Privacy Transformation - Issue 212
Curated privacy news, insights & resources, with a focus on Irish and EU developments.
PRIVACY
Public Services Card debacle shows the State is prepared to take liberties with citizens' data
The result of the latest investigation into the Public Services Card by the Data Protection Commission was made public on Tuesday. While it landed with less fanfare than the DPC’s initial high-profile investigation of the card in August 2019 — mostly given the investigation was instigated by a private citizen — its results mean the State is now two for two in terms of PSC investigations. In other words, it has comprehensively lost them both.
Microsoft expects Ireland's Data Protection Commission to fine LinkedIn €425m
Software giant Microsoft said on Thursday that it expected to take a charge of about $425m (€394m) in the current quarter for a potential fine from the Irish regulator over alleged privacy violations at its unit LinkedIn.
UK Gov: UK and US reach commitment in principle over ‘data bridge’
The UK and US have reached a commitment to establish the UK Extension to the Data Privacy Framework, that will create a ‘data bridge’ between the 2 countries.
✍🏻 Facial recognition technology row is Hamlet without the biometric prints
Last week was marked by a change of personnel within Government as Minister for Justice Helen McEntee returned to her department after the birth of her son. Her first comments to the media mirrored those of the outgoing statement of the Minister with responsibility for her portfolio, Simon Harris. She expressed frustration at continuing delays in introducing facial recognition technology (FRT) to Irish policing. “This is not for racial profiling. This is not about mass surveillance,” she said.
SECURITY & TECH
AI Act’s plenary vote cast with uncertainty as political deal crumbles
The agreement among the leading groups in the European Parliament on the AI regulation is dead, opening the door for amendments from both sides of the aisle.
Amazon's Ring cameras were used to spy on customers
Every single Amazon Ring employee was able to access every single customer video, even when it wasn't necessary for their jobs. Not only that, but the employees—along with workers from a third-party contractor in Ukraine—could also download any of those videos and then save and share them as they liked, before July 2017.
Meta to let users refuse its cross-site tracking following German antitrust intervention
Meta has been dragged kicking and screaming into another notable privacy concession in Europe: The German Federal Cartel Office has announced a new account center incoming which will see the tech giant provide users of its social networking services with a greater degree of choice over whether they allow it to combine data on their activity across its services or not.
DATA BREACH
MOVEit hack: BBC, BA and Boots among cyber attack victims
The BBC, British Airways, Boots and Aer Lingus are among a growing number of organisations affected by a mass hack. Staff have been warned personal data including national insurance numbers and in some cases bank details may have been stolen. The cyber criminals broke into a prominent piece of software to gain access to multiple companies in one go.
🔗 RELATED:
- BBC, BA and Boots issued with ultimatum by cyber gang Clop
- Mass exploitation of critical MOVEit flaw is ransacking orgs big and small
- Around 5,000 Aer Lingus employees affected by cyber attack
ENFORCEMENT
UK SA: ICO reprimands Thames Valley Police for releasing witness details to suspected criminals
The UK Information Commissioner’s Office has issued a reprimand to Thames Valley Police after details were released which led to suspected criminals learning the address of a witness. The witness therefore moved house and the impact and risk to them remains high.
GUIDANCE & OPINIONS
EDPB: Guidelines on the calculation of administrative fines following public consultation adopted
The EDPB has adopted a final version of the Guidelines on the calculation of administrative fines following public consultation. These guidelines aim to harmonise the methodology data protection authorities (DPAs) use to calculate fines and include harmonised ‘starting points’. Hereby, three elements are considered: the categorisation of infringements by nature, the seriousness of the infringement and the turnover of a business.
RESOURCES
📖 Book Recommendation: Transatlantic Jurisdictional Conflicts in Data Protection Law
A timely publication and a welcome contribution to an important topic, this book looks at transatlantic jurisdictional conflicts in data protection law and how the fundamental right to data protection conditions the EU's exercise of extraterritorial jurisdiction. The EU promotes personal data protection as a fundamental right and its data protection laws have had strong effects beyond its territory. In contrast, similar US information privacy laws are rooted in the marketplace and carry less normative heft. This has provoked clashes with the EU when their values, interests and laws conflict. This research uses three case studies to suggest ways to mitigate transatlantic jurisdictional tensions over data protection and security, the free flow of information and trade.
▶ Video Report: Your face is ours — The dangers of facial recognition software
Clearview AI is redefining our privacy. The New York-based tech company is working to identify and compile the faces of every human being on the planet. Clearview AI claims that the database will serve as a force for good, helping to solve crimes and prevent espionage. But the risks it carries are immense. France 24’s Jessica Le Masurier and Romeo Langlois have this special report.
📚 ENISA Publications:
- Artificial Intelligence and Cybersecurity Research
- Cybersecurity and Privacy in AI - Medical Imaging Diagnosis
- Multilayer Framework for Good Cybersecurity Practices for AI
📗 REPORT: Data privacy and the UK Information Commissioner’s Office during a crisis: Lessons learned from the Covid-19 pandemic
A new report exposes failures by the Information Commissioner’s Office (ICO) in protecting the public’s privacy and data rights during the Covid-19 pandemic.
🔗 RELATED:
- ORG report finds that ICO failed to hold the government to account over use of public health data during pandemic
- ICO: Statement in response to the Open Rights Group’s report
CONTRIBUTE
Have an interesting article, book, video, podcast or other resource that you would like to share with your fellow privacy practitioners? Please do drop me a note!