Privacy Transformation - Issue 200

Curated privacy news, insights & resources, with a focus on Irish and EU developments.


PRIVACY

Use of Meta tracking tools found to breach EU rules on data transfers

Austria’s data protection authority has found that use of Meta’s tracking technologies violated EU data protection law as personal data was transferred to the US where the information was at risk from government surveillance.

🔗 RELATED: Austrian DSB: Meta Tracking Tools Illegal

📣 Opinion: Lackadaisical approach to data law is going to have real-life consequences

One of the major consequences of Ireland's lack of enforcement of European data retention laws may well be that murderer Graham Dwyer wins his appeal over the use of mobile phone records to convict him.

EU lawmakers formalise position on the Data Act in plenary vote

The Data Act is a landmark legislative proposal intended to remove barriers to the circulation of industrial data by regulating the rights and obligations of all the economic actors involved in sharing data from Internet of Things (IoT) products – connected devices capable of collecting and exchanging data.

EDPB launches coordinated enforcement on role of DPOs

Data protection officers could be "solicited" by their data protection authority in the "weeks and months to come" as part of the European Data Protection Board’s freshly launched 2023 coordinated enforcement action.

🔗 RELATED: EDPB: Launch of coordinated enforcement on role of data protection officers

CNIL outlines its priority themes in 2023

France’s data protection authority has published its "priority themes" which will guide its investigations for 2023. They include:

  • The use of “smart” cameras by public actors
  • The use of the personal credit repayment incidents file
  • Access to the electronic patient record in health care institutions
  • User tracking by mobile applications

To understand how consent choices can be mishandled, it is important first to understand how consumer consent is captured and analysed, and what can cause these pipelines to rupture.


SECURITY & TECH

📣 Opinion: How the HSE cyber attack changed the face of online crime globally

The biggest attack on a health system anywhere hastened the demise of the Conti group of hackers.

Biden admin’s cloud security problem: ‘It could take down the internet like a stack of dominos’

Governments and businesses have spent two decades rushing to the cloud — trusting some of their most sensitive data to tech giants that promised near-limitless storage, powerful software and the knowhow to keep it safe. Now the White House worries that the cloud is becoming a huge security vulnerability.

WhatsApp: Rather be blocked in UK than weaken security

WhatsApp says it would rather be blocked in the UK than undermine its encrypted-messaging system, if required to do so under the Online Safety Bill.

US Chamber of Commerce calls for AI regulation

The US Chamber of Commerce on Thursday called for regulation of artificial intelligence technology to ensure it does not hurt growth or become a national security risk, a departure from the business lobbying group's typical anti-regulatory stance.

Leading EU lawmakers propose obligations for General Purpose AI

The EU lawmakers spearheading the work on the AI Act pitched significant obligations for providers of large language models like ChatGPT and Stable Diffusion while seeking to clarify the responsibilities along the AI value chain.

🔗 RELATED: EU lawmakers set to settle on OECD definition for Artificial Intelligence

Snapchat’s AI could be the creepiest chatbot yet

Given the brand’s overwhelming popularity with teens, Snapchat hoped to make its AI Chatbot a bit less hallucinogenic than Microsoft’s Bing. But Snapchat’s bot seems to be susceptible to its own disturbing conversations.

UK ministers banned from using TikTok on government phones

British government ministers have been banned from using Chinese-owned social media app TikTok on their work phones and devices on security grounds.

F.T.C. Intensifies Investigation of Twitter’s Privacy Practices

The investigation is focused on whether Twitter has adequate resources to protect its users’ privacy after the mass layoffs and budget cuts ordered by Mr. Musk, said five people familiar with the investigation who spoke on the condition of anonymity.

In the latest blow to Meta’s consentless behavioral ad-targeting business in Europe, a Dutch court has found the social media giant’s Irish subsidiary did not have a lawful basis to process local users’ data for ad targeting.

UK gov’t asks National Cyber Security Centre to review TikTok

The U.K. government has asked the National Cyber Security Centre (NCSC) to review TikTok in a move that could prefigure a ban on the app on government devices.


ENFORCEMENT

The ICO has issued a reprimand to the Metropolitan Police Service following several issues identified around their uploading, amending and deleting of various criminal intelligence files relating to Organised Crime Groups.

ICO reaches agreement with Easylife

The ICO has reached an agreement with Easylife Ltd to reduce the monetary penalty notice, issued for breaching the GDPR, to £250,000. The ICO fined Easylife in 2022 following an investigation which found the company was making assumptions about customers’ medical conditions, based on their purchase history, to sell them further health related products.


GUIDANCE & OPINIONS

Norwegian DPA: Guidance on the use of Cloud Services

The guidance is primarily aimed at data controllers and reviews the considerations that must be made if you wish to use a cloud service.

ICO: Guidance on AI and data protection

The Guidance on AI and Data Protection has been updated after requests from UK industry to clarify requirements for fairness in AI.


RESOURCES

📑 Paper: Privacy Nicks - How the Law Normalizes Surveillance

In this article, it is argued that by ignoring de minimis privacy encroachments, the law is complicit in normalizing surveillance. Privacy law helps acclimate people to being watched by ignoring smaller, more frequent, and more mundane privacy diminutions. We call these reductions “privacy nicks,” like the proverbial “thousand cuts” that lead to death.

📔 ICO: Privacy in the product design lifecycle

If you’re making a product or service that involves processing personal information, it is important to consider data protection law throughout the design and development process.

▶ ICO: Privacy, Seriously - Event Webinars

At ‘Privacy, Seriously’, an online conference streamed on 23 February, design and product leaders revealed how they put privacy at the heart of responsible innovation. Watch below to learn from the experts and organisations at the cutting edge of technology and regulation, and maybe even catch a glimpse of where the tech sector goes next.

▶ ICO: UX Design and Data Protection Series: What does privacy look like in the real world of tech?

New ICO webinar in their series on UX Design and Data Protection, examining what privacy looks like in the real world of tech.

📗 Australian Cyber Security Centre: Updated Information Security Manual

The Australian Cyber Security Centre (ACSC) produces the Information Security Manual (ISM). The purpose of the ISM is to outline a cyber security framework that organisations can apply, using their risk management framework, to protect their systems and data from cyber threats. The ISM is intended for Chief Information Security Officers, Chief Information Officers, cyber security professionals and information technology managers.

📕 OECD: Emerging privacy-enhancing technologies

This report examines privacy-enhancing technologies (PETs), which are digital solutions that allow information to be collected, processed, analysed, and shared while protecting data confidentiality and privacy. The report reviews recent technological advancements and evaluates the effectiveness of different types of PETs, as well as the challenges and opportunities they present. It also outlines current regulatory and policy approaches to PETs to help privacy enforcement authorities and policy makers better understand how they can be used to enhance privacy and data protection, and to improve overall data governance.

ENISA: Cybersecurity of AI and Standardisation

This ENISA report provides an overview of standards (existing, being drafted, under consideration and planned) related to the cybersecurity of artificial intelligence (AI), assesses their coverage and identifies gaps in standardisation.

