DPAS Data Protection Bulletin – April 25 2024

dpas bulletin - APRIL 25

Welcome back to our monthly DPAS bulletin, where we cover the latest data protection news from all around the world.

What terms and conditions of Temu’s were its customers concerned about? Why did data breach incidents seem to increase by a third in 2023? And what is the new US online privacy and data protection bill being debated?

Read about all this and more in our latest DPAS Data Protection Bulletin.

Key Insights

Temu changes terms and conditions following personal data concerns

Temu, a Chinese e-retailer, has made changes to its terms and conditions following concerns around what it plans to do with users’ personal data. Previously, Temu had defended themselves, claiming that the terms and conditions causing concern were “standard”. Now, however, they have gone back on that claim, deciding that they were “overly broad”, and have made adjustments.

Worries surrounding these terms and conditions followed a free cash giveaway that involved users signing their friends up to each receive a cash reward. This made many people doubtful, wary that there must be a catch. This then led to the discovery of the concerning terms and conditions, granting Temu permission to utilise its users’ data in ways that many found questionable.

Read more about this here.

AT&T suffers data breach affecting millions of customers

Telecom giant AT&T experienced a huge data breach early this month, having discovered a data set on the dark web. This contained social security numbers, passcodes, and potentially other sensitive information such as full names, mailing addresses, and AT&T account numbers.

Reported on 1st April, this data breach affected over 7 million current AT&T account holders, over 65 million former account holders, and according to Surfshark, approximately half a million UK users.

Read more about this news here.

Westminster insiders fall victim to spear-phishing attack

Twelve men working in Westminster have come forward and told Politico that they had been the targets of unsolicited messages on WhatsApp. These messages, coming through from two suspicious phone numbers, had been attempting to gain access to compromising information for the purpose of blackmail.

A 13th recipient of suspicious messages recently announced that he had received messages from somebody under the guise of an “Abigail” or “Abi”, who had spoken to him for months, with the first message arriving in January 2023. This reveals that the phishing operation was underway for over a year.

Read more about this here.

Report shows data breach incidents increased by a third in 2023

Flashpoint recently released their 2024 Global Threat Intelligence Report, which revealed that concerningly, reported data breach incidents increased by over a third. Over 17 billion personal records were compromised throughout 2023, and a total of over 6,000 data breaches. This was a 34.5% increase from the previous year.

Read more about this report here.

ICO calls for improved practices to protect children’s privacy

The Information Commissioner’s Office (ICO) recently released a statement calling on social media and video-sharing platforms to “assess and understand the potential data harms to children on their platforms, and to take steps to mitigate them”. The ICO urged these platforms to improve their data protection practices to ensure that children are safer while they use the services, as the regulator sets out their 2024-2025 priorities for the protection of children’s personal information online.

Read more about this here.

ICO joins global data protection and privacy enforcement programme

A new international multilateral agreement has been made between the ICO and the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE) so that they can “work together to tackle global data protection and privacy issues”. This cooperation will allow for more effective cross-border enforcement of data protection and privacy laws, resulting in “solutions that safeguard people’s privacy wherever they are based”.

Read more about this here.

Conservative Party officials planned to sell members’ data via ‘True Blue’ app

Leaked documents reveal that the Conservative Party originally had plans to gather the personal data of party members through their “True Blue” app and allow prominent brands to utilise it for advertising, such as targeting based on location and demographic. The app, which was set to make millions through this plan, “did not progress beyond the pitch stage”, according to a spokesperson within the party. However, emails seen by the Guardian suggest otherwise, revealing that officials “worked through last summer on the project, tailoring the proposed app’s content and requesting paperwork, including a draft contract”.

Read more about this here.

EDPB announces their view on Meta’s ‘consent or pay’ system

Meta, owner of Facebook and Instagram, has offered its EU users a “choice” between agreeing to being tracked for advertising purposes, and paying a monthly subscription fee for an ad-free experience. This has been the case since November 2013, but now, the European Data Protection Board (EDPB) has come forward with their current opinion on the matter.

The EDPB have announced their disapproval of this, stating that when online platforms use a ‘consent or pay’ model, “negative consequences are likely to occur”. Released alongside their full 42-page opinion was a press release in which the Board’s chair, Anu Talu, expressed that online platforms should “give users a real choice”.

Read more about this here.

ICO loses Upper Tribunal appeal in Experian case

In the Information Commissioner’s long-running case against Credit Reference Agency (CRA) Experian, an appeal made to the Upper Tribunal has been rejected. The ICO originally issued an enforcement notice to Experian due to concerns around the “extent and nature of Experian’s data processing in the light of the transparency requirements” of the GDPR.

