DPAS Bulletin - August 29
Welcome back to our monthly DPAS bulletin, where we cover the latest data protection news from all around the world.
Why has X received complaints regarding the data it uses to train its AI model? What increased measures did Keir Starmer announce following the UK protests? And how much were UK businesses fined in 2023/24 for violating the GDPR?
Read about all this and more in our latest DPAS Data Protection Bulletin.
PM announces increased facial recognition use in light of violent protests
In response to the violent protests that broke out across the UK in recent weeks, Prime Minister Keir Starmer has announced a new programme: the National Violent Disorder Programme.
The announcement states that criminals will never be able to “hide behind their legitimate right to protest” as a means to “wreak havoc and intimidation”. The promise to crack down on this behaviour, and to improve the intervention and prevention of violent disorder, includes a number of proposed solutions, such as considering how the country can widely deploy facial recognition technology for the purposes of targeting and arresting criminals.
AI traffic cameras rolled out in Devon and Cornwall
Early this month, it was reported that traffic cameras powered by AI were being rolled out in Devon and Cornwall. The first of their kind in the UK, these cameras are able to detect offences being committed while driving such as not using a seatbelt, or the illegal use of mobile devices.
In practice, these cameras snap front-facing and overhead images of motorists at high speeds, and the images are analysed by AI to seek out any offences. Any images flagged by the AI are then reviewed by a human.
US sues TikTok over invasion of children’s privacy
TikTok has come under fire once again, having been recently hit by a new lawsuit from the US government. The Department of Justice is investigating TikTok and its parent company ByteDance for the unlawful collection of children’s data, and failures to respond when parents try to remove their children’s accounts from the platform.
TikTok is said to be in defiance of laws requiring consent from parents for the data of anybody under the age of 13, in what is described as a “massive-scale” invasion of children’s privacy.
X/Twitter receives numerous complaints in Europe over AI training
Just days after announcing that they will be hitting the pause button on the processing of some EU users’ personal data for AI training purposes, X (formerly known as Twitter) has received a number of data protection complaints.
Nine complaints in total were filed by Noyb in Austria, Belgium, France, Greece, Ireland, Italy, the Netherlands, Spain, and Poland, against X’s use of personal data to train its AI model, known as “Grok”. Noyb has filed these complaints for the purpose of having X’s practices fully investigated for compliance with the GDPR.
China’s data watchdog proposes tighter control over users’ online data
Stricter control over users’ online data has been proposed by China’s data watchdog, which suggested rolling out digital IDs in place of real names and phone numbers for registration on online platforms.
The scheme is envisaged as voluntary, but the idea has been met with doubt and concern over how it could grant authorities expanded oversight of all manner of online behaviour: it could likely “give the police much greater insight into what people are doing online”, according to Tom Nunlist, associate director at research and advisory firm Trivium.
Biometrics and Surveillance Camera Commissioner resigns
As announced early this month, the Biometrics and Surveillance Camera Commissioner, Tony Eastaugh, has resigned from his post, effective from mid-August.
No update has yet been given by the Home Office regarding Eastaugh’s replacement.
ICO makes provisional decision to fine software provider £6m for NHS disruption
The Information Commissioner’s Office has recently made a provisional decision to impose a fine of £6.09 million on Advanced Computer Software Group Ltd, following an initial finding that the organisation failed to implement safeguarding measures to protect the data of almost 83,000 individuals.
This incident, a ransomware attack that was widely reported at the time, involved the exfiltration of names, phone numbers, and in some cases, even information on how to access individuals’ homes. The ICO has yet to fully investigate whether Advanced was in breach of any particular data protection laws, and so a final decision will be made in due course.
Jersey Data Protection Authority appoints new data protection regulator
On 12th August, it was announced that the Jersey Data Protection Authority (JDPA) had appointed former UK Information Commissioner Elizabeth Denham as its new data protection regulator.
Denham, who begins her four-year term in October, stated that her work will be “guided by international trends alongside foundational principles such as transparency, accountability and fairness”.
UK businesses fined over £15.5m in 2023/24 for GDPR violations
A UK data breach solicitor, Hayes Connor, has analysed GDPR breaches within the 2023-24 period, and has found that in this time, a total of over £15 million in fines was imposed on businesses.
The vast majority of this total comes from 12 organisations based in London (including the Ministry of Defence), which racked up £14,282,500 for violations such as unsolicited marketing calls and inappropriate email practices.
Uber fined by Dutch DPA for violating EU personal data transfer rules
Uber has come under fire and received a fine from the Dutch Data Protection Authority (DPA) for contravening personal data transfer regulations.
The transportation app had been transferring driver data – such as ID documents and location data – to its headquarters based in the US over a period of two years without meeting GDPR requirements to ensure the safety of these transfers. Uber stated that this fine, which totals 290 million euros and is the third issued to Uber by the DPA, is “completely unjustified”.
ICO launches new tool to assist small businesses with privacy notices
The ICO has recently announced the launch of a new tool that aims to support small businesses in creating bespoke privacy notices. The privacy notice generator offers two different kinds of privacy notice – one for customer and supplier information, and one for staff and volunteer information – and includes sections relevant to various different sectors so that organisations can easily create a privacy notice tailored to them.
Man sentenced after illegally accessing data for use at his personal injury firm
An ex-employee of Enterprise Rent-A-Car has been sentenced for liaising with his former colleagues to illegally access the personal data of people involved in road traffic accidents for his own gain.
These offences began in 2009 when Jonathan Riches of Porthcawl set up his own personal injury firm upon leaving his job at Enterprise Rent-A-Car. Riches used his lasting connections with former colleagues to unlawfully access motorists’ data for the purpose of contacting them to offer his legal services. Following an ICO investigation, Riches has pled guilty to an offence under section 55 of the Data Protection Act 1998 and has been ordered to pay a fine of £10,000, in addition to costs of £1,700. Riches’s accomplices in the crime were previously sentenced.
ICO releases statement on Meta’s ad-free subscription service
The Information Commissioner’s Office has released a new statement on Meta’s proposed ad-free subscription service.
Noting their previous call for views on “consent or pay” models, the ICO has stated that they are in the process of considering the responses they received and will “set out the ICO’s position later this year”. The ICO goes on to state:
“Following engagement with Meta, we are examining how UK data protection law would apply to any potential ad-free subscription service. We will expect Meta to consider any data protection concerns we raise prior to any introduction of a subscription service for its UK users.”
GET IN TOUCH WITH US!
If you need any support in ensuring your organisation is complying with the relevant legislation, or require training in the areas of data protection and information security, get in contact with us.
Either call us on 0203 3013384, email us at info@dataprivacyadvisory.com, or fill out a contact form. Our dedicated team will get back to you as soon as possible.