of racist slur
During local elections in May last year, Cheryl Bennett, a PE teacher from the West Midlands, was handing out leaflets with a colleague, and became the victim of a slew of abuse following maliciously doctored security camera footage.
The footage showed Bennett allegedly verbally abusing somebody at their front door, using racist language toward the homeowner. This clip ended up being shared across social media to be seen by millions, including Akhmed Yakoob, a lawyer and independent candidate (at the time) for the West Midlands mayoral election. After Yakoob shared this clip (as well as Bennett’s name and place of work) and told anyone still in the Labour party that now was their “time to leave”, Bennett filed legal action for defamation and a violation of her data protection rights. For this, she was paid “substantial” damages.
Charities to benefit from “soft opt-in” in new DUA Bill provision
Historically, charities within the UK have not been able to rely on the soft opt-in approach that is afforded to businesses. However, change could be on the cards with a significant amendment to the Data (Use and Access) Bill. The exception for charities derives from Regulation 22 of the Privacy and Electronic Communications Regulations, which only allows the approach to be used in the context of the ‘sale’ of products or services.
The new amendment would give charities the opportunity to rely on the soft opt-in approach, albeit with some strict criteria attached. This move could be hugely beneficial, with the Data & Marketing Association estimating that this extension will increase annual donations to UK charities by a whopping £290 million.
ICO provides new year guidance for start-ups new to data protection
Entrepreneurs making a start on their very own businesses were the target of one of the ICO’s most recent guidance pieces, which gives some useful tips and recommendations for anybody looking to launch their ventures in the new year.
This advice included considering data privacy from the business’s conception to build trust and security, looking into the ICO’s privacy notice generator and direct marketing advice generator, which make it as easy as possible for new business owners to make data protection the priority it should be, and of course embedding data protection by design and default at inception.
Concerns raised about DWP’s use of AI to read correspondence
To deliver speedier responses to benefits claimants and applicants, the Department of Work and Pensions has been using artificial intelligence (AI) to read through the huge quantities of correspondence it receives. This even includes handwritten missives.
The AI the DWP uses, known as “white mail”, reads in a day an amount of correspondence that would otherwise take weeks, with the aim of prioritising the most vulnerable cases for officials to tackle first. However, concerns have recently been raised about it because of the highly sensitive personal data in this correspondence that the AI processes, and because benefits claimants are not made aware of the AI’s involvement at all. An internal data protection impact assessment (DPIA) concluded that those sending correspondence to the DWP “do not need to know about their involvement in the initiative”.
ICO releases statement on AI Action Plan
The Information Commissioner’s Office has released an official statement in response to the UK Government’s recent AI Action Plan.
The ICO welcomes the plan and “the Government’s commitment to accelerate the use of AI across the economy”. They state that AI is a “priority area” for them due to its transformative potential, and that for the public to have trust in the technology, data protection is an essential element to consider. Stephen Almond, the ICO’s Executive Director for Regulatory Risk, states that the ICO “look forward to working closely with the Government to implement the plan as a priority and ensure that these proposals maximise AI’s significant opportunities while protecting the public.”
UK Home Office proposes ransomware payments ban to discourage attacks
To combat ransomware attacks, the Home Office has proposed a ban on ransomware payments, for the purpose of deterring cyber criminals from launching the attacks in the first place.
The three main objectives of this are:
- to reduce the amount of money flowing to ransomware criminals from the UK, thereby deterring criminals from attacking UK organisations
- to increase the ability of operational agencies to disrupt and investigate ransomware actors by increasing our intelligence around the ransomware payment landscape
- to enhance the government’s understanding of the threats in this area to inform future interventions, including through cooperation at international level
This ban would apply to all public sector bodies and Critical National Infrastructure (CNI), potentially dissuading attackers from targeting UK organisations if they believe that it won’t result in a payout.
West Sussex-based company fined for instigating nuisance loan promotion texts
ESL Consultancy Services, a company based in West Sussex, has been fined £200,000 by the ICO for instigating unlawful loan promotion texts to recipients who had not consented.
During an investigation into affiliate marketer and lead generator Daniel George Bentley, the ICO searched addresses linked to him and seized a number of documents relating to ESL Consultancy Services. Among the property seized were several devices, such as phones, laptops, and external storage drives. Analysis of these revealed substantial evidence of the collaboration between the two companies, including Skype conversations discussing their arrangement, and indicating an understanding of the ICO’s enforcement role – something they chose to ignore. The ICO concluded that between September 2022 and December 2023, ESL used a third party to send marketing texts with no valid consent in place for this to be a lawful practice, disregarding direct marketing requirements and infringing on individuals’ rights and freedoms for their own financial gain.
EDPB publishes guidelines on pseudonymisation for comments
This month, the European Data Protection Board published guidelines on pseudonymisation, which are open to consultation until 28th February.
Pseudonymisation refers to cases where additional data, kept separately and securely, is required to attribute information to identified or identifiable individuals, for example, when an NHS number is required to attribute health data to a patient. These guidelines set out what the EDPB considers to be the legal and technical requirements necessary for pseudonymisation to be an effective practice.
Noyb files complaints against six Chinese companies for unlawful data transfers
Austrian privacy advocate group Noyb has filed complaints against six companies established in China for violations of EU GDPR regarding data transfers.
The companies targeted by these complaints were TikTok, AliExpress, SHEIN, Temu, WeChat and Xiaomi, which all came under fire for unlawful transfers of EU users’ personal data to China. Four of these companies openly admitted to doing so; however, the other two claimed to have been transferring this data to “undisclosed third countries”.
ICO publishes their strategy for fair and transparent online tracking
As part of their mission to “level the playing field” for online tracking this year, the ICO has shared their strategy to set out how they’ll take on the challenges in this area, to achieve their vision of a “fair and transparent online world”.
The ICO’s strategy aims to promote compliance to achieve a “fairer online tracking ecosystem” by:
- clarifying how the law applies and our expectations in guidance and other publications;
- engaging with industry to shape a more compliant and privacy-oriented ecosystem;
- scrutinising the compliance of organisations across the online tracking ecosystem; and
- investigating and enforcing against organisations that do not comply.