Health department leaks data of patients that accessed HIV services
The UK’s Information Commissioner’s Office reprimanded NHS Highland for a data breach that resulted in the exposure of sensitive patient information. 37 patients were visibly copied into a general email detailing their access to HIV services. The ICO did not issue a fine but publicly stated the severity of this breach and the need for stronger safeguards to be put in place concerning HIV services. They also instructed healthcare services to strengthen their data protection practices. NHS Highland has responded by including the ICO’s suggestion in their development plans and will give the Commissioner’s Office an update in June.
UK government releases white paper to encourage the safe use of AI
The UK government has published a white paper to promote the use of AI and highlight its benefits. The paper focuses on how AI positively impacts the UK, contributing over £3bn to the economy. It further details the effective results of AI in different industries ranging from farming to medicine. However, there are many privacy and human rights concerns in relation to AI. The government maintains that these new technologies can be trusted if they are safe, transparent, fair, accountable under the correct governance, and contestable.
ICO prioritises Freedom of Information complaints
The UK’s Information Commissioner’s Office has stated that freedom of information complaints will be prioritised if there is wide public interest. The Commissioner’s Office is seeking support from public bodies to ensure quick responses to complaints and has advised that organisations should readily provide the information that people are legally entitled to know. Significant delays in the process limit the impact of the Freedom of Information Act. The ICO is combating this by speeding up the FOI complaints process.
Meta aims to dismiss the €265m fine issued by the Irish DPC
Meta has asked the High Court to dismiss the €265m fine issued by the Irish Data Protection Commissioner. The Irish data watchdog found personal data from Facebook users gathered on an online forum and claimed that this violated the GDPR, as Meta had failed to implement data protection by default. However, Meta maintains that the collation of this data was not due to a fault in its systems or any unauthorized access. The company also clarified that this information was already publicly available and refuses liability for the actions of third-party data scrapers.
European Commission forms High-Level Group to help implement the Digital Markets Act
The European Commission has established a group consisting of 30 representatives from European communication, data protection, consumer protection, and regulatory groups. They will provide their expertise and guidance on how to implement the Digital Markets Act in an orderly and consistent manner. This group will help the DMA to be ‘future-proof’ and will aid its development alongside new services and technology.
McDonald’s Korea fined $532,110 for inadequate data practices
The Personal Information Protection Commission (PIPC) issued a 696 million won fine to McDonald’s Korea due to its inadequate data protection practices. 4.87 million customers were affected by the data leak caused by hackers. PIPC found that McDonald’s Korea did not carry out adequate access control. The restaurant also failed to dispose of personal information when the data retention period had expired. McDonald’s Korea also failed to properly alert law enforcement and victims that there had been a data breach.
German political parties accused of breaching GDPR
Non-profit government organization NOYB has accused German political parties of microtargeting Facebook users during the 2021 federal elections. Although microtargeting is not specifically mentioned in the GDPR, NOYB argues that personal, sensitive information, such as political affiliation, should not be used to manipulate voters. The European Parliament voted to ban microtargeting as part of political campaigns; however, privacy campaigners are pushing for laws to ban microtargeting altogether.
Fertility app possibly selling user data to third-party companies
A recent study carried out by the University of New South Wales and consumer group Choice found that some menstruation-tracking apps sell personal data to third-party companies and give user data to companies that advertise in the app. Other pregnancy apps were found to collect extensive data that had no connection to menstruation, such as financial practices, housing, and education level. More concerningly, many of these apps did not specify why they needed this information or how long they intended to keep it.
Irish DPC fines the Bank of Ireland €750,000
The Irish Data Protection Commissioner has issued a fine of €750,000 to the Bank of Ireland for inadequate data protection practices resulting in 10 breaches. During these breaches, users were able to access other user accounts as the bank did not follow proper protocol. RTE reported that 136 accounts were affected; however, there was no occurrence of theft or financial loss. Some breaches were caused by the bank’s faulty customer information system. The Bank of Ireland has admitted to these shortcomings and apologised for its privacy failures.
TikTok banned from UK government devices
UK government reveals new Data Protection Bill
Reuters reports that an updated version of the UK Data Protection and Digital Information Bill has been reintroduced into Parliament after the initial halt in September. The new Bill seeks to reform the current data protection laws, making it easier for businesses to be compliant, whilst also maintaining the UK’s adequacy status. Another aim outlined in the Bill is to make data protection laws simpler for businesses, in order for them to thrive economically. The government will give organisations more clarity and confidence on when they can process personal data without consent, thereby reducing the number of cookie pop-ups online.
Meta possibly unable to use standard contractual clauses when transferring personal data
It appears that the Irish Data Protection Commission’s draft decision to suspend Meta’s use of standard contractual clauses when transferring personal data to the U.S. will be confirmed before the European Union and United States reach a data transfer agreement. The European Data Protection Board (EDPB) are due to confirm Ireland’s draft decision by mid-April and finalize it in May. If an adequacy agreement is not reached before the EDPB make their decision, Meta will not be able to legally transfer data, meaning Facebook and Instagram will not be made available in Europe until an agreement is reached. At present, the European Commission and the U.S. government are aiming to reach a new data agreement before July.
WhatsApp agrees to provide users with greater transparency
WhatsApp has reached a consensus with EU protection authorities and the European Commission (CPC network) to be more transparent with its users concerning updates to terms of service. The app agreed to make it easier for users to reject updates and to clearly alert users when rejection of terms results in the inability to use the platform. The CPC will ensure that these changes are implemented and will enforce compliance if need be. These obligations come under the new Digital Services Act, which requires services to provide clear terms and conditions that are easy to understand.
Age-verification checks continue to challenge social media developers
Axios has highlighted the challenges that many social media and streaming platforms are facing with age verification checks. Lawmakers and parents are urging online platforms to protect minors from harmful content. There is a large grey area surrounding age verification checks, as there is no one-size-fits-all solution. Companies also fear that they may collect too much data from users in the process of verifying their ages. To circumvent this issue, it has been suggested that online platforms should be made safer for everyone, increasing privacy protection for all users, instead of attempting to verify ages.
EU legislative bodies struggle to regulate ChatGPT
Politico reported that the introduction of ChatGPT has halted development of the EU’s Artificial Intelligence Act. The Act focused on regulating AI systems that enable social scoring, manipulation, and facial recognition. However, the European Parliament did not have the foresight to address generative AI systems in the legislation, resulting in the rewriting of the draft. ChatGPT has proven hard to regulate: whilst use of the system can be harmful by spreading misinformation, it is not inherently malicious. The European Commission, Council and Parliament will engage in negotiations to iron out the AI Act details by April 2023.
TikTok fined 1.75 million lira by Turkish data protection authority
YouTube accused of collecting data from minors
Privacy campaigner Duncan McCann has filed a complaint to the Information Commissioner’s Office against YouTube. McCann accused YouTube of collecting data, such as videos watched and devices used to watch content, from minors under the age of 13. Though children are banned from YouTube and are encouraged to use YouTube Kids, McCann argued that children’s data is still being collected when content is watched on devices that are not registered as a children’s account. In response, a YouTube spokesman stated that they will continue to work with the ICO, parents and child protection experts.