Privacy In Focus | July

July 31, 2024

by Olena Nechyporuk

We bring you a roundup of articles and updates in the data sphere.

Wednesday, 31st July 2024

Texas Secures a 1.4 Billion Dollar Settlement With Meta

Meta has agreed to pay $1.4 billion to Texas on the 30th of July 2024, after being accused of harvesting millions of citizens’ biometric data without proper consent.

Meta launched a feature in 2011 called “tag suggestions” that recommended to users who to tag in photos and videos by scanning the face of those pictured. This feature was turned on by default and ran facial recognition on users’ photos, automatically capturing data protected by a 2009 privacy law.

In 2021, a year before the lawsuit from Texas was filed, Meta announced it was shuttering its facial recognition system, including the tag suggestions feature. It wiped the biometric data of 1 billion users.

“We are pleased to resolve this matter, and look forward to exploring future opportunities to deepen our business investments in Texas, including potentially developing data centers,” a Meta spokesperson said.

Read More

---

Electoral Commission Reprimanded for Lax Security, Leading to Hacker Exploitation

The ICO has issued a reprimand to the Electoral Commission for having lax security measures: their servers were not kept up to date with the latest security updates and many accounts were using passwords identical or similar to the ones originally allocated to users.

This led to hackers gaining access to servers that contained the personal information of approximately 40 million people. They had access to all the personal information held on the Electoral Register, including names and home addresses. The servers were accessed on several occasions without the Electoral Commission’s knowledge.

The ICO has issued a reprimand, which can be read here

---

Friday, 26th July 2024

EU Commission Publishes GDPR Report

The European Commission published its second report on the application of the General Data Protection Regulation (GDPR). This follows on from the first report, which was published on 24 June 2020.

This second report found some enforcement issues with the GDPR and called for clearer guidelines to strengthen data protection across member states. The report further said that Data Protection Authorities (DPAs), responsible for enforcing data protection laws across member states, have varying interpretations of the GDPR around certain issues, for instance, the legal basis for processing personal data in clinical trials. Stakeholders would also like to see more guidelines on anonymisation, pseudonymisation, legitimate interest, and scientific research.

Read more

---

Oracle Agrees to Pay Out $115 Million to Avoid Trial  

Oracle, the third-largest tech company in the world, headquartered in Texas, has been collecting data on people and selling it to third parties since August 19, 2028.

In the words of Jason Barnes, a partner at the Simmons Hanly Conroy law firm, "Oracle was building detailed dossiers about consumers with whom it had no first-party relationship… no American has actually consented to having their personal information surveilled everywhere they go by a company they’ve never heard of, packaged into a commoditized dossier, and then monetized and sold without their knowledge."

Oracle has thus far agreed to pay its customers a total of $115 million to settle accusations of violating users’ privacy contrary to the law in California and Florida. Oracle also agreed that it will cease operation of its AddThis tracking mechanism and that its ad tech products will no longer exist as of September 30, 2024.

Read More

---

Google Announces It Won't Block Third-Party Cookies

In a process that has been going on for 4 years, Google announced in mid-July that it will not be removing third-party cookies from its Chrome browser. After years of delay and massive pushback from advertisers, the tech giant caved in and decided that "instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they’d be able to adjust that choice at any time."

Read More

---

Essex School Reprimanded for Using Facial Recognition

The Chelmer Valley High School, in Chelmsford, Essex, was issued a reprimand by the ICO. It first started using facial recognition technology in March 2023 to take cashless lunch order payments from students. Processing of biometric data to identify people has high data protection risks. To use it legally and responsibly, organisations are legally required to have a data protection impact assessment (DPIA) in place. Chelmer Valley High School failed to carry out a DPIA before starting to use the facial recognition system.

The school had also failed to properly obtain clear permission to process the students’ biometric information.

Read more

---

Nigeria Fines Meta $220 Million

Nigeria's Federal Competition and Consumer Protection Commission (FCCPC) has accused Meta of abusing market dominance, sharing Nigerians' personal data without authorization and denying Nigerians the right to determine how their data is used.

It launched a 38-month investigation in May 2021, and has announced a fine of $202 million for the company for violating data protection rights.

