Privacy In Focus | March

March 9, 2023

by Rhema Sijuwade

We bring you a round up of articles and updates in the data sphere

30 Mar.

Health department leaks data of patients who accessed HIV services

The UK’s Information Commissioner’s Office reprimanded NHS Highland for a data breach that resulted in the exposure of sensitive patient information. 37 patients were visibly copied into a general email detailing their access to HIV services. The ICO did not issue a fine but publicly stated the severity of this breach and the need for stronger safeguards to be put in place concerning HIV services. They also instructed healthcare services to strengthen their data protection practices. NHS Highland has responded by including the ICO’s suggestion in their development plans and will give the Commissioner’s Office an update in June.

Read more

29 Mar.

UK government releases white paper to encourage the safe use of AI

The UK government has published a white paper to promote the use of AI and highlights its benefits. The paper focuses on how AI positively impacts the UK, contributing over £3bn to the economy. It further details the effective results of AI in different industries ranging from farming to medicine. However, there are many privacy and human rights concerns in relation to AI. The government ensures that these new technologies can be trusted if they are safe, transparent, fair, remain accountable with the correct governance, and are contestable.

Read more

28 Mar.

ICO prioritises Freedom of Information complaints

The UK’s Information Commissioner’s Office has stated that freedom of information complaints will be prioritised if there is wide public interest. The Commissioner’s Office is seeking support from public bodies to ensure quick responses to complaints and have advised that organisations should readily provide information on what people are legally entitled to know. Significant delays in the process limit the impact of the Freedom of Information Act. The ICO is combating this by speeding up the FOI complaints process.

Read more

27 Mar.

Meta aims to dismiss the €265m fine issued by the Irish DPC

Meta has requested the High Court to dismiss the €265m fine issued by the Irish Data Protection Commissioner. The Irish data watchdog found personal data from Facebook users gathered on an online forum and claimed that this violated the GDPR as they had failed to implement data protection by default. However, Meta maintains that the collation of this data was not due to a fault in their systems or any unauthorized access. The company also clarified that this information was already publicly available and refuses liability for the actions of third-party data scrapers.

Read more

24 Mar.

European Commission forms High-Level Group to help implement the Digital Markets Act

The European Commission has established a group consisting of 30 representatives from European communication, data protection, consumer protection, and regulatory groups. They will provide their expertise and guidance on how to implement the Digital Markets Act in an orderly and consistent manner. This group will help the DMA to be ‘future-proof’ and will aid its development alongside new services and technology.

Read more

23 Mar.

McDonald’s Korea fined $532,110 for inadequate data practices

The Personal Information Protection Commission (PIPC) issued a 696 million won fine to McDonald’s Korea due to its inadequate data protection practices. 4.87 million customers were affected by the data leak caused by hackers. PIPC found that McDonald’s Korea did not carry out adequate access control. The restaurant also failed to dispose of personal information when the data retention period had expired. McDonald’s Korea also failed to properly alert law enforcement and victims that there had been a data breach.

Read more

22 Mar.

German political parties accused of breaching GDPR

Non-profit government organization NOYB has accused German political parties of microtargeting Facebook users during the 2021 federal elections. Although microtargeting is not specifically mentioned in the GDPR, NOYB argues that personal, sensitive information, such as political affiliation, should not be used to manipulate voters. The European Parliament voted to ban microtargeting as part of political campaigns however, privacy campaigners are pushing for laws to ban microtargeting altogether.

Read more

21 Mar.

Fertility app possibly selling user data to third party companies

A recent study carried out by the University of New South Wales and consumer group Choice found that some menstruation-tracking apps sell personal data to third party companies, and give user data to companies that advertise in the app. Other pregnancy apps were found to collect extensive data that had no correlation to menstruation such as financial practices, housing, and education level. More concerningly, many of these apps did not specify why they needed this information or how long they intended to keep it.

Read more

20 Mar.

Irish DPC fines the Bank of Ireland €750,000

The Irish Data Protection Commissioner has issued a fine of €750,000 to the Bank of Ireland for inadequate data protection practices resulting in 10 breaches. During these breaches, users were able to access other user accounts as the bank did not follow proper protocol. RTE reported that 136 accounts were affected, however, there was no occurrence of theft or financial loss. Some breaches were caused by the bank’s faulty customer information system. The Bank of Ireland has admitted to these shortcomings and apologised for its privacy failures.

