Data Protection News Update 11 March 2024

United Kingdom

ICO fines Wigan-based Pinnacle Life £80,000 for “predatory” spam call campaign

  • Wigan-based company Pinnacle Life has been fined £80,000 by the Information Commissioner’s Office (ICO) for a year-long unlawful spam phone call campaign.
  • The company made nearly 48,000 illegal calls in order to sell life insurance products between May 2021 and May 2022 to people registered on the Telephone Preference Service (TPS) to opt out of marketing calls.
  • Members of the public told the ICO that company employees would often become insulting or aggressive during calls and continued to harass victims when they asked not to be contacted further.
  • An investigation by the ICO found evidence to suggest attempts by the company to continue to operate under another name and not comply with orders to cease contacting individuals.

ICO takes regulatory action against five public authorities under the FOI Act

  • The Information Commissioner’s Office (ICO) has taken action against five public authorities for continued failings to meet their obligations under the Freedom of Information (FOI) Act.
  • Sussex Police and South Yorkshire Police have been issued with enforcement notices for their FOI failings, with the latter’s FOI request response rate being classed as “unacceptable on any level.”
  • The Department of Education (DfE), Foreign Commonwealth and Development Office (FCDO) and the Financial Ombudsman Service (FOS) have been given practice recommendations setting out improvements they can make to better comply with their legal obligations.
  • Information Commissioner John Edwards has written an open letter to public organisations, reminding them that transparency is essential and resources must be dedicated to access to information.

United States

US announces first-ever sanctions against commercial spyware

  • The U.S. Department of the Treasury issued sanctions against spyware company Intellexa Consortium after the technology was allegedly used to track government officials.
  • The Treasury Department claimed technology from the company was “misused by foreign actors to enable human rights abuses and the targeting of dissidents around the world for repression and reprisal.”
  • The sanctions effectively freeze all US assets and prevent any American from conducting business with Intellexa or its associated entities.
  • The Treasury has said that any financial institutions or US citizens who engage in transactions with the sanctioned entities and individuals could expose themselves to sanctions or enforcement action.

Hack forum post claims UnitedHealth paid $22 million ransom in bid to recover data

  • A post on a hacker forum popular with cybercriminals has claimed UnitedHealth Group paid $22 million in a bid to recover access to data and systems encrypted by the “Blackcat” ransomware group.
  • Neither UnitedHealth nor the hackers involved have commented on the alleged ransom payment, but a cryptocurrency tracing firm partially corroborated the claim.
  • Blackcat claimed that it had stolen millions of sensitive records from UnitedHealth’s Change Healthcare Unit in the hack, only to quickly delete the post without explanation.
  • Change Healthcare’s billing services remained paralyzed and the American Medical Association asked the Biden administration to make emergency funds available to physicians hurt by the outage.


Genetic tests on the Internet: the CNIL calls for vigilance

  • France’s data protection authority, the Commission nationale de l’informatique et des libertés, wrote about the country’s prohibition on recreational genetic testing.
  • The CNIL highlighted the privacy risk posed by companies that sell genetic tests, as these companies require large amounts of sensitive personal data, which reveals a lot of information about people and has a lot of value.
  • The agency warned such tests can only be carried out in limited circumstances and any purchases outside of those circumstances could result in a fine and prison time.

The Agency orders a precautionary measure that prevents Worldcoin from continuing to process personal data in Spain

  • Spain’s data protection authority, the Agencia Española de Protección de Datos, ordered Tools for Humanity, founder of the Worldcoin cryptocurrency project, to cease the collection and processing of personal data in Spain.
  • The AEPD reported receiving complaints regarding alleged collection of minors’ data without allowing the withdrawal of consent.
  • Tools for Humanity was also subject to official inquiries and/or enforcement actions in Hong Kong, Kenya and South Korea.


Australia fines SingTel-owned Optus over public safety rule breaches

  • The Australian Communications and Media Authority fined telecommunications firm Optus AUD $1.5 million after the local communications watchdog found large-scale breaches of public safety rules around emergency services.
  • The ACMA claimed approximately 200,000 customers of Singapore Telecommunications-owned Optus “were left at risk due to the failure of the telecommunications company to upload required customer information to a database used by emergency services.”
  • The database, known as the Integrated Public Number Database (IPND), is utilised to send emergency text messages to customers during disasters such as floods, as well as local police, fire-brigade and ambulance services.

Greater penalties needed: privacy commissioner speaks to national cyber security summit

  • New Zealand Privacy Commissioner Michael Webster said he wants steeper fines for data privacy violations.
  • The remarks at the National Cyber Security Summit came after two major research studies showed the public and businesses also believe entities should face stronger penalties for infractions.
  • “The maximum fine I can issue to an organisation for not adhering to a compliance order is $10,000 - compare that to Australia where their maximum fine for serious interference with privacy is $50 million and you begin to see the issue,” stated Webster.
  • Webster recommended the following developments to the Privacy Act 2020: a civil penalty regime for major non-compliance alongside new privacy rights for New Zealanders to better protect themselves; a set of specific amendments to make the Privacy Act fit-for-purpose in the digital age; and stronger requirements for automated decision making and agencies demonstrating how they meet privacy requirements.