Read more

---

Children's Charity Criticises Apple for Child Safety Concerns

The UK's leading children’s charity, the NSPCC, has criticised Apple over concerns about child safety. They claim that Apple is failing to effectively monitor its platforms and scan and report images and videos that deal with the sexual abuse of children.

In late 2022, due to privacy concerns from digital rights groups, Apple abandoned plans to roll out an iCloud photo-scanning tool, neuralMatch, that would have scanned images before they were uploaded to the iCloud by comparing them against a database of known child abuse imagery.

Child rights activists are claiming that with the rising use of AI, AI-generated images of children are posing a big risk and may further encourage predators.

Read more

---

Friday, 19th July 2024

EDPB to Change DPAs into MSAs

On 16th July 2024, the EDPB released a statement establishing that, since Data Protection Authorities (DPAs) already have experience dealing with the impact of AI on human rights, in particular the right to protection of personal data, they should be designated as Market Surveillance Authorities (MSAs). According to the AI Act, Member States shall appoint MSAs at national level before 2 August 2025, for the purpose of supervising the application and implementation of the AI Act.

This would ensure better coordination among different regulatory authorities, enhance legal certainty for all stakeholders and strengthen the supervision and enforcement of both the AI Act and EU data protection law.

Read more

---

ICO Reprimands London Borough of Hackney

The London Borough of Hackney was issued a reprimand from the ICO following a cyber-attack in 2020 which affected at least 280,000 residents. The hackers attacked the local government's systems - accessing, encrypting, and in some instances exfiltrating records containing personal data. The records revealed racial or ethnic origin, religious beliefs, sexual orientation, health data, economic data, criminal offence data, and other data. The hackers encrypted the data and then deleted 10% of the council’s backup before the council managed to intervene.

In the investigation of the data breach, the ICO found a lack of proper security, which included the failure to change an insecure password on a dormant account still connected to Hackney council servers, which was exploited by the attackers.

Read more

---

CJEU Re-establishes TikTok as a Gatekeeper

On 5 September 2023, the Commission designated Bytedance Ltd (of which TikTok is a subsidiary) as a gatekeeper under the Digital Markets Act (DMA). In November 2023, Bytedance applied for an annulment of that decision. The Court, at Bytedance's request, decided to look into that decision. As of today, 17th July 2024, the judgment is that Bytedance is indeed a gatekeeper under the DMA, based on the fact that Bytedance met the quantitative thresholds laid down in the DMA regarding its global market value and the number of TikTok users within the European Union.

Read more

---

Netherlands Fines Drugstore Over Cookies

The Dutch Data Protection Authority (AP) has imposed a fine of 600,000 euros on the company behind the drugstore Kruidvat. The company collected data from website visitors and was able to use this to create personal profiles of these people. This is very sensitive information due to the specific nature of drugstore products. Items such as pregnancy tests, contraceptives or medication for all kinds of ailments, when linked to location data (which can be traced via the IP address) of the unique visitor, can create a very specific and invasive profile of the person.

In the cookie banner on Kruidvat.nl, the boxes 'agree' to the placement of tracking software were checked by default, which is not permissible. Visitors who still wanted to refuse the cookies had to go through many steps to achieve this. The AP has found that personal data of website visitors to Kruidvat.nl had been processed unlawfully.

Read more

---

ICO Calls on Water Companies to Release Information

On the 15th of July, the ICO wrote to 12 water companies, calling on them to proactively disclose information relating to sewage discharges on a monthly basis. In May 2024, it issued six water companies - Anglian Water, Severn Trent Water, South West Water, Northumbrian Water, United Utilities and Yorkshire Water - with decision notices requiring them to disclose the start and stop time of sewage discharges. The ICO noted that information about ‘emissions’, which includes sewage discharges, as a special category of information, has no grounds to be omitted from public knowledge in most cases.

Read more

---

Friday, 12th July 2024

NOYB Releases Cookie Banner Report

NOYB is partially responsible for the fact that we have the option to 'reject' cookies, and that most of the non-necessary cookies are unticked by default. The European Data Protection Board established a "cookie banner taskforce" in September 2021 largely due to cookie banner complaints from NOYB. On July 11, 2024 NOYB released a report providing a comparison of EDPB recommendations with national DPA positions.

