Privacy Transformation - Issue 205
Curated privacy news, insights & resources, with a focus on Irish and EU developments.
PRIVACY
Time is right for converstiton about AI regulation, says outgoing Data Protection Commissioner
The Irish Data Protection Commissioner has said Artificial Intelligence (AI) is an area that needs regulation and now is the right time for a conversation on the issue.
Facebook US data transfer decision due in May – DPC
A decision over whether to ban Facebook data transfers to the US is due by mid-May, Ireland’s Data Protection Commissioner (DPC) has confirmed.
Facial recognition technology for garda use should not be delayed, says Simon Harris
Minister for Justice Simon Harris has said he does not want to see “any delay” to plans to introduce contentious facial recognition technology by the gardaí. The Green Party has said it has concerns about the plan being pursued by Mr Harris, which would see a piece of legislation currently working its way through the Oireachtas amended to enable the use of the technology.
🔗 RELATED:
- ✍🏻 Opinion: Why we should be alarmed at Garda plans for facial recognition technology
- Facial-recognition technology will turn gardaí into roaming surveillance units
- Harris doubles down on plans to fast-track facial recognition technology
UK data reform bill revived after lengthy legislative delay
On Monday (17 April), the Data Protection and Digital Information Bill, which will introduce an array of changes to the UK version of the EU General Data Protection Regulation (GDPR) put in place by the UK in 2018, reached its second reading in the House of Commons, the stage before it proceeds to scrutiny by a Parliamentary committee.
Federal court backs Facebook in fight with Canada’s privacy commissioner
The federal privacy commissioner’s attempt to have Facebook take responsibility for the Cambridge Analytical scandal under Canadian privacy law has been rejected by a judge. In a decision, Justice Michael Manson of the Federal Court dismissed the commissioner’s attempt to enforce its 2019 finding that Facebook violated the Personal Information Protection and Electronic Documents Act (PIPEDA) by having inadequate data privacy safeguards over how third-party apps played with the data of Facebook users.
EDPB: EDPB resolves dispute on transfers by Meta and creates task force on Chat GPT
The EDPB adopted a dispute resolution decision on the basis of Art. 65 GDPR concerning a draft decision of the IE DPA on the legality of data transfers to the United States by Meta Platforms Ireland Limited (Meta IE) for its Facebook service. The binding decision addresses important legal questions arising from the draft decision of the Irish DPA as lead supervisory authority (LSA) regarding Meta IE. The EDPB binding decision plays a key role in ensuring the correct and consistent application of the GDPR by the national Data Protection Authorities.
Ireland to ‘lead on enforcing’ EU laws on policing illegal content online
Ireland’s new media commission will have a lead role in enforcing sweeping new European laws aimed at ordering the world’s largest internet companies to police content on their platforms, an Oireachtas committee has heard.
SECURITY & TECH
EU launches research centre on algorithmic transparency
The new European centre will focus on decoding algorithmic black boxes, becoming an international hub for research in the field in order to support the application of EU digital rules.
🔗 RELATED: Press Release: Commission launches European Centre for Algorithmic Transparency
EU Commission proposes regulation to tackle cyber threats and incidents
The EU Commission has adopted a proposal for the EU Cyber Solidarity Act to strengthen cybersecurity capacities in the EU. It will support detection and awareness of cybersecurity threats and incidents, bolster preparedness of critical entities, as well as reinforce solidarity, concerted crisis management and response capabilities across Member States.
✍🏻 OPINION: AI Lies, Privacy, & OpenAI
What should we do if LLMs aren’t compatible with privacy legislation? This article examines the privacy concerns associated with the rapid advancements of OpenAI's technology.
🔗 RELATED: OpenAI is not currently training GPT-5
WhatsApp and other messaging apps oppose 'surveillance'
WhatsApp, Signal and other messaging services have urged the government to rethink the Online Safety Bill. They are concerned that the bill could undermine end-to-end encryption - which means the message can only be read on the sender and the recipient's app and nowhere else.
Oblivious raises €5.35m for secure use of confidential data
Confidential computing start-up Oblivious has raised €5.35m in funding to change the way trust is brokered between the data scientist and data owners.
DATA BREACH
Hackers claim vast access to Western Digital systems
The hackers who breached data storage giant Western Digital claim to have stolen around 10 terabytes of data from the company, including reams of customer information. The extortionists are pushing the company to negotiate a ransom — of a “minimum 8 figures” — in exchange for not publishing the stolen data.
