DPAS Data Protection Bulletin - October 19
Welcome back to our monthly DPAS bulletin, where we cover the latest data protection news, and developments, from all around the world.
In the last few weeks, the ICO has cracked down on multiple organisations for unlawful marketing calls, the UK extension to the EU-U.S. Data Privacy Framework (DPF) came into effect, and Snap received a preliminary enforcement notice due to possible failure to assess risks with its AI chatbot.
So without further delay, let’s explore what’s been going on in the data protection world.
Join us at #RISK London
We’re exhibiting with RESPONSUM at the #RISK conference at ExCeL London on the 18th and 19th October! If you’re around, come and find us to say hello.
Recap: “The Advantages of Using a Privacy Management Software” Webinar
DPAS recently partnered with RESPONSUM to bring you a webinar on how using privacy management software can make your data protection duties much easier and more efficient. Get in touch with us to learn more or book a full demo.
Or, if you want to catch up on the webinar to find out more, we’ve uploaded the full recording online for you to view. Watch it here.
First-Tier Tribunal (FTT) Overturns ICO’s Penalty Notice
The First-tier Tribunal (Information Rights) has overturned the £7.5 million penalty notice that the UK Information Commissioner imposed on Clearview, a firm based in Delaware, USA. The Tribunal found that the ICO had no power to issue the notice: the processing in question fell outside the territorial scope of the UK GDPR as defined after Brexit, so the Commissioner’s enforcement powers did not reach it. Read more about this in our recent article.
Government Regulatory Activity
UK and US Announce UK extension to EU-U.S. Data Privacy Framework (DPF)
From 12th October 2023, UK businesses can transfer personal data to U.S. organisations that have self-certified under the UK Extension to the Data Privacy Framework (DPF). On 18th September, for this very purpose, the U.S. Attorney General designated the UK a “qualifying state”, the final step needed for the extension to take effect.
Whilst this bridge does make transfers easier, be warned: it doesn’t apply to everybody. Before relying on it, check that the recipient is certified under the UK Extension and appears on the DPF List (certification under the EU-U.S. DPF alone is not enough), and keep a record of that check. The bridge also doesn’t guarantee safety. There are shortfalls surrounding special category data and individuals’ rights: for example, the DPF’s definition of “sensitive” data is narrower than the UK GDPR’s special categories, so the sender must flag such data as sensitive to the recipient. Organisations will therefore still need to consider the impact of transferring data to the U.S.
China Announces Changes to Cross-Border Data Transfer Requirements
The Cyberspace Administration of China (CAC) has proposed significant relaxations to the country’s strict rules on cross-border data transfers where they arise from ordinary business activities. The proposals concern the requirement to submit transfers for a CAC security assessment, which would be limited mainly to data classified as “important data”.
More information on these developments can be found here.
ICO Warns that Data Breaches Put Domestic Abuse Victims in Danger
On 27th September, the ICO once again warned organisations to train their staff properly and to put appropriate procedures in place to prevent data breaches. The warning follows the ICO having reprimanded seven organisations over the last 14 months for breaches affecting victims of domestic abuse.
In four of these cases, the organisations revealed the victim’s safe address to their alleged abuser. One of these victims had to then seek emergency accommodation for them and their family as a result.
The ICO therefore reminded organisations how significant an impact a single data breach can have on a vulnerable person, and urged them to ensure they have robust procedures in place and well-trained staff, to avoid this kind of incident. Most data breaches result from human error, and training is one of the most effective ways to reduce that risk.
ICO Urges Public Authorities to Stop Using Spreadsheets in FOI Responses
Following some high-profile data breaches, the Information Commissioner has called on public authorities to stop immediately using original source spreadsheets when responding to Freedom of Information requests. The breaches in question occurred when personal information was accidentally disclosed inside a spreadsheet. The danger is that a spreadsheet can carry personal data the responder never sees on screen: hidden sheets, hidden rows and columns, and pivot-table caches that retain a copy of the underlying source data. Sending working spreadsheets, particularly ones with hundreds or even thousands of rows, is therefore now strongly advised against; export only the data intended for disclosure instead.
Read the full statement here.
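As an added example (this is not code from the bulletin or from the ICO statement), the check below shows one way to catch the hidden content described above before a spreadsheet leaves the building. An .xlsx file is a zip archive of XML parts, so the standard library alone can inspect it for hidden worksheets, hidden rows and columns, and pivot-cache records. The sample workbook it builds is constructed in-memory test data and is deliberately skeletal (it omits the content-type and relationship parts a real file carries); the function and sample names are the author's own.

```python
"""Pre-release audit of an .xlsx for content that is not visible on screen.

Added illustration (not the bulletin's or the ICO's code). An .xlsx is a zip of
XML parts, so we open it with zipfile and parse the parts with ElementTree:
  - xl/workbook.xml lists worksheets; state="hidden"/"veryHidden" marks a hidden tab
  - xl/worksheets/*.xml hold <col hidden="1"> and <row hidden="1"> entries
  - xl/pivotCache/pivotCacheRecords*.xml stores a copy of a pivot table's source data
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
TRUE_VALUES = {"1", "true"}  # OOXML booleans may be written either way


def audit_xlsx(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing hidden was found."""
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = sorted(zf.namelist())

        # 1. Worksheet tabs that the reader would not see.
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in workbook.iter(NS + "sheet"):
            state = sheet.get("state", "visible")
            if state != "visible":
                findings.append(f"worksheet '{sheet.get('name')}' is {state}")

        for name in names:
            # 2. Hidden columns and rows inside each worksheet part.
            if name.startswith("xl/worksheets/") and name.endswith(".xml"):
                ws = ET.fromstring(zf.read(name))
                cols = [c.get("min") for c in ws.iter(NS + "col") if c.get("hidden") in TRUE_VALUES]
                if cols:
                    findings.append(f"{name}: hidden column(s) starting at index {', '.join(cols)}")
                rows = [r.get("r") for r in ws.iter(NS + "row") if r.get("hidden") in TRUE_VALUES]
                if rows:
                    findings.append(f"{name}: hidden row(s) {', '.join(rows)}")
            # 3. Pivot caches: the records part is a copy of the source table.
            if name.startswith("xl/pivotCache/pivotCacheRecords"):
                findings.append(f"{name}: pivot cache records (a copy of the pivot's source data)")
    return findings


def build_sample_workbook(with_hidden_content: bool = True) -> bytes:
    """Build a minimal, constructed .xlsx in memory (test data, not a real FOI release)."""
    main = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
    rels = 'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"'
    hidden_tab = ' state="hidden"' if with_hidden_content else ""
    workbook = (f'<workbook {main} {rels}><sheets>'
                '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
                f'<sheet name="Source"{hidden_tab} sheetId="2" r:id="rId2"/>'
                '</sheets></workbook>')
    summary = (f'<worksheet {main}><sheetData>'
               '<row r="1"><c r="A1" t="inlineStr"><is><t>Total requests</t></is></c></row>'
               '</sheetData></worksheet>')
    hidden_col = '<cols><col min="3" max="3" width="0" hidden="1"/></cols>' if with_hidden_content else ""
    hidden_row = ' hidden="1"' if with_hidden_content else ""
    source = (f'<worksheet {main}>{hidden_col}<sheetData>'
              '<row r="1"><c r="A1" t="inlineStr"><is><t>Name</t></is></c></row>'
              f'<row r="2"{hidden_row}><c r="A2" t="inlineStr"><is><t>J. Smith</t></is></c></row>'
              '</sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml", summary)
        zf.writestr("xl/worksheets/sheet2.xml", source)
        if with_hidden_content:
            zf.writestr("xl/pivotCache/pivotCacheDefinition1.xml",
                        f'<pivotCacheDefinition {main} saveData="1"/>')
            zf.writestr("xl/pivotCache/pivotCacheRecords1.xml",
                        f'<pivotCacheRecords {main}><r><s v="J. Smith"/></r></pivotCacheRecords>')
    return buf.getvalue()


if __name__ == "__main__":
    for finding in audit_xlsx(build_sample_workbook()):
        print("BLOCK:", finding)
    print("clean workbook findings:", audit_xlsx(build_sample_workbook(with_hidden_content=False)))
```

The audit is a gate, not a cleaner: anything it flags should be removed by exporting the intended rows to a flat CSV (which cannot carry hidden sheets or caches) rather than by unhiding and deleting in place, since the pivot cache survives that. Real workbooks can also hide data in comments, defined names and document properties, so extend the part list to suit your own releases.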
Court of Appeal Rules ICO Able To Determine Cases It Investigates
The Court of Appeal has confirmed that the ICO has broad discretion over how far it investigates a complaint: it may express a view on a complaint without necessarily reaching a decision on whether an infringement has taken place. The confirmation follows a lengthy court battle over a claim that the ICO had unlawfully failed to determine a complaint about a subject access request. The court ultimately rejected that claim.
Read more about this story here.
ICO Issues Numerous Monetary Penalties and Enforcement Notices for Marketing Calls
The Information Commissioner’s Office has issued enforcement notices and monetary penalties to five organisations whose marketing calls to individuals breached regulation 21 of the Privacy and Electronic Communications Regulations (PECR).
ICO Issues Preliminary Enforcement Notice Against Snap for Risks with Chatbot
Snap, Inc and Snap Group Limited have received preliminary enforcement notices from the ICO over their potential failure to properly assess the risks posed by their generative AI chatbot, “My AI”. If a final enforcement notice follows, Snap may be prevented from offering the product to UK users at all until an adequate risk assessment has been carried out. The ICO has emphasised the importance of this assessment because much of the data being processed is that of children, and it reminds all organisations to consider their data protection obligations from the outset when deploying innovative technology such as generative AI.
Nottingham County Council Reprimanded for Not Redacting Sensitive Data from Child and Family Assessment Report
One of the seven aforementioned recent data breaches that affected domestic abuse victims was due to information being included in a Child and Family Assessment report – sent to a mother and her two ex-partners – that should have been redacted. This incident created a dangerous situation between those involved, putting the mother and children at risk of harm.
Following this, Nottingham County Council was reprimanded for the social worker’s mistake. Read more here.
Come to our free conference
Engage, Educate, Empower
DPAS is partnering with Responsum to bring you a free data protection and information security conference!
Featuring talks by guest speakers from organisations like Deliveroo, Pngme, and Digital Health and Care Wales (with more to be announced), this conference will bring all sorts of people together from the data protection world for an event of discussion, team-building activities, and building new connections.
Join us at the Bond in Digbeth, Birmingham at 9:00 on the 31st January – we’ll see you there!
Book your free ticket here.
How can we help you?
We provide a range of data protection and information security consultancy services, training courses, free webinars, and more.
With our help, you’ll be able to transform data protection compliance from a complicated obstacle to a value-added asset.
Visit our website here to learn more, and to see how we can help.