Read the report here

---

Guidance on AI and GDPR Within the UK From the ICO

The EU AI Act is published in the EU Official Journal today, enabling lots of businesses to re-examine how they approach AI and personal data. What about the UK? While the UK has no legislation that would regulate AI completely as of yet, there are certain standards to uphold. The ICO has published a guide on how to use AI and personal data appropriately and lawfully. It covers such basics as:

- AI-made decisions

- Collecting data for developing AI systems

- Addressing AI bias

- How to carry out DPIAs with AI

- Data minimisation

Read more

---

EU AI Act Becomes Officially Published

Today, the 12th of July 2024, the long-awaited EU AI Act, which was passed as law in March 2024, is published in the EU Official Journal. This means that it becomes binding law 20 days later. This is a happy day for many privacy advocates and AI experts, as the EU is leading the first ever comprehensive law to regulate AI and ensure it is as safe as possible in use. As it becomes enforced, we are certain many countries will look to the EU to gauge how to create and apply AI regulation in their own territories.

Read more

---

Ticketmaster Warns Customers 2 Months After Hack

Ticketmaster was hacked in May 2024, and has only now issued emails to their Canadian customers to "be vigilant and take steps to protect against identity theft and fraud." The personal details of 560 million Ticketmaster customers were stolen in the hack, which included encrypted credit card details.

During the investigation, it was revealed that the hackers had taken data from Ticketmaster by stealing login details from Snowflake, the company it uses for its cloud storage account. Over 160 other Snowflake clients have been targeted in the same way. Banking group Santander was one of those affected - 30 million of its customers in Chile, Spain and Uruguay were hacked.

Ticketmaster is urging customers to monitor their online accounts, including bank account statements, for any suspicious activity, and is encouraging customers to sign up for identity monitoring services. “Identity monitoring will look out for your personal data on the dark web and provide you with alerts for 1 year from the date of enrolment if your personally identifiable information is found online,” the company said.

Read more

Read our initial story about the Ticketmaster hack here

---

Do You Read Your Apps' Privacy Notices? You Should!

The amount of data that phone apps collect about your screen time, usage habits, location, tracking and a whole host of personal information can be astounding. We encourage people to read the privacy notifications that appear when they download new apps, to be aware of what information they will be sharing. The area where such personal information is most sensitive is in period and fertility apps. When downloading those, ask yourself:

- Is the privacy notice clearly written and easy to understand?

- Will they delete your data when you don’t want to use the app anymore?

- What measures do they have in place to prevent hackers from accessing your personal information?

- Who are they sharing your information with?

- Are you happy with where your personal information could end up?

The ICO has released a set of how-to videos to help people navigate app privacy notices.

---

Protect Your Neurodata: Have Your Say

The recent boom of neurotechnology's ability to record and intervene on neural brain activity promises scientific and clinical advantages, and raises important ethical, legal and societal risks. Information about a person's nervous system activity may allow for inferences about their motor activities, perceptions, and cognitive and affective processes - all of which constitute highly sensitive data.

A recent NeuroRights Foundation study examined privacy practices in the consumer neurotechnology market. Companies demonstrated significant gaps in compliance across the areas of data collection and storage, data sharing, user rights, and data safety and security. In light of this, UNESCO has launched a Global Consultation on the first draft of the Recommendation on the Ethics of Neurotechnology. Anyone can share their concerns and views.

The deadline for submitting your opinion is the 12th of July 2024. Privacy and data protection matters - share your view!

Read More

---

Thursday, 4th July 2024

Brazil Blocks Meta Users' Data from AI Training

On the 2nd of July, Brazil's national data protection agency (ANPD) said it would immediately suspend Meta's latest privacy policy, which allows it to train generative AI models such as chatbots based on posts from its users. If Meta fails to comply it will face a daily fine of R$50,000 (£6,935).

"This is a step backwards for innovation, competition in AI development and further delays bringing the benefits of AI to people in Brazil," a Meta spokesperson said. Brazil has 102 million Facebook users and more than 113 million Instagram users, so that is a significant drop in trainable data for the company.

