DPAS Bulletin - September 26
Welcome back to our monthly DPAS bulletin, where we cover the latest data protection news from all around the world.
Why was the Labour Party reprimanded by the ICO? Why do cyber attacks lead to dismissals one third of the time? And what in-car listening technology is Ford seeking a patent for?
Read about all this and more in our latest DPAS Data Protection Bulletin.
Labour Party reprimanded for failure to respond to SARs in time
The Information Commissioner’s Office (ICO) issued a reprimand to the Labour Party near the end of August for repeated failings to respond to Subject Access Requests (SARs) within the legal timeframe.
Following a cyber attack in October 2021, Labour received an influx of new requests from the public, which developed into a backlog that they failed to clear in a timely manner. Of 352 requests received since November 2022, 78% had not been responded to within the required time, and 56% were even delayed by a year or longer.
Dutch DPA fines Clearview AI for database of faces
Following Clearview AI’s creation of an “illegal database” of billions of faces, the organisation has now been met with a fine of 30.5 million euros.
The Netherlands’ Data Protection Agency (DPA) stated that the facial recognition startup had breached the EU GDPR by both building the database, and insufficiently informing the public about whose faces were included in it. The Netherlands’ DPA chairman Aleid Wolfsen said in a statement that facial recognition is a “highly intrusive technology that you cannot simply unleash on anyone in the world”.
Australian users unable to opt out of Meta’s scraping of their public posts
Meta has been using Facebook and Instagram users’ public posts to train artificial intelligence. Following complaints in Europe due to privacy concerns, Meta introduced the option for European users to opt out of this, but it has recently been brought to the public’s attention that this option is not present for Australian users.
While Australians do have the option to set their accounts to private to bring the scraping of data from their posts to a halt, that wouldn’t prevent the scraping that has already taken place without their outright consent. Meta executives were recently questioned about this issue, and claimed that the “opt-out” option in Europe was in response to a “very specific legal frame”, declining to confirm if this would ever be an option for users in Australia.
Irish data protection authority starts investigation of Google’s AI model
The Irish supervisory authority, the Data Protection Commission (DPC), has begun an investigation into Google Ireland Limited to determine the lawfulness of their AI development.
The particular AI model in question is Google’s Pathways Language Model 2 (PaLM2). The DPC is investigating how EU citizens’ personal data is being used to train this model, and whether the “fundamental rights and freedoms of individuals are adequately considered and protected when the processing of personal data is likely to result in a high risk”.
Australian government commits to introducing data protection law for children
This month, the Australian government made the decision to develop the country’s first data protection law for children, instructing the Office of the Australian Information Commissioner to draft the code.
This commitment was prompted by an increasing number of reports of children’s privacy being invaded in numerous ways, such as secret surveillance of their online classrooms and the creation of sexually explicit deep-fakes. These inappropriate exploitations of children’s personal data have now resulted in this law being introduced, poised to provide rights such as being able to sue for serious invasions of privacy.
ICO signs Memorandum of Understanding with NCA
The ICO has signed a Memorandum of Understanding (MoU) with the National Crime Agency (NCA) which sets out how they will cooperate with one another to strengthen the UK’s cyber resilience.
Aiming to help organisations across the nation better protect themselves against cyber criminals who hold data to ransom, this MoU sets out a number of commitments. These include the NCA never passing on information to the ICO that was shared with them by an organisation in confidence, and a dedication to working together to provide consistent guidance and encourage learning regarding cyber-related matters.
ICO publishes response to Meta’s user data AI training announcement
The ICO has published a response to Meta resuming their training of generative AI on user data. In June of this year, Meta paused these plans in response to a request from the ICO, and now, since making changes that make it easier for users to opt out, these plans have been resumed.
The ICO emphasises that they have not provided regulatory approval for Meta to continue their AI training plans, and so it is Meta’s responsibility to “ensure and demonstrate ongoing compliance”.
Survey reveals one third of cyber-attacks lead to staff dismissals
A recent survey has revealed that over one third of cyber-attacks lead to job losses.
500 UK professionals in IT, resilience or cybersecurity roles were surveyed, 37% of whom reported that cyber-attacks have led to staff dismissals. These dismissals were either of staff members responsible for the attack, or as a result of financial necessity following the incident.
TfL data breach exposes personal data of 5,000 customers
Early this month, Transport for London (TfL) broke the news that personal data of approximately 5,000 customers had been leaked.
Initially, it was stated that bank account numbers and sort codes were exposed in the breach, but a subsequent update from TfL 10 days later revealed that other information, such as names and email addresses, had been leaked. Having said that they would be contacting affected customers as soon as possible as a precautionary measure, TfL committed to undertaking a staff-wide IT identity check.
Ford seeks patent for listening technology within cars for targeted ad purposes
In what could be considered a controversial move, Ford Motor Company is seeking a patent for in-car listening technology that would monitor dialogue within the vehicle for more targeted advertising for the user.
“In-vehicle advertisement presentation”, as this technology has been named, will pull data from various sources, like conversations within the car and historical user data, to provide visual or audio ads (depending on what is deemed more suitable). The application for this patent was filed in February, and not published until late August. In a statement defending the application, Ford gave assurance that they “will always put the customer first in the decision-making behind the development and marketing of new products and services.”
DSIT classify UK-based data centres as Critical National Infrastructure
The first Critical National Infrastructure (CNI) designation in almost a decade has just been announced, with Technology Secretary Peter Kyle having declared on 12th September that UK data centres are to be given this classification.
Data centres, where a significant proportion of the data generated in the UK is stored, can now be expected to receive greater government support. According to Kyle, this will “allow better coordination and cooperation with the government against cyber criminals and unexpected events.”
ICO issues reprimand to Bonne Terre Limited
Bonne Terre Limited, also known as Sky Betting and Gaming, has received a reprimand from the ICO for “unlawfully processing people’s data through advertising cookies without their consent”.
The lawful basis being relied upon for the processing of personal data via marketing cookies was consent, as confirmed by Bonne Terre. The ICO identified that certain cookies were being deployed before users had been given a chance to interact with the consent management platform (CMP), and ultimately determined that the betting company was infringing Articles 5(1)(a), 6(1)(a) and 7(1) of the UK GDPR.
JOIN OUR NEXT FREE WEBINAR!
Join our expert panel, Rowenna Fielding (Miss IG Geek Ltd) and Kristal Rocks (DPAS), on our next free webinar!
Beyond Checklists: What Does “Good” Look Like?
(16th October, 11am – 12pm BST)
How do you measure effective data protection practices?
Boxes checked? Documents filed? It’s a difficult question to answer, because data protection is so much more than these things.
So what are good metrics for the quality and consistency of your data protection measures? And how can you implement these to evaluate your organisation’s compliance achievements in an ongoing manner?
Join this webinar for a discussion about:
- How you can effectively measure your organisation’s data protection success in a way that prioritises quality and outcomes over checking boxes
- How this approach can be a much better way to ensure continuous compliance and results
- What effectiveness in action looks like from an auditing perspective
If you want to learn about how you can design and implement metrics for how successful your data protection measures are in real time, come along to this webinar to join the conversation!