Experian then appealed against this to the First-Tier Tribunal (FTT), which was allowed. The ICO then advanced five grounds of appeal before the Upper Tribunal in an attempt to combat their decision.

Now, the ICO’s appeal has been dismissed by the Upper Tribunal on all grounds.

Read more about this here.

Government Activity

US introduces draft American Privacy Rights Act

Early this month, a draft of the American Privacy Rights Act, a bipartisan, bicameral federal privacy bill, was released by two key members (Committee Chairs Cathy McMorris Rodgers and Sen. Maria Cantwell) of US Congress. This legislation, which aims to give people more control over their privacy, gives consumers the right to “opt out of targeted advertising and view, correct, export or delete their data”.

The bill, if implemented, will preempt state privacy laws and introduce a federal law making privacy a consumer right. This, in place of the current laws which differ from state to state, would provide, what Committee Chair Rodgers has described as “privacy protections that are stronger than any state law on the books”.

Read more about this here.

European regulators discuss AI Act enforcement during GPS 2024

Enforcing the newly unveiled EU Artificial Intelligence (AI) Act may be more complicated than we expected, according to top European regulators. During a breakout session at the IAPP Global Privacy Summit (GPS) 2024 earlier this month, regulators expressed concerns about a number of obstacles and challenges.

Guido Scorza, board member of the Garante – Italy’s data protection authority – stated that due to a multitude of factors, including a lack of resources, they are “not ready”.

Read more about this here.

Peers urge Lords to make amendments to international data transfer laws

Earlier this month, parliamentarians expressed concerns that the current regulations for international data transfers are not “fit for purpose” and therefore have sought to encourage the government to strengthen these. A group of peers offered a number of amendments that they believe are an improvement on the present laws surrounding the transfer of data overseas, in an attempt to urge the government to prioritise this issue.

For example, one of these amendments (laid by Lord James Bethell, Lord Timothy Kirkhope, and Lord Tim Clement-Jones) looks at preventing the UK from transferring data to any countries with “no credible means to enforce data subject rights or obtain legal remedies”.

Read more about this here.

Software engineers and barristers call for changes to DPDI bill

Following a miscarriage of justice regarding the Post Office, wherein the organisation was urged by an external law firm to withhold vital evidence, a group of software engineers and barristers affected by the case have called for changes to the DPDI bill in response.

Their suggestion for the bill is that it should be amended to “require that a person seeking to rely on computer evidence should have to declare on oath that, having made the necessary inquiries, they know of no reason why it should not be relied on”.

Read more about this here.

Enforcement Action

ICO reprimands University Hospital of Southampton NHS Foundation Trust

The ICO has issued a reprimand to University Hospital of Southampton NHS Foundation Trust for failing to respond to all subject access requests (SARs) within the required time limit. Of all incoming SARs, the Trust only responded to 59% in the statutory timeframe between 1st August 2022 and 1st July 2023.

Read more about this here.

Dating app Grindr facing lawsuit for sharing users’ personal information

Grindr is looking at a mass data protection lawsuit after it shared users’ sensitive information with third parties – including their HIV status and date of their last HIV test – for commercial purposes. According to Austen Hays, thousands of UK users of the app may have been affected by this breach.

In a statement, Grindr has said that they plan to “respond vigorously to this claim, which appears to be based on a mischaracterisation of practices from more than four years ago”. Austen Hays claimed that over 600 people had signed up to the lawsuit regarding alleged breaches occurring between 2018 and 2020, and that number may now increase by thousands.

Read more about this here.

ICO reprimands housing association for exposing personal data on online portal

Clyde Valley Housing Association, based in Lanarkshire, has received a reprimand from the Information Commissioner’s Office for exposing personal information to other residents on an online portal. When this portal first launched in 2022, it didn’t take a resident long to realise that through it, they could view personal information about other residents – including their names, addresses, and dates of birth. Also available to access were documents relating to anti-social behaviour cases.

Despite the resident flagging this breach, the personal information remained available for five days, and this new system was only suspended once four more residents had reported this breach.

The ICO’s investigation concluded that the incident was down to a combination of the organisation not appropriately testing the portal first, nor providing adequate training to its staff, who weren’t clear on the procedure to escalate a breach.

Read more about this here.


If you need any support in ensuring your organisation is complying with the relevant legislation, or require training in the areas of data protection and information security, get in contact with us.

Either call us on 0203 3013384, email us at info@dataprivacyadvisory.com, or fill out a contact form. Our dedicated team will get back to you as soon as possible.

related posts

Get a Free Consultation