Data Protection News Update 20 March 2023

IGS
March 20, 2023

United States

US Securities and Exchange Commission (SEC) fines Blackbaud $3 million US Dollars

Blackbaud – a South Carolina-based data management platform, is fined $3 million US Dollars for the improper disclosures to individuals affected by a 2020 ransomware attack. Overall, more than 13,000 customers were impacted.
Shortly following the ransomware attack, Blackbaud first alleged that the hackers had not accessed donor bank account information or social security numbers. This turned out to be false. This was not communicated properly to the senior management, which is why it was omitted in the quarterly report to the SEC.

US Chamber of Commerce publishes Artificial Intelligence Commission Report

US Chamber of Commerce publishes AI Commission Report, highlighting the great potential and benefits that come with the use of AI.
It is determined that at the core of AI regulation must be the following ‘five pillars’:
- Efficiency: The applicability of existing laws and regulation must be considered.
- Collegiality: A cohesive regulation of AI across the government is the goal.
- Neutrality: The laws should be technology neutral.
- Flexibility: Soft law and best practice approaches should be encouraged.
- Proportionality: A risk-based approach should be adopted.
In the report, certain areas are recommended for policymakers to address. Those areas are:
- The preparing, educating and training of the workforce;
- The bolstering of the global competitiveness;
- The protection of national security.

US House Committee to probe TikTok CEO on privacy and data security

The US House Committee on Energy and Commerce announced that a hearing will take place on the 23^rd of March 2023 with TikTok CEO Shou Chew.
The hearing will be about TikTok’s privacy and data security practices.
Cathy McMorris Rodgers said that ‘Americans deserve to know the extent to which their privacy is jeopardized and their data is manipulated’.

Europe

Amsterdam District Court finds Facebook Ireland in breach of data protection laws

The court ruled that Facebook Ireland violated the law in that personal data of Dutch Facebook users were processed for advertising purposes with no lawful basis to do so. It was further held that Facebook Ireland failed to inform the data subjects before the transfer of their personal data.

Austrian Data Protection Authority finds Meta’s tracking tools illegal

After receiving a number of complaints by Nyob, the Austrian Data Protection Authority (DSB) held that the use of tracking pixel is in breach of the GDPR and the Schrems II decision.
As many websites rely on Facebook’s tracking technology to track users and provide them with personalized advertisement, this decision will be critical for many websites operating in the EU.
Interestingly, there is no information available regarding whether a financial penalty was imposed against Meta.

Several Courts decide in favour of big companies

In the past few months, several big companies won their appeals to overturn regulatory decisions against them.
This development shows several trends:
- Big companies have developed a knack for identifying the right cases to challenge the decisions made against them, putting their time, effort and money on fighting only those decisions that they know can be overturned;
- There is a big grey area in EU data protection and privacy laws and lawyers, regulators and courts seem to differ in their understanding of what the laws allow and what they do not allow;
- These wins might very well lead to other companies challenging the regulatory decisions which again could weaken the authority of those regulators and the effectiveness of the GDPR.

EDPB launches coordinated enforcement on role of data protection officers

Its plan is that 26 Data Protection Authorities (DPAs) across the EEA region will participate in the Coordinated Enforcement Framework (CEF) 2023 on the topic of the designation and position of the DPOs.
The aim is to analyze whether the DPOs actually have the position as required in Article 37-39 GDPR and have the resources necessary to fulfil their role and their tasks. To do so, the participating DPAs will implement the CEF within their territories in the following ways:
- The DPOs will receive questionnaires to establish the facts or questionnaires to see whether a formal investigation is needed;
- Formal investigations will be launched;
- Follow-up of ongoing formal investigations will be conducted.
The results will be analyzed together, and it will then be decided if further national supervision and enforcement action is needed. The EDPB is also expected to publish their findings.

CJEU Advocate General calls automated loan processing ‘profiling’

Advocate General of the CJEU, Priit Pikamae, determines in their opinion in Case C-634/21 (SCHUFA Holding) that automated processing to determine an individual’s ability of getting a loan should be considered ‘profiling’ under the EU GDPR.

International

OECD publishes report on privacy enhancing technologies

This report is part of OECD’s Digital Economy Papers series.
The report analyses the recent technological developments, the effectiveness of varying types of PETs and current regulatory and policy approaches with the aim to help privacy enforcement authorities and policy-makers to better comprehend how they can be used to enhance privacy and data protection, and to improve general data governance.

Personal Data Protection Commission Singapore fines Eatigo International

The Personal Data Protection Commission Singapore imposed a fine of $62,400 on Eatigo International – an online restaurant reservation platform.
The fine was issued due to a data breach that occurred in 2020 and affected 2.76 million data subjects. The PDPC held that Eatigo International failed to have sufficient data security measures in place to protect against unauthorized access. It is further recommended that the company build a comprehensive data inventory which classifies different risk levels for the personal data it collects.

United Kingdom

UK introduces draft data protection reform

Many of the planned changes were seemingly based on the feedback of the past few years where the GDPR was in effect. The intention was to deliver a new, ‘common-sense-led version of the GDPR’.
Some of the key proposed changes are:
- Data will only be considered as identifiable by an organization other than the controller/processor if that other organization will, or is likely to, obtain the information as a result of its data processing. Otherwise, the data will be outside of the scope of the bill.
- Organizations will no longer need to balance their legitimate interests with the data subject’s rights and interest in the case where the purpose of the processing is on the list of recognized legitimate interests. The current list consists of public interests, such as national security, defense, emergencies, preventing crime, safeguarding and democratic engagement.
- When confronted with a data subject request, data controllers will be allowed to take into account new factors when considering if they can refuse the request. Those factors are: What resources does the data controller have available? Was the request intended to cause distress? Was it made in bad faith or intended to abuse the process?

UK bans Tiktok on government phones

The British Government bans TikTok on government phones over security concerns. The ban does not include the personal devices of the individuals employed by the government.
China responded in saying that the decision was not based on facts, but on political considerations.

ICO updates its Guidance on AI and Data Protection

Following a number of requests to clarify the requirements for fairness in AI by the UK industry, the ICO updated its Guidance on AI and Data Protection on the 15^th of March 2023.
It is stated that this update ‘supports the UK governments’ vision of a pro-innovation approach to AI-regulation and more specifically its intention to embed its consideration of fairness into AI’.
Areas that were changed are mainly accountability and governance, transparency, and lawfulness. Specifically:
- New things to consider as part of a DPIA;
- Transparency in AI;
- Lawfulness in AI;
- Accuracy;
- Fairness in AI;

ICO to launch a hotline to provide guidance on emerging technologies

The ICO is planning on launching a hotline for companies to call and ask their questions on emerging technologies.
Stephen Almond, the ICO Director of Technology, Innovation and Enterprise said that the project is supposed to help companies ‘grappling with how to apply a principles-based piece of legislation to their different areas of technology’.

Data Protection News Update 22 April 2024

United Kingdom ICO reprimands housing association for insufficient data security ICO publishes guidance to improve transparency in health and social care United States Change Healthcare’s

Data Protection News Update 15 April 2024

United Kingdom Information Commissioner’s Office seeks views on accuracy of generative AI models United States US Senator says TikTok divestiture deadline could be extended to

Asking (and answering) an obvious but important question: why does data confidentiality matter, ethically speaking?

In my last article, I focused on the ethical significance of one of the most prominent failure of data governance in recent times; namely, the

Data Protection News Update 08 April 2024

United Kingdom ICO sets out priorities to protect children’s privacy online ICO joins global data protection and privacy enforcement programme United States US and UK