DPAS Bulletin - January 26
Welcome back to our monthly DPAS bulletin, where we cover the latest data protection news and developments from all around the world.
Now that the new year has begun, which 11 countries and territories did the EU deem to have adequate data protection frameworks? Why was HelloFresh fined £140,000 by the ICO? And how can hackers access Google accounts without needing a password?
Read about all this and more in our latest DPAS Data Protection Bulletin.
Hackers discover exploit that allows access to Google accounts without a password
A concerning exploit, first uncovered in October 2023, allows hackers to gain access to Google accounts and retain that access even if the password is changed. Hackers have found a way to retrieve Google authentication cookies (which let users stay signed in to their accounts without always re-entering their login details) and use them to bypass two-factor authentication and enter the accounts. Because these cookies act as proof of an already authenticated session rather than as a password, changing the password alone does not cut off the access.
In response, Google Chrome is currently cracking down on third-party cookies, and Google has stated that it has “taken action to secure any compromised accounts detected”, advising users to “continually take steps to remove any malware from their computer” and to enable Enhanced Safe Browsing in Chrome for protection against phishing and malware.
Read more about this here.
ICO publishes updated Opinion on age assurance
The Information Commissioner’s Office has just updated its Commissioner’s Opinion on age assurance, refreshing the original version first introduced in October 2021. The 2024 Opinion takes into account the legislative and technological developments of the last few years to provide up-to-date guidance on approaching age assurance in a way that meets data protection obligations while remaining compliant with the Online Safety Act 2023 (OSA).
This updated Opinion sets out to assist online services in understanding what they must do if their services are likely to be accessed by children, and how they can “respond to ongoing developments in technology, legislation, policy and attitudes”.
Read more about this here.
ICO provides new guidance on responding to FOI requests
To support organisations in responding to freedom of information (FOI) requests in an adequate and timely manner, the ICO has published more guidance, specifically for clarifying information requests.
The ICO stresses that refining people’s requests is an essential part of the role, so if there is uncertainty about what the requester is asking for, best practice is to contact them and ask for clarification. It is important to note that clarification should be requested as soon as possible after receiving the original request, and within 20 working days. Once the clarification has been provided (in writing), it can be treated as a new request for information, and the 20 working day timeframe then applies to this new, clarified request.
Read more about this guidance here.
ICO launches new consultation series on generative AI
In the wake of generative artificial intelligence (AI) becoming increasingly prominent and capable, the Information Commissioner’s Office has announced the launch of a new consultation series, “examining how aspects of data protection law should apply to the development and use of the technology”.
The ICO is seeking perspectives from various stakeholders for this series, which begins by looking at when it is lawful to use personal data scraped from the web to train generative AI.
Read more about this series here.
IAPP shares taxonomy of AI data privacy risks
IAPP has recently brought attention to work conducted by a research group from Carnegie Mellon University and Oxford University in “Deepfakes, Phrenology, Surveillance, and More! A Taxonomy of AI Privacy Risks”. The researchers compiled over 300 AI incidents between 2013 and 2023, focusing on those related to privacy. Using the 16 privacy risks outlined in Daniel Solove’s 2006 paper “A Taxonomy of Privacy” as a foundation, they put together a set of 12 that apply to artificial intelligence, including surveillance, identification, exposure and intrusion. These risks plainly lay out the ways in which AI is capable of endangering our privacy and provide an eye-opening breakdown for those who may not be familiar with the specific relationship between AI and data privacy.
Read more about this research here.
Government Regulatory Activity
Police to become able to run facial recognition searches on driving licence holders
A single clause in a new criminal justice bill will enable UK police to run facial recognition searches on a database containing images of Britain’s driving licence holders – approximately 50 million in total. This means that when the police want to put a name to a face captured on surveillance footage or shared on social media, this new power, “quietly introduced” by the government, allows them to do so.
Critics have accused the government of “sneaking it under the radar”, as the bill does not explicitly state the intention to allow the police or the National Crime Agency (NCA) to use UK driving licence records for this purpose.
Read more about this here.
