dpas bulletin - november 22
Welcome back to our monthly DPAS bulletin, where we cover the latest data protection news, and developments, from all around the world.
In the last few weeks, the ICO has sought to appeal a ruling by the First Tier Tribunal, EU drivers have been hit by unlawful fines for breaching ULEZ rules, and the UK held a global AI safety summit.
So without further delay, let’s explore what’s been going on in the data protection world. Don’t forget to subscribe for these monthly breakdowns, and to visit our website for more news.
Key Insights
Don’t miss our webinar: ‘Managing A Backlog & Dealing With SARs’
Our next webinar (at 11am on 23rd November) is all about how to handle SAR backlogs in your organisation. Come along to learn some expert tips from our experienced panel, and to find out the best practices for handling these in a timely manner, and use the resources you have to the best of your ability.
Surfshark study finds that a third of social media GDPR fines were linked to child protection.
A new study conducted by Surfshark has revealed that of all the GDPR fines issued to the top used social media platforms since the GDPR came into effect in 2018, a whole third of those have been related to children’s data.
Surfshark identified the 10 platforms with the highest number of users, and whether or not they have received fines for inadequate data protection practices. The bottom half of these 10 haven’t been issued any fines, but the top 5 (Facebook, Instagram, TikTok, WhatsApp and X/Twitter) have amassed a total of 13. Of these 13, 4 of them were for the mishandling of children’s data.
These 4 fines add up to a total of €765 million, which works out to be over a quarter of the overall amount fined to these five platforms since 2018.
Read more about this study here.
Observer finds that UK Biobank had shared medical data with insurance companies.
Following an investigation by the Observer, it’s been found that UK Biobank has shared medical data (donated for research purposes by half a million UK citizens) with insurance companies. Despite pledging that the data donated wouldn’t be shared with any third parties for any reasons not agreed to by the donor, and claiming that the data was strictly guarded, it wound up in the hands of insurance consultancy and tech firms several times during the last three years.
The Observer found that UK Biobank failed to explicitly notify data subjects that their medical data would be shared with insurance companies, and that they in fact publicly claimed that they wouldn’t do so.
The Information Commissioner’s Office (ICO) is considering the matter, stating: “People have the right to expect that organisations will handle their information securely and that it will only be used for the purpose they are told or agree to. Organisations must provide clear, accurate and comprehensive information… especially where sensitive personal information is involved.”
Government Regulatory Activity
EU drivers fined unlawfully for breaching London’s ULEZ rules.
Thousands of EU-registered vehicle drivers may have been sent fines unlawfully for breaching rules regarding London’s ultra-low emissions zone (ULEZ). This is due to UK authorities not having access to the personal data of EU citizens following Brexit. Numerous driver details have therefore allegedly been obtained illegally in pursuit of issuing fines for failing to register their ULEZ-compliant vehicles with Transport for London (TfL), which has resulted in investigation from Belgium.
Read more here.
Committee proposes that data protection regulations be upgraded to affirmative procedure.
The European Statutory Instruments Committee has recommended that the Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 be upgraded to the affirmative procedure, due to doubts regarding individuals’ rights. The Committee has therefore suggested that the regulations should require a debate and approval in both Houses of Parliament.
Read more about this here, or read the full report here.
The UK hosts the first global AI safety summit.
Leaders from all over the globe gathered at Bletchley Park early this month as the United Kingdom held the first AI Safety Summit to discuss the potential dangers to privacy posed by artificial intelligence.
This event was attended by numerous officials, such as US Vice President Kamala Harris, Italian Prime Minister Giorgia Meloni, and UN General Secretary António Guterres. Elon Musk was also in attendance, and partook in an interview with UK Prime Minister Rishi Sunak to share his thoughts on what the future holds regarding the ongoing development and prominence of artificial intelligence.
Towards the end of day 2 of the summit, Sunak announced the UK AI Safety Institute, for the purpose of testing the safety of new AI technologies before they’re released. Many leading companies, such as OpenAI, Meta and Microsoft, have agreed to have their AI models tested by governments before they’re made available to the public.
