Data Protection News Update 20 March 2023

United States

US Securities and Exchange Commission (SEC) fines Blackbaud US$3 million

  • Blackbaud, a South Carolina-based data management platform, is fined US$3 million for improper disclosures to individuals affected by a 2020 ransomware attack. Overall, more than 13,000 customers were impacted.
  • Shortly after the ransomware attack, Blackbaud first alleged that the hackers had not accessed donor bank account information or social security numbers. This turned out to be false, but that fact was not communicated properly to senior management, which is why it was omitted from the quarterly report to the SEC.

US Chamber of Commerce publishes Artificial Intelligence Commission Report

  • US Chamber of Commerce publishes AI Commission Report, highlighting the great potential and benefits that come with the use of AI.
  • The report determines that the following ‘five pillars’ must be at the core of AI regulation:
    • Efficiency: The applicability of existing laws and regulation must be considered.
    • Collegiality: A cohesive regulation of AI across the government is the goal.
    • Neutrality: The laws should be technology neutral.
    • Flexibility: Soft law and best practice approaches should be encouraged.
    • Proportionality: A risk-based approach should be adopted.
  • In the report, certain areas are recommended for policymakers to address. Those areas are:
    • The preparing, educating and training of the workforce;
    • The bolstering of global competitiveness;
    • The protection of national security.

US House Committee to probe TikTok CEO on privacy and data security

  • The US House Committee on Energy and Commerce announced that a hearing will take place on the 23rd of March 2023 with TikTok CEO Shou Chew.
  • The hearing will be about TikTok’s privacy and data security practices.
  • Cathy McMorris Rodgers said that ‘Americans deserve to know the extent to which their privacy is jeopardized and their data is manipulated’.


Amsterdam District Court finds Facebook Ireland in breach of data protection laws

  • The court ruled that Facebook Ireland violated the law in that personal data of Dutch Facebook users were processed for advertising purposes with no lawful basis to do so. It was further held that Facebook Ireland failed to inform the data subjects before the transfer of their personal data.

Austrian Data Protection Authority finds Meta’s tracking tools illegal

  • After receiving a number of complaints from noyb, the Austrian Data Protection Authority (DSB) held that the use of Meta’s tracking pixel is in breach of the GDPR and the Schrems II decision.
  • As many websites rely on Facebook’s tracking technology to track users and provide them with personalized advertising, this decision will be critical for many websites operating in the EU.
  • Interestingly, there is no information available regarding whether a financial penalty was imposed against Meta.

Several Courts decide in favour of big companies

  • In the past few months, several big companies won their appeals to overturn regulatory decisions against them.
  • This development shows several trends:
    • Big companies have developed a knack for