European Commission concludes its review of 11 adequacy decisions
The European Commission has just completed its review of 11 existing adequacy decisions, first adopted under the EU data protection legislation that preceded the GDPR. Personal data transferred to 11 countries and territories (Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay) has been found to still be protected by adequate data protection safeguards, and therefore the flow of data to these areas can freely continue.
Read more about this news here.
China issues draft guidelines for standardising artificial intelligence industry
As announced in a statement on the ministry’s website, China has recently issued draft guidelines for standardising the AI industry. The draft proposes forming over 50 national and industry-wide standards for artificial intelligence by 2026, with China also aiming to participate in forming over 20 international standards. The draft also aims to have over 1,000 companies adopting and promoting these standards.
Read more about this development here.
ICO issues enforcement notice to Greater Manchester Police for failing to clear FOI backlog
Late last month, the Information Commissioner’s Office issued an enforcement notice to GMP for repeated failures to clear their backlog of freedom of information requests. At the time of the notice being issued, the backlog comprised 850 overdue requests, over 800 of which were over six months old, and 580 of which were more than a year old. The oldest request was over two and a half years overdue.
GMP was aiming to clear this backlog by the end of 2024, but the ICO has deemed this unacceptable and demanded that an action plan be devised and published, detailing how GMP will respond to requests in a timely manner going forward and how the existing backlog will be cleared by the end of July.
Read more about this here.
ICO fines two home improvement companies for illegal marketing calls
Two home improvement companies have recently been fined a total of £250,000 between them for making millions of illegal marketing calls to people on the UK’s “do not call” register. The ICO fined Poxell Ltd £150,000 for making more than 2.6 million illegal calls between March and July 2022 to people who had registered with the Telephone Preference Service (TPS). Skean Homes Ltd was fined £100,000 for “instigating over 600,000 unsolicited marketing calls from March to May 2022” to people registered with the TPS.
These two cases resulted in a number of complaints to both the ICO and the TPS, and the ICO has issued an enforcement notice to both companies in addition to the fines they received.
Read more about these cases here.
ICO fines HelloFresh for spam texts and emails
HelloFresh has been fined by the ICO for sending 79 million spam emails and 1 million spam texts in just seven months. HelloFresh sent the messages on the basis of an opt-in statement that was found to make no reference to marketing via text. The statement did refer to marketing via email, but as this was embedded in an age confirmation statement, it was found to have unfairly incentivised users to opt in without their knowledge.
The ICO concluded that the company behind HelloFresh (Grocery Delivery E-Services UK Ltd) was in contravention of regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR) and fined it a total of £140,000 for the inappropriate use of its customers’ data.
Read more about this case here.
Report by DLA Piper shows record year for GDPR enforcement
DLA Piper’s 2024 edition of its GDPR and Data Breach Survey brings to light another record year for fines for breaches of the GDPR, with EUR 1.78 billion (USD 1.94 billion / GBP 1.55 billion) in total issued by supervisory authorities since 28 January 2023. This tops the total amount fined in the year from 28 January 2022 by more than 14%.
Read more from this report here.
Our conference is just days away!
In just under one short week, our 2024 data protection and information security conference, Engage, Educate, Empower, will be kicking off at The Bond in Digbeth, Birmingham.
Thanks to our countless expert guest speakers and generous sponsors (RESPONSUM, filerskeepers, Encompass and CookieScan), this event is going to make for a thrilling and memorable day.
Details of the conference, including the agenda, parking, and accommodation, can be found on our website.
Data Privacy Day
28 January 2024 is Data Privacy Day, dedicated to promoting the importance of data privacy and information security and raising awareness of best practices. Since this international event was first conceived back in 2007, the data privacy landscape has changed significantly due to technological developments, the increasing digitalisation of our world and, of course, the introduction of legislation such as the GDPR.
To celebrate this day, let’s consider spreading awareness of compliance, discussing the challenges of safeguarding data with fellow practitioners, and educating ourselves further on what is a constantly evolving and increasingly complex subject.
Get in touch with us
If you need any support in ensuring your organisation is complying with the relevant legislation, or require training in the areas of data protection and information security, get in contact with us.
Either call us on 0203 3013384, email us at firstname.lastname@example.org, or visit our website at www.dataprivacyadvisory.com and fill out a contact form. Our dedicated team will get back to you as soon as possible.