Privacy In Focus | May

May 31, 2024

by Olena Nechyporuk

We bring you a round-up of articles and updates in the data sphere.

Friday, 31st of May 2024

Spanish DPA Attempts to Block Meta Data Collection During Elections

The Spanish Data Protection Agency (AEPD) has ordered a precautionary measure against Meta in view of the upcoming European Parliament elections. It suspends in Spanish territory the launch of the Election Day Information (EDI) and Voter Information Unit (VIU) functionalities, and the collection and processing of data involved in their use.

Through these two functionalities Meta intends to process personal data such as, among others, user name, IP address, age and gender, and information on how the user interacts with those functionalities.

The AEPD considers that the data processing planned by Meta involves an action contrary to the GDPR that would breach the data protection principles of lawfulness, data minimization and storage limitation.

Read more

---

How Will My Data Be Used During Elections? ICO Weighs In

The ICO has published information on how people can expect their data to be used during the coming General Election. People should:

• Expect clear privacy information

• Expect to be told if a political party is using profiling techniques

• Expect clear information about social media advertising

• Expect to be told how information from a petition or survey will be used

• Expect political parties to follow the law when it comes to direct marketing

• Expect former, new and returning MPs to handle your data appropriately

• Expect to have to show Voter ID

Read more

---

Breaking: European Commission Unveils AI Office

The European Commission has unveiled its AI Office, which is responsible for the implementation of the AI Act, as well as for research and innovation into artificial intelligence.

The AI Office will employ more than 140 staff to carry out its tasks. The staff will include technology specialists, administrative assistants, lawyers, policy specialists, and economists. The AI Office will also collaborate with Member States and the wider expert community. At EU-level it will work closely with the European Artificial Intelligence Board composed of representatives of Member States.

The first meeting of the AI Board should take place by the end of June.

Read more

---

Irish DPA Issues Annual Report

The DPC issued its Annual Report for 2023, detailing 19 finalised decisions resulting in administrative fines totalling €1.55 billion, along with multiple reprimands and compliance orders. The most prominent of these are the May 2023 fine of €1.2 billion on Meta and the September 2023 decision against TikTok totalling €345 million.

Read the report

---

Should Parents Have the Right to Access their Child's Social Media?

Ellen Roone's son took his own life at 14 years old, and his mother is petitioning for access to his social media user data in order to understand what might have led to his unexpected death.

"… an hour and a half before he left our house – and there’s a video of him saying goodbye to his friend – he was fine. So what changed or what was going through his mind? And social media may give me the answers,” she says. Mrs Roone's petition has already gathered more than 100,000 signatures.

“In my case particularly, he’s not here any more, so what privacy rules are we protecting him from? It’s like we’re protecting social media giants. I just feel it’s entirely wrong.”

Read more

---

OpenAI to Set Up a New AI Safety Committee

As debates swirl around AI safety at the company, OpenAI says it is setting up a safety and security committee alongside a newly created AI model intended to supplant the GPT-4 system that underpins its ChatGPT chatbot. The committee will advise the board on “critical safety and security decisions” for its projects and operations.

Conversations around AI ethics and safety are ever-present, especially now that the Global AI Summit in Seoul has taken place. OpenAI was one of the companies that pledged to uphold AI safety and security guidelines on the eve of the summit, so let us see how this develops.

Read more

---

Another Government Agency Fined - This Time, It's Greece

On Monday, 27th of May, Greece's Data Protection Authority fined the Ministry of the Interior 400,000 euros for leaking the email addresses of thousands of expatriate voters in June 2023.

The investigation revealed that a document containing the contact information of more than 20,000 expatriates who voted in a 2023 national election had been forwarded to people working outside the ministry. The file contained, in addition to the details already held on the electoral rolls, the e-mail addresses and contact telephone numbers of voters abroad. The Authority imposed on the Ministry of the Interior, as controller, a fine totalling 400,000 euros for violations of Articles 5, 25, 30, 32 and 33 of the GDPR.

Read more

A similar case happened in the UK when the Home Office was fined for exposing the personal details of migrants. The case can be read here.

We wonder, what is it with government agencies that makes them so susceptible to data breaches?

---

Big Firms Pledge to New AI Safety Guidelines

The Global AI Summit in Seoul has been filled with conversations about a whole set of new AI guidelines, with top firms pledging to uphold new safety standards for "safe, innovative and inclusive AI."

Some of the big names who have signed the safety standards include:

• Amazon

• Google

• IBM

• Meta

• Microsoft

• OpenAI

• Samsung Electronics

Let's watch this space for further developments.

Read more

---

Facial Recognition Gone Wrong - Woman Wrongly Accused

Sara - who wished to remain anonymous - was wrongly accused of theft after being flagged by a facial-recognition system called Facewatch. She says after her bag was searched she was led out of the shop, and told she was banned from all stores using the technology.

Facewatch later wrote to Sara and acknowledged it had made an error. Its technology is used in numerous stores in the UK - including Budgens, Sports Direct and Costcutter - to identify shoplifters. 192 arrests have been made so far this year as a result of it. However, facial recognition AI still has a long way to go in order to avoid such mistakes, as the case of Sara clearly shows.

Read more

---

Friday, 24th May 2024

Is the UK Data Protection and Digital Information Bill Off?

Read more

---

Airport Facial Recognition: Individuals Should Have Maximum Control Over Biometric Data

The EDPB has issued an Opinion on the use of facial recognition systems in airports across the EU.

Currently, there is no uniform legal requirement in the EU for airport operators and airline companies to verify that the name on the passenger’s boarding pass matches the name on their identity document, and this is subject to national laws. Therefore, "where no verification of the passengers’ identity with an official identity document is required, no such verification with the use of biometrics should be performed", as this would result in an excessive processing of data.

The EDPB has considered the compliance of processing of passengers’ biometric data with four different types of storage solutions, ranging from ones that store the biometric data only in the hands of the individual to those which rely on centralised storage. In all cases, only the biometric data of passengers who actively enrol and consent to participate should be processed.

Read the Opinion here

More details

---

EDPB Reports on ChatGPT Taskforce

The EDPB has published a report, adopted by the DPAs, on the work of the ChatGPT taskforce. This taskforce was created by the EDPB to promote cooperation between DPAs investigating the chatbot developed by OpenAI. It analyses several aspects of the GDPR rules relevant to the various ongoing investigations, such as:

- the lawfulness of collecting training data (“web scraping”), as well as processing of that data for input, output and training of ChatGPT.

- fairness: compliance with the GDPR is a responsibility of OpenAI and not of the data subjects, even when individuals input personal data.

- transparency and data accuracy: the controller should provide proper information on the probabilistic nature of ChatGPT and refer explicitly to the fact that the generated text may be biased or made up.

The report points out that it is imperative that data subjects can exercise their rights effectively. Taskforce members also developed a common questionnaire as a possible basis for their exchanges with OpenAI, which is published as an annex to the report.

Read more

---

Police in Northern Ireland Fined for Data Breach

Today the ICO announced that it will fine the Police Service of Northern Ireland (PSNI) £750,000 for failing to protect the personal information of its entire workforce. In response to a freedom of information request, a "hidden" tab of an Excel spreadsheet published online revealed the surname, initials, rank and role of all 9,483 serving PSNI officers and staff.

The investigation has found the PSNI’s internal procedures and sign-off protocols for the safe disclosure of information to be inadequate.
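The PSNI release failed because nobody enumerated what the spreadsheet actually contained before it went out. The following is an added example, not the ICO's or PSNI's own tooling: an .xlsx file is a zip archive whose xl/workbook.xml lists every sheet with an optional state="hidden" or state="veryHidden" attribute, so a release checklist can enumerate non-visible sheets with the standard library alone. The sample workbook is constructed inline so the check runs offline.

```python
"""Pre-publication check: list hidden worksheets inside an .xlsx file.

Added example (not from the ICO or PSNI). Hidden and "very hidden" sheets
survive Save As and travel with the file, so a disclosure sign-off should
refuse any workbook that still contains one.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

SPREADSHEET_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
RELS_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS = {"m": SPREADSHEET_NS}


def hidden_sheets(xlsx_bytes: bytes) -> list[tuple[str, str]]:
    """Return (sheet name, state) for every sheet whose state is not 'visible'."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        workbook_xml = zf.read("xl/workbook.xml")  # bytes, parsed as-is
    root = ET.fromstring(workbook_xml)
    found = []
    for sheet in root.findall("m:sheets/m:sheet", NS):
        state = sheet.get("state", "visible")  # absent attribute means visible
        if state != "visible":
            found.append((sheet.get("name"), state))
    return found


def safe_to_publish(xlsx_bytes: bytes) -> bool:
    """Release gate: True only when no hidden or veryHidden sheet remains."""
    return not hidden_sheets(xlsx_bytes)


def build_sample_workbook(include_hidden: bool = True) -> bytes:
    """Constructed sample: a minimal .xlsx containing only xl/workbook.xml.

    Real files carry more parts, but the visibility check needs only this one.
    """
    sheets = [
        f'<sheet name="FOI response" sheetId="1" r:id="rId1"/>',
    ]
    if include_hidden:
        sheets += [
            '<sheet name="Staff list" sheetId="2" state="hidden" r:id="rId2"/>',
            '<sheet name="Working" sheetId="3" state="veryHidden" r:id="rId3"/>',
        ]
    workbook_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<workbook xmlns="{SPREADSHEET_NS}" xmlns:r="{RELS_NS}">'
        "<sheets>" + "".join(sheets) + "</sheets></workbook>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook_xml.encode("utf-8"))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_workbook()
    for name, state in hidden_sheets(sample):
        print(f"BLOCK: sheet {name!r} is {state}")
    print("safe to publish:", safe_to_publish(sample))
```

The check is deliberately independent of Excel and of third-party libraries so it can run in a CI job or a mail gateway; a fuller gate would also inspect hidden rows and columns, defined names and document properties, which live in other parts of the same archive.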

Read more

---

EU Council Approves EU AI Act

On Tuesday, 21st of May 2024, the EU member states voted in favour of the EU AI Act.

The European Council has now issued its final approval of the EU AI Act.

Read more

---

ICO Concludes Investigation into Snap's 'My AI' Chatbot

In June 2023, the ICO opened an investigation into ‘My AI’ following concerns that Snap had not met its legal obligation to adequately assess the data protection risks posed by the new chatbot. The investigation led to the issuing of a Preliminary Enforcement Notice to Snap on 6 October 2023.

The investigation resulted in Snap demonstrating that it had implemented appropriate steps to mitigate the risk. The ICO will continue to monitor the rollout of ‘My AI’ and how emerging risks are addressed.

The main takeaway is that organisations developing or using generative AI must consider data protection from the outset, before bringing the products to market.

Read more

Do You Know Your Privacy Regulations?

It is not just companies that can get fined for breaching data privacy regulations. Individuals can be prosecuted too, as in the recent case of Mr Saleem.

A former Management Trainee at Enterprise Rent-A-Car UK Limited accessed client data which he had no business need to access. After an internal investigation, he was dismissed for gross misconduct and reported to the ICO. He was ordered to pay £747 in total in personal fines.

Make sure you know and follow your company's internal rules on accessing the personal data of everyone you work with.

Read more about the case here

Visit the ICO website for more information

---

Friday, 17th May 2024

EU Commission Launches Formal Investigation Against Meta

The Commission has opened formal proceedings to assess whether Meta may have breached the Digital Services Act (DSA) in areas linked to the protection of minors. The Commission is concerned that the systems of both Facebook and Instagram, including their algorithms, may stimulate behavioural addictions in children, as well as create so-called 'rabbit-hole effects'. There is also concern about age-assurance and verification methods put in place by Meta.

The opening of formal proceedings empowers the Commission to take further enforcement steps, such as adopting interim measures and non-compliance decisions. The Commission is also empowered to accept commitments made by Meta to remedy the issues raised in the proceedings.

Read more

---

Study Finds Unhealthy Data Practices in Female Health Apps

According to new research from King’s College London and University College London, apps designed for female health monitoring are exposing users to unnecessary privacy and safety risks through poor data handling practices.

Following an analysis of the privacy policies of 20 of the most popular female health apps available in the UK and USA, used by hundreds of millions of people, the study revealed that in many instances user data could be subject to access from law enforcement or security authorities.

Intimate data stored by health tracking apps can show details of sexual activity, contraception and when periods stop and start - with some also asking for information about abortions or miscarriages. Some apps lacked data deletion functions, or made it difficult to remove data once entered.

Key findings from the study included:

- 35% of the apps claimed not to share personal data with third parties in their data safety sections but contradicted this statement in their privacy policies by describing some level of third-party sharing.

- 50% provided explicit assurance that users' health data would not be shared with advertisers but were ambiguous about whether this also included data collected through using the app.

- 45% of privacy policies outlined a lack of responsibility for the practices of any third parties, despite also claiming to vet them.

Read more

---

ICO Reprimands Child Services in Birmingham

The ICO has issued a reprimand to Birmingham Children's Trust Community Interest Company after the personal information of a child was revealed to another family. The information was disclosed in error after being copied across from meeting minutes, and included the child's protection plan with personal information and criminal allegations.

Birmingham Children's Trust Community Interest Company did not have appropriate policies or sufficient practical guidance in place to ensure the security of personal information.

Read more

---

TikTok to Sue US Government Over App Ban

The bill officially known as the Protecting Americans from Foreign Adversary Controlled Applications Act was signed by President Joe Biden on 24 April and gives TikTok's Chinese parent company ByteDance until 19 January next year to sell the app to another company or face a ban. This was done in response to rising concerns over users' data being monitored and collected by China.

TikTok claims that the app ban breaches the First Amendment, which protects free speech. It aims to fight for the right to remain in the US, where it has its largest user base of 170 million.

Read more

---

Hackers Tied to North Korea Launching Phishing Email Scams

The hacking collective known as Kimsuky, which is believed to be strongly tied to Lazarus Group and thus to the North Korean government, has been spotted abusing improperly configured DMARC record policies to send convincing phishing emails and gather vital intelligence from Western targets, officials have warned.

To make sure the victim responds to the phishing email the hackers will diligently prepare and thoroughly research their target, and either create fake identities, or impersonate other people when reaching out. When stealing other people’s identities, they will mostly impersonate journalists, academics, or other experts in East Asian affairs “with credible links to North Korean policy circles,” it was said.
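The defence against this kind of impersonation is on the sending domain's side: a DMARC record that only monitors (p=none), covers a fraction of mail (pct below 100), leaves subdomains unprotected or collects no reports lets a spoofed "From" address through while looking configured. The following is an added example, not from the advisory the item summarises: it parses a DMARC TXT record using the tag syntax of RFC 7489 (v, p, sp, pct, rua) and reports weak settings. The severity rules are the editor's own, and the records are constructed samples rather than any real domain's.

```python
"""Assess a domain's DMARC TXT record for missing or weak enforcement.

Added example. Parsing follows RFC 7489 tag=value syntax; the findings
reflect defaults from that RFC (sp defaults to p, pct defaults to 100).
The sample records below are constructed, not taken from any real domain.
"""
from typing import Optional


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=...; ...' into a dict; raise ValueError if invalid."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # RFC 7489: v=DMARC1 must be the first tag and p= is mandatory; receivers
    # ignore records that fail either rule, which is the same as having none.
    first = record.strip().split(";", 1)[0].replace(" ", "").lower()
    if first != "v=dmarc1" or "p" not in tags:
        raise ValueError("record must start with v=DMARC1 and carry a p= tag")
    return tags


def assess_dmarc(record: Optional[str]) -> list[str]:
    """Return findings for a record (None = no record); empty list means enforcing."""
    if record is None:
        return ["no DMARC record: receivers will accept spoofed mail for this domain"]
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [f"unparseable DMARC record ({exc}): receivers treat it as absent"]

    findings: list[str] = []
    policy = tags["p"].lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unknown policy p={policy}")

    subdomain_policy = tags.get("sp", policy).lower()  # defaults to p
    if subdomain_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains are unprotected although the apex enforces")

    pct_raw = tags.get("pct", "100")
    if pct_raw.isdigit():
        if policy != "none" and int(pct_raw) < 100:
            findings.append(f"pct={pct_raw}: only {pct_raw}% of failing mail gets the policy")
    else:
        findings.append(f"pct={pct_raw!r} is not a number; receivers fall back to 100")

    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing goes unnoticed")
    return findings


# Constructed sample records, one per configuration state worth recognising.
SAMPLE_RECORDS: dict[str, Optional[str]] = {
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "partial": "v=DMARC1; p=quarantine; sp=none; pct=50",
    "broken": "p=reject",
    "absent": None,
}


def assess_samples() -> dict[str, list[str]]:
    """Run the assessment over every sample record."""
    return {name: assess_dmarc(rec) for name, rec in SAMPLE_RECORDS.items()}


if __name__ == "__main__":
    for name, findings in assess_samples().items():
        print(f"{name}: {'OK' if not findings else ''}")
        for line in findings:
            print(f"  - {line}")
```

In practice the record is fetched as the TXT record at _dmarc.<domain>; a DNS client is deliberately left out here so the logic runs offline. Note that even p=reject only protects the exact header domain, which is why the sp= check matters for organisations with many subdomains.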

Read more

Friday, 10th May 2024

iPadOS Classified as Gatekeeper under DMA

The European Commission has today designated Apple, with respect to iPadOS, as a gatekeeper under the Digital Markets Act (DMA). iPadOS, despite not meeting the quantitative thresholds laid down in the DMA, constitutes an important gateway for business users to reach end users and therefore should be designated as a gatekeeper.

The Commission’s investigation found that Apple presents the features of a gatekeeper in relation to iPadOS, as among others:

– Apple’s business user numbers exceeded the quantitative threshold elevenfold, while its end user numbers were close to the threshold and are predicted to rise in the near future.
– End users are locked-in to iPadOS. Apple leverages its large ecosystem to disincentivise end users from switching to other operating systems for tablets.
– Business users are locked-in to iPadOS because of its large and commercially attractive user base, and its importance for certain use cases, such as gaming apps.

On the basis of the findings of the investigation, the Commission concluded that iPadOS constitutes an important gateway for business users to reach end users, and that Apple enjoys an entrenched and durable position with respect to iPadOS. Apple has now six months to ensure full compliance with the DMA obligations as applied to iPadOS.

Read more

Friday, 3rd May 2024

New UK Law to Increase Security and Privacy for Tech Appliances

The UK Product Security and Telecommunications Infrastructure (Product Security) regime (PSTI) comes into effect today, 29th April 2024. This means that manufacturers of phones, TVs and smart doorbells are now legally required to protect internet-connected devices against access by cybercriminals, including by banning easy-to-guess default passwords like ‘admin’ or ‘12345’.

Brands also have to publish contact details so that bugs and issues can be reported immediately, and must be transparent about timings of security updates.

It is hoped the new measures will give customers confidence in buying and using these products at a time when attacks on consumers and businesses by hackers seeking to steal personal data are soaring.

Source

Icelandic SA: Municipality of Reykjavík fined ISK 2,000,000 for the use of Google Workspace for Education

After 2022, the Icelandic SA decided to investigate the use of cloud services in elementary schools. The investigation was limited to the use of Google Workspace for Education, in the five largest municipalities in Iceland.

The Icelandic SA’s investigation revealed that students’ personal data were not only processed on the instructions of the municipality of Reykjavík, but also for Google’s own purposes. The municipality failed to demonstrate how further processing by Google was compatible with the purpose for which students’ personal data were initially collected.

The municipality of Reykjavík infringed multiple Articles of the GDPR with its use of Google’s educational system:

– Failure to ensure and to be able to demonstrate that processing is performed in accordance with the Regulation (Articles 5, 24(1) & 28(1) GDPR)
– Data processing agreement did not meet the minimum requirements (Article 28(3)(a) GDPR)
– Failure to ensure that data is not further processed in a manner that is incompatible with the initial purpose (Articles 5(1)(b) & 6(4) GDPR)
– Failure to ensure data minimisation (Articles 5(1)(c) & 25 GDPR)
– Data protection impact assessment did not meet the minimum requirements (Article 35(7) GDPR)
– Data transferred to the United States without appropriate safeguards (Articles 44 & 46 GDPR)

The municipality of Reykjavík was fined EUR 13,270 (ISK 2,000,000) and ordered to bring its processing into compliance with the Regulation.

Read more

Friday, 10th May 2024

Social Media Makes Personal Data ‘Manifestly Made Public’

The Advocate General of the CJEU has issued an opinion stating that any personal information a person reveals on social media is, under Article 9(2)(e) GDPR, ‘manifestly made public,’ and therefore does not receive the same standard of protection as other personal data. Such data may not, however, be used by social media companies for targeted ads. The clarification follows Max Schrems's complaint against Meta for serving him targeted ads based on his sexuality.

Read more

ICO Fines Two Companies a Total of £340,000 for Making Aggressive and Unwanted Marketing Calls

The Information Commissioner’s Office (ICO) has fined Cardiff-based Outsource Strategies Ltd (OSL) £240,000 and London-based Dr Telemarketing Ltd (DRT) £100,000 after the companies made a total of almost 1.43 million calls to people on the UK’s “do not call” register.

People who filed complaints said the callers were aggressive and used high-pressure sales tactics to persuade them to sign up for products. The ICO investigation also found evidence that both companies were specifically targeting elderly and vulnerable people.

Read more

European Parliament Approves EU-Wide Health Data Space

In an effort to make health data more accessible and easier to transfer for people who move within the EU, the European Parliament has approved an EU-wide health data space. Patients’ data will be uploaded to an electronic health record, with their medical history and any medical imagery held on the portal. Some of the information will be anonymised to aid health research, and the EU reassures citizens that robust data protection mechanisms are in place.

Read more