DPAS Data Protection Bulletin – June 28 2024

dpas bulletin - june 28

Welcome back to our monthly DPAS bulletin, where we cover the latest data protection news from all around the world.

What changes are Google making to how it stores location data? What new AI training plans of Meta’s are facing heavy criticism? And whatever happened to the DPDI Bill?

Read about all this and more in our latest DPAS Data Protection Bulletin.

ICO publishes guidance for how data may be used during general election

The Information Commissioner’s Office has recently published some blog guidance to answer questions about how individuals can expect their data to be used during the election campaign.

The article outlines what should be expected from parties and campaigners. This includes being transparent about targeting in social media advertising, the appropriate handling of data by former, new and returning MPs, and for the law to be followed regarding direct marketing.

Read more about this here.

Google announces plans to delete users’ location data

Changes are being made to how Google stores the location data of its users. Google now plans to store this information locally on users’ devices, as opposed to the current practice of backing it up to the cloud.

In an email, the tech giant announced that users will have until the beginning of December to save their travel information to their mobile devices. Past this date, they’ll start to delete the old data. Going forward, this will now be linked to users’ devices as opposed to their Google accounts.

Read more about this here.

DPDI Bill dropped in lead-up to UK general election

Leading up to the general election taking place on 4th July, the Data Protection and Digital Information (DPDI) Bill was dropped due to a lack of time before dissolution of Parliament.

Despite the Bill being close to the finish line, it failed to reach completion during “wash up” and has therefore fallen. This news has been met with mixed reactions from privacy professionals – though many are relieved about the legislation’s demise due to some of the bill’s more controversial amendments.

Read more about this here.

Hong Kong releases its first data protection guidance for use of generative AI

Hong Kong’s privacy watchdog has released the city’s first data protection guidance for businesses using generative AI. While not including any mandatory requirements, this provides advice on best practices that those taking advantage of generative AI’s capabilities should follow.

This includes setting up an internal AI governance committee, conducting risk assessments, minimising how much personal data is processed for AI model training purposes.

Read more about this news here.

ICO breaks down information commonly requested from public authorities

The ICO has published a blog with their findings from a recent examination of Freedom of Information (FOI) requests. Over 150,000 requests from 2022 were analysed to discover common themes, in an effort to advise public organisations on information that they could proactively publish to reduce the number of requests they received.

Read more about this here.

Economic value of Nigeria’s data protection now over N10 billion

During an event to commemorate one year of the Nigeria Data Protection Commission (NDPC), National Commissioner Dr Vincent Olatunji announced that due to the signing of the Data Protection Act into law on June 12, 2023, Nigeria’s data protection has an economic value of over N10 billion.

Olatunji stated that the signing of the law brought a lot of attention to the NDPC not just in Nigeria, but around the world, boosting the Commission’s credibility and value.

Read more about this here.

ICO proposes £750,000 fine for PSNI for data breach through spreadsheet error

The Information Commissioner’s Office (ICO) has proposed that a fine of £750,000 be issued to the Police Service of Northern Ireland (PSNI) following a particularly dangerous data breach that took place in August 2023.

At this time, the personal information of all officers and staff (over 9,000 individuals altogether) was included in a “hidden” tab of a spreadsheet published online in response to a freedom of information request.

Read more about this here.

Data protection registration fees may rise 20% next year for Guernsey companies

Guernsey’s data supervisor, the Data Protection Authority (DPA) has proposed to raise registration fees.

If approved, the new fees would be £60 for businesses with fewer than 50 full-time staff (previously £50) and £2,400 a year for larger businesses (previously £2,000). This 20% increase has been approved by the States’ Committee for Home Affairs but can’t go ahead until regulations have been drafted.

Read more about this here.

Seven London hospitals disrupted by ransomware attack on service provider

Early this month, a major IT attack on Synnovis – a partnership between Synlab, and the Guy’s and St Thomas’ (GSTT) and King’s College trusts – caused a significant disruption to the operations of seven affected hospitals.

The hospitals’ services, particularly blood transfusions, were severely impacted by the ransomware attack on this provider, who analyses blood tests for the trusts. Hackers rendered a computer system inaccessible, extorting payment in exchange for restoring access. In a recent update, it’s been revealed that almost 1,600 appointments were cancelled as a result of this attack, and on 21st June, it was reported that the ransomware group had published data from the attack online.

Read more about this here and here.

IAPP AI Governance Global 2024 conference held in Brussels

The International Association of Privacy Professionals (IAPP) recently held its AI Governance Global 2024 conference in Brussels.

This event featured talks from multiple experts and leaders about the future that AI holds, noting both its potential, and its risk if proper considerations aren’t made. Keynote speaker Shannon Vallor, for example – a professor of ethics of data and AI at the Edinburgh Futures Institute – shared her optimism about AI’s medical and detection capabilities, such as predicting cancer and locating landmines. In addition to this, though, she expressed her concern that large language models trained by large volumes of data may be holding back the technology’s potential, compared to “targeted applications” which are trained using specific data.

