Data Protection News Update 07 August 2023

United Kingdom

ICO issues reprimand to NHS Lanarkshire due to patient information being shared by staff

  • The ICO has given NHS Lanarkshire a formal reprimand after 26 members of staff were part of a WhatsApp group where patient information was exchanged from 2020 -2022.
  • After the organisation became aware of the breach, they reported it to the ICO which found that NHS Lanarkshire lacked the necessary policies and procedures needed when WhatsApp was first utilised for communication between staff during the pandemic.

United States

US state legislatures consider proposals to use biometric data to verify age for alcohol purchases

  • New York and Washington state legislatures are considering bills proposing that an individual’s age be verified via fingerprints, voice recognition or retinal scans for sales of alcoholic beverages and products containing tobacco.
  • Currently, companies such as Amazon and CLEAR sell biometric ID systems which have been used in sports stadiums to allow attendees to order alcoholic beverages using the facial recognition capabilities of smart phones.
  • While those in favour of the Bill point to the convenience of using biometric verification compared to physical ID, concerns have been raised due to studies which found bias and racial discrimination within facial recognition systems.

Department of Health and Human Services considers a proposed rule to extend privacy protection for reproductive services

  • The rule in question would apply to identifiable health data that falls under the Health Insurance Portability and Accountability Act 1996 (HIPAA) and would prevent medical staff and health insurance providers from sharing information that relates to reproductive services.
  • Advocates for the rule view it as necessary protection for individuals’ access to reproductive services following the 2022 Supreme Court decision in Dobbs v Jackson Women’s Health Organization which saw the Supreme Court rule striking down the federal right to abortion.
  • Those against the rule claim that it would hinder law enforcement authorities collecting data relevant to criminal cases and argue that the rule goes against state laws which place limitations on reproductive services.

Former employee brings class action lawsuit against Pepsi

  • The plaintiff is claiming that Pepsi collected employees’ voiceprints without their consent in violation of the Illinois Biometric Information Privacy Act.
  • The lawsuit alleges that Pepsi required employees to use their voiceprint to clock in and out of work on a daily basis, and that it was also used when allocating assignments among employees.


France’s Data Protection Authority publishes results for ‘sandbox’ projects

  • France’s data protection authority, the Commission nationale de l’informatique et des libertés (CNIL) has published the results of their digital health ‘sandbox’ projects and EdTech ‘sandbox’ projects which were run in collaboration with research institutions.
  • Sandbox projects included setting up “personal cloud” server for students to facilitate ‘digital workspaces’ and looking at federated learning systems for multiple ‘health data warehouses’.
  • The CNIL has is currently calling for projects within an ‘artificial intelligence’ sandbox which will investigate the use of AI for public service.

Meta will begin seeking permission from EU data subjects before processing data for advertising

  • Following decisions issued by the EU Court of Justice and the Irish Data Protection Commission earlier this year, Meta has released a statement explaining that they will be moving from ‘legitimate interest’ to ‘consent’ as the legal basis used to process data for advertising within the EU, EEA and Switzerland.
  • This marks a shift from Meta’s longstanding model of relying on legitimate interest to process data and run personalised ads.
  • Last year, 97% of Meta’s revenue was generated via advertising.
  • The ICO has released a statement highlighting the fact that this change does not apply to UK users and announced their intention to evaluate how UK data subjects are affected before formulating their response.

Norway’s Data Protection Authority releases guidance on collecting website analytics and tracking tools

  • Norway’s data protection authority (Datatilsynet) has advised firms to minimise data being collected where possible and warns against transferring data to countries with lower levels of protection.
  • The advice also highlights the need to provide website users with information that is clear and easy to understand regarding how personal data is collected, and warns companies against relying on standard cookie banners to seek permission for processing personal data.


India introduces ‘Digital Personal Data Protection Bill’, 2023

  • The Bill imposes obligations on ‘Data Fiduciaries’’, who are the entities that are “determining the purpose and means of processing” personal data and will be required to obtain consent except for where a narrow set of ‘legitimate uses’ apply.
  • The draft has been criticised for giving the government the power to decide the list of countries who can receive cross border data transfers, as well as the specific circumstances in which such a transfer can be facilitated.
  • The Internet Freedom Foundation (IFF) has also criticised the latest version of the Bill on the basis that there is no obligation for Data Fiduciaries to let individuals know about the third parties who might be receiving their data.

Singapore announces collaboration with Google for a Privacy Enhancing Technologies (PETS) Sandbox

  • The Infocomm Media Development Authority of Singapore has announced a collaboration for a Privacy Sandbox that invites companies to participate in order to learn about ‘privacy preserving alternatives’ to accessing data on websites and utilising third party cookies.
  • The sandbox is open to any business that is registered within Singapore and is aimed at allowing businesses to enhance their privacy measures across web and mobile applications.

South Korea calls for public comments on the proposed revised certification system

  • The Personal Information Protection Commission has announced that a public consultation has begun regarding the proposed changes to the ‘information security and privacy management systems’ certification.
  • The new changes focus on data collection and pseudonymised processing.


More Posts

Send Us A Message