Privacy In Focus | June

June 27, 2024

by Olena Nechyporuk

We bring you a round-up of articles and updates in the data sphere.

Thursday, 27th June 2024

Reddit to Block AI Data Scrapers

AI companies need a continual supply of data for training their AI models. For some websites, licensing deals with OpenAI and Google are set to bring in millions every year by making users' data available for AI training. Reddit has incorporated such licensing deals into its business model, and it plans to protect that revenue source by barring AI data collectors that are not willing to pay for the data they collect.

Reddit is therefore going to update its own web standard to stop automated data collection by unlicensed AI players. By modifying its implementation of the "Robots Exclusion Protocol" (robots.txt), the platform will limit the number of requests a single entity can make.
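As an added illustration (not Reddit's code and not its real robots.txt), the block below shows what the Robots Exclusion Protocol can express, namely which crawlers may fetch which paths and a requested Crawl-delay, and, since compliance with robots.txt is voluntary, how a site operator can check its own access logs for crawlers that ignore the policy. The crawler names, paths and log lines are constructed for the example.

```python
import re
from datetime import datetime
from urllib.robotparser import RobotFileParser

# Constructed robots.txt; the crawler names are hypothetical, not Reddit's.
ROBOTS_TXT = """\
# Unlicensed AI crawlers: nothing may be fetched.
User-agent: ExampleAIBot
User-agent: OtherAIBot
Disallow: /

# A licensed partner: full access, asked to wait 10 s between requests.
User-agent: LicensedSearchBot
Crawl-delay: 10
Allow: /

# Everyone else: keep out of the API, 5 s between requests.
User-agent: *
Disallow: /api/
Crawl-delay: 5
"""

# Constructed combined-log-format lines (RFC 5737 documentation addresses).
ACCESS_LOG = [
    '203.0.113.10 - - [27/Jun/2024:10:00:01 +0000] "GET /r/privacy/comments/abc HTTP/1.1" '
    '200 5120 "-" "ExampleAIBot/1.0 (+https://example.test/bot)"',
    '203.0.113.11 - - [27/Jun/2024:10:00:02 +0000] "GET /r/privacy/ HTTP/1.1" '
    '200 5120 "-" "LicensedSearchBot/2.0"',
    '203.0.113.11 - - [27/Jun/2024:10:00:04 +0000] "GET /r/privacy/new/ HTTP/1.1" '
    '200 5120 "-" "LicensedSearchBot/2.0"',
    '203.0.113.12 - - [27/Jun/2024:10:00:05 +0000] "GET /api/comments HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (compatible; RandomScraper/0.1)"',
    '203.0.113.13 - - [27/Jun/2024:10:00:06 +0000] "GET /r/privacy/ HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/127.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_robots(text):
    """Build a RobotFileParser from robots.txt text without fetching anything."""
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    return rp

def parse_log(lines):
    """Yield (ip, timestamp, path, user_agent) for each well-formed log line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # silently skip lines that do not match the expected format
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["path"], m["ua"]

def find_disallowed_fetches(rp, lines):
    """Return (ip, user_agent, path) for requests robots.txt asked clients not to make."""
    return [(ip, ua, path) for ip, _, path, ua in parse_log(lines)
            if not rp.can_fetch(ua, path)]

def find_too_fast(rp, lines):
    """Return (ip, user_agent) for clients that ignored the Crawl-delay applying to them."""
    last_seen, offenders = {}, set()
    for ip, ts, _, ua in parse_log(lines):
        delay = rp.crawl_delay(ua)  # None when no delay applies to this agent
        key = (ip, ua)
        prev = last_seen.get(key)
        if delay is not None and prev is not None and (ts - prev).total_seconds() < delay:
            offenders.add(key)
        last_seen[key] = ts
    return sorted(offenders)
```

Run against the constructed log, the first function flags the unlicensed AI crawler and the scraper hitting /api/, and the second flags the licensed partner that requested pages 2 s apart despite its 10 s Crawl-delay; robots.txt only states the policy, so enforcement (rate limiting, blocking) still has to happen server-side.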

Read more

---

Yet Another Ransomware Group Hack

Evolve Bank & Trust confirmed that it was the victim of a cybersecurity attack in which customers' data was illegally released on the dark web. The Arkansas-based lender said it had engaged the appropriate law enforcement agencies to aid in its investigation and response efforts. The hack was carried out by the ransomware group LockBit, which released a cache of files posted across 21 separate links on the dark web after Evolve failed to meet its ransom demands.

“It appears these bad actors have released illegally obtained data, including Personal Identification Information (PII), on the dark web. The data varies by individual but may include your name, Social Security Number, date of birth, account information and/or other personal information,” Evolve Bank said in a notice on its website.

Read more

---

Australian Government Releases AI Framework

The Australian Government has recently released a National Framework for the Assurance of Artificial Intelligence in Government, which establishes cornerstones and practices of AI assurance. Instead of focusing on technical detail, the framework sets foundations across all aspects of government, with jurisdictions to develop specific policies and guidance.

This framework will help governments to:

• understand the expected benefits of AI

• identify risks

• ensure lawful use

• understand if AI is operating as expected

• demonstrate, through evidence, that the use of AI is safe and responsible.

Read more

---

CPPA Announces Cooperation with French Data Protection Authority

The California Privacy Protection Agency (CPPA) - the most comprehensive data privacy law in the USA - and the Commission Nationale de l'Informatique et des Libertés (the French DPA) signed a declaration of cooperation, which will allow both authorities to collaborate to safeguard personal information and advance privacy. The declaration establishes a general framework of cooperation to facilitate joint research and education on new technologies and data protection issues, to share best practices, and to convene periodic meetings.

We look forward to the developments and cooperation between these two organisations.

Read more

---

ICO Reviewing Its Stance on Dealing with Government Agencies

Today the ICO released a statement saying that it is reviewing its two-year trial regarding government agencies. The trial was started in 2022 by John Edwards, the UK Information Commissioner, and was meant to reduce the fines usually imposed on government agencies when a data breach occurred. In his open letter in 2022, Mr Edwards stated his motivations: when a public body is fined, the main stakeholders and managers suffer no repercussions for the breach, while the fine cuts the budget available to provide essential services. In that case, the victims of a data breach suffer twice. The objective of the ICO was to inform public bodies about privacy requirements and try to establish norms that would prevent data breaches in the first place.

The ICO is now reviewing the results of the trial and will inform the public about further developments in the near future.

Read more

---

Privacy During the Olympics: CNIL Weighs In

Today, the CNIL published a Q&A detailing how they will use people's data during the Olympic Games, which will be hosted in Paris this summer. There will be two major methods for ensuring safety: 'object-detection' CCTV cameras and a QR code system where people will be required to present a QR code if they wish to enter certain regions of Paris.

A few key points:

- The CCTV cameras will not be using facial recognition software, only object-recognition to detect any suspicious criminal activity, and will have to cease operation by March 31, 2025 - unless otherwise extended by law.

- To obtain the QR code to enter certain areas, people will have to submit: name; date and place of birth; postal and e-mail address; telephone number; photograph; the reason and proof of access to the zone (proof of residence, proof of employment, etc.); number and copy of identity card, driving license, passport or residence permit; dates and times of entry to and exit from the secure area.

- The information provided for obtaining a QR code will be kept for 3 months, and then deleted.

Read more

---

Avanza Bank Fined 1.34M EUR For Meta Data Leak

Swedish financial services company Avanza Bank was fined 15 million SEK (about 1.34 million EUR) for unlawfully revealing the personal data - identity numbers, loan amounts, and account numbers - of up to 1 million individuals to Meta, due to a misconfigured Meta pixel. Upon discovery, Avanza deactivated the Meta pixel tool and confirmed that Meta had deleted the data.

Avanza failed to implement adequate technical and organisational measures to secure personal data, which led to the unauthorised disclosure.

Read more

---

EDPS Releases Privacy Book for 20th Anniversary

On June 20th, 2024, the EDPS celebrated 20 years. To celebrate 20 years in active data protection service, they have released a book which includes articles from some of the most renowned privacy experts. Complete with insightful observations, photographs, timelines and memories, with a look to the future, this is a most interesting read.

Free download

---

EU Commission Opens Investigation Against Apple

Today, the European Commission informed Apple that it considers Apple's App Store rules to be in breach of the Digital Markets Act (DMA). The App Store prevents app developers from steering consumers to alternative channels for payment. Users are encouraged to use Apple Pay and discouraged, by various means, from going outside the Apple system to pay for services. This is not permitted under the DMA.

The Commission also opened a new non-compliance procedure against Apple over concerns that its new contract requirements for third-party developers and third-party app stores fall short of effective compliance with Apple's obligations under the DMA.

Read more

---

Friday, 21st June 2024

SpongeBob App Forced to Stop Using Children's Data

The “SpongeBob: Krusty Cook-Off” mobile game is a popular cooking simulation game that includes both targeted advertising and in-app purchases and is directed to children under the age of 13. Owned by Tilting Point Media, it is alleged to have collected and shared its young players' personal data - without parental consent - with third parties, violating the California Consumer Privacy Act (CCPA) and the federal Children’s Online Privacy Protection Act (COPPA).

The company now has to pay $500,000 in civil penalties and must comply with the COPPA and CCPA requirements:

- Not share the personal information of users under 13 years old without parental consent, and not share the personal information of consumers aged 13-16 without affirmative "opt-in" consent.

- Use only neutral age screens that encourage children to enter their age accurately.

- Provide just-in-time notices in cases where Tilting Point Media does sell or share the personal information of children.

Read more

---

Vermont Data Privacy Bill Vetoed

The Vermont Data Privacy Act (VDPA) will not be enacted into law - at least in its current form - after Governor Phil Scott's veto earlier this week. The VDPA was widely considered the strongest comprehensive data privacy law in the United States, at least since the California Consumer Privacy Act (CCPA), with its strong focus on data minimisation and the right of any individual to sue a company that mishandles their data.

Arguments against passing the Bill centred on the private right of action; its high complexity compared to similar laws (for instance, Connecticut's or California's); and the severe impact it would have on small to mid-sized businesses and non-profits.

The Vermont legislation has not been passed, but its sponsor, Democratic Rep. Monique Priestley, has vowed to fight on.

Read more

---

Qilin Hackers Make Good on Threat - Publish Stolen Blood Test Data

Overnight on Thursday, the ransomware group Qilin - responsible for the hack of London hospitals - published almost 400GB of private information on its darknet site. A sample of the data seen includes patient names, dates of birth, NHS numbers and descriptions of blood tests.

Qilin had infiltrated the computer systems of a company used by two NHS trusts in London and encrypted vital information, rendering IT systems useless. They claim they are not to blame: "we are very sorry for the people who were suffered because of it. Herewith we don't consider ourselves guilty and we ask you don't blame us in this situation. Blame your government."

Read more

---

Tuesday, 18th June 2024

London Hospital Hack May Have been Politically Motivated

The London hospitals hack by the ransomware gang Qilin was first announced on 3 June, when pathology service provider Synnovis said all its IT systems were offline. According to NHS London, this has led to five planned C-sections being rescheduled, 18 organs being diverted for use by other trusts, and 736 hospital outpatient appointments and 125 community outpatient appointments being postponed. HIV, Hep C and Hep B tests are also currently suspended.

Qilin, which has a well-established reputation for extortion, claims that it carried out this cyber-attack as revenge for the UK government's actions in an undisclosed war. The group spoke to the BBC over the encrypted chat service qTox, attempting to justify the attack as a form of political protest. It is unclear where they are based, or the extent of their political motivations, although there is suspicion that they are very likely connected to Russia.

Synnovis says it is working to recover its IT systems and has not confirmed whether or not Qilin are holding it to ransom.

Read more

---

New EDPB Director Elected

Today the EDPB, responsible for ensuring the consistent application of EU data protection rules throughout the European Economic Area (EEA), announced that they have elected a new Deputy Chair, Zdravko Vukić, Director of the Croatian Personal Data Protection Agency. He will be replacing Aleid Wolfsen (Chair of the Dutch Data Protection Authority), who has reached the end of his five-year mandate as EDPB Deputy Chair.

We congratulate Mr Vukić on his new appointment and look forward to new developments from the EDPB.

Read More

---

Network Rail: The Rise of AI Surveillance

During the past two years, train stations around the UK have been testing AI surveillance technology with CCTV cameras with the aim of alerting staff to safety incidents and potentially reducing certain types of crime.

The cameras have been using object recognition—a type of machine learning that can identify items in video—to detect people trespassing on tracks, to monitor and predict platform overcrowding, and to identify antisocial behaviour. Some images of people crossing near ticket barriers were sent to be analysed by Amazon's Rekognition system, which allows face and object analysis. This could allow passenger "satisfaction" to be measured, while some say that "this data could be utilized to maximum advertising and retail revenue."

Similar AI surveillance systems are increasingly becoming popular around the world. “There is a very instinctive drive to expand surveillance,” says Carissa Véliz, an associate professor in psychology at the Institute for Ethics in AI, at the University of Oxford. “…surveillance leads to control, and control to a loss of freedom that threatens liberal democracies.”

Read more

---

More Complaints Over Google's Tracking: NOYB

NOYB has filed a complaint with the Austrian Data Protection Authority over concerns about Google's new privacy feature, which claims not to use third-party trackers. In reality, NOYB says, the tracking is simply moved from third parties into the Google browser itself.

Read more

---

EU Parliament Releases Analysis of AI and Human Rights

At the request of a sub-committee, the European Parliament coordinator and professor H. Akin has authored a document analysing AI and its impact on human rights worldwide. Produced to aid EU entities in drafting any future guidelines, it aims to build a wider understanding of the complex policy, regulatory and diplomatic challenges at the intersection of technology, democracy and human rights.

Read more

---

Belgian DPA Fines Restaurant

The Belgian DPA issued a decision on 13 June 2024 imposing fines of 500 euros and 250 euros respectively.

The issue concerns the booking of a restaurant meal. When a booking is made through a third-party system, whether using an app to book a meal or by collecting the details over the phone and entering them into a meal-booking system, the client's details should not be passed on to the third party for its own use. This case relates to a person who, having booked a meal at a restaurant, later began to receive marketing emails from the third-party booking system. The person objected to their data being used in such a way.

Restaurants and small businesses have to make sure that the processors they use have adequate data protection mechanisms in place.

Read more

---

New York Set to Take Child Privacy Seriously

Senate Bill S7695B, called the New York Child Data Protection Act, has recently been passed by the Assembly and the US Senate. The bill aims to protect the privacy of children by restricting digital services from collecting or using the personal data of users they know to be under the age of 18 without consent, and by requiring safeguards for the sale or disclosure of the personal data of users they know to be under 18.

The bill provides that operators shall not process the personal data of users who are 12 years old or younger. For children aged 13 or older, operators may process personal data if informed consent has been obtained or if processing is strictly necessary for specific activities, such as providing a specific product or service.

If enacted, the bill would take effect one year after it becomes law.

Read more

---

Concerns over Apple's AI Overhaul

Apple has recently announced a set of iOS updates which include a Siri makeover along with a number of other new features. The makeover is part of a new personalised AI system - called "Apple Intelligence" - that aims to offer users a way to navigate Apple devices more easily. The updates to the operating systems will allow access to ChatGPT through a partnership with developer OpenAI.

Elon Musk, the owner of Tesla and Twitter/X, has criticised this and threatened to ban iPhones from his companies due to data security.

"Apple has no clue what's actually going on once they hand your data over to OpenAI," Mr Musk said on X. "They're selling you down the river."

Read more

---

CNIL Opens a Consultation to Develop AI Recommendations

While the European regulation on AI has just been adopted and will come into force in stages in the coming months, the CNIL wishes to provide legal certainty to players in the sector by anticipating the link between the AI Regulation and the GDPR.

Thus the CNIL is opening, for the second time, a consultation with all stakeholders to develop its recommendations around the use of: web scraping, the publication of AI models in open source, and the management of individuals' rights among other things.

This consultation follows initial recommendations recently published following a public consultation.

Read more

---

UK ICO to Join 23andMe Investigation with Canada

Today the ICO announced that it will join Canada in investigating the data breach that occurred in October 2023 at 23andMe, a genetic testing company. The UK Information Commissioner and the Privacy Commissioner of Canada will leverage the combined resources and expertise of their two offices.

Their investigation will try to determine:

- the scope of information that was exposed by the breach and potential harms to affected people;

- whether 23andMe had adequate safeguards to protect the highly sensitive information within its control;

- whether the company provided adequate notification about the breach to the two regulators and affected people as required under Canadian and UK data protection laws.

Read more

---

Meta Hands Over 'Sextortion' Data

Meta says it has handed over data relating to a Scottish teenager who ended his life after becoming the victim of a sextortion gang on Instagram. Sextortion often involves victims being sent a nude picture before being invited to send their own in return - only to then receive threats that the image will be shared publicly unless they meet the blackmailer's demands. Murrey Downey, aged 16, was a victim of this scheme and took his own life as a result last December.

Murrey's mother said: “I'm glad that Police Scotland finally have the data but it's taken far too long for Meta to release it."

This case is similar to one we have reported on previously and it seems like such incidents are on the rise.

Read more

---

CNIL publishes recommendations on the development of AI systems

There have been many questions regarding the application of the GDPR to artificial intelligence (AI). In May 2023, the CNIL published its "AI action plan", and today it released its first recommendations for building AI systems. They provide concrete answers, illustrated by examples, to the legal and technical challenges linked to the application of the GDPR to AI. The points addressed in these first recommendations make it possible in particular to:

- define a purpose;

- define a legal basis;

- carry out tests and checks in the event of re-use of the data;

- carry out an impact assessment if necessary;

- take data protection into account when designing the system;

- take data protection into account in the collection and management of data.

Read more

---

Court Trials and Personal Data: an Example from Monaco

Today, the European Court of Human Rights released a judgement concerning the collection of personal data by authorities.

The case concerns Mr Rybolovlev (known for unsuccessfully suing the art giant Sotheby's) and his lawyer, Ms Bersheda. During a private meal, Ms Bersheda secretly recorded a conversation of just under 10 minutes on her phone. When investigated, she handed over her phone to the police so that the recording could be examined and to prove her good faith. The investigating judge set no limits on how much information could be collected and examined, which led the forensic expert to extract a plethora of personal and professional information from Ms Bersheda. Tens of thousands of calls, texts and emails spanning a period of 3 years were collected.

The European Court of Human Rights found that this was a breach of Article 8 (right to respect for private life) of the European Convention on Human Rights, and issued a judgement against the investigating judge of the case, who did not limit the scope of the investigation.

Read more

---

TikTok Suffers From Cyberattack

The TikTok accounts of some celebrities, including Paris Hilton, have been targeted in a recent cyberattack, although TikTok claims that they were not compromised.

TikTok has already faced close scrutiny over its approach to storing and protecting users' data. Suspicions are high because of its ties to Beijing.

Read more

---

UK Tribunal Insists that Google Must Face £13.6 Billion Lawsuit

The Competition Appeal Tribunal, in London, has ruled that Google must face a £13.6bn lawsuit. The case, brought by a group called Ad Tech Collective Action LLP, alleges the search giant behaved in an anti-competitive way which caused online publishers in the UK to lose money.

Ad Tech Collective Action says Google has engaged in what is known as "self-preferencing" - in other words promoting its own products and services more prominently than that of its rivals, meaning that publishers end up getting less money for the ads they host.

Read more

---

Google's Problematic History with Privacy

According to 404 Media, an internal Google database reveals that the company has accidentally collected children's voice data, leaked the trips and home addresses of car pool users, and made YouTube recommendations based on users' deleted watch history, among thousands of other employee-reported privacy incidents. The database contains thousands of reports over the course of six years, from 2013 to 2018.

Privacy campaigners argue that, although each incident individually may have affected only a relatively small number of people, taken as a whole the internal database shows how one of the most powerful and important companies in the world (mis)manages a staggering amount of personal, sensitive data about people's lives.

Read more

---

Hacker Epidemic: Ticketmaster's Data Stolen

A group of hackers, ShinyHunters, said they had stolen the personal details of 560 million customers from Ticketmaster - one of the largest online ticket sales platforms in the world - and are demanding a £400,000 ransom payment. The stolen data includes names, addresses, phone numbers and partial credit card details of Ticketmaster users worldwide. Experts are warning that it is part of a larger ongoing hack involving Snowflake, a cloud storage provider, as ShinyHunters has been linked to a string of high-profile data breaches.

In 2021 the group sold a genuine database of stolen information from 70 million customers of US telecoms firm AT&T. In September 2023, almost 200,000 Pizza Hut customers in Australia had their data breached. The FBI cracked down on the domain in March 2023, arresting its administrator Conor Brian Fitzpatrick, but it has reappeared, according to tech media.

Read more

---

30 Million Santander Users' Data Hacked

The information of millions of users of Santander bank was stolen by a hacker group going by the name of ShinyHunters.

"Following an investigation, we have now confirmed that certain information relating to customers of Santander Chile, Spain and Uruguay, as well as all current and some former Santander employees of the group had been accessed,…" said a spokesperson.

The following data was stolen:

- 30 million people's bank account details

- 6 million account numbers and balances

- 28 million credit card numbers

- HR information for staff

However, it was stated that the database contains 'no transactional data, nor any credentials that would allow transactions to take place on accounts are contained in the database, including online banking details and passwords'.

Read more

---

Temu Designated as a Very Large Online Platform

The EU Commission has formally designated Temu as a Very Large Online Platform (VLOP) under the Digital Services Act (DSA). Temu is an online marketplace with an average of more than 45 million monthly users in the European Union, which is above the DSA threshold.

This means that Temu will now have to comply with the stringent rules of the DSA. These include, but are not limited to: carrying out regular risk assessments, publishing an ads library, giving researchers access to publicly available data, complying with transparency requirements, and being subject to an external independent audit every year.

Read more

---

EDPS AI Guidelines

The EDPS has published guidelines on generative Artificial Intelligence and personal data for EU institutions, bodies, offices and agencies.

The guidelines aim to help EU bodies to comply with Regulation (EU) 2018/1725 when using or developing generative AI tools. They emphasise data protection’s core principles, and include concrete examples to use as an aid when anticipating risks, challenges and opportunities of generative AI systems and tools.

Read more