newsletter

Privacy Transformation - Issue 208

Curated privacy news, insights & resources, with a focus on Irish and EU developments.

‌ ‌

PRIVACY

Irish Government will not say if spyware is used to monitor Irish citizens

The Government has declined to confirm whether or not State agencies routinely use spyware to monitor Irish citizens, following an inquiry from the European Commission.

Sending personal data, receiving non-personal data: Recent EU judgment reinforces the power of pseudonymization

A new EU General Court ruling has nuanced the threshold between pseudonymous and anonymous data. In particular, it clarifies that supervisory authorities need to carry out a “test” to assess whether data can be deemed personal data or not, opening the possibility of pseudonymized data not being deemed personal data.

The European Union’s top court has handed down a couple of notable rulings today in the arena of data protection. One (Case C-300/21) deals with compensation for breaches of the bloc’s General Data Protection Regulation (GDPR); and the second (Case C-487/21) clarifies the nature of information that individuals exercising GDPR rights to obtain a copy of data held on them should expect to receive.

Members of the U.K. Parliament considering modifications to national privacy law heard assurances Wednesday that the European Union will go along with them.

EU Council’s legal opinion gives slap to anti-child sex abuse law

The legal service of the EU Council of Ministers slammed the EU proposal to fight child sexual abuse material (CSAM), criticising, in particular, the ambiguity of detection orders and their possible impact on privacy rights.

Facial Recognition Technology on garda body cameras could open door to 'mass surveillance', expert warns

The proposed use of facial recognition technology (FRT) on garda body cameras should not be rushed through without a lengthy consultation process, according to a digital policy professor.

PAC to seek clarity on biometric data on public services cards

The Public Accounts Committee (PAC) is to request “clarification” from the head of the Department of Social Protection regarding contrasting answers on the biometric nature of the Public Services Card (PSC).

🔎 Google promised to delete sensitive data. It logged my abortion clinic visit

Our investigation finds Google still retains location data about users who visit clinics, hospitals and other ‘particularly personal’ locations, despite Google’s commitment to delete it.

Leading EU CEOs warn Brussels data law could hurt competitiveness, cybersecurity

The CEOs of several leading European companies have urged the Commission to pull the brake on plans to regulate the use and access of data generated in the bloc arguing they could cause lasting damage to the bloc's competitiveness and cybersecurity.

France mulls new ‘frontline’ digital bill going beyond EU rules

A new legislative initiative is being discussed in Paris that would implement landmark EU legislation but also introduce new proposals on digital fraud, online harassment, child protection, media bans, and cloud switching.

SECURITY & TECH

Ex-Uber security chief sentenced over covering up hack

Uber's former chief security officer has avoided jail and been sentenced to three years' probation for covering up a cyber-attack from authorities.

EU parliament vote on spyware gets politicised, implementation challenges loom

A European Parliament special committee (PEGA) dealing with the use of Pegasus and equivalent surveillance spyware has concluded that the EU should develop a strong regulation framework and hold those responsible for their illegal actions.

FTC moves to prohibit Meta from profiting on children’s data

The US regulator claims Meta has failed to comply with a previous privacy order and plans to issue stricter restrictions on the company as a result.

WhatsApp could disappear from UK over privacy concerns, ministers told

The UK government risks sleepwalking into a confrontation with WhatsApp that could lead to the messaging app disappearing from Britain, ministers have been warned, with options for an amicable resolution fast running out.‌

Samsung Bans Staff’s AI Use After Spotting ChatGPT Data Leak

Samsung Electronics Co. is banning employee use of popular generative AI tools like ChatGPT after discovering staff uploaded sensitive code to the platform, dealing a setback to the spread of such technology in the workplace.

AI Act moves ahead in EU Parliament with key committee vote

The European Parliament’s leading parliamentary committees have green-lighted the AI Act, paving the way for plenary adoption in mid-June. The AI Act is a flagship legislation to regulate Artificial Intelligence based on its potential to cause harm.

Apple and Google lead initiative for an industry specification to address unwanted tracking

Location-tracking devices help users find personal items like their keys, purse, luggage, and more through crowdsourced finding networks. However, they can also be misused for unwanted tracking of individuals.

DATA BREACH

NextGen Healthcare says hackers accessed personal data of more than 1 million patients

NextGen Healthcare, a U.S.-based provider of electronic health record software, admitted that hackers breached its systems and stole the personal data of more than 1 million patients.

Security researcher finds trove of Capita data exposed online

London-based outsourcing giant Capita left a trove of data exposed online for seven years, TechCrunch has learned, just weeks after the company admitted to a data breach potentially impacting customer data.‌

Western Digital says hackers stole customer data in March cyberattack

Western Digital has taken its store offline and sent customers data breach notifications after confirming that hackers stole sensitive personal information in a March cyberattack.

Food distribution giant Sysco warns of data breach after cyberattack

Sysco, a leading global food distribution company, has confirmed that its network was breached earlier this year by attackers who stole sensitive information, including business, customer, and employee data.

ENFORCEMENT

Following a complaint over the use of facial recognition tech at MWC 2021, the Spanish data protection agency has upheld a finding against show organiser Global System for Mobile Communications Association.

Facial recognition: the CNIL imposes a penalty payment on CLEARVIEW AI

On 13 April 2023, the CNIL decided to impose an overdue penalty payment on CLEARVIEW AI. The company must pay 5,200,000 euros for not having complied with the order issued as part of the sanction decision of October 2022.‌ ‌

RESOURCES

Andrea Jelinek has been the first Chair of the European Data Protection Board since the EU’s General Data Protection Regulation came to life. We discussed with her the first five years of GDPR enforcement, the progress that still needs to be done in terms harmonisation and the data protection challenge posed by disruptive Artificial Intelligence like ChatGPT.

An in-depth discussion on the challenges regulators face in conducting large-scale cross-border investigations under the GDPR. This CEDPO - Confederation of European Data Protection Organisations webinar will be co-hosted with member organisation Association of Data Protection Officers, Ireland.

Date: 23 May, from 4:00-5:30PM CET.

📘 REPORT: OECD: Moving forward on data free flow with trust

This report uses business consultations to investigate private-sector views on privacy and data protection rules for cross-border data flows. It aims to inform a more comprehensive understanding of challenges and ways forward for the policy agenda of ‘data free flow with trust’. [Read Report]

CONTRIBUTE‌‌

Have an interesting article, book, video, podcast or other resource that you would like to share with your fellow privacy practitioners? Please do drop me a note!

Privacy Transformation - Issue 262

Privacy Transformation - Issue 261

Privacy Transformation - Issue 259