Privacy In Focus | June

June 14, 2024

by Olena Nechyporuk

We bring you a round-up of articles and updates in the data sphere.

Friday, 14th June 2024

More Complaints Over Google's Tracking: NOYB

NOYB has filed a complaint with the Austrian Data Protection Authority over concerns about Google's new privacy feature that claims to not use third-party trackers. In reality, NOYB says, the tracking is moved from third parties to the Google browser itself.


---

EU Parliament Releases Analysis of AI and Human Rights

At the request of a sub-committee, the European Parliament coordinator and professor, H. Akin, has authored a document analysing AI and its impact on human rights worldwide. An interesting document, produced to aid the EU entities in drafting any potential future guidelines, it aims to give a wider understanding of the complex policy, regulatory and diplomatic challenges at the intersection of technology, democracy and human rights.


---

Belgian DPA Fines Restaurant

The Belgian DPA issued a decision on 13th June 2024, imposing fines of 500 euros and 250 euros respectively.

The issue concerns the booking of a restaurant meal. When a booking is made through a third-party system, whether by using an app to book a meal or by having the details collected over the phone and entered into a meal-booking system, the client's details should not be passed on to the third party. This case relates to a person who, having booked a meal at a restaurant, later began to receive marketing emails from the third-party booking system. The person objected to their data being used in such a way.

Restaurants and small businesses have to make sure that the processors they use have adequate data protection mechanisms in place.


---

New York Set to Take Child Privacy Seriously

Senate Bill S7695B, called the New York Child Data Protection Act, has recently passed the Assembly and US Senate. The bill aims to protect the privacy of children by restricting digital services from collecting or using the personal data of users they know are under the age of 18 without consent, and requiring safeguards for the sale or disclosure of the personal data of users they know are under the age of 18.

The bill states that operators shall not process the personal data of users who are 12 years old or younger. For children 13 years of age or older, operators may process their personal data if informed consent has been obtained or if it is strictly necessary for specific activities, such as providing a specific product or service.

If enacted, the bill would take effect one year after it becomes law.


---

Concerns over Apple's AI Overhaul

Apple has recently announced a set of iOS updates which include a Siri makeover along with a number of other new features. The makeover is part of a new personalised AI system - called "Apple Intelligence" - that aims to offer users a way to navigate Apple devices more easily. The updates to the operating systems will allow access to ChatGPT through a partnership with developer OpenAI.

Elon Musk, the owner of Tesla and Twitter/X, has criticised this and threatened to ban iPhones from his companies over data security concerns.

"Apple has no clue what's actually going on once they hand your data over to OpenAI," Mr Musk said on X. "They're selling you down the river."


---

CNIL Opens a Consultation to Develop AI Recommendations

While the European regulation on AI has just been adopted and will come into force in stages in the coming months, the CNIL wishes to provide legal certainty to players in the sector by anticipating the link between the AI Regulation and the GDPR.

Thus the CNIL is opening, for the second time, a consultation with all stakeholders to develop its recommendations on, among other things, the use of web scraping, the publication of AI models in open source, and the management of individuals' rights.

This consultation follows initial recommendations recently published following a public consultation.


---

UK ICO to Join 23andMe Investigation with Canada

Today the ICO has announced that they will join Canada in investigating the data breach that occurred in October 2023 with 23andMe, a genetic testing company. The UK Information Commissioner and the Privacy Commissioner of Canada will leverage the combined resources and expertise of their two offices.

Their investigation will try to determine:

- the scope of information that was exposed by the breach and potential harms to affected people;

- whether 23andMe had adequate safeguards to protect the highly sensitive information within its control;

- whether the company provided adequate notification about the breach to the two regulators and affected people as required under Canadian and UK data protection laws.


---

Meta Hands Over 'Sextortion' Data

Meta says it has handed over data relating to a Scottish teenager who ended his life after becoming the victim of a sextortion gang on Instagram. Sextortion often involves victims being sent a nude picture before being invited to send their own in return - only to then receive threats that the image will be shared publicly unless they meet the blackmailer's demands. Murray Dowey, age 16, was a victim of this scheme and committed suicide as a result last December.

Murray's mother said: "I'm glad that Police Scotland finally have the data but it's taken far too long for Meta to release it."

This case is similar to one we have reported on previously and it seems like such incidents are on the rise.


---

CNIL publishes recommendations on the development of AI systems

There have been many questions regarding the application of the GDPR to artificial intelligence (AI). In May 2023, the CNIL published its "AI action plan", and today it released its first published recommendations for building AI systems. They provide concrete answers, illustrated by examples, to the legal and technical challenges linked to the application of the GDPR to AI. The points addressed in these first recommendations make it possible in particular to:

- define a purpose;

- define a legal basis;

- carry out tests and checks in the event of re-use of the data;

- carry out an impact assessment if necessary;

- take data protection into account when designing the system;

- take into account data protection in the collection and management of data.