🔗 RELATED: Hackers reportedly holding Western Digital data hostage
Irish Charities for abuse victims may face sanctions over data breach
A number of charities that saw the personal data they held on abuse victims stolen in a ransomware attack could face sanction from the data regulator.
Capita admits customer data may have been breached during cyber-attack
Outsourcing group Capita, which runs crucial services for the NHS and military, has for the first time admitted that hackers accessed potential customer, staff and supplier data during a cyber-attack last month.
ENFORCEMENT
ICO fines online recruitment firm for sending 107 million spam emails targeting jobseekers
The Information Commissioner’s Office has fined Join The Triboo Limited £130,000 for bombarding people with spam emails. Join The Triboo Limited sent 107 million spam emails to 437,324 people between August 2019 and August 2020, meaning that each individual would have received on average 244 emails during that year.
ICO reprimands Surrey Police and Sussex Police for recording more than 200,000 phone calls without people’s knowledge
The Information Commissioner’s Office (ICO) has issued a reprimand to both Surrey Police and Sussex Police, following the rollout of an app that recorded phone conversations and unlawfully captured personal data.
GUIDANCE & OPINIONS
EDPB: Guidelines 01/2022 on data subject rights - Right of access
Following public consultation, the EDPB has adopted a final version of the Guidelines on data subject rights - Right of access. The Guidelines analyse the various aspects of the right of access and provide more precise guidance on how the right of access has to be implemented in different situations. Among others, the Guidelines provide clarifications on the scope of the right of access, the information the controller has to provide to the data subject, the format of the access request, the main modalities for providing access, and the notion of manifestly unfounded or excessive requests.
EDPB: Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority
The EDPB has published updated guidance concerning identifying a controller or processor's lead supervisory authority, specifically regarding the notion of main establishment in the context of joint controllership and taking into account the EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR.
Irish DPA:
Records of Processing (Article 30) Guidance
In 2022 the DPC conducted a sweep of the Records of Processing Activities of thirty organisations to identify common issues arising and possible shortcomings in respect of the drafting and maintenance of RoPAs. As a result of the findings of this examination and subsequent analysis, the DPC has drafted this guidance to assist organisations in complying with their Article 30 obligations.
My Child's Data Protection Rights
The DPC has produced four short guides for parents on children’s data protection rights under the GDPR. These guides are intended to help parents to understand their children’s rights and to answer questions that can arise in typical situations where those rights apply.
- My child’s data protection rights – the basics
- Children’s data and parental consent
- Protecting my child’s data
- Are there any limits on my child’s data protection rights?
EDPS: Opinion on the negotiating mandate to conclude an international agreement on the exchange of personal data between Europol and Ecuadorian law enforcement authorities
EDPS Opinion on the negotiating mandate to conclude an international agreement on the exchange of personal data between Europol and Ecuadorian law enforcement authorities
RESOURCES
📘 EDPB: 2022 EDPB Annual Report
The European Data Protection Board has published its 2022 Annual Activity Report. The report provides a summary of the work carried out by the EDPB in the last year, and includes the results of a guidance review carried out among stakeholders and, for the first time, a thematic digest with a selection of examples of final One-Stop-Shop decisions.
📕 EDPB: Report of the work undertaken by the supervisory authorities within the 101 Task Force
The positions presented in this document result from the coordination of the Supervisory Authorities taking part in the task force with a view to handling the “101 complaints” received from NOYB regarding the tools “Google Analytics” and “Facebook Business Tools” and reflect the common denominator agreed by the Supervisory Authorities in their interpretation of the applicable provisions of the GDPR.
CISA: Security-by-Design and -Default
CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, United Kingdom, Germany, Netherlands, and New Zealand (CERT NZ, NCSC-NZ) jointly developed Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default. This first-of-its-kind joint guidance urges manufacturers to take urgent steps necessary to ship products that are secure-by-design and -default. [Access Guide]
🎨 Infographic: Global data transfer contracts
This infographic shows the jurisdictions that have taken steps to standardize draft contractual clauses for transferring personal data internationally. There are at least 20 draft, template, or standardized contractual clauses or undertakings for international data transfers covering over 70 countries.
CONTRIBUTE
Have an interesting article, book, video, podcast or other resource that you would like to share with your fellow privacy practitioners? Please do drop me a note!