Data Protection News Update 09 October 2023

IGS
October 9, 2023

United Kingdom

ICO issues preliminary enforcement notice against Snapchat

Snapchat has an AI chatbot feature called “My AI”. In the UK, this feature was rolled out in April 2023. The chatbot feature is powered by OpenAI’s GPT technology.
According to Snapchat’s website, individuals can open a chat conversation with My AI. My AI can then proceed to ‘answer a burning trivia question, offer advice on the perfect gift for your BFF’s birthday, help plan a hiking trip for a long weekend or suggest what to make for dinner’.
ICO’s investigation provisionally found that Snapchat failed to adequately assess and address the data protection risks of the generative AI that is used.
This preliminary enforcement notice comes after the ICO published a reminder to companies that are developing or using generative AI that they need to consider their data protection obligations from the outset.
The ICO has published a short guide for businesses on generative AI which highlights what questions businesses need to ask when including AI in their products and services.

65 British Lawmakers call for pause in the use of live facial recognition surveillance

A joint statement from British lawmakers from different parties have called on UK police and private companies to immediately pause the use of live facial recognition for surveillance.
This statement followed the latest speech made by policing minister, Chris Philip, during the Conservative party annual conference last week in which it was suggested that a new database of British passports could be used to identify criminals through biometric surveillance data. All thieves caught on CCTV would be checked against the established passport database. See https://www.telegraph.co.uk/news/2023/10/02/police-check-thieves-caught-on-cctv-passport-database/.
‘This dangerously authoritarian technology has the potential to turn populations into walking ID cards in a constant police lineup’ says the director of Big Brother Watch.

United States

Blauckbaud agrees to pay $49.5 million

Blackbaud is ‘the leading provider of software for powering social impact’.
Back in 2020, Blackbaud has suffered a security incident when it fell victim to a ransomware attack. During the ransomware attack, a file was extracted, containing contact details, demographic information and history of the donors relationship with the company. Millions of donors were affected. See https://wlos.com/news/local/personal-donor-information-compromised-data-breach-pari-blackbaud-pisgah-astronomical-research-institute.
It was now announced that Blackbaud reached a settlement with 49 US states and will pay $49.5 million. Blackbaud has agreed to ‘ comply with applicable laws, not to make misleading statements related to its data protection, privacy, security, confidentiality, integrity, breach notification requirements and similar matters and to implement and improve certain cybersecurity programs and tools’.

Europe

Germany’s Federal Cartel Office rules against Google

Germany’s competition regulator issued a decision that Google users must be given the ability to decide how their personal data is used across various services of the business. Users should be given greater control over their data.
The regulator hopes that by requiring Google to obtain explicit consent before using user’s information, Google will be limited in how much data it can collect.

European Commission recommends AI risk assessments

The European Commission has adopted a recommendation on critical technology areas for the EU’s economic security.
Four technology areas were identified that are considered ‘highly likely to present the most sensitive and immediate risks related to technology security and technology leakage. Those areas are: Advanced Semiconductors technologies (such as microelectronics, high frequency chips etc.), Artificial Intelligence technologies (including data analytics, language learning and object recognition), quantum technologies and biotechnologies.
The European Commission recommends that a collective risk assessment is conducted by the Member States and the European Commission together which should include the consultation of the private sector.

International

South Korea to form Artificial Intelligence Privacy Team

South Korea’s Personal Information Protection Commission has announced that an Artificial Intelligence Privacy Team is to be formed.
The goal is that the group will develop principles applicable to AI environment rather than simply reviewing existing regulation.

Courts confirm ‘right to be forgotten’ for Canadians

Canada’s Federal Court of Appeal has issued a ruling confirming that Google’s search engine is subject to Canada’s federal privacy law.
It was decided that the exemption for journalistic or artistic work is not applicable to Google searches, ultimately meaning that Canadians have the right to ask the search engine to have their names removed, opening the door for a right to be forgotten for Canadian citizen.

Data Protection News Update 22 April 2024

United Kingdom ICO reprimands housing association for insufficient data security ICO publishes guidance to improve transparency in health and social care United States Change Healthcare’s

Data Protection News Update 15 April 2024

United Kingdom Information Commissioner’s Office seeks views on accuracy of generative AI models United States US Senator says TikTok divestiture deadline could be extended to

Asking (and answering) an obvious but important question: why does data confidentiality matter, ethically speaking?

In my last article, I focused on the ethical significance of one of the most prominent failure of data governance in recent times; namely, the

Data Protection News Update 08 April 2024

United Kingdom ICO sets out priorities to protect children’s privacy online ICO joins global data protection and privacy enforcement programme United States US and UK