Privacy Transformation - Issue 202
Curated privacy news, insights & resources, with a focus on Irish and EU developments.
PRIVACY
Meta challenges DPC’s €265m fine over third-party data ‘scrape’
Meta is asking the High Court to quash a decision of Ireland’s data-protection watchdog to fine it €265 million for an alleged breach of EU privacy rules regarding the personal information of more than 500 million Facebook users.
German Constitutional Court confirms generalised data retention illegal
After seven years of ambiguity regarding the German law on data retention, the German Federal Constitutional Court ruled it inapplicable and incompatible with EU law.
EU countries in search of ‘solutions’ over data retention, encryption
Data retention and encryption emerged as the most pressing issues for law enforcement in EU governments’ comments on the establishment of a High-Level Expert Group on police access to digital data.
CPRA regulations finalized with OAL approval
New rules and obligations under the California Consumer Privacy Act have reached the finish line. The California Privacy Protection Agency announced its first California Privacy Rights Act rulemaking package was approved by the California Office of Administrative Law following a review.
Do not expect privacy if charged with a crime, says UK police standards body
People charged with a crime should have no reasonable expectation of privacy, the national policing standards body has said.
EU consumer department to present voluntary pledge over ‘cookie fatigue’
The European Commission’s consumer protection office will launch a voluntary initiative to move away from repetitive cookie banners in what might be the prelude to a legislative proposal.
UK Government In Court Over Use Of Migrants' Personal Data
The UK's High Court is hearing a challenge to the government over the use of personal data for immigration decisions. The judicial review will examine whether the so-called immigration exception is compatible with Article 23 of the UK GDPR, by allowing personal data to be processed without user consent.
🔗 RELATED:
- ICO statement on the High Court ruling about the immigration exemption in the Data Protection Act 2018
- High Court Judgement
EDPS: Press Release - Coordinated Enforcement Action on the role of data protection officers
The EDPS is taking part in the European Data Protection Board’s (EDPB) Coordinated Enforcement Action on the role and tasks of data protection officers, launched in March 2023, alongside 26 data protection authorities of the EU and the European Economic Area (EU/EEA).
SECURITY & TECH
Meta reportedly set to overhaul EU ad policies
Meta may allow European users, and only them, to opt out of personalised ads on its platforms by submitting an online form, with ads then targeted using broader categories such as age and location, the Wall Street Journal reported.
🔗 RELATED: Noyb: Meta (Facebook, Instagram) switching to "Legitimate Interest" for ads after noyb win
America’s online privacy problems are much bigger than TikTok
Concerns of Chinese data access highlight Congress’s own failure to protect Americans’ personal information.
🔗 RELATED:
- ✍🏻 Opinion: Yes, TikTok is a threat to America. But so are U.S. social media companies
- France bans TikTok on work phones of civil servants
- ✍🏻 Opinion: China crisis is a TikToking time bomb
FBI confirms access to breached cybercrime forum database
The FBI confirmed they have access to the database of the notorious BreachForums hacking forum after the U.S. Justice Department also officially announced the arrest of its owner.
Biden Acts to Restrict U.S. Government Use of Spyware
The president signed an executive order seeking to limit deployment of a tool that has been abused by autocracies — and some democracies — to spy on dissidents, human rights activists and journalists.
Europol warns against potential criminal uses for ChatGPT and the likes
The EU law enforcement agency published a flash report on Monday (27 March) warning that ChatGPT and other generative AI systems can be employed for online fraud and other cybercrimes.
💡 Insights: BingBang - AAD misconfiguration led to Bing.com results manipulation and account takeover
How Wiz Research found a common misconfiguration in Azure Active Directory that compromised multiple Microsoft applications, including a Bing management portal.
DATA BREACH
Latitude Financial cyber-attack worse than first thought with 14m customer records stolen
Latitude Financial has revealed that 14m customer records – including driver’s licence numbers, passport numbers and financial statements – were stolen from its system in a cyber-attack that was far worse than the company initially reported.
🔗 RELATED: Latitude Financial Admits Breach Impacted Millions
ChatGPT exposed premium users’ personal information, credit card details
A bug allowed ChatGPT users to see titles from each other’s chat history and — the company later disclosed — leaked the personal payment information of a small percentage of premium subscribers.
ENFORCEMENT
Norwegian DPA: Fine for U.S. firm of almost $240,000 for failure to notify within 72 hours
According to Datatilsynet (the Norwegian DPA), in July 2021, Argon Medical Devices discovered a security breach affecting their EU employees but did not notify the regulator until September 2021, long after the 72-hour deadline for reporting.
French DPA: Cityscoot fined for infringement of data minimisation among other requirements
CNIL carried out an investigation into the company Cityscoot, which rents scooters for short periods. As part of the investigation, the CNIL found that during the rental of a scooter by a private individual, the company collected data relating to the geolocation of the vehicle every 30 seconds. In addition, the company kept a record of these journeys. CNIL imposed a fine of €125,000 for infringements of data minimisation, lack of contractual arrangements, and lack of transparency and consent.
🔗 RELATED: ✍🏻 Opinion: Odia Kagan - Scoot and capture: CNIL takes on precise geolocation and reCaptcha
UK DPA: NHS Highland issued 'formal reprimand' for unforgivable HIV patient data breach
The data breach meant the confidentiality of HIV patients was compromised, and the NHS has now been forced to reform its email systems and make amends for a "no excuse" error.
RESOURCES
📘 CISA: ISC Best Practices for Making a Business Case for Security
Increasingly complex security challenges and a dynamic threat environment call for a strong and agile security planning, programming and budgeting process. To that end, this publication assists security professionals in constructing a decision-making process or rationale for proceeding with a security project or security program, completing a benefit-cost analysis to support spending decisions, applying these concepts to the ISC Risk Management Process, and measuring success.
📕 ENISA Publications:
- ENISA Foresight Cybersecurity Threats for 2030
- Cloud Cybersecurity Market Analysis
- ENISA Cybersecurity Market Analysis Framework (ECSMAF) - V2
CONTRIBUTE
Have an interesting article, book, video, podcast or other resource that you would like to share with your fellow privacy practitioners? Please do drop me a note!