Data Protection News Update 09 May 2023

United States

White House takes aim at AI risk mitigation

  • US President Joe Biden has announced a series of actions to “further promote responsible American innovation in artificial intelligence and protect people’s rights and safety”.
  • The administration has said that the US National Science Foundation will allocate USD140 million to fund 7 new National AI Research Institutes.
  • In addition to this, the White House is set to conduct evaluations of generative AI systems independent from providers whilst federal agencies will be “leading by example on mitigating AI risks and harnessing AI opportunities”.
  • Biden has met with the likes of Microsoft and Alphabet to emphasize the “importance of driving responsible, trustworthy, and ethical innovation with safeguards”.

Tech funded groups argue child protection bills would hurt user privacy

  • Tech trade groups that represent some of the United States’ largest digital platforms are on a mission to halt legislative efforts to protect children online.
  • Federal efforts to pass children’s online safety protections have languished amid this pushback, with the tech groups blitzing statehouses around the country in their effort to stymie the bills.
  • The argument of such groups is that these measures would hurt user privacy and free speech online.

3M US citizens’ personal data stolen in ransomware attack on insurer’s software 

  • Over 3 million members of a nationwide supplemental health insurer have had their personal information stolen in a ransomware attack on its transfer software.
  • Florida-based NationBenefits previously confirmed that more than 7,100 state residents had their information stolen in a “mass ransomware attack” that targeted Fortra’s GoAnywhere file transfer software.
  • A spokesperson for NationBenefits has declined to say what the general nature of the content of members’ stolen data was.


CJEU rules on GDPR compensation

  • The Court of Justice of the EU has rendered a decision in a case regarding consumer rights to compensation for violations of the EU GDPR.
  • The Court decided that compensation is determined by a three-condition standard, notably explaining that “not every infringement of the GDPR gives rise, by itself, to a right to compensation.”

CJEU rules on data subject rights

  • The Court of Justice of the EU has also ruled that compensation is not capped by the severity of non-material damages and that national courts will make their own decisions on damage assessment.
  • Furthermore, the Court ruled that a data subject’s right to obtain a copy of their personal data means that they need to be given “a faithful and intelligible reproduction” of all data. 
  • This right “entails the right to obtain copies of extracts from databases which contain those data, if that is essential in order to enable the data subject to exercise effectively the rights conferred on him or her by the GDPR”, the Court affirmed.

European Parliament reaches provisional political agreement on AI Act position

  • The European Parliament continues to work on its compromise position for the draft AI Act and has reached provisional political agreement.
  • This latest draft proposes making a distinction between foundational models (AI trained on broad data at scale, designed for general output yet still adaptable to an extensive range of tasks, like ChatGPT) and general purpose AI (which can be used and adapted for purposes other than the original intended purpose).
  • The proposal: foundational models would be subject to stricter requirements.
  • There are also moves to share responsibility across the AI value chain, and a proposal for the European Commission to develop non-binding SCCs for particular sectors. 


OPC deputy discusses human-centric approach to enforcement

  • Brent Homan, the Deputy Privacy Commissioner of Canada, has written a blog explaining the positives of human-centric privacy enforcement that “seeks to understand and ultimately service the best interests of individuals in the most effective and impactful way”.
  • Homan discusses global initiatives focused on the human-centric approach and how tackling common issues in the same way can produce “the most effective and all-encompassing of protections to our collective global citizenry”.

OAIC to expand; regulators urge companies to ‘get back to basics’ on privacy 

  • Mark Dreyfus, Australia’s Attorney General, has announced that the federal government will allocate resources to restructure the Office of the Australian Information Commissioner.
  • The OAIC will move to a three-commissioner format, including a commissioner dedicated to dealing with the increasing threat of data breaches.
  • Dreyfus has said that “[t]he large-scale data breaches of 2022 were distressing millions of Australians, with sensitive personal information being exposed to the risk of identity fraud and scams.”
  • He added that “Australians rightly expect their privacy regulator to have the resources and powers to meet the ongoing challenges of the digital age and protect their personal information.”
  • The role of the privacy commissioner is to ensure that government agencies and large organizations (those with annual turnover of more than $3m, with some exceptions) abide by the law when handling personal information.

Chinese data exchange will pay jobseekers for turning their resumes into ‘data product’

  • The provincial government of Guizhou has announced that state entity Guiyang Global Big Data Exchange has completed the first sale of jobseekers’ personal data.
  • This sale represents an opportunity “for jobseekers to potentially earn a share of profits from the sale of data based on their resumes”.
  • Once their resumes are processed as a ‘data product’ to ensure “usability and privacy”, they can then be listed on the Guiyang data exchange where employers can purchase data from the product.

United Kingdom

BEIS Strategy Committee report on worker rights 

  • The BEIS (UK Governmental Department for Business, Energy and Industrial Strategy Committee) has published a report on workers’ rights and protection.
  • Among the recommendations made, one is that the UK government should introduce a right for workers to be consulted and notified when technology will result in their surveillance.
  • In addition to this, the report recommends that an enforceable code of practice on the use of surveillance technology be consulted upon.

Capita warns some pensions data ‘likely’ to have been taken in cyber attack 

  • Capita, one of the UK’s largest outsourcers, has written to pensions clients to confirm that some of the data it processes is likely to have been hacked during a recent cyber-attack in March.
  • Capita has told trustees that it is expected that the investigations will be finalized by the end of next week, or shortly thereafter. 
  • Further, it has stated that there is no evidence that Capita pensions data is available on the dark web.
  • In the meantime, Capita has rebuilt its server infrastructure to reduce the risk of a similar incident reoccurring.

