Data Protection News Update 05 February 2024

IGS
February 5, 2024

United Kingdom

ICO warns organisations to proactively make advertising cookies compliant after positive response to November call to action

The UK Information Commissioner’s Office Executive Director for Regulatory Risk Stephen Almond reported that they received an ‘overwhelmingly positive response’ to its November 2023 warning to have 53 of the UK’s top 100 website change their cookie mechanisms.
38 of the 52 websites that received formal warnings changed their cookie banners, with four additional websites pledging to achieve compliance by the end of February.
Almond said the ICO will continue to issue warnings to the next 200 most popular websites.

UK Ofcom’s Online Safety Act code of practice consultation ongoing

The UK Office of Communications (Ofcom) issued a reminder regarding its stakeholder consultation.
Ofcom is currently consulting on the codes of practice which set out how online services should meet their new duties from the Online Safety Act to protect people from illegal content.
The consultation focuses on the size of the services covered and what uses are being targeted.

United States

Attorney General James sues Citibank for failing to protect and reimburse victims of electronic fraud

New York Attorney General Letitia James filed a lawsuit against Citibank for allegedly failing to protect and compensate fraud victims.
The lawsuit alleges that Citibank did not apply strong protections to prevent fraudulent takeover of customer accounts and provided misleading information to customers regarding their rights when their accounts were compromised or frozen.
James encourages all consumers who have lost money to scammers who hacked into their online or mobile banking to report their experiences to OAG’s Consumer Frauds Bureau.

Europe

CJEU rules police should not indefinitely store biometric data

The Court of Justice of the European Union ruled law enforcement storing biometric information for someone convicted of a crime indefinitely is against the spirit of the law.
The Court called for national legislation to require data controllers to periodically review stored data and decide whether it is still needed, and also give people the chance to have data erased.

Uber fined €10 million for infringement of privacy regulations

The Netherland’s data protection authority, the Autoriteit Persoonsgegevens (AP), in cooperation with France’s DPA, the Commission Nationale de l’Informatique et des Libertes, issues a 10 million euro fine to Uber.
The fine was issued for allegedly failing to disclose its data retention period for European drivers’ data, and not reporting the non-EU countries it shares data with, among other reasons.
Although the app for drivers contained a form for requesting access to their data, it was located deep within the app and spread across various menus.
France’s DPA imposed the fine after more than 170 French drivers complained to the French human rights organisation, Ligue des droits de l’Homme et du citoyen (LDH), which then submitted a complaint to the French DPA.

ChatGPT: Italian DPA notifies breaches of privacy law to OpenAI

Italy’s data protection authority, the Garante, issued a notice to OpenAI that its ChatGPT chatbot allegedly violates the EU General Data Protection Regulation.
After a temporary ban on processing which was imposed on OpenAI by the Garante on 30 March 2023 and based on the outcome of its fact-finding activity, the Italian DPA concluded that the available evidence pointed to the existence of breaches of the provisions contained in the EU GDPR.
OpenAI may submit counterclaims concerning the alleged breaches within 30 days.

International

Catering veteran pushes sector to end collection of personal data

A catering executive is working to stop food service apps from collecting personal data after Hong Kong’s Office of the Privacy Commissioner for Personal Data found that 10 out of 60 restaurants collected consumer data for direct marketing.
This collection of personal information typically occurred after customers used a QR code or mobile application to order their food.
President of the Hong Kong Federation of Restaurants and Related Trades Simon Wong Ka-wo states it is often the app company, rather than the restaurant itself, that sells customers’ data to other parties for marketing purposes.
Wong emphasized that customers have the right to refuse to provide personal data if they feel their privacy is being intruded upon during the ordering process.
The Privacy Commissioner for Personal Data, Ada Chung Lai-ling, called on restaurants to specify whether the data collected will be shared with third parties in privacy policies or information collection statements.

Data Protection News Update 22 April 2024

United Kingdom ICO reprimands housing association for insufficient data security ICO publishes guidance to improve transparency in health and social care United States Change Healthcare’s

Data Protection News Update 15 April 2024

United Kingdom Information Commissioner’s Office seeks views on accuracy of generative AI models United States US Senator says TikTok divestiture deadline could be extended to

Asking (and answering) an obvious but important question: why does data confidentiality matter, ethically speaking?

In my last article, I focused on the ethical significance of one of the most prominent failure of data governance in recent times; namely, the

Data Protection News Update 08 April 2024

United Kingdom ICO sets out priorities to protect children’s privacy online ICO joins global data protection and privacy enforcement programme United States US and UK