DPAS Bulletin - July 31
Welcome back to our monthly DPAS bulletin, where we cover the latest data protection news from all around the world.
Why did the ICO reprimand the London Borough of Hackney? How many data breaches did UK councils experience in 2023? And what new data protection bill was announced in the King’s Speech?
Read about all this and more in our latest DPAS Data Protection Bulletin.
Grindr fined by Norwegian court for sharing data illegally
Early this month, Grindr was fined by a Norwegian court for violation of GDPR, in a case based on a complaint (supported by European privacy advocacy group Noyb) by the Norwegian Consumer Council.
The dating app had been sharing data with advertisers in what was a clear breach of data protection law, and so will have to pay NOK 65 million (approximately £4.5 million or €5.7 million).
Read more about this here.
Rhode Island enacts data privacy legislation
In the United States’ ongoing journey to implement effective data privacy laws, Rhode Island has now become the latest state to enact comprehensive data protection legislation.
The Rhode Island Data Privacy Act was passed on 28th June 2024, and is set to come into law on 1st January 2026. This legislation offers a definition of personal data, provides rights to consumers consistent with those provided by other US state data privacy laws, and imposes obligations on controllers conducting business in the state or producing products or services for Rhode Island residents.
Read more about this here.
ICO announces date of their 2024 conference
The Information Commissioner’s Office (ICO) has announced that this year’s Data Protection Practitioners’ Conference (DPPC) will be held online on Tuesday 8th October.
The conference will deliver talks from keynote speakers, practical workshops, and “thought-provoking panels” to provide data protection practitioners with an interesting and informational event “regardless of experience level, sector or specialism”.
Read more about this here.
Microsoft-owned adtech business targeted by EU privacy complaints
Xandr, a Microsoft-owned adtech business, has received a complaint supported by Noyb, from an individual in Italy.
This complaint has accused Xandr of several breaches of the GDPR, including transparency failings and the use of inaccurate information about people. The complaint calls for an investigation by the data protection authority, which Noyb supports, as well as suggesting that Microsoft be ordered to pay a fine of up to 4% of annual revenue.
Read more about this news here.
ICO publishes advice regarding privacy notices
The ICO has published advice for internet users, urging them to take the time to read privacy notices when installing a new app.
The commissioner encourages people to read the notice, despite how overwhelming the wall of text may appear, so that they understand how the app plans to use their data. Many people are guilty of scrolling past these and clicking “I agree” without paying any attention to the contents, and so the ICO has released this statement in the hope that more users will make an effort to ensure that they are happy with the app’s approach to data privacy before signing up.
Read more about this here.
FOI request reveals UK councils experienced over 5,000 data breaches in 2023
A Freedom of Information (FOI) request sent to 27 UK councils by Apricorn has revealed that they saw more than 5,000 data breaches in 2023.
Examples of councils that experienced a significant number of breaches include Kent County Council, which declared over 700; Surrey County Council and Norfolk Council, which each declared over 600; and Warwickshire County Council and East Sussex, which each amassed almost 500. Apricorn’s managing director for EMEA, Jon Fielding, suggested that investing in comprehensive training would “educate employees about the importance of safeguarding data and the proper protocols to follow in case of device loss or theft.”
Read more about this here.
Changes to Google’s privacy team spark AI concerns
The last few months have seen an increase in worries shared among policymakers due to at least six of Google’s top privacy and regulatory officials having left the company.
Despite Google claiming that it “had not lowered its privacy and AI ethics standards”, there are concerns that the tech giant is releasing new artificial intelligence products without appropriate safeguards in place to protect their customers’ privacy. These concerns carry more weight given that no government rules are presently in place to regulate the risks of these products, so the responsibility to ensure proper protections lies with Google itself.
Read more about this here.
Survey reveals only 15% of Irish firms are GDPR compliant
A survey conducted by Ireland’s leading market research agency, Ipsos B&A, has revealed that only 15% of businesses in the country claim that they are compliant with the EU GDPR.
58% of firms had deemed themselves “materially compliant”, and 25% had said that they are “somewhat compliant”. Over 80% of those surveyed said that they felt that the risks of non-compliance with this legislation were increasing, which is an increase from the response last year, at 70%.
Read more about this here.
