Data Protection News Update 05 August 2024

United Kingdom

ICO slams Electoral Commission over security failures

  • The UK Information Commissioner’s Office has criticised the Electoral Commission for basic security failings exposing the personal data of 40m voters. According to the ICO, the Electoral Commission failed to keep servers up to date with security measures, and has inadequate password policies in place.
  • Hackers accessed the Electoral Commission’s Microsoft Exchange Server two years ago, by impersonating a user account and exploiting software vulnerabilities. These hackers have had access to personal information on the register for over a year (including names and addresses), and information was accessed on several occasions without the knowledge of the Electoral Commission.
  • The Electoral Commission has since taken steps to improve security, including planning to modernize its infrastructure, password policy controls and multi-factor authentication.

Elon Musk’s X under pressure from regulators over data harvesting for Grok AI

  • Users of X have been consenting to their posts being used to build artificial intelligence systems through a default setting on the app, a practice that violates UK and EU GDPR rules.
  • The UK GDPR does not allow companies to use “pre-ticked boxes” or “any other method of default consent”. However, the setting on X comes with an already ticked box, allowing posts, “interactions, inputs and results” to be used for training and fine-tuning of Grok AI.
  • The ICO stated that platforms seeking to use users’ data for their AI foundation models should be transparent about their activities, should proactively notify users in advance of using data this way, and should allow people to object to having their data used this way.

United States

US court blocks Biden administration net neutrality rules

  • The U.S. appeals court blocked the Federal Communications Commission’s reinstatement of landmark net neutrality rules, instead scheduling oral arguments for late October/early November on the issue. This comes after the FCC voted to reassume regulatory oversight of broadband internet and reinstate the rules after Donald Trump had rescinded them when he was president.
  • Net neutrality rules require service providers to treat internet data and users equally (which means no restriction of access, slowing of speeds or blocking content for certain users). Favourable arrangements for certain uses are also prohibited, such as improved network speeds or access to favoured users.
  • The appeals court considers net neutrality “a major question requiring clear congressional authorization”.
  • The FCC Chair has said “The American public wants an internet that is fast, open, and fair. Today’s decision by the Sixth Circuit is a setback but we will not give up the fight for net neutrality”.

US Senate passes major online child safety reforms, House fate unclear

  • Two bills, the Children and Teens’ Online Privacy Protection Act (COPPA 2.0) and the Kids Online Safety Act (KOSA), have been approved by the Senate in a bipartisan vote.
  • The bills target different age ranges, and put in place different data privacy measures. COPPA 2.0 would prohibit targeted advertising to minors and data collection without their consent; and KOSA would make explicit a “duty of care” social media companies have when it comes to minors (with a focus on design of the site and regulation of the companies).
  • Executives of social media sites have had opposing views: executives at Snap and X spoke in support of KOSA at a congressional hearing in January, while Meta CEO Mark Zuckerberg and TikTok CEO Shou Zi Chew said they disagreed with parts of it.

Europe

US, EU, Allies Commit to Address Privacy Risks in Connected Cars

  • The U.S., EU, and other US-allied countries (including Canada, Japan, Germany and Australia) have agreed to address the inherent cybersecurity and data privacy risks in connected vehicles’ continuous communication with other vehicles, telecommunications networks and other infrastructure.
  • The U.S. State Department has stated that options for advancing affirmative cybersecurity standards and mitigating risks will be explored.

International

Malaysia: Personal Data Protection (Amendment) Bill 2024

  • The Personal Data Protection (Amendment) Bill 2024 has been made publicly available. It includes introducing obligations for data processors; mandatory data breach notifications; requirements to appoint data protection officers (DPOs); expanding the definition of sensitive personal data; a general legal basis for cross-border transfers; and new data subject rights on data portability.
  • The bill introduces higher penalties than before for non-compliance with personal data protection principles. Penalties for data controllers reach a MYR one million fine and/or three years imprisonment. Directors, CEOs, managers or those responsible for the management of the data controller also may be held jointly or severally liable with the corporate body for the offence, unless proven otherwise.
  • Under the bill, biometric data would be considered sensitive data, and subject to a separate set of legal bases.
  • In terms of the changes to cross-border transfers, transfers would now be allowed if there is a law substantially similar to the PDPA in that place, or if that place ensures an adequate level of protection that is at least equivalent to the level of protection provided by the PDPA.

Ransomware attack forces hundreds of small Indian banks offline, sources say

  • A ransomware attack affecting C-Edge Technologies, a technology service provider, has forced payment systems across almost 300 small Indian local banks to shut down temporarily.
  • The National Payment Corporation of India advised on Wednesday it had “temporarily isolated C-Edge Technologies from accessing the retail payments operated by NPCI” and “customers of banks serviced by C-Edge will not be able to access payment systems during the period of isolation”.
  • As most of the banks affected were small banks, a source at the regulatory authority has said only about 0.5% of the country’s payment system volumes would be impacted.
