Data Protection News Update 12 August 2024

United Kingdom

Starmer’s live facial recognition plan would usher in national ID, campaigners say

  • Civil liberties campaigners have said Starmer’s live facial recognition technology would amount to introducing a national ID card system based on people’s faces. Starmer suggested the technology be deployed more widely in response to the violent disorder in the country following the stabbing and murder of three girls in Southport, Lancashire.
  • Live facial recognition can scan over 100 faces a minute, and has been used by the UK Metropolitan police and South Wales police to help officers detect and prevent crime in real time. Currently there is no specific law regulating the use of facial recognition software in the UK, and its implementation is defined by police forces.
  • Daragh Murray, senior lecturer at Queen Mary University of London, said: “There is a clear danger that in responding to a tragedy and public unrest we expand and entrench police surveillance without appropriate scrutiny. Given that the police have responded to disorder and riots for decades, why is facial recognition needed now?”
  • Disparities in the accuracy of live facial recognition have been identified, with black people more likely to be misidentified than other racial groups. Whilst the facial matching algorithm can be retuned to eliminate demographic discrepancies, Big Brother Watch has said doing so makes it less effective overall.

Provisional decision to impose £6m fine on software provider following 2022 ransomware attack that disrupted NHS and social care services

  • Following an initial finding that Advanced Computer Software Group Ltd (Advanced) failed to implement measures to protect the personal information of 82,946 people (including some sensitive personal information), the Information Commissioner’s Office (ICO) has provisionally decided to fine it £6.09m. Advanced provides IT and software services to organisations including the NHS, and handles personal data as a processor.
  • The fine relates to a ransomware incident in August 2022, where hackers accessed a number of Advanced’s health and care systems via a customer account that did not have multi-factor authentication. The data included phone numbers, medical records and details on how to gain entry to the houses of people who were receiving care at home. Those involved have been notified, and no evidence has been found that the data was published on the dark web.
  • The provisional decision highlighted that whilst data processors act on the instructions of data controllers (who have overall control over how and why the personal information is used), data processors have their own obligations to implement appropriate technical and organisational measures to ensure personal information is secure.

United States

New Jersey defends privacy law shielding judges, prosecutors

  • New Jersey’s Attorney General is urging a federal judge not to declare a law barring the disclosure of the home addresses and other personal information of judges and prosecutors unconstitutional. The constitutional challenge argues the law restricts companies’ free speech rights under the 1st Amendment of the U.S. Constitution.
  • The law is known as Daniel’s Law and is a response to the fatal shooting of the son of U.S. District Judge Esther Salas at her home by a disgruntled lawyer.
  • The New Jersey Attorney General’s office argued the law achieves important public-safety goals and “reflects the venerable tradition of safety and privacy in one’s home”.

Microsoft blames Delta for its struggle to recover from global cyber outage

  • Following the software update by cybersecurity firm CrowdStrike that triggered issues for Microsoft customers, Microsoft has said that Delta Air Lines (unlike its competitors) had not modernized its IT infrastructure, and this was the reason why disruption has taken longer to resolve.
  • The delays to Delta are estimated to have cost $500m, and Delta is also facing an investigation from the U.S. Transportation Department for the disruptions. Delta has hired a prominent litigator to seek damages from CrowdStrike and Microsoft.
  • Microsoft has said its software did not cause the CrowdStrike incident, but that it still offered to help Delta following the outage (which Delta refused). Microsoft also accused Delta of using other technology providers for crew tracking and scheduling, and said that this may be why Delta refused help.

In landmark Google ruling, a warning to companies about preserving evidence

  • U.S. District Judge Amit Mehta criticized Google for failing to preserve internal chats and abusing protections for legal communications, but did not formally sanction the company.
  • While Mehta found it was not necessary to rule on Google’s evidence handling to decide if the company violated antitrust law, he said “the court is taken aback by the lengths to which Google goes to avoid creating a paper trail for regulators and litigants”. Google has a practice of automatically deleting employees’ chat messages after 24 hours, unless a specific history button is pressed.
  • Google’s “communicate with care” initiative was also criticized, as this involved employees adding lawyers to messages and marking them “attorney/client privileged”.

Europe

European Commission forces TikTok rewards program to shut down on the continent

  • European data privacy regulators announced TikTok’s Lite Rewards program will not operate in the EU due to concerns it causes addictive behaviour, and because TikTok failed to provide a risk assessment before the feature was launched.
  • The Lite Rewards program allows users to collect points if certain tasks are completed, such as liking content, following others, viewing videos or getting friends to join TikTok. These points can be exchanged for Amazon vouchers or PayPal gift cards.
  • TikTok is also at risk of stiff fines from an ongoing investigation probing into the platform’s rules for protecting children and compliance with transparent advertising regulations.

International

INTERPOL Recovers $41 Million in Largest Ever BEC Scam in Singapore

  • INTERPOL has devised a “global stop-payment mechanism”, used to facilitate the recovery of funds defrauded in a business email compromise (BEC) scam. In these scams, a malicious actor poses as a trusted figure and emails targets, tricking them into sending money or confidential company information.
  • A Singaporean company fell for one of these scams, transferring $42.3m to a non-existent supplier, and realised this days later when the actual supplier said it had not been paid.
  • Using INTERPOL’s Global Rapid Intervention of Payments mechanism, authorities in Singapore detected $39m and froze the counterfeit bank account. $2m was also recovered separately.
  • INTERPOL is encouraging businesses to take preventative steps to avoid falling for these scams.
