Privacy In Focus | February

February 9, 2024

by Olena Nechyporuk

We bring you a round-up of articles and updates in the data sphere.

Thursday, 29 February

USA: Biden Releases New Executive Order on Privacy

On February 28th, Biden issued an Executive Order that would prevent non-friendly countries from trying to access the private data of American citizens. This is the first Executive Order of its kind, and a big step forward for the parched area of privacy protection in the USA.

The Executive Order directs the Department of Justice (DoJ) to establish, implement and administer programmes to stop data brokers from harvesting personal data and selling it on to countries like China, Russia, Cuba, Venezuela, Iran and North Korea. This will require the DoJ to issue regulations that would prohibit certain categories of data transactions completely – mainly those that would have the potential to pose a risk to national security.


US Rail Giant to Pay $75 Million for Over-Using Biometric Data

The rail giant BNSF – owned by Warren Buffett’s Berkshire Hathaway – operates one of the biggest freight rail networks in the USA. It is involved in a lawsuit and has agreed to pay 75 million dollars to resolve the class action. The company is being sued for collecting biometric information, such as fingerprints and eye scans of its employees, on a scale that is more than necessary, violating the Illinois state biometric law.

This law is one of the strictest in the USA, and various companies have been found failing to comply with it – for instance, in 2020 Facebook said that it would pay 650 million dollars for violating it.

To read the full legal procedure, read here

EU: BEUC Members File Complaint Against Meta’s Pay or OK Model

On Thursday, 29th of February, eight organisations filed complaints against Meta’s ‘pay-or-consent’ model. This model was introduced in the European Union in November 2023 and, according to many experts, violates the foundational principles of GDPR on fair processing, data minimisation and purpose limitation. The eight organisations, all part of the network of the European Consumer Organisation, the BEUC, each filed their complaint with their own data protection authority, hoping that these, in turn, with the help of the European Data Protection Board, would put pressure on the Irish DPA, where Meta has its headquarters.

Meta’s new model states that the company will continue to harvest user data, and if customers are unhappy with that, they may pay a monthly subscription (up to £10 per month) for their data not to be processed. This violates the principal idea that privacy is a human right and that people should not be forced to pay for their data not to be gathered.


Worldwide: Somalia Opens its First DPA

On February 24th, an elaborate ceremony, attended by numerous parliamentarians and ministers, was held to celebrate the opening of Somalia’s Data Protection Authority. This was the result of the country’s first ever Data Protection Act being passed in March 2023.

Experts observe that this is a significant and important step in expanding Somalia’s democracy, and a clear demonstration of the willingness of the Somalian government to crack down on the numerous data breaches and digital crimes that have been happening across the country. The country also faces a threat from Al-Shabaab, a terrorist group that benefits from all the data leaks of private citizens.

Overall, this is a major step for Somalia, and the young team at the DPA is facing a significant amount of hard work.


Friday, 16 February

UK: The ICO approves a new Certification Scheme

Certification Schemes exist under UK GDPR to help firms demonstrate to their clients that they are in compliance with specific data protection requirements. If a company is certified, people feel more confident in using their products and services.

The new Legal Services Operational Privacy Certification Scheme (LOCS) is aimed at the legal sector – law firms and barristers’ chambers often process large amounts of sensitive data, and this certification will reassure their clients that they adhere to data protection standards.

For more detailed information on the new certification scheme, click here

EU: iMessage, Bing, Edge and Microsoft Advertising removed from Digital Services Act

Companies that provide a major service in the digital industry are known as ‘gatekeepers’ under the Digital Markets Act (DMA). Once classified as such, they are subject to the restrictions and requirements of the DMA.

On the 13th of February, the European Commission, following a rebuttal from Apple and Microsoft, revoked the status of iMessage, Bing, Edge and Microsoft Advertising as ‘gatekeepers’ – these services do not meet the EU criteria for being ‘prominent’ in a particular digital sphere. This now means that they are not required to fulfil the ‘do’s and don’ts’ of the ‘gatekeeper’.

This does not affect other services from Apple and Microsoft – those still ought to be compliant with the DMA.

European Commission’s decision here

US: New York company College Board fined for selling student data

On February 13th, the Office of the New York State Attorney General announced a $750,000 settlement with the company College Board. The company helped schools administer various types of tests which were part of the college admissions process. Before the students took the exam, they were encouraged to fill in their sensitive information, such as ethnicity, religious affiliation, GPAs and the like. Students were told that this would help them get college scholarships.

The students then started to receive marketing emails, and their data was passed on to third parties. The company now has to pay $750,000 in a settlement and is prohibited from using the data it has harvested from schools for any other purposes.

The detailed documentation can be found here

Friday, 09 February

OnlyFake website investigated and taken down

The website OnlyFake had been using AI to allow users to generate fake IDs with photos and random personal details, allowing them to bypass online verification with a fake identity. The website was extremely popular among crypto-currency users, allowing them to create a new identity for only $15.

404 Media described in their podcast ‘Inside A Fraud Factory’ how, during the week, they had fake IDs at the click of a mouse; AI audio porn; a low tech response to the wave of deepfake abuse; and the Instagram ad to investment scam pipeline. However, the OnlyFake website asserted it did not produce forged documents, which would be illegal. According to its terms of service, the site’s templates are intended solely for use in movies, TV shows and web illustrations, distancing itself from any illicit activities its service might be used for.

The website has recently been taken down.


Friday, 02 February

Social Media Companies accused of being responsible for exposing children to inappropriate content

On the 31st of January 2024, the CEOs of Meta, Discord, X, Snap and TikTok were called to a Senate Judiciary Committee hearing after it was revealed that online child sexual exploitation was rising. At the hearing, families whose children self-harmed and/or committed suicide as a result of social media use wanted to hear what the CEOs would say in their defence; senators from both parties inquired what measures were being put in place to ensure online child safety.


CJEU Clarifies the Law: Storing Biometric Data Indiscriminately is Unlawful

A witness in Bulgaria who had testified wrongly was imprisoned for a year and then let out on rehabilitation. As part of his sentencing, the Bulgarian criminal records are obliged to keep fingerprints, a photograph and DNA samples in order to prevent crime in future instances. The Bulgarian citizen demanded that his biometric data be removed from records, at which point the Bulgarian Courts referred this case to the Court of Justice of the EU (CJEU).


UBER fined 10 million euros for restricting drivers’ access to their data

Over 120 00 drivers for Uber complained to the French human rights organisation Ligue des droits de l’Homme et du citoyen (LDH) that Uber was making it difficult for them to access their personal data. The French Supervisory Authority referred this case to the Netherlands, where Uber has its headquarters. On the 31st of January, the Dutch Data Protection Authority issued a fine of 10 million euros to Uber.

The company was making it very difficult for drivers to access their records – the request button, although accessible through the app, was hidden under many layers of menu options. When the drivers got their data, the file was poorly organised, making the information very difficult to interpret. Uber declined to explain whether it shared the details of European drivers with countries outside of the EEA. Upon the issuing of the fine, Uber issued a notice of objection regarding the DPA’s decision.

Full details of Case: Dutch | English