Data Protection News Update 18 December 2023

United Kingdom

ICO fines Ministry of Defence for Afghan evacuation data breach

  • The Information Commissioner’s Office (ICO) has fined the Ministry of Defence (MoD) £350,000 for disclosing personal information of people seeking relocation to the UK shortly after the Taliban took control of Afghanistan in 2021.
  • The MoD sent an email to a distribution list of Afghan nationals eligible for evacuation using the ‘To’ field, with personal information relating to 245 people being inadvertently disclosed.
  • The email addresses could be seen by all recipients, and 55 people had thumbnail pictures on their email profiles. Two people ‘replied all’ to the entire list of recipients, one of them providing their location.
  • The team did not have appropriate technical and organisational measures in place at the time of the incident and were relying on ‘blind carbon copy’ (BCC), which carries a significant risk of human error.

UK at high risk of ‘catastrophic ransomware attack,’ report says

  • The Joint Committee on the National Security Strategy warned the U.K. government could face a “catastrophic ransomware attack” due to a lack of cybersecurity measures.
  • The National Cyber Security Centre (NCSC) describes critical national infrastructure (CNI) as national assets that are essential for the functioning of society, including energy supply, water supply, transportation, health, and telecommunications.
  • The committee noted the importance of stronger data protection standards and support for the National Cyber Security Centre to reduce the risk of ransomware attacks.

United States

Pharmacies share medical data with police without a warrant, inquiry finds

  • America’s largest pharmacy chains have handed over prescription records to police and government investigators without a warrant, raising concern about threats to medical privacy.
  • CVS Health, Kroger, and Rite Aid, with a combined 60,000 locations nationwide, said their policy allows pharmacy staff members to hand over customers’ medical records in the store.
  • Pharmacy records hold some of the most intimate details of customers’ personal lives, and pharmacy data shared with law enforcement could be especially concerning for the 1 in 3 women ages 15 to 44 who live in states where abortion is fully or mostly banned.


Cybercrime: the fear of a possible misuse of personal data is capable, in itself, of constituting non-material damage

  • The Court of Justice of the European Union ruled misuse of personal data following a cyberattack constitutes “non-material damage” under the EU General Data Protection Regulation.
  • This stemmed from a 2019 cyberattack on the Bulgarian National Revenue Agency, after which cybercriminals published “personal data concerning millions of persons.”
  • The Bulgarian Supreme Administrative Court requested the CJEU to determine the conditions for awarding nonmaterial damages and to what extent the data controller needed to demonstrate adequate security measures were in place.


Apple now requires a judge’s consent to hand over push notification data

  • Apple has changed its policy on disclosing user push notification data to law enforcement: the company will now disclose it only when served a court order to do so, joining a policy position also adopted by Google.
  • This practice gives the two companies unique insight into traffic flowing from those apps to users, putting them “in a unique position to facilitate government surveillance of how users are using particular apps.”
  • Apple has updated a passage in the company’s guidelines to refer to more stringent warrant requirements.

