Privacy In Focus | March

March 22, 2024

by Olena Nechyporuk

We bring you a round up of articles and updates in the data sphere

Thursday, 28th March 2024

US Data Brokers Track People’s Location

According to, devices of up to 200 people who visited Jeffrey Epstein’s notorious island left a trail of data pointing back to their locations, up to where they lived and went to work.

The data was amassed by Near Intelligence, a location data broker, and reveals with high precision the residences of many guests of Little Saint James, where Epstein is accused of having trafficked countless girls. Near Intelligence’s access to this information reveals the level of surveillance data brokers can achieve under lax US privacy laws. The firm gets the data from various advertising companies that interact with billions of devices as people browse the web. Before a targeted advertisement can be shown, phones send information about their owners to real-time bidding platforms, which frequently includes location data. Companies like Near Intelligence will then repackage the data and sell it on.

While in this case the availability of phone location data may be used in an investigation to uncover a deep and heinous crime, the idea that people can be tracked so easily is disturbing. Europe is fortunate to have strict privacy laws; the US is a different case altogether.

Read More

AI’s Negative Impact on Ethnic Minorities

Uber Eats was forced to pay out compensation because their Artificial Intelligence systems were racially discriminatory.

Mr Manjang was working for Uber Eats since November 2019, and after the company increased their security threshold, was required to undergo facial recognition checks. He was let go from the company in 2021 after being told that there were ‘continued mismatches’ in the facial verification system.

Mr Manjang sued Uber Eats with the help of the Equality and Human Rights Commission and the App Drivers and Couriers Union, which helped him fund the case. The subsequent ruling was in his favour, and he was compensated. “This marks the end of a long and difficult case,” he shared.

It is widely known that AI works less well for people from ethnic backgrounds. “My case shines a spotlight on the potential problems with the use of AI, particularly for low paid workers.”

Read More

Company Fined for Snooping on Employees

A company in Iceland, Stjornuna (the operator of Subway in Iceland), was fined ISK 1,500,00 by the DPA for excessive CCTV monitoring on employees.

A Subway worker filed a complaint about being monitored at work by CCTV and not being informed of it. The worker was also not informed of his rights at work, and so the conclusion of the supervisory authority was that Stjornun was not transparent about how they were going to monitor employee activity. They violated the first principle of GDPR which is Lawfulness, Fairness and Transparency.

Furthermore, Stjornuna also infringed on the purpose limitation principle, as the supervisory authority concluded that “the electronic monitoring was not compatible with the declared purpose of the monitoring.”

Article 88 of the GDPR gives Member States authorisation to specify rules around protecting the rights and freedoms of employees. Therefore, it is important that employers looking to monitor employees in any form, particularly the use of video surveillance, must ensure that they check the local laws for lawful processing.

Read More

Where is the UK heading with the AI Act?

The proposed AI regulation receives a second hearing in the House of Lords in the UK. While the EU Act was already voted on by the European Parliament, the UK lags behind. Read about the proposed UK AI suggestions here.

Friday, 22nd of March 2024

EU: Finland Rules That Creating Accounts When Purchasing Online Is Not Mandatory

On the 18th of March 2024, Finland’s DPA fined the online store 856,000 euros. The store had no retention policy in place, enabling them to store customer information for an indefinite amount of time. The company relied on customers taking up the initiative themselves by making a request to delete their personal data. The DPA reiterated that relying on the initiative of customers is no substitute for having a proper data retention period.

Customers were also required to create an account  on the website in order to buy even one item. This was ruled as inappropriate by Finland’s DPA, and was ordered to bring its operating procedures in line with mandatory legislation.

Source: Tietosuoja (Finland DPA)

UK: Peeking at Medical Records Is Illegal

The alleged report that a member of medical staff at The London Clinic has tried to access the medical records of Catherine, Princess of Wales, after she had undergone a surgery there in January 2024, has gained a lot of attention across the UK.

The ICO has, however, confirmed this in a statement on the 20th of March here.

This is not the first time a member of staff has tried to access medical information – there was a similar case in November 2023.

Medical data is a classified as special category data and therefore has strict rules surrounding its use, storage, retention period, and who is allowed to access it. Let us see how this investigation goes.

EU: Hackers Leak Details of 43 Million Unemployed French Individuals

The French equivalent of UK Jobcentre Plus, France Travail, suffered a data breach. An estimate of 43 million individuals have been impacted. Hackers disclosed the following information about jobseekers:

  • Full name
  • Date and Place of Birth
  • Social Security Number
  • Address
  • Phone number Email address
  • France Travail identifying number

This poses massive risks of identity theft, so the agency recommends people to be vigilant.

This is not the first instance of a data breach from France Travail. In August 2023 a similar data breach happened, so the government agency definitely needs to rethink its approach to security and data protection.

Read More: France Travail

EU: Another Data Breach from A Government Agency

This time it’s the Norwegian Labour and Welfare Agency (NAV) that has been fined NOK 20 million by the Datatilsynet, the Norwegian Data Protection Authority.