Enforcement actions
ICO reprimands multiple organisations for improper measures and processes.
The Information Commissioner’s Office has reprimanded a number of organisations in the last month for not having appropriate processes/security measures in place.
- Gap Personnel Holdings Ltd: Reprimanded for inadequate security measures resulting in an unauthorised threat actor having access to individuals’ personal data twice within a 12-month period.
- Police Service of Northern Ireland (PSNI): Reprimanded for lack of appropriate measures to prevent the unlawful sharing of personal data (including criminal data) with the United States Department of Homeland Security (DHS).
- University Hospital of Derby and Burton NHS Trust (UHDB): Reprimanded for failure to process outpatients’ appointments in a timely manner, due to a lack of proper measures in place for special category data processing.
ICO fines Argentum Data Solutions (ADS) Ltd for sending millions of SMS without consent.
Brought to the ICO’s attention following their review of complaints received by the 7726 spam reporting tool, Argentum Data Solutions Ltd has been fined for sending 2,330,423 messages without consent.
Of this number, only 24,309 were sent directly by ADS, with the remaining 2,306,114 being sent by third parties due to the organisation allowing them to use the lines. These messages, sent between 1st January 2021 and 31st January 2022, were done so in breach of regulation 22 of PECR, resulting in the ICO issuing ADS with a fine.
ICO seeks to appeal Tribunal’s judgement on Clearview AI Inc.
Clearview was initially fined by the ICO for collecting (for an online database) billions of images of individuals who were not made aware that their images were being used in this way. The First Tier Tribunal overturned the ICO’s ruling, but the Commissioner is now seeking to appeal this decision.
The reason for the Tribunal’s decision was that they believed the case fell outside the reach of UK data protection law due to Clearview’s clients being foreign law enforcement agencies. However, the ICO has argued that law enforcement was not Clearview’s purpose for processing the data. Because of this, and the fact that many of the affected were UK citizens (as well as the scale and intrusive nature of the incident), the ICO is seeking to appeal the decision.
Read more about this case here.
Meta faces permanent ban from processing personal data for behavioural advertising in Europe.
Due to reports about Meta’s unlawful processing of personal data for behavioural advertising to the European Economic Area (EEA), officials have extended a Norwegian ban on their ability to do so – a decision that Meta is contesting in court. The social media giant has been found to be using its 250 million EU and EEA active users’ online habits to inform their advertising in an alleged breach of GDPR, over concerns about consent and legitimate interest.
Meta is also in the process of introducing a new paid subscription to its users that would deliver an ad-free experience for a monthly price of €9.99 (desktop) or €12.99 (IOS/Android). Otherwise, users will continue to see ads that are “relevant” to them. This service has also raised concerns from Norway’s Data Protection Authority about Meta’s GDPR compliance.
TikTok granted leave to appeal €345 million fine.
Social media giant TikTok was fined €345 million on 15th September 2023 by the Irish Data Protection Commission. This was for infringement of the GDPR in relation to dishonest practices in their services offered to children. These included dark patterns, settings set to public by default, and shortcomings in transparency. Recently, though, the High Court has granted TikTok leave to appeal this fee.
You can read more about this here.
Come to our free conference!
DPAS is partnering with RESPONSUM to bring a free data protection and information security conference to The Bond in Digbeth, Birmingham.
Kicking off at 9:00am on 31st January, this exciting event will feature a talk by a representative from the Information Commissioner’s Office, plus talks from guest speakers from Deliveroo, Pngme, Digital Health and Care Wales, and more.
If you want to expand your network, join buzzing discussions about the data protection world, and hear the perspectives of a wide range of professionals in the industry, book yourself a free ticket and come along.
There are limited places left, so don’t delay!
We can’t wait to see you there!
Book your free ticket here.
Get in touch with us!
If you need any support in ensuring your organisation is complying with the relevant legislation, or require training in the areas of data protection and information security, get in contact with us.
Either call us on 0203 3013384, email us at info@dataprivacyadvisory.com, or visit our website at www.dataprivacyadvisory.com and fill out a contact form. Our dedicated team will get back to you as soon as possible.