Privacy Transformation - Issue 203

Curated privacy news, insights & resources, with a focus on Irish and EU developments.


PRIVACY

Italy's data protection agency opens ChatGPT probe on privacy concerns

Italy's data protection agency said today it had opened a probe into OpenAI's ChatGPT chatbot over a suspected breach of the artificial intelligence application's data collection rules.

Scottish police tech piloted despite major data protection issues

Scottish policing bodies are pressing ahead with a data sharing pilot despite data protection issues around the use of US cloud providers, placing sensitive personal data of tens of thousands of people at risk.

Majority of Irish shoppers 'concerned about privacy and how data is used'

The majority of Irish shoppers are worried about privacy and how their data is used when it comes to targeted advertising, while more than two-thirds have encountered fake reviews, a new study has found.

✍🏻 Opinion: Are parents unwittingly exploiting their children on social media?

Regularly posting images and videos of our children online infringes their privacy and dignity and can leave them exposed to the darker forces of the internet.

ICO: Balancing people’s privacy rights with the need to prevent crime

From unlocking our mobile phones to online banking verification, facial recognition technology has become an accepted part of our everyday lives. But how do we feel about live facial recognition technology, enabling CCTV cameras in public places to identify us while we’re out and about? Is it really necessary to have our faces scanned when we are simply buying some milk and a bag of frozen peas?

🔗 RELATED: Facewatch: ICO Judgement Clears the way for Facewatch

💡 Insights: The European Union’s Artificial Intelligence Act, explained

The European Union (EU) is considering a new legal framework that aims to significantly bolster regulations on the development and use of artificial intelligence. This article gives insights into how the Act aims to classify AI systems by risk and mandate various development and use requirements depending on the level of risk identified.

💡 Insights: German Data Protection Authorities on pure subscription models – pay or okay with tracking?

On March 22, 2023, the Conference of Independent German Federal and State Data Protection Supervisory Authorities passed a resolution regarding the evaluation of so-called pure subscription models on websites. Even though the resolution is not legally binding, it represents the expectations of the German supervisory authorities and should therefore be examined carefully.

✍🏻 Opinion: Data Globalisation is Alive

The march of data localisation as a geopolitical force has been relentless in recent years. Partly the result of a backlash against globalisation and partly an opportunity to advance economic protectionist policies, data localisation has been embraced by policy makers, regulators and activists in such a powerful way that even the most global companies have had to devise strategies to play the game. But the reality since before the days we realised the earth was not flat, is that the world is indeed global and the urge to communicate, explore and interact beyond artificial and natural boundaries is intrinsic to our nature.


SECURITY & TECH

Capita blames cyber-attack for outage as company races to restore IT systems

Capita, the outsourcing group that runs crucial operations for the NHS and the military, was still restoring online services for customers on Monday morning as it confirmed a cyber-attack was to blame for a major IT outage that hit clients including local councils on Friday.

🔗 RELATED: Failed IT systems at Capita fuel fears of cyber-attack on crucial NHS provider

✍🏻 OPINION: The RESTRICT Act Will Not Improve Privacy in America

Privacy advocates have been calling for the United States to adopt strong consumer privacy protection laws along the lines of the EU’s GDPR for a long time now, but the proposed Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act ain’t it, chief.

ICO: Generative AI: eight questions that developers and users need to ask

Data protection law still applies when the personal information that you’re processing comes from publicly accessible sources. If you’re developing or using generative AI that processes personal data you need to ask yourself a series of questions.

Varadkar: Data watchdog’s TikTok probe could lead to app being banned from government devices

Taoiseach tells Fine Gael MEP that government is very conscious of concerns around TikTok but is awaiting the results of an investigation by Ireland’s Data Protection Commission.

Google: Android Apps Must Let People Delete Their Accounts, Data

Google is now requiring Android app developers to implement controls that let an app's users delete their account and data either in the app or outside it, via the web. Developers must comply with the policy by May 31, 2024.


DATA BREACH

Uber suffers another data breach after law firm’s servers attacked

Uber has found itself in the middle of yet another data breach, the third time in six months. This time as a result of private driver data being stolen from a third-party law firm.


ENFORCEMENT

🔍 Analysis: GDPR Enforcement: The Use of Reprimands by the Irish Data Protection Commission

While administrative fines are the landmark corrective measure levied against organisations for serious data protection breaches, DPC decisions have shown that reprimands are a sanction frequently imposed on organisations, but which are not often discussed in detail.

UK DPA: UK privacy regulator fines TikTok £12.7m for children’s data violations

The Information Commissioner’s Office announced the fine after concluding an investigation into potential breaches by the company of the UK’s data protection regime. The inquiry found multiple infractions by the video-sharing platform, including some related to processing data belonging to children under the age of 13. An additional charge set out in the ICO’s prior notice of intent was dropped, however, reducing the original fine from £27 million to nearly £13 million.

🔗 RELATED: ICO Statement: ICO fines TikTok £12.7 million for misusing children’s data

Italian DPA: Unauthorised processing and disclosure of 4.3 million data from acquired data lists

The Italian Supervisory Authority has fined Problem Solving srl EUR 54,609 for unauthorised processing and disclosure of 4.3 million data from acquired data lists. [Notice is in Italian].

UK DPA: Reprimand issued for Achieving for Children

Due to communication failure and a lack of organisational measures, Achieving for Children (AfC) inappropriately disclosed personal data, special category data and criminal conviction data in a report.


GUIDANCE & OPINIONS

EDPB: Guidelines 9/2022 on personal data breach notification under GDPR

The European Data Protection Board has issued updated guidance on Personal Data Breach Notification under the GDPR. A significant clarification provided in this update is that where an organisation has an EU Representative in a Member State, the mere presence of the representative does not trigger the one-stop shop mechanism. It is therefore necessary that supervisory authorities in each Member State are notified where affected data subjects reside.

EDPB: Letter to the European Parliament, the Council, and the European Commission on data sharing for AML-CFT purposes in light of the Council’s mandate for negotiations

This letter highlights the significant risks to privacy and data protection posed by some amendments introduced by the Council, which would allow private entities, under certain conditions, to share personal data between each other for AML/CFT purposes concerning “suspicious transactions” and data collected in the course of performing customer due diligence obligations.

EDPS: Opinion on the Proposal for a Council Directive amending Directive 2011/16/EU on administrative cooperation in the field of taxation

EDPS Opinion on the Proposal for a Council Directive amending Directive 2011/16/EU on administrative cooperation in the field of taxation.


RESOURCES

📕 ICO: ICO Sandbox publishes its exit report following work with ‘Good With’ – a startup aiming to give young adults fairer access to financial products and services

Good With, a fintech and edtech start-up, entered the Sandbox as part of its work to develop mobile applications which will help educate young adults on personal finance.

📗 Paper: The Limitations of Privacy Rights

In this Article, I contend that although rights are an important component of privacy regulation, rights are often asked to do far more work than they are capable of doing. Rights can only give individuals a small amount of power. Ultimately, rights are at most capable of being a supporting actor, a small component of a much larger architecture.

