Privacy In Focus | February

February 16, 2023

by Rhema Sijuwade

We bring you a round-up of articles and updates in the data sphere.

2 Mar.

TikTok fined 1.75 million lira by Turkish data protection authority

TikTok has been hit with yet another fine for failure to adequately protect user data. The Personal Data Protection Board (KVKK) has accused the popular app of unlawfully processing user data. This fine follows a string of actions taken against TikTok due to its concerning data privacy practices, including the banning of the app from government official devices across Europe and North America. The data protection authority also requested that the app’s privacy policy be updated and harmonised with Turkish data protection laws.

1 Mar.

YouTube accused of collecting data from minors

Privacy campaigner Duncan McCann has filed a complaint with the Information Commissioner’s Office against YouTube. McCann accused YouTube of collecting data, such as videos watched and devices used to watch content, from minors under the age of 13. Though children are banned from YouTube and are encouraged to use YouTube Kids, McCann argued that children’s data is still being collected when content is watched on devices that are not registered as a children’s account. In response, a YouTube spokesman stated that they will continue to work with the ICO, parents and child protection experts.

28 Feb.

China tightens rules on international data transfers

The Cyberspace Administration of China announced that from June 1st, the Standard Contract and Measures on the Standard Contract for Outbound Cross-border Transfer of Personal Information will take effect. These regulations will apply to small and midsize companies that plan to transfer the personal data of up to 100,000 individuals outside of China. The rules will require companies to assess the risk of data mishandling and detail the amount, type and sensitivity of information being transferred.

27 Feb.

Hackers breach Justice Department Bureau

On February 17th, the U.S. Marshals Service fell victim to a major cyber-attack in which hackers had access to personal information regarding investigative targets and agency employees. The Service oversees the protection of judges, federal prisoner transport and the federal witness protection program. A Marshals Service spokesman stated that the information accessed by hackers contained sensitive law enforcement data. The Justice Department is currently investigating the attack and the extent of the damage.

24 Feb.

Increase in phishing attacks on fake ChatGPT websites

Cyble Research and Intelligence Labs (CRIL) revealed that the popularity of ChatGPT has been exploited by several Threat Actors (TAs). These TAs use phishing sites disguised as ChatGPT to steal sensitive user data such as credit card information. Some TAs have created social media accounts to build credibility and gain trust from unsuspecting users. CRIL reported that Threat Actors are distributing malware on both Windows and Android by encouraging users to download ‘ChatGPT software’. They have advised that users avoid downloading files from any unknown website, along with several other suggestions for keeping safe online.

23 Feb.

The European Commission bans TikTok on official devices

Concerns over data protection have led the European Commission to prohibit the use of TikTok on official devices. European Commission staff members will also be prohibited from using the app on personal devices that have official apps installed. This precaution has been taken just a year after TikTok was banned from federal government devices in the U.S. Though multiple TikTok spokespeople have given assurances about the implementation of a ‘robust’ system for the processing of Europeans’ data, increasing scrutiny and concerns over Chinese government access to user data have urged the Commission to take further action.

22 Feb.

One in four children’s apps on Google Play collect data from minors

A study conducted by consumer group Comparitech found that one in four children’s apps in the Google Play store violate the ICO’s Children’s Code guidelines on the protection and collection of children’s data. Many of the apps collect data without having ‘child-specific privacy policies’ in place, despite their ‘expert approved’ grading by Google. A Google spokesperson emphasised that “Google Play takes the protection of children on its platform seriously”; however, they also provided the disclaimer that developers are responsible for their apps’ compliance with the relevant laws.

21 Feb.

WhatsApp and Meta announce changes to how user data is managed

Data from Meta and WhatsApp will no longer be handled by Irish entities – Meta Platforms Ireland and WhatsApp Ireland – or regulated by separate national data authorities. Instead, user data from these platforms will be controlled by the relevant global entities in the US. These changes will not affect how the platforms function or how data is protected. Users in the UK will also be protected by its data protection laws and ICO guidelines. Users will soon be notified of the changes that will take place on 25 April.

20 Feb.

European Commission will propose new legislation to harmonise the GDPR

The European Commission will propose a new law aimed at helping data protection authorities enforce the GDPR. This GDPR development is in response to national data protection watchdogs who have critiqued the current system, calling it inefficient. The new EU regulations will provide clear rules for national data protection authorities when dealing with cross-border investigations and breaches. The Commission stated that the law will “harmonise the administrative procedure in cross-border cases and support a smooth functioning of the GDPR”. This legislation will be presented to the European Parliament in the second quarter of 2023.

18 Feb.

EU-US Data Privacy Framework discouraged by European Parliamentary Committee

The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs has urged the European Commission to reject the EU-US Privacy Framework, due to incongruence between US domestic law and the GDPR framework. The Committee explained that the Framework does not meet strict GDPR standards and further highlighted the absence of a federal data protection law. They went on to state that proceedings should be paused until ‘meaningful reforms are introduced.’

16 Feb.

UK ICO release tips to help game designers comply with the Children’s code

ICO guidance on how to protect children in digital spaces is welcomed at a time when children are increasingly vulnerable online. These tips detail how game designers can actively protect younger users from online harm and ensure that games companies apply the Children’s code. The ICO have provided recommendations such as carrying out regular risk assessments to identify and address data protection risks within games, making sure that reliable age-verification tools are in place, and encouraging children to make the right privacy decisions.