Read more

---

Spain to Introduce Porn-Passports

The Spanish government is launching an initiative to prevent under-18s from watching porn. In the beginning of July 2024, Madrid unveiled an app that would verify the age of someone who would like to access porn websites. Once verified, they'll receive 30 generated “porn credits” with a one-month validity granting them access to adult content.

The app is called the Digital Wallet Beta (Cartera Digital Beta) and will be available by the end of summer. Eventually, Madrid's porn passport is likely to be replaced by the EU’s very own digital identity system (eIDAS2), a so-called wallet app allowing people to access a whole range of public and private services.

Read more

---

The Future of Advertising: CNIL Weighs In

According to a recent Arcom study, "digital advertising will represent 65% of the advertising market by 2030." Chrome announced recently it will limit third-party cookies, and the rise of 'consent-or-pay' systems also puts potential consumers behind a protective paywall.

What should digital advertising look like in the future, and how should it be done correctly so as not to put data protection at risk? CNIL talks with two experts to hear their opinions.

Read more

---

Vinted Fined 2 Million Euros

The Lithuanian DPA issued an administrative fine to Vinted of 2,385,276 Euros for violation of the GDPR. This follows a 2021-22 investigation in which Vinted users complained about being denied Subject Access Requests by the company and about it having no clear data storage retention periods.

When considering the amount of the fine, the cross-border data flows and high number of complaints were taken into consideration.

Read more

---

Boarding Passes: The Privacy Threat

Oftentimes after travel, printed boarding passes and luggage tags get carelessly disposed of in airport bins or hotel rooms, or are simply left in the seat pocket on the airplane. Ms Forte describes her discovery of how easy it is to scan the barcode or QR code on a boarding pass and get access to a whole host of intimate personal details. Such software is freely available on the App Store.

This makes it incredibly easy to steal data via phishing emails by posing as an airline worker, for example. Use these principles when flying, especially when flying to a country you are new to:

- Don’t post pictures of your boarding pass or luggage tags online.

- Try to avoid identifying which airline you are flying with in any social media posts. If someone does not know which airline you were using it would take a lot longer and a lot more effort to go through trying each airline’s website flying that route to find the one you were using.

- Destroy your boarding pass and luggage tags securely. Use a cross cut shredder ideally. Keep them in your possession until you return home and you can dispose of them securely.

- Only give the airline the information it marks as essential when booking your flight. If it is not marked as a compulsory field then leave it blank. Reduce the amount of personal information they hold on you in the first place.

Read more

---

Understanding the Harm From Ransomware Attacks: A Victim Perspective

A paper published by The Royal United Services Institute (RUSI) - the world’s oldest and the UK’s leading defence and security think tank - aims to understand the wide range of harm caused by ransomware attacks to individuals, organisations and society at large.

The paper analyses the average victim experience, examining the timing of the incidents, the level of preparation of security measures, human factors such as pre-existing workplace dynamics, engagement with third-party service providers and what manner of communication campaigns were used after the ransomware attacks.

"Understanding how ransomware attacks are personally felt by victims and what factors aggravate or alleviate the harm they experience is key for policymakers seeking to implement measures to minimise harm as much as possible."

Read more

---

CNIL Publishes Second Set of How-To Sheets on AI

On June 2nd, 2024 CNIL published a second set of how-to sheets to show how the General Data Protection Regulation (GDPR) enables the promotion of innovative and responsible AI. This follows on from a first set of recommendations recently published after a public consultation.

The topics covered include:

- Legitimate interest is the most common legal basis for the development of AI systems

- Web scraping practices can be implemented but must be particularly supervised

- Open source dissemination is a positive practice in many respects and for data protection in particular

- The information and exercise of people’s rights must be at the heart of stakeholders’ thinking

Read more

---

Meta Guilty of Breaching the DMA

The European Commission announced on the 1st of July that it has informed Meta of its preliminary findings that its “pay or consent” advertising model fails to comply with the Digital Markets Act (DMA). The issue of the 'pay-or-okay' model is the main question in dispute.

As per Article 5(2) of the DMA, Meta:

- Does not allow users to opt for a service that uses less of their personal data but is otherwise equivalent to the “personalised ads” based service.

- Does not allow users to exercise their right to freely consent to the combination of their personal data.

Meta now has to reply in writing to the Commission's preliminary findings.

Read more