---

Court Trials and Personal Data: an Example from Monaco

Today, the European Court of Human Rights has released a judgement concerning the collection of personal data by authorities.

The case concerns Mr Rybolovlev (who is famous for unsuccessfully suing the art-giant Sotheby's) and his lawyer, Ms Bersheda. During a private meal, Ms Bersheda secretly recorded a conversation of just under 10 minutes with her phone. When investigated, she handed over her phone to the police to allow the recording to be examined and to prove her good faith. The investigating judge did not set any limits on how much information could be collected for examination, which led to the criminal expert extracting a plethora of personal and professional information from Ms Bersheda. Tens of thousands of calls, texts and emails over a period of 3 years were collected.

The European Court of Human Rights found that this was a breach of Article 8 (right to respect for private life) of the European Convention on Human Rights, and issued a judgement against the investigating judge of the case who did not limit the scope of the investigation.


---

TikTok Suffers From Cyberattack

The TikTok accounts of some celebrities, including Paris Hilton, have been targeted in a recent cyberattack, although TikTok claims that they have not been compromised.

So far TikTok has faced close scrutiny over its approach to storing and protecting users' data. Suspicions are high because of its ties to Beijing.


---

UK Tribunal Insists that Google Must Face £13.6 Billion Lawsuit

The Competition Appeal Tribunal, in London, has ruled that Google must face a £13.6bn lawsuit. The case, brought by a group called Ad Tech Collective Action LLP, alleges the search giant behaved in an anti-competitive way which caused online publishers in the UK to lose money.

Ad Tech Collective Action says Google has engaged in what is known as "self-preferencing" - in other words promoting its own products and services more prominently than those of its rivals, meaning that publishers end up getting less money for the ads they host.


---

Google's Problematic History with Privacy

According to 404 Media, an internal Google database reveals that the company has accidentally collected children's voice data, leaked the trips and home addresses of car pool users, and made YouTube recommendations based on users' deleted watch history, among thousands of other employee-reported privacy incidents. The database contains thousands of reports over the course of six years, from 2013 to 2018.

Privacy campaigners claim that, although individually the incidents may each have impacted only a relatively small number of people, taken as a whole, the internal database shows how one of the most powerful and important companies in the world (mis)manages a staggering amount of personal, sensitive data on people's lives.


---

Hacker Epidemic: Ticketmaster's Data Stolen

A group of hackers, ShinyHunters, said they had stolen the personal details of 560 million customers from Ticketmaster - one of the largest online ticket sales platforms in the world - and are demanding a £400,000 ransom payment. The stolen data includes names, addresses, phone numbers and partial credit card details from Ticketmaster users worldwide. Experts are warning that it's part of a larger ongoing hack involving a cloud storage provider called Snowflake, as ShinyHunters has been linked to a string of high-profile data breaches.

In 2021 the group sold a genuine database of stolen information from 70 million customers of US telecoms firm AT&T. In September 2023, almost 200,000 Pizza Hut customers in Australia had their data breached. The FBI cracked down on the domain in March 2023, arresting its administrator Conor Brian Fitzpatrick, but it has reappeared, according to tech media.


---

30 Million Santander Users' Data Hacked

The information of millions of users of Santander bank was stolen by a hacker group going by the name of ShinyHunters.

"Following an investigation, we have now confirmed that certain information relating to customers of Santander Chile, Spain and Uruguay, as well as all current and some former Santander employees of the group had been accessed,…" said a spokesperson.

The following data was stolen:

- 30 million people's bank account details

- 6 million account numbers and balances

- 28 million credit card numbers

- HR information for staff

However, it was said that 'no transactional data, nor any credentials that would allow transactions to take place on accounts are contained in the database, including online banking details and passwords'.


---

Temu Designated as a Very Large Online Platform

The EU Commission has formally designated Temu as a Very Large Online Platform (VLOP) under the Digital Services Act (DSA). Temu is an online marketplace with an average of more than 45 million monthly users in the European Union, which is above the DSA threshold.

This means that Temu will now have to comply with the stringent rules of the DSA. These include, but are not limited to: carrying out regular risk assessments, publishing an ads library, giving researchers access to publicly available data, complying with transparency requirements, and being subject to an external independent audit every year.


---

EDPS AI Guidelines

The EDPS has published guidelines on generative Artificial Intelligence and personal data for EU institutions, bodies, offices and agencies.

The guidelines aim to help EU bodies to comply with Regulation (EU) 2018/1725 when using or developing generative AI tools. They emphasise data protection’s core principles, and include concrete examples to use as an aid when anticipating risks, challenges and opportunities of generative AI systems and tools.