15 Feb.

Australians able to opt out of targeted ads under proposed privacy reforms

The modernisation of the Australian Privacy Act will afford more privacy protections to citizens. Under the proposal, Australians will have increased control over their personal data, such as a right to erasure, a right to sue for serious privacy breaches and the ability to opt out of targeted ads. In a review released by Attorney General Mark Dreyfus, it was found that there is strong support for more protections for personal information under the Act, especially considering the “large scale data breaches of 2022”. However, he urges the government to help smaller businesses comply with the new law instead of creating an exemption for them.

14 Feb.

Meta increases Ad transparency

Meta is following the steps taken by Google and other ‘big tech’ firms to provide users with information on how machine learning is used to deliver ads. The company has updated its “Why am I seeing this ad?” tool to include information on how users’ online activity informs Meta’s machine learning models. Meta has worked alongside external privacy experts and policy stakeholders to increase transparency around its machine learning. Users will now be able to access their Ads Preferences from the “Why am I seeing this ad?” tool, making it easier for them to control the ads they see.

13 Feb.

EU Parliamentary Committee endorse EU Digital Wallet

The Industry, Research and Energy Committee have supported plans to introduce the EU’s digital identity document. The eID framework was endorsed by the Committee with an overwhelming majority of 55 to 8 votes. Committee member Romana Jerković stated that the Digital Wallet will become an all-in-one identity gateway that allows citizens to have full control over their data, “from social, financial and medical data to contacts and more”. The European Digital Identity framework requires formal approval from Members of the European Parliament before its international rollout.

10 Feb.

New EU rules for political advertising

The European Parliament has proposed a new set of rules to accompany the Digital Services Act (DSA) and the Digital Markets Act, 2022. These rules are intended to prevent harmful political advertising and to promote transparency. Though technology has significantly aided political campaigns, its use has resulted in the fast spread of damaging misinformation and manipulation. The rules will address micro-targeting and external manipulative influences, and will update traditional election rules so that they are just as effective online. Parliamentary negotiators aim to reach a consensus on the new rules with EU member states before the 2024 European elections.

09 Feb.

Meta fined by South Korea’s data protection watchdog for violating personal information protection law

The Personal Information Protection Commission (PIPC) will impose a fine of 6.6 million won on Meta for ‘allegedly disadvantaging’ users who do not provide personal information. Meta has been accused of blocking users from Facebook and Instagram if they did not consent to cookies. The PIPC stated that ‘behavioural information’ is not the minimum personal information needed to use Meta services; therefore, any limitation of these services for users who reject cookies constitutes a violation of the Personal Information Protection Act.

08 Feb.

National Data Protection Bureau to create 500,000 jobs in Nigeria

The National Data Protection Bureau has announced that 500,000 jobs will be created through the expansion of Nigeria’s data protection industry. The NDPB seek to train and certify data privacy and protection experts. Between 2020 and 2022, the NDPB have created almost 10,000 jobs, 1900 DPOs and 130 DPCOs. The Bureau have initiated a training and certification process to create data professionals within the country, responding to the pressing need to establish internationally acceptable data standards and to increase implementation of the data protection bill.

07 Feb.

African States strengthen their data protection laws

According to the advocacy organisation ‘Internet Society’, more than 17 African countries have implemented extensive data protection legislation. The United Nations Conference on Trade and Development reported that 33 countries have some form of data protection legislation in place. Though many African countries experienced high numbers of malware attacks on their industrial control systems in 2022, data protection bodies are diligently improving efforts to upgrade their data protection systems. Many nations are following the privacy guidelines provided by the African Union Convention on Cyber Security and Personal Data Protection.

06 Feb.

Italy’s Data Protection Agency, Garante, halts AI chatbot over GDPR concerns

Garante has instructed AI chatbot maker, Replika, to stop processing the data of Italian users due to non-compliance with EU data protection laws. The Italian DPA has found that Luka Inc. (Replika’s developer) lacks transparency concerning the processing of user data and that it does not have the legal right to process the data of minors. Further concerns have been expressed that Replika poses a threat to minors and emotionally vulnerable people. On the platform, users can establish virtual relationships with customised avatars, which are advertised as providing emotional support to users. Replika has been given 20 days to change its policies before an expensive fine is imposed.

03 Feb.

Bill introduced to protect employees from excessive surveillance

The Stop Spying Bosses Act was proposed by three U.S. Senators to establish transparency surrounding surveillance and to implement limitations on employer surveillance practices. The Bill addresses the ‘tracking, monitoring, data collection and disciplining’ of employees through the use of artificial intelligence. This surveillance has been described as invasive and exploitative, as it gives employers the ability to penalize workers without accountability or transparency. The ultimate goal of the Act is to create more equality within the workplace by promoting employee privacy rights and enforcing employer accountability.

02 Feb.

Should law enforcement use Google location data?

The American Civil Liberties Union is arguing that using Google location data as evidence to prosecute individuals is unconstitutional and should be excluded from court proceedings. Public defenders say that geofence warrants violate the Fourth Amendment, which protects citizens from unreasonable searches by the government. However, in a previous case concerning the use of geofence, a federal judge held that, if the police believed in good faith that use of geofence data was in line with legal authority, the evidence can be used in court. Google has stated that they will support the work of law enforcement whilst also refusing broad access requests.

01 Feb.

Nigerian data protection industry reaches value of N5.5 billion

The Minister of Communications and Digital Economy, Isa Pantami, has stated that the Nigeria Data Protection Bureau (NDPB) is valued at N5.5 billion. Pantami has emphasized the importance of data protection regulations and institutions in facilitating investments in Nigeria, as well as data privacy being a constitutional right for law-abiding citizens. The current aim of the National Information Technology Development Agency is to encourage corporate bodies and individuals alike to comply with data protection law, in order to create a ‘culture of privacy’.