Lithuania DPA fines Vinted 2.4 million euros over GDPR violations
Another company succumbing to monetary penalties in recent weeks is online marketplace Vinted, who were fined by the Lithuanian data protection authority for GDPR violations.
The fine, which totaled over 2.3 million euros, followed a series of complaints relating to data deletion requests. These complaints, which began in 2020, pertained largely to difficulties experienced by individuals attempting to exercise their right to data erasure.
Read more about this here.
New data protection bill announced in the King’s Speech
This month saw the King’s Speech 2024, which gave us an indication of what the new Labour government, having just recently come into power, has in its legislative agenda. While not everything we have learned was announced in the speech itself, a lot of new information has come to light from the background briefing notes.
Several of the proposed bills are relevant to the data protection industry. These include a Product Safety and Metrology Bill (which would affect developers of AI models), a Cyber Security and Resilience Bill (to “strengthen the UK’s cyber defences”), and perhaps most notably, a Digital Information and Smart Data Bill, which will “enable new innovative uses of data to be safely developed and deployed”.
Read more about this here.
ICO reprimands London Borough of Hackney following cyber-attack
Following a cyber attack on the London Borough of Hackney in October 2020, in which hackers gained access to, and encrypted, over 400,000 files (affecting at least 280,000 residents), the ICO has issued them a reprimand.
After originally considering issuing a fine, the ICO decided that due to positive actions being taken following the attack, they would take the public sector approach rather than impose any monetary penalties.
Read more about this here.
ICO publishes 2023-2024 annual report
The ICO has published their annual report this month. This includes a performance report, which covers their key accomplishments and examinations of their “most impactful” work, an accountability report, and financial statements.
Read this report here.
ICO expresses disappointment in Google’s decision to keep third-party cookies
Since Google made the decision to ditch its former plans, and instead keep third-party cookies, the ICO has come out with a statement expressing their disappointment.
Deputy Commissioner of the ICO, Stephen Bonner, stated that “the new plan set out by Google is a significant change” and that the ICO “will reflect on this new course of action when more detail is available.” He also shared that the ICO plans to “monitor how the industry responds and consider regulatory action where systemic non-compliance is identified for all companies, including Google”.
Read more about this here.
New study reveals lack of understanding of privacy notices
Following a new study conducted by scientists at the Max Planck Institute for Security and Privacy (in collaboration with Utrecht University, University of Michigan, and the University of Washington), it’s been revealed that there’s a general lack of clarity among users on language used in privacy notices.
The study uncovered – through interviews with European web users – that privacy notices often take advantage of “users’ cognitive biases” and use terminology that isn’t widely understood. Respondents also shared that they find privacy notices “annoying” and usually try to quickly get rid of them. The study suggests numerous solutions for organisations to combat the lack of interaction, such as by including more icons and colours in their privacy notices and laying the information out in a more digestible format.
Read more about this here.
ICO reprimands Essex school for using facial recognition for canteen payments
The ICO has issued a reprimand to Chelmer Valley High School in Chelmsford, Essex for starting to use facial recognition technology (FRT) to take cashless canteen payments from students.
The commissioner states that organisations must have a Data Protection Impact Assessment (DPIA) in place in order to use FRT “legally and responsibly”, something that this school failed to do.
Read more about this here.
CrowdStrike malfunction may have caused GDPR violations
On 19th July, CrowdStrike suffered a major malfunction which caused 8.5 million Windows computers to become afflicted with the condition famously known as the “blue screen of death”. This outage, estimated to have come at a cost of trillions, affected a great number of organisations, from banks to hospitals, and according to privacy specialists, might have therefore been the cause of a number of GDPR breaches.
Senior data protection professional Jon Baines (of London law firm Mishcon de Reya), for example, suggests that companies may have breached data protection laws due to individuals being unable to access their personal data. Baines states that though any breaches of the GDPR ordinarily need to be reported, it’s somewhat less certain in this particular case.
Read more about this here.
GET IN TOUCH WITH US!
If you need any support in ensuring your organisation is complying with the relevant legislation, or require training in the areas of data protection and information security, get in contact with us.
Either call us on 0203 3013384, email us at info@dataprivacyadvisory.com, or fill out a contact form. Our dedicated team will get back to you as soon as possible.