Data Protection News Update 06 March 2023

United States

‘Aggressive’ national cybersecurity strategy announced

  • The Biden-Harris Administration announced the national cybersecurity strategy to ‘secure the full benefits of a safe and secure digital ecosystem for all Americans’.
  • The previous administration’s approaches to cybersecurity focused more on voluntary public-private partnerships and information-sharing practices, while Biden’s strategy is the first one to push for more aggressive and comprehensive federal cybersecurity regulation.
  • It is noted that ‘we must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small business and local governments and onto the organizations that are most capable and best-positioned to reduce risks for all of us. Realign incentives to favour long-term investments by striking careful balance between defending ourselves against urgent threats today and simultaneously strategically planning for and investing in a resilient future’.
  • The government was prompted to craft a cybersecurity strategy following a series of major cyberattacks, including the 2021 Colonial Pipeline ransomware attack and the SolarWinds breach of federal government agencies in 2019.

US Federal Trade Commission reaches deal with BetterHelp over data misuse claims

  • The FTC reached a settlement with online therapy company BetterHelp due to the allegations brought forward that it shared customers’ sensitive health data with third parties for advertising purposes.
  • BetterHelp has agreed to pay $7.8 million and change a variety of its business practices. It is also required to obtain express consent from consumers before sharing their data for any other purpose, to implement a privacy program and to introduce limits on how long it stores personal data.

US Military develops drones with facial recognition technology (FRT)

  • The US military is developing lethal drones equipped with FRT.
  • The autonomous drones would use machine learning to identify potential targets of US special operations forces.
  • Ethical concerns have been raised. Studies have found that FRT regularly misidentifies non-white people, and that FRT combined with AI could be used to target specific people, perhaps before they have even committed a crime. The use of FRT, especially when integrated into a lethal weapons system, could therefore be problematic.

US FTC warns Amazon

  • The US FTC is putting companies and the broader health-app market ‘on notice’, informing them that it intends to keep monitoring the use of consumer health data and to use its enforcement arm when needed.
  • The FTC warned Amazon and its newly acquired health care chain One Medical that patients’ personal health information should not be used for advertising or marketing purposes. It urged the company to declare how it intends to use health data.
  • FTC commissioners said Amazon had pledged to respect consumers’ privacy.
  • Whether companies’ privacy representations are deceptive will be decided from the perspective of a reasonable consumer rather than the perspective of an expert.

Europe

noyb files series of complaints against websites and data brokers

  • noyb has filed a series of complaints against websites and data brokers that did not correctly handle access requests from users who were authenticated using cookies.
  • According to noyb, the companies had shown ‘obstructive approaches when authenticating users; ranging from denying the right to access, to requiring additional information, unnecessary to authenticate the user’.

Norway’s DPA finds Google Analytics in breach of EU GDPR

  • Following its investigation into the use of Google Analytics, Norway’s data protection authority issued a preliminary conclusion finding the tool in breach of the EU GDPR’s data transfer provisions.
  • The DPA reiterated its recommendation that companies should find alternatives and said a formal decision could come at the end of April with more details.

EU Council circulates compromise text on Cyber Resilience Act

  • The Swedish presidency of the EU council has circulated a new compromise text of the Cyber Resilience Act, providing more information on its interplay with the AI Act, enforcement and penalties.
  • The text clarifies that AI systems considered high risk will be deemed to comply with the AI Act’s cybersecurity measures if they meet the requirements of the Cyber Resilience Act.
  • The new text also requires EU countries to implement an appeal procedure for the external audits required of certain products.

EDPB releases non-binding opinion on draft adequacy decision on EU-US Data Privacy Framework

  • The EDPB released a non-binding opinion on the draft adequacy decision based on the EU-US Data Privacy Framework, welcoming what it called substantial improvements while expressing concern and requesting clarification on several points.
  • In the press release, the EDPB applauded requirements of necessity and proportionality for US intelligence gathering of data as well as a new redress mechanism for EU data subjects.
  • However, the EDPB has concerns with regard to certain rights of data subjects, onward transfers, the scope of exemptions, temporary bulk collection of data and the practical functioning of the redress mechanism.
  • It is recommended that more effective powers to remedy violations be introduced, including additional safeguards for data subjects.

