Privacy In Focus | May

May 24, 2024

by Olena Nechyporuk

We bring you a round-up of articles and updates in the data sphere

Friday, 24th May 2024

Is the UK Data Protection and Digital Information Bill Off?

Read more

---

Airport Facial Recognition: Individuals Should Have Maximum Control Over Biometric Data

The EDPB has issued an Opinion on the use of facial recognition systems in airports across the EU.

Currently, there is no uniform legal requirement in the EU for airport operators and airline companies to verify that the name on the passenger’s boarding pass matches the name on their identity document, and this is subject to national laws. Therefore, "where no verification of the passengers’ identity with an official identity document is required, no such verification with the use of biometrics should be performed", as this would result in an excessive processing of data.

The EDPB has considered the compliance of processing of passengers’ biometric data with four different types of storage solutions, ranging from ones that store the biometric data only in the hands of the individual to those which rely on centralised storage. In all cases, only the biometric data of passengers who actively enrol and consent to participate should be processed.

Read the Opinion here

More details

---

EDPB Reports on ChatGPT Taskforce

The EDPB has published a report, adopted by the DPAs, on the work of the ChatGPT taskforce. This taskforce was created by the EDPB to promote cooperation between DPAs investigating the chatbot developed by OpenAI. It analyses several aspects of the GDPR rules relevant to the various ongoing investigations, such as:

- the lawfulness of collecting training data (“web scraping”), as well as processing of that data for input, output and training of ChatGPT.

- fairness: compliance with the GDPR is a responsibility of OpenAI and not of the data subjects, even when individuals input personal data.

- transparency and data accuracy: the controller should provide proper information on the probabilistic nature of ChatGPT and refer explicitly to the fact that the generated text may be biased or made up.

The report points out that it is imperative that data subjects can exercise their rights effectively. Taskforce members also developed a common questionnaire as a possible basis for their exchanges with OpenAI, which is published as an annex to the report.

Read more

---

Police in Northern Ireland Fined for Data Breach

Today the ICO announced that it will fine the Police Service of Northern Ireland (PSNI) £750,000 for failing to protect the personal information of its entire workforce. In response to a freedom of information request, a "hidden" tab of an Excel spreadsheet published online revealed the surname, initials, rank and role of all 9,483 serving PSNI officers and staff.

The investigation has found the PSNI’s internal procedures and sign-off protocols for the safe disclosure of information to be inadequate.

Read more

---

EU Council Approves EU AI Act

On Tuesday, 21st of May 2024, the EU member states voted in favour of the EU AI Act.

The European Council has now issued its final approval of the EU AI Act.

Read more

---

ICO Concludes Investigation into Snap's 'My AI' Chatbot

In June 2023, the ICO opened an investigation into ‘My AI’ following concerns that Snap had not met its legal obligation to adequately assess the data protection risks posed by the new chatbot. The investigation led to the issuing of a Preliminary Enforcement Notice to Snap on 6 October 2023.

The investigation resulted in Snap demonstrating that it had implemented appropriate steps to mitigate the risk. The ICO will continue to monitor the rollout of ‘My AI’ and how emerging risks are addressed.

The main takeaway is that organisations developing or using generative AI must consider data protection from the outset, before bringing the products to market.

Read more

Do You Know Your Privacy Regulations?

It is not just companies that can get fined for breaching data privacy regulations. Individuals can be prosecuted too, as in the recent case of Mr Saleem.

A former Management Trainee at Enterprise Rent-A-Car UK Limited accessed client data which he had no business need to access. After an internal investigation, he was fired for gross misconduct and reported to the ICO. He was ordered to pay £747 in total in personal fines.

Make sure you know and follow your company's internal regulations about accessing the personal data of everyone you work with.

Read more about the case here

Visit the ICO website for more information

---

Friday, 17th May 2024

EU Commission Launches Formal Investigation Against Meta

The Commission has opened formal proceedings to assess whether Meta may have breached the Digital Services Act (DSA) in areas linked to the protection of minors. The Commission is concerned that the systems of both Facebook and Instagram, including their algorithms, may stimulate behavioural addictions in children, as well as create so-called 'rabbit-hole effects'. There is also concern about age-assurance and verification methods put in place by Meta.

The opening of formal proceedings empowers the Commission to take further enforcement steps, such as adopting interim measures and non-compliance decisions. The Commission is also empowered to accept commitments made by Meta to remedy the issues raised in the proceedings.

Read more

---

Study Finds Unhealthy Data Practices in Female Health Apps

According to new research from King’s College London and University College London, apps designed for female health monitoring are exposing users to unnecessary privacy and safety risks through their poor data handling practices.

Following an analysis of the privacy policies of 20 of the most popular female health apps available in the UK and USA, used by hundreds of millions of people, the study revealed that in many instances user data could be subject to access from law enforcement or security authorities.

Intimate data stored by health tracking apps can show details of sexual activity, contraception and when periods stop and start - with some also asking for information about abortions or miscarriages. Some apps lacked data deletion functions, or made it difficult to remove data once entered.

Key findings from the study included:

- 35% of the apps claimed not to share personal data with third parties in their data safety sections but contradicted this statement in their privacy policies by describing some level of third-party sharing.

- 50% provided explicit assurance that users' health data would not be shared with advertisers but were ambiguous about whether this also included data collected through using the app.

- 45% of privacy policies outlined a lack of responsibility for the practices of any third parties, despite also claiming to vet them.

Read more

---

ICO Reprimands Child Services in Birmingham

The ICO has issued a reprimand to Birmingham Children's Trust Community Interest Company after the personal information of a child was revealed to another family. This information was revealed in error after being copied across from meeting minutes, and included the child's protection plan with personal information and criminal allegations.

Birmingham Children's Trust Community Interest Company did not have appropriate policies or sufficient practical guidance in place to ensure the security of personal information.

Read more

---

TikTok to Sue US Government Over App Ban

The bill officially known as the Protecting Americans from Foreign Adversary Controlled Applications Act was signed by President Joe Biden on 24 April and gives TikTok's Chinese parent company ByteDance until 19 January next year to sell the app to another company or face a ban. This was done due to rising concerns that users' data is being monitored and collected by China.

TikTok claims that the app ban is a breach of the First Amendment, which protects free speech. It aims to fight for the right to remain in the US, where it has its largest user base: 170 million.

Read more

---

Hackers Tied to North Korea Launching Phishing Email Scams

The hacking collective known as Kimsuky, which is believed to be strongly tied to Lazarus Group and thus to the North Korean government, has been spotted abusing improperly configured DMARC record policies to send convincing phishing emails and gather vital intelligence from Western targets, officials have warned.

To make sure the victim responds to the phishing email, the hackers diligently prepare and thoroughly research their target, and either create fake identities or impersonate other people when reaching out. When stealing other people’s identities, they mostly impersonate journalists, academics, or other experts in East Asian affairs “with credible links to North Korean policy circles,” it was said.

Read More
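
The abuse described above works because a DMARC record that only monitors (or that is missing altogether) lets mail with a spoofed From: domain be delivered. The following added example, not from the original newsletter, checks a domain's DMARC TXT record for the weak settings a defender should look for; the records are constructed samples, and in practice you would feed in the TXT record of `_dmarc.<your-domain>`.

```python
"""Assess whether a DMARC record would actually stop spoofed mail.

Added example, not part of the newsletter. The records below are constructed
samples; replace them with a real DNS TXT lookup of _dmarc.<domain>.
"""

# Constructed sample records (None models a domain with no DMARC record at all).
CONSTRUCTED_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=reject; pct=20; sp=none",
    "enforced.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@enforced.example",
    "no-record.example": None,
}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; None if this is not a DMARC record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue  # ignore empty or malformed segments
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record):
    """Return a list of weaknesses that would let a spoofed From: header through."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["no DMARC record: receivers apply no policy to spoofed mail"]
    findings = []
    policy = tags.get("p", "none").lower()          # 'p' is required; treat missing as none
    if policy == "none":
        findings.append("p=none: failures are only reported, spoofed mail is still delivered")
    sub_policy = tags.get("sp", policy).lower()     # subdomain policy defaults to p
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains are unprotected even though the apex is enforced")
    pct = tags.get("pct", "100")                    # share of failing mail the policy applies to
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports about spoofing are never received")
    return findings
```

An empty list from `assess_dmarc` means the record enforces a reject or quarantine policy on the apex and its subdomains for all failing mail and requests aggregate reports.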

Friday, 10th May 2024

iPadOS Classified as Gatekeeper under DMA

The European Commission has today designated Apple, with respect to iPadOS, as a gatekeeper under the Digital Markets Act (DMA). iPadOS, despite not meeting the quantitative thresholds laid down in the DMA, constitutes an important gateway for business users to reach end users and therefore should be designated as a gatekeeper.

The Commission’s investigation found that Apple presents the features of a gatekeeper in relation to iPadOS, as, among others:

- Apple’s business user numbers exceeded the quantitative threshold elevenfold, while its end user numbers were close to the threshold and are predicted to rise in the near future.

- End users are locked in to iPadOS. Apple leverages its large ecosystem to disincentivise end users from switching to other operating systems for tablets.

- Business users are locked in to iPadOS because of its large and commercially attractive user base, and its importance for certain use cases, such as gaming apps.

On the basis of the findings of the investigation, the Commission concluded that iPadOS constitutes an important gateway for business users to reach end users, and that Apple enjoys an entrenched and durable position with respect to iPadOS. Apple has now six months to ensure full compliance with the DMA obligations as applied to iPadOS.

Read more

Friday, 3rd May 2024

New UK Law to Increase Security and Privacy for Tech Appliances

The UK Product Security and Telecommunications Infrastructure (Product Security) regime (PSTI) comes into effect today, on the 29th April 2024. This means that manufacturers of phones, TVs and smart doorbells are now legally required to protect internet-connected devices against access by cybercriminals by banning easy-to-guess passwords like ‘admin’ or ‘12345’.

Brands also have to publish contact details so that bugs and issues can be reported immediately, and must be transparent about timings of security updates.

It is hoped the new measures will help give customers confidence in buying and using products at a time when consumers and businesses are coming under attack at a soaring rate from hackers aiming to steal personal data.

Source

Icelandic SA: Municipality of Reykjavík fined ISK 2,000,000 for the use of Google Workspace for Education

After 2022, the Icelandic SA decided to investigate the use of cloud services in elementary schools. The investigation was limited to the use of Google Workspace for Education, in the five largest municipalities in Iceland.

The Icelandic SA’s investigation revealed that students’ personal data were not only processed on the instructions of the municipality of Reykjavík, but also for Google’s own purposes. The municipality failed to demonstrate how further processing by Google was compatible with the purpose for which students’ personal data were initially collected.

The municipality of Reykjavík infringed multiple Articles of the GDPR with its use of Google’s educational system:

- Failure to ensure and to be able to demonstrate that processing is performed in accordance with the Regulation (Articles 5, 24(1) & 28(1) GDPR)

- Data processing agreement did not meet the minimum requirements (Article 28(3)(a) GDPR)

- Failure to ensure that data is not further processed in a manner that is incompatible with the initial purpose (Articles 5(1)(b) & 6(4) GDPR)

- Failure to ensure data minimisation (Articles 5(1)(c) & 25 GDPR)

- Data protection impact assessment did not meet the minimum requirements (Article 35(7) GDPR)

- Data transferred to the United States without appropriate safeguards (Articles 44 & 46 GDPR)

The municipality of Reykjavík was fined EUR 13,270 (ISK 2,000,000) and ordered to bring its processing into compliance with the regulations.

Read more

Friday, 10th May 2024

Social Media Makes Personal Data ‘Manifestly Made Public’

The Advocate General of the CJEU issued an opinion stating that any personal information revealed on social media is, under Article 9(2)(e) GDPR, ‘manifestly made public’ and therefore does not receive the same standard of protection as other personal data. Such manifestly made public personal data may not, however, be used by social media companies for targeted ads. The clarification follows an incident in which Max Schrems filed a complaint against Meta for serving targeted ads based on his sexuality.

Read more

ICO Fines Two Companies a Total of £340,000 for Making Aggressive and Unwanted Marketing Calls

The Information Commissioner’s Office (ICO) has fined Cardiff-based Outsource Strategies Ltd (OSL) £240,000 and London-based Dr Telemarketing Ltd (DRT) £100,000 after the companies made a total of almost 1.43 million calls to people on the UK’s “do not call” register.

People who filed complaints said the callers were aggressive and used high-pressure sales tactics to persuade them to sign up for products. The ICO investigation also found evidence that both companies were specifically targeting elderly and vulnerable people.

Read More

European Parliament Approves EU-Wide Health Data Space

In an effort to make health data more accessible and easier to transfer for people who move within the EU, the European Parliament has approved an EU-wide health data bank. Patients’ data will be uploaded to an electronic health record on the portal, together with their medical history and any medical imagery. Some of the information will be anonymised to aid health research, and the EU reassures citizens that robust data protection mechanisms are in place.

Read More