Read more about this here.

23andMe investigated by data protection watchdogs over data breach

Genetic testing company 23andMe is being investigated by UK and Canadian data protection authorities over a breach that occurred in October last year.

The incident, which involved hackers gaining access to the personal data of almost 7 million people (such as family trees and birth years), is now being investigated by watchdogs to determine whether 23andMe had implemented adequate safeguards to protect the data. The ICO states that the public having trust in the service is “essential” due to the sensitive nature of the information they are trusted with.

Read more about this here.

First firms certified the under new LOCS:23 standard

The Legal Services Operational Privacy Certification Scheme (LOCS:23) has found its first firms to be certified.

This ICO-approved GDPR certification scheme, designed to equip law firms with a better understanding of the legislation and demonstrate their compliance, has just seen Briefed and 30 Park Place become the first firms to become officially certified for this standard following the conclusion of the pilot scheme.

Read more about this here.

Meta delays AI plans following privacy concerns

Meta, who recently shared plans to train AI models using content shared publicly by its adult users, has since announced that they’ll be putting these plans on hold. This follows a request from the Irish Data Protection Commission (DPC) and waves of complaints from European privacy groups and regulators.

The tech giant has received intense backlash for their plans, due to their intentions to rely on “legitimate interest” as their lawful basis for collecting data this way. Noyb, an advocacy group based in Austria, expressed their concerns about Meta not processing this data on the basis of consent, but rather leaving the responsibility with the user to opt out.

Now, Meta is claiming that they’ll be pausing these plans, which were originally slated to come into effect on 26th June.

Read more about this here.

TikTok privacy complaints referred to US Department of Justice

Following an investigation into potential violations of the FTC Act and the Children’s Online Privacy Protection Act (COPPA), the US Federal Trade Commission has referred a complaint against TikTok (and parent company, ByteDance) to the US Department of Justice (DOJ).

A TikTok spokesperson responded saying that they disagreed with the allegations and are disappointed that “the agency is pursuing litigation instead of continuing to work with us on a reasonable solution”.

Read more about this here.

Noyb files complaint against Google for inappropriate data collecting

Austrian advocacy group Noyb filed a complaint against Google on 13th June for allegedly collecting users’ data without the appropriate consent, and for generally failing to be transparent regarding its EU advertising practices.

One of the allegations against the corporation pertains to their Privacy Sandbox API, particularly their replacement for third-party cookies: “topics”. These still involve users’ browsing habits being tracked – despite the Privacy Sandbox being marketed as a privacy feature – and so Noyb has concluded that the misleading language could easily deceive users who won’t realise that their consent is still being requested for tracking their activity.

Read more about this here.

EU cancel vote on CSAM regulation due to encryption concerns

A draft law proposed in 2022 that would allow messaging apps to scan for, and report child sexual abuse material (CSAM) in images and links, was reportedly removed from the EU Council’s agenda earlier this month. Several countries, such as Poland, Germany, and the Netherlands, were expected to either abstain or oppose the law over cybersecurity concerns. Others, like Ireland and Spain, feel that there is a need for a “strong law” to combat the spike of CSAM that we’ve seen since the pandemic.

In the final hours, it was decided that the required majority was not going to be achieved, and so the vote was dropped.

Read more about this here.

Post Office accidentally publishes over 500 sub-postmasters’ names and addresses

The Post Office has recently apologised for accidentally disclosing the names and addresses of hundreds of sub-postmasters in a document on its website.

The data belonged to 555 postmasters in total, who had been pursued during the Horizon scandal. According to former postmaster Christopher Head, this leak has caused great distress due to many of these individuals having suffered post-traumatic stress from the incident, and have been trying to move on. The Post Office referred itself to the Information Commissioner’s Office (ICO) upon discovery of this breach, and are currently being investigated by the watchdog.

Read more about this here.

Attend our next free webinar!

We’re proud to present the latest free webinar in our series:

Navigating Data Privacy in a Post-Election Britain!

Following the result of the general election taking place on 4th July, there will be considerations to make regarding various areas of data privacy, but what are these?

In this webinar, our panel will discuss:

  • The fallen DPDI Bill
  • What we can expect in the near future
  • Considerations to make going forward

…and more!

Find out more about this event and book your free place here.


If you need any support in ensuring your organisation is complying with the relevant legislation, or require training in the areas of data protection and information security, get in contact with us.

Either call us on 0203 3013384, email us at info@dataprivacyadvisory.com, or fill out a contact form. Our dedicated team will get back to you as soon as possible.

related posts

Get a Free Consultation