International

Long-awaited Chinese Standard Contractual Clauses and SCC Regulations released

  • The long-awaited Chinese Standard Contractual Clauses and SCC Regulations were finally released by the Cyberspace Administration of China effective June 1.
  • According to the SCC Regulations, business organizations are only allowed to adopt the SCCs for transferring data from China abroad if all of the following requirements are met:
    • The data exporter is not a critical information infrastructure operator (CIIO), a term that covers business entities in the financial, energy, telecom, public utility, health care, transportation, e-government and other sectors that bear on China’s national security and public interest.
    • The data exporter has not processed personal data of more than 1 million individuals.
    • The data exporter has not made aggregated transfers of personal data exceeding 100,000 individuals since 1 January of the previous year.
    • The data exporter has not made aggregated transfers of sensitive personal data exceeding 10,000 individuals since 1 January of the previous year.
  • Before entering into the cross-border data transfer agreement, the data exporter must conduct an impact assessment and prepare an impact assessment report considering multiple factors, including: the validity, necessity and appropriateness of the cross-border transfer; the scope, category, volume and sensitivity of the data transferred; the obligations to be undertaken by the foreign data recipient; the technical and organizational measures to be adopted by the foreign recipient; the potential risk of personal data being breached, leaked or damaged after the transfer and the remedy channels available to data subjects; the data protection laws and policies of the destination country; and other aspects which may affect the cross-border data transfer.
  • Many of the terms in China’s SCCs are similar to the GDPR SCCs in relation to the obligations of the transferor, the responsibilities of the foreign data recipient and the rights of data subjects. However, there are clauses with significant Chinese characteristics; for example, the Chinese SCCs impose stricter requirements on onward data transfer than the GDPR SCCs.

Turkey fines TikTok 1.75 million lira

  • Turkey has fined TikTok 1.75 million lira ($93,000) for weak data protection measures, specifically for ‘not taking all necessary measures to ensure the appropriate level of security to prevent unlawful processing of personal data’.
  • The authority further noted that TikTok should translate its Terms of Service into Turkish and update its privacy and cookie policy texts in line with the country’s regulations.
  • Turkey is the country with the 9th most users of TikTok in the world with 30 million accounts.

Sweeping proposed reforms for Australia’s data protection legislation

  • The proposed reforms are aimed at strengthening the protection of personal information and the control individuals have over their information, and at ensuring the Privacy Act is ‘fit for purpose in the digital age and align the Privacy Act with equivalent overseas laws, including the GDPR’.
  • Some of the key proposed reforms are:
    • Fair and reasonable test and accountability: the processing must be fair and reasonable in the circumstances;
    • Removal of exemptions for small businesses;
    • Strengthening of security, data retention and data breach clarification;
    • New rights for individuals such as erasure and de-indexing of search results and to an explanation about how their personal data is handled;
    • Cross-border disclosures are made easier: mechanisms are to be introduced to make it easier to disclose data in a compliant way, including prescribing countries with protection similar to Australia’s and developing standard contractual clauses for use by entities.

Nigeria Data Protection Bill moves forward

  • Nigeria’s Federal Executive Council approved the Nigeria Data Protection Bill 2022 and transmitted it to the National Assembly for consideration.
  • The bill, whose first draft was presented in October 2022, is an implementing regulation for the Nigeria Data Protection Regulation and establishes enforcement and oversight through the proposed Nigeria Data Protection Commission.

United Kingdom

Audit outcomes of Scottish Parliament

  • In 2022, the ICO carried out a consensual data protection audit of various directorates of the Scottish Government.
  • Areas identified for improvement include:
    • Carrying out a data flow mapping exercise to fully understand how data is used across departments;
    • Identifying data protection risks when undertaking new projects;
    • Training information asset owners; and
    • Improving the measures in place to ensure people’s data is kept secure.

TikTok bans: UK at risk of lagging behind EU and US

  • The British government is facing scrutiny and criticism over its stance on Chinese-owned platform TikTok despite repeated warnings from security experts and many British lawmakers.
  • ‘We run the risk of being marooned as tech security laggard among free and open nations’ said Alicia Kearns.
  • These concerns are raised following the recent developments with the European Commission and the Council of the EU banning their staff from using TikTok on work phones and the US decision in December to forbid the use of the app for all federal government devices.
  • Rishi Sunak said it is up to ‘individual ministers and departments’ to decide which social media platforms to use to communicate with the public.
  • TikTok is actively lobbying in and around Westminster to prevent political pushback on its app.

YouTube accused of collecting UK children’s data

  • Campaigner Duncan McCann has lodged an official complaint with the ICO saying that YouTube has been collecting the viewing data of children under the age of 13, in breach of the UK data privacy code designed to protect children.
  • It is claimed that YouTube stores information on what videos children watch, their location and what device they are using. Company officials said its services are intended for persons older than 13. According to the complaint, children often use their parents’ devices, and the data is stored as if an adult were viewing the content.

UK pauses data protection reform

  • The UK Government will not act on the proposed Data Protection and Digital Information Bill during the current parliamentary session.
  • A source said the bill will ‘sit idle as the new Department for Science, Innovation and Technology gets acclimated and devises its agenda’.

Signal threatens to leave UK

  • Signal President Meredith Whittaker said the messaging app would leave the UK if its Online Safety Bill weakens end-to-end encryption.
  • A Home Office spokesperson said the bill does not ban encryption, but makes clear that technological changes should not be implemented in a way that diminishes public safety.
