Privacy Transformation - Issue 209

Curated privacy news, insights & resources, with a focus on Irish and EU developments.


PRIVACY

Irish Data Protection Commission to order Meta to stop data transfers to US as firm faces EU fine

Facebook owner Meta Platforms Inc. is set to be handed a record European Union privacy fine for failing to heed a top court warning aimed at protecting users’ data from the prying eyes of US security services once it’s shipped to servers across the Atlantic.

🔗 RELATED: Meta to face EU-record fine from Data Protection Commissioner over Facebook data transfer to US

Three-quarters of Irish data watchdog’s data privacy decisions since 2018 overruled – report

Three-quarters of decisions by Ireland’s Data Protection Commissioner in EU cases have been overruled by its European counterparts in favour of tougher enforcement, a new report has found. [Read ICCL Report]

Brexit: Government suffers defeats over Retained EU Law Bill

The UK government has suffered defeats in the House of Lords over plans to scrap certain EU laws by the end of the year. Peers backed an amendment which would give Parliament greater scrutiny over which rules should be ditched.

Artificial intelligence: the action plan of the CNIL

In the face of recent news on artificial intelligence, and in particular so-called generative AIs such as ChatGPT, the CNIL publishes an action plan for the deployment of AI systems that respect the privacy of individuals.

🔗 RELATED: France’s privacy watchdog eyes protection against data scraping in AI action plan

LIBE Committee to hold exchanges with DPC and ICO

On Tuesday, 23 May 2023, the Committee on Civil Liberties, Justice and Home Affairs will hold two exchanges of views dedicated to protection of personal data:

  • Helen Dixon, Data Protection Commissioner for Ireland, concerning TikTok and its compliance with EU law;
  • John Edwards, UK Information Commissioner, concerning the UK data protection reform;

SECURITY & TECH

OpenAI CEO calls for laws to mitigate ‘risks of increasingly powerful’ AI

The CEO of OpenAI, the company responsible for creating artificial intelligence chatbot ChatGPT and image generator Dall-E 2, said “regulation of AI is essential” as he testified in his first appearance in front of the US Congress.

UK NCSC: Why more transparency around cyber attacks is a good thing for everyone

Eleanor Fairford, Deputy Director of Incident Management at the NCSC, and Mihaela Jembei, Director of Regulatory Cyber at the Information Commissioner’s Office (ICO), reflect on why it’s so concerning when cyber attacks go unreported – and look at some of the misconceptions about how organisations respond to them.

EU draft legislation will ban AI for mass biometric surveillance and predictive policing

The EU has taken a step closer to enforcing strong regulation of AI, drafting new safeguards that would prohibit a wide range of dangerous use cases.

Your Ad Data Is Now Powering Government Surveillance

A product called Echo, made by the Israel-based Rayzone Group, is using information intended for marketers to help authorities track people through their mobile phones.

Majority of EU countries support scanning of audio communications

A majority of the EU Council of Ministers seem to favour expanding the scanning of private messages to audio communications to detect child sexual abuse material.


DATA BREACH

Capita breach fallout widens as customers learn of data theft

The fallout from Capita’s cyber incident continues as customers say the British outsourcing giant has told them to assume that data was stolen by hackers.

🔗 RELATED: Capita warns customers they should assume data was stolen

Toyota: Car location data of 2 million customers exposed for ten years

Toyota Motor Corporation disclosed a data breach on its cloud environment that exposed the car-location information of 2,150,000 customers for ten years, between November 6, 2013, and April 17, 2023.


ENFORCEMENT

French SA: Health data and use of cookies - DOCTISSIMO fined

A fine of EUR 280,000 has been imposed on DOCTISSIMO for GDPR infringements. During its investigations, the CNIL noted several infringements, in particular concerning the duration of data retention, the collection of health data via online tests, the security of data as well as the ways cookies were deposited on the terminal of users.

Croatian SA: Administrative fine imposed on debt collection agency B2 Kapital

The Croatian Supervisory Authority (SA) received an anonymous complaint in which it was stated that there was unauthorized processing of a large number of personal data of debtors by the Debt Collection Agency. Upon investigating, a fine of EUR 2,265,000 was imposed for violations of Article 32 (Security of processing), Article 13 (Information to be provided where personal data are collected from the data subject) and Article 28 (Processor).

Austrian SA: Clearview AI Infringements of Articles 5, 6, 9, 27 GDPR

Clearview AI was ordered to erase the complainant’s personal data and to designate a representative within the European Union. The DSB found that Clearview AI had infringed the following provisions of the GDPR:

  • Article 5(1)(a): The processing of the complainant's personal data lacked lawfulness, fairness and transparency.
  • Article 5(1)(b): The processing carried out by Clearview AI serves a completely different purpose from the original publication of the complainant's personal data (especially photographs).
  • Article 5(1)(c): The permanent storage of personal data also constitutes a breach of the data minimisation principle.
  • Article 9(1): The scanning of the complainant's face, the extraction of his uniquely identifying facial features and the translation of these features into vectors constitutes processing of special categories of personal data. An exception to the processing prohibition pursuant to Article 9(2) does not apply in this case, which is why the processing was carried out in violation of Article 9(1) GDPR.

UK SA: ICO fines two businesses £180,000 for making unlawful marketing calls

The Information Commissioner’s Office (ICO) has issued fines totalling £180,000 to two companies that made more than 480,000 unlawful marketing calls to businesses signed up to the UK’s “Do not call” register.


GUIDANCE & OPINIONS

📗 EDPB: Final version of Guidelines on facial recognition technology in the area of law enforcement adopted

Following public consultation, the EDPB has adopted a final version of its Guidelines on facial recognition technology in the area of law enforcement. The guidelines provide guidance to EU and national lawmakers, as well as to law enforcement authorities, on implementing and using facial recognition technology systems. [Read Guidelines]


RESOURCES

📘 REPORT: 5 years: GDPR's crisis point

Irish Council for Civil Liberties 2023 report on EEA data protection authorities. [Read Report]


CONTRIBUTE
Have an interesting article, book, video, podcast or other resource that you would like to share with your fellow privacy practitioners? Please do drop me a note!