Data Protection News Update 14 February 2023

IGS
February 14, 2023

United States

Joe Biden Says Tech Needs Washington’s Parental Oversight in State of the Union

President Joe Biden took aim at Big Tech’s data collection practices, its targeting ads on young users and anti-competitive business practices during his State of the Union address.
The President highlighted a variety of tech-focused legislative proposals from surveillance advertising and antitrust reform.
President Biden said ‘it is time to pass bipartisan legislation to stop Big Tech from collecting personal data on kids and teenagers online, ban targeted advertising to children, and impose stricter limits on the personal data these companies collect on all of us.’

Europe

EU and Singapore launch Digital Partnership

The EU-Singapore Digital Partnership has been launched. This is the third signed key partnership in Asia.
Both sides have agreed to work together on semiconductors, data flows, data innovation, digital trust, standards, digital trade facilitation, digital skills for workers, and the digital transformation of businesses and public services.
Following the signing of the Partnership a Digital Partnership Council was held to set out priorities for the year ahead: exploring common approaches in e-identification and in Artificial Intelligence governance as well as working on projects to facilitate digital trade and SME’s digital transformation.

Nothing Neutral about the New Swiss Federal Act on Data Protection

Switzerland is replacing the Federal Act on Data Protection of 1992. The new revFADP improves the processing of personal data and grants Swiss citizens new rights consistent with other comprehensive data protection laws, such as the GDPR.
The new legislation comes with increased obligations for companies doing business in Switzerland and it comes into effect on September 1, 2023.
While there are similarities to the GDPR, there are a few key differences as well.
- There is no grace period for companies to get up to speed.
- The revFADP does not impose civil penalties.
- There is an assumption that adequate countries for data transfers will mirror the European Commission decisions but there is an expectation to use Swiss-specific SCCs for Swiss-only transfers.
- There is an emphasis that the DPO should remain separate from the other business activities of the company.

CJEU issues ruling on DPOs and conflict of interest

In a ruling on February 9 that centred on Article 38 of the GDPR the CJEU stated DPOs should “be in a position to perform their duties and tasks in an independent manner” but “cannot be entrusted with tasks or duties which would result in him or her determining the objectives and methods of processing personal data on the part of the controller or its processor.”
The CJEU said that this is a matter for the national court to determine on a case by case basis.
The CJEU found that Article 38, which states DPOs cannot be dismissed or penalized for performing tasks, does not prevent national laws from establishing additional protections against dismissing DPOs. But these cannot go against the principal objectives of the GDPR.

International

Nigeria Data Protection Bureau delists 19 DPCOs

The Nigeria Data Protection Bureau (NDPB) has revoked the operating licence of 19 Data Protection Compliance Organizations (DPCOs).
DPCOs are licenced to provide compliance services and guide clients to adhere to privacy guidelines in the Nigerian Data Protection Regulation.
However, many of the DPCOs have lacked the requisite professionalism and capacity to carry through with these tasks.
The 19 DPCOs were delisted as licensed operators having failed to meet the minimum requirements of the NDPR including shoddy “filing of annual compliance audit returns” on behalf of their clients.
The NDPB warned more DPCOs would be delisted if they do not become more professional.

Privacy Office Probes Banks Giving Protesters’ Info to CSIS, RCMP Under Emergencies Act

The Office of the Privacy Commissioner is currently examining Trudeau’s invocation of the Emergencies Act last winter which included the order requiring financial institutions to send information on designated persons to security agencies.
The Act was invoked last year to deal with the cross-country protests and border blockades that demanded the lifting of COVID-19 restrictions. The financial accounts of the Freedom Convoy protestors were frozen.
It is known that the RCMP provided a list of Convoy supporters to banks and credit unions to take action against there is not a lot known about the flow of data from financial institutions to the RCMP.
The Emergency Economic Measures Order said that institutions must disclose without delay to CSIS and RCMP the property owned by a designated person.
A designated person could be an individual protester or organisation in activities deemed illegal.
The OPC is examining the scope and nature of the personal information that was received and disclosed, whether reasonable steps were taken to limit the sharing of personal information, and if the information was used or disclosed for other purposes beyond the purpose of collection.
There will be a report on the matter in the spring of 2023.

Meta fined for violating personal info protection law

Meta has be fined by South Korea’s data protection watchdog for disadvantaging its customers refusing to provide personal information.
The Personal Information Protection Commission (PIPC) decided to impose a penalty of 6.6 million won (about US$5,240).
The PIPC concluded that behavioural information is not the minimum personal information required to provide Facebook and Instagram services and therefore preventing people refusing to offer behavioural information from signing up and using the online services is a violation of the Personal Information Protection Act.

United Kingdom

UK PM overhauls government departments, including focus on innovation and tech

Prime Minister Rishi Sunak has announced four new government departments including a dedicated Department for Science, Innovation and Technology focused on technical innovations.
This will remove digital and data policy responsibility from the Department for Culture, Media and Sport.
This could lead to advances in reforming the UK GDPR and secure new international data bridges.

Former RAC employee fined for stealing data of victims of road traffic incidents

A former employee of services company RAC has plead guilty and been fined for the stealing of data of victims of road traffic accidents.
Asif Iqbal Khan was a Customer Solutions Specialist, when 21 customers complained they received calls from claims management companies following accidents in which the RAC had assisted.
After a review it was found that Mr Khan was the only employee that accessed all 21 customers.
The ICO executed a search warrant and seized two phones and a customer receipt for £12,000. The phones had photos of data relating to over a hundred road incidents.
Mr Khan pleaded guilty to two counts of stealing data in breach of Section 170 of the Data Protection Act 2018 and was fined £5,000 and ordered to pay a victim surcharge and court costs.

Data Protection News Update 15 April 2024

United Kingdom Information Commissioner’s Office seeks views on accuracy of generative AI models United States US Senator says TikTok divestiture deadline could be extended to

Asking (and answering) an obvious but important question: why does data confidentiality matter, ethically speaking?

In my last article, I focused on the ethical significance of one of the most prominent failure of data governance in recent times; namely, the

Data Protection News Update 08 April 2024

United Kingdom ICO sets out priorities to protect children’s privacy online ICO joins global data protection and privacy enforcement programme United States US and UK

Data Protection News Update 02 April 2024

United Kingdom US, Britain sanction China for broad 14-year hacking campaign UK involved in efforts to counter the proliferation of misuser of commercial spyware: joint