Read more

17 Mar.

TikTok banned from UK government devices

Growing security concerns surrounding TikTok have led the UK to follow decisions taken by the U.S., European, and Canadian governments to ban TikTok on government devices. This decision has been made due to concerns that the Chinese government may demand access to user data under the law. The app has stated that data is stored outside of China and also suggested that U.S. and European data be stored in Norway, the U.S. and Ireland. Privacy campaigners have questioned why TikTok has not been banned for everyday users if the same cyber security threats are present. The government has taken what they feel is the proportionate action and stated that individuals should make themselves aware of TikTok’s privacy policy.

Read more

09 Mar.

UK government reveals new Data Protection Bill

Reuters report that an updated version of the UK Data Protection and Digital Information Bill has been reintroduced into Parliament after the initial halt in September. The new Bill seeks to reform the current data protection laws, making it easier for businesses to be compliant, whilst also maintaining the UK’s adequate status. Another aim outlined in the Bill is to make data protection laws simpler for businesses, in order for them to thrive economically. The government will give organisations more clarity and confidence on when they can process personal data without consent, therefore reducing the number of cookie pop-ups online.

Read more

08 Mar.

Meta possibly unable to use standard contractual clauses when transferring personal data

It appears the Irish Data Protection Commission draft decision, to suspend Meta’s use of standard contractual clauses when transferring personal data to the U.S., will be confirmed before the European Union and United States reach a data transfer agreement. The European Data Protection Board (EDPB) are due to confirm Ireland’s draft decision by mid-April and finalize it in May. If an adequacy agreement is not reached before the EDPB make their decision, Meta will not be able to legally transfer data, meaning Facebook and Instagram will not be made available in Europe until an agreement is reached. At present, the European Commission and the U.S. government are aiming to reach a new data agreement before July.

Read more

07 Mar.

WhatsApp agrees to provide users with greater transparency

WhatsApp has reached a consensus with EU protection authorities and the European Commission (CPC network) to be more transparent with their users concerning updates to terms of service. The app agreed to make it easier for users to reject updates and clearly alert users when rejection of terms results in the inability to use the platform. The CPC will ensure that these changes are implemented and will enforce compliance if need be. These obligations come under the new Digital Services Act, which require services to provide clear terms and conditions that are easy to understand.

Read more

06 Mar.

Age-verification checks continue to challenge social media developers

Axios has highlighted the challenges that many social media and streaming platforms are facing with age verification checks. Lawmakers and parents are urging online platforms to protect minors from harmful content. There is a large grey area surrounding age verification checks as, there is no one-size fits all solution. Companies also fear that they may collect too much data from users in the process of verifying their ages. To circumvent this issue, it has been suggested that online platforms should be made safer for everyone, increasing privacy protection for all users, instead of attempting to verify ages.

Read more

03 Mar.

EU legislative bodies struggle to regulate ChatGPT

Politico reported that the introduction of ChatGPT has halted development to the EU’s Artificial Intelligence Act. The Act focused on regulating AI systems that enable social scoring, manipulation, and facial recognition. However, the European Parliament did not have the foresight to address AI generative systems in the legislation, resulting in the rewriting of the draft. ChatGPT has proven hard to regulate, whilst use of the system can be harmful by spreading misinformation, it is not inherently malicious. The European Commission, Council and Parliament will engage in negotiations to iron out the AI Act details by April 2023.

Read more

2 Mar.

TikTok fined 1.75 million lira by Turkish data protection authority

TikTok has been charged with yet another fine for failure to adequately protect user data. The personal Data Protection Board (KVKK) has accused the popular app of unlawfully processing user data. This fine follows a string of action taken against TikTok due to its concerning data privacy practices, including the banning of the app from government official devices across Europe and North America. The data protection authority also requested for the app’s privacy policy to be updated and harmonised with Turkish data protection laws.

Read more

1 Mar.

YouTube accused of collecting data from minors

Privacy campaigner Duncan McCann has filed a complaint to the Information Commissioner’s Office against YouTube. McCann accused YouTube of collecting data such as, videos watched and devices used to watch content, from minors under the age of 13. Though children are banned from YouTube and are encouraged to use YouTube kids, McCann argued that children’s data is still being collected when content is watched on devices that are not registered as a children’s account. In response, a YouTube spokesman stated that they will continue to work with the ICO, parents and child protection experts.

Read more