In a statement released by Datatilsynet on the 18th of March, the NAV was heavily criticised for not having any adequate measures in place for protecting people’s data. The investigation uncovered “a number of breaches” that testify that “personal data security has not been given sufficient priority and resources by the management of NAV.” The agency did not react sufficiently to repeat calls and external evaluations from the Norwegian DPA and thus intensified their concerns.

In government agencies such as these, the final responsibility of ensuring compliance rests upon management. Since the NAV “forms the backbone of the welfare model on which society is built” in Norway, this data breach has incurred quite a high fine.

Hopefully other government agencies that have to process massive amounts of data take heed and ensure that their systems do not remain vulnerable.

Source: Datatilsynet

EU: Meta Offers Users a Discount for Stealing their Data

A senior Meta executive said on Tuesday, 19th of March, that they are willing to halve their monthly subscription fee from 9.99 to 5.99 euros for the “pay-or-ok” model. This is a result of numerous activism from privacy enthusiasts that push enforcement action on Meta.

Because of stringent EU privacy laws, Meta will now give users the option to say “ok” to harvesting their data and continue to use Meta services for free, or charge users 5.99 euros if they do not wish their data to be used. Privacy activist Max Schrems says – and we agree – that the issue is not at all about the money. It’s about the principle. When users register on any site they should not have to pay extra for Big Tech not to steal their data. The entire purpose of the “pay-or-okay” model is to “get users to click on “ok”, even if this is not their free and genuine choice.”

Halving the subscription amount does not make it legal.

Read More: Meta

UK: Man 39 Gets 66 Days Jail Time for Cyber Flashing.

What is Cyber-Flashing?

“The practice typically involves offenders sending an unwanted sexual image to their victims to people often via social media or dating apps. Unsolicited images may also be shared over data sharing services such as Bluetooth and Airdrop, where victims are forced to see the preview before having the option to reject it.

According to the UK Safer Internet Centre, 76% of girls aged 12-18 have been sent unsolicited nude images of boys or men.

Do you know that Cyber Flashing is a Criminal Offence? You Can Report It!

Read More about Cyber Flashing

Friday 15th of March 2024

EU: Court of Justice of the EU Rules that Unlawfully Processed Data Should be Deleted

On the 14th of March, a decision was made by the Court of Justice of the European Union regarding the right of removal of a subject’s data by a Member State’s Data Protection Authority.

In 2020, a municipal administration in Hungary, aiming to vet applications for aid from applicants who were negatively impacted by Covid-19, requested applicants’ data from the Hungarian State Treasury and the government office. This was done in order to verify the eligibility and conditions of the applicants. Upon finding out about this data request, the Hungarian Data Protection Authority ordered the municipal administration to delete the extra data gathered about applicants. The data subjects were not informed that their data was being collected and passed on from outside sources, nor were the data subjects informed on how their data was going to be used. The administration, in turn, argued that without a specific request from a person asking for their data to be deleted they were not compelled to delete the data.

As the issue escalated to the Court of Justice of the EU, a decision was made following an investigation. The Court ruled that the Data Protection Authority has the right to demand that data be deleted if it violated the GDPR principles, and in this case the data was to be deleted by the municipal administration.

Read more.

UK: ICO Reprimands London Mayor’s Office for Policing and Crime

The Information Commissioner’s Office (ICO) has reprimanded the London Mayor’s Office for Policing and Crime (MOPAC) for not having adequate measures in place to protect people’s data.

The website had two forms available for members of the public to submit complaints about the Metropolitan Police. Due to an error on the website, the past forms, which included names, addresses and reasons for submitting a complaint had been made publicly available. There is no evidence that the data was accessed, but nevertheless, due to the highly sensitive nature of the complaints, MOPAC was reprimanded because such data leaks might have caused serious damage.

Read more.

UK: ICO Reprimands Dover Harbour

With the purpose of combatting vehicle crime, an Officer of the Dover Harbour Board created a WhatsApp and Telegram group, which included over 200 officers from multiple UK police forces, on his personal phone. The ICO found that personal information was being made available in the group without any proper safeguards in place.

Due to this group being on his personal phone, supervisors and managers would not have had the oversight they ought to have in such cases. Such groups pose risk while personal data is being shared, especially if people who have left the law enforcement service remain as members in these groups.

Because of the risks involved, the ICO reprimanded the Dover Harbour Board.

Read more.

Brazil: Facebook and Zoom Hit with Fines from Brazil

A court in Brazil has fined Facebook and Zoom for illegally harvesting people’s data. Following an investigation, the court has established that the above companies pay out BRL 20 million (just over £ 3 million) cumulatively in fines, as well as BRL 500 (£78.75) to each person whose data was harvested.

In 2020 it became known that the Zoom iOS app was using the ‘login from Facebook’ feature, which transferred users’ data over to Facebook, even if they did not have a Facebook account. A huge amount of data, including but not limited to, device time zones, types of device and screen sizes allowed Facebook to track and analyse user behaviour to make targeted ads.

Zoom said in its defence that it was not monetising the data and had no profit-sharing agreement with Facebook. The Brazilian court, however, came to the conclusion that both companies were to be fined to curb further incentive for harvesting user data.