DPAS Data Protection Bulletin – May 22 2024

dpas bulletin - may 22

Welcome back to our monthly DPAS bulletin, where we cover the latest data protection news from all around the world.

What were the reasons behind ChatGPT receiving complaints? Why are hotel chains in China dropping face scanning? And what was the nature of the recent MoD data breach?

Read about all this and more in our latest DPAS Data Protection Bulletin.

Key Insights

ChatGPT receives GDPR complaint over inaccurate and irremovable information

OpenAI has found itself in some hot water with Austrian privacy group Noyb regarding ChatGPT’s recent failures to provide accurate information. Instead of providing Noyb founder – Max Schrems’ correct birthday, it seems the AI model took a guess instead, throwing out a completely inaccurate date instead of informing the user that it didn’t have the information available to provide an answer.

Noyb makes claims that ChatGPT violates GDPR in various ways, such as its failures to provide accurate information, its inability to remove or change inaccurate data, and the lack of information disclosed about the nature of the data processed, including where it comes from and who receives it.

Read more about this here.

Dell Technologies unveils expanded data protection portfolio

To address a number of concerns brought up in the 2024 Dell Global Data Protection Index (GDPI) survey, Dell Technologies has recently unveiled their new expanded data protection portfolio. According to Dell Technologies’ Director of Marketing for Data Protection Solutions, Rob Emsley, these offerings “help customers increase performance, efficiency and security, while providing deeper integration into Dell’s infrastructure portfolio.”

Read more about this expanded portfolio here.

Hotel chains in China drop face scan check-ins

As authorities in China push to better protect biometric data privacy, hotel chains across the country are starting to drop face scanning as part of the check-in process. Among these chains are Hilton, Marriott and H World, making the hotel and leisure industries some of the first to adjust their practices in response to the legislative pushback against this technology.

The hospitality sector’s use of biometric scanning had “overshot legal boundaries for purposeful use”, according to Dai Bin, president of the China Tourism Academy.

Read more about this here.

Patient data stolen in cyber attack and published on the dark web

NHS Dumfries and Galloway fell victim to a vicious cyber attack in which a significant volume of data was stolen by a ransomware group and published on the dark web. In March, the criminals released data relating to a small number of patients, threatening that more would follow.

The organisation has attempted to reassure patients, with executive officer Julie White saying that “NHS Dumfries and Galloway is conscious that this may cause increased anxiety and concern for patients and staff”. A telephone helpline opened to the public on 7th May, with the health board urging everyone to be vigilant of any individuals attempting to access their data, or claiming to have possession of their data already.

Read more about this news here.

MoD suffers data breach allowing hacking of UK military personnel data

The Ministry of Defence was hit by a significant data breach earlier this month, resulting in the personal data of UK military personnel being hacked.

This cyber attack targeted a third-party payroll system that the MoD used. This payroll system included personal information of both current and former members of the armed forces, such as their names and bank details, and in a few cases, potentially some addresses.

Read more about this here.

Unions request investigation of Amazon’s data surveillance practices

Amazon’s data surveillance practices have been met with some concerns lately, as trade unions from 11 different European countries wrote to data protection authorities requesting investigation.

The union leaders claim that Amazon makes use of tracking technologies like hand scanners, GPS devices, and video cameras to keep tabs on their workers in a way that can negatively impact employees’ physical and mental health.

Read more about this here.

AFL players call for better protection of personal data

Following a data breach last year that led to personal information of Port Adelaide players being leaked, concerns have been raised by Australian Football League (AFL) players about the data collection and storage practices in the sport.

Fears have begun to surface of further data breaches occurring, which are somewhat affirmed by a discussion paper released in 2022 by the Australian Academy of Science that discovered an unnecessary amount of players’ data is collected by AFL clubs – more than is used – which had “tremendous implications for professional athletes”.

Read more about this here.

Government Activity

DSIT confirms second of AI Opportunity Forum meetings was held

On 8th May, the second of three planned meetings of the AI Opportunity Forum was held at 10 Downing Street, as confirmed by the Department of Science, Innovation and Technology (DSIT).

The result of this meeting was the agreement to create a product that would inspire businesses, regardless of size, to take advantage of AI.

Read more about this here.

Enforcement Action

ICO releases statement on Upper Tribunal ruling in Experian case

The Information Commissioner’s Office (ICO) has released a statement on the Upper Tribunal’s dismissal of their appeal of the First-tier Tribunal’s 20th February 2023 ruling in favour of credit reference agency Experian.

ICO Deputy Commissioner, Steven Bonner, says that “it is regrettable that the flaws identified by the Upper Tribunal did not extend to overturning the First-tier Tribunal’s judgement”, and that the ICO will now “carefully consider [their] next steps, including whether to appeal”.

Read more about this here.

ICO fines and reprimands the Central YMCA

The Central Young Men’s Christian Association have received a fine of £7,500 and a reprimand from the ICO for the all too common mistake of using the “CC” function rather than “BCC” when sending an email out to numerous recipients.

166 individuals – who were participating in a programme for people living with HIV – could be identified from their email addresses, and therefore it can be inferred that these individuals were potentially living with HIV.

Read more about this here.

ICO welcomes First-tier Tribunal ruling in Join the Triboo appeal

The ICO has expressed their support for the First-tier Tribunal’s decision to dismiss an appeal from online recruitment firm Join the Triboo.

Join the Triboo had received an enforcement notice and a fine of £130,000 in April 2023 for sending 107 million spam emails to more than 400,000 people without their consent. Due to what the Tribunal had deemed a “poorly signposted” privacy policy, the decision was made to dismiss the appeal and uphold the penalty amount.

Read more about this here.

ICO reprimands Birmingham Children’s Trust Community Interest Company

The Information Commissioner’s Office has issued a reprimand to the organisation for sending a child protection plan to one family, but which included inappropriate personal data, namely criminal allegations against a child in the neighbouring family.

These allegations were deemed irrelevant to the plan and were not authorised for the family’s view. At the time of the incident, appropriate technical and security measures were not in place, as revealed by the ICO’s investigation.

Read more about this here.


We are pleased to announce that Data Privacy Advisory Service (DPAS) is now an official training partner of the International Association of Privacy Professionals (IAPP). 

We have added the following three NEW courses which not only increases our extensive offering of certified training for all data protection, cybersecurity and information security professionals, but expands our expertise to a wider, global audience:


  • Certified Information Privacy Manager (CIPM)
  • Certified Information Privacy Professional/Europe (CIPP/E)
  • Certified AI Governance Professional (AIGP)


Commencing in July and running throughout 2024, these courses will deliver comprehensive and thorough training taught by renowned industry experts, Ralph O’Brien and Nigel Gooding.

Read more about this here.


If you need any support in ensuring your organisation is complying with the relevant legislation, or require training in the areas of data protection and information security, get in contact with us.

Either call us on 0203 3013384, email us at info@dataprivacyadvisory.com, or fill out a contact form. Our dedicated team will get back to you as soon as possible.

related posts

Get a Free Consultation