Data Protection News Update 03 April 2023

IGS
April 3, 2023

United States

Facebook’s USD725 million settlement in the Cambridge Analytica suit gets preliminary approval

The US District Court for the Northern District of California gives preliminary approval to the ‘largest privacy class action settlement in the United States’.

California Consumer Privacy Rights Act (CPRA) is finalized and gets California Office of Administrative Law’s approval (OAL)

California Privacy Protection Agency (CPPA) announced that the first California Privacy Rights Act regulation package got approved by the OAL.
This package covers topics on data processing agreements, consumer opt-out mechanisms, mandatory recognition of opt-out preference signals, dark patterns and consumer request handling.

Arkansas files lawsuits against TikTok and Meta

The state of Arkansas decided to sue TikTok and Meta claiming that the social media companies mislead their consumers on the safety of children on their platforms.
It is claimed that the companies are in breach of the state’s deceptive trade practices act.

Europe

The Dutch national railway has suffered a data breach affecting more than 780,000 passengers

The Dutch national railway reports that an ‘external party’ managed to gain unauthorized access through third party software provider.
The individuals affected are people participating in a satisfaction survey and might have had identifiable information revealed and compromised.
The matter has been referred to the Dutch DPA.

Meta plans to change their approach to advertising in Europe

This new privacy approach is only intended to apply to their European users.
European users will be allowed to choose a service of Meta that would only target them with ads based on broad categories.
Furthermore, apparently, Meta is considering to ban political advertising in Europe due to fears that the company might fail to abide by new EU campaigning laws.

France approves draft legislation to use ‘’intelligent’ surveillance systems for 2024 Olympics

French lawmakers approved the draft legislation to temporarily utilize ‘intelligent surveillance systems’ in the period where the 2024 Paris Olympics and Paralympics will take place.
Apparently, the system will ‘combine cameras with artificial intelligence software to flag potential security concerns’. Human involvement will take place afterwards where an operator would evaluate if a flagged security concern needs action.
This has been criticized by Privacy activists. They worry that this technology could be an assault to people’s civil liberties. Especially, since the law allows the state to use this technology on an experimental basis until the end of 2024 for all cultural events, which could make France a ‘dystopian surveillance state’.

France’s data protection authority (CNIL) fines rental scooter company over geolocation data collection

Rental scooter company Cityscoot was fined 125,000 euros for collecting and keeping a record of the geolocation data of vehicles.
The company was found in breach with the data minimization principle of the GDPR and in breach of the French Data Protection Act because it failed to inform users and obtain their consent to process their data.

Italy orders OpenAI to stop processing people’s data locally with immediate effect

The Italian data protection authority is concerned ChatGPT’s maker is in breach of the GDPR, specifically that it has unlawfully processed people’s data. Furthermore, there is no system in place to prevent children from accessing and using the technology.
OpenAI needs to respond to the order within the next 20 days.

International

Australian property Developer Meriton suffers data breach

Meriton announced that a data breach affecting 1,900 customers and staff members had occurred.
It is claimed that the breach potentially involved the disclosure of financial, health and employment information of staff members and that guest contact information might have been compromised as well.

7.9 million driver’s license numbers stolen in Australia

Latitude Group Holdings Ltd – an Australian consumer finance firm, disclosed that hackers stole the driver’s license numbers of nearly 8 million Australian and New Zealand residents.
This makes this data theft one of the biggest confirmed data breaches of Australia.

Experts urge pause in creation o f AI ‘digital minds’

More than 1000 AI experts call for an immediate pause on the creation of ‘giant’ AIs.
‘Powerful AI systems should be developed only once we are confident that their effects will be positive and their risks will be manageable.’
Elon Musk is amongst the signatories of the open letter, one of the co-founders of OpenAI.

United Kingdom

UK Government releases AI white paper

The Department for Science, Innovation and Technology published its white paper revealing its new approach to regulating AI technology.
The white paper aims to ‘drive responsible innovation and maintain public trust in this revolutionary technology’
The white paper includes 5 distinct principles which regulators should consider for a safe and innovative use of AI technologies in the UK. The principles are the following:
- Safety, security and robustness: AI should be used in a secure, safe and robust way so that potential risks are carefully managed;
- Transparency and explainability: Organizations involved in the development and use of AI technologies should communicate when and how they use it and be able to explain a system’s decision-making process in a way which is appropriate to the risks posed by the use of AI;
- Fairness: the use of AI must be compliant with the UK’s existing laws and it must be ensured that no discrimination against individuals will occur;
- Accountability and governance: appropriate oversight is necessary;
- Contestability and redress: individuals must be empowered to dispute harmful decisions generated by AI.

High Court rules immigration exemption in the Data Protection Act 2018 is unlawful

The High court ruled that the immigration exemption contained in the DPA 2018 in its current form is still unlawful.
The ruling is based on the case brought forward by the Open Rights Group and the3million.
The ICO released a statement following the ruling stating that they welcomed the decision. ‘Protecting people’s rights, particularly where those people may not even be aware those rights exist, is a key part of the role we were set up to fulfil. We are pleased to be able to offer our expertise around this case’.
Click here for the ICO’s statement.

Data Protection News Update 22 April 2024

United Kingdom ICO reprimands housing association for insufficient data security ICO publishes guidance to improve transparency in health and social care United States Change Healthcare’s

Data Protection News Update 15 April 2024

United Kingdom Information Commissioner’s Office seeks views on accuracy of generative AI models United States US Senator says TikTok divestiture deadline could be extended to

Asking (and answering) an obvious but important question: why does data confidentiality matter, ethically speaking?

In my last article, I focused on the ethical significance of one of the most prominent failure of data governance in recent times; namely, the

Data Protection News Update 08 April 2024

United Kingdom ICO sets out priorities to protect children’s privacy online ICO joins global data protection and privacy enforcement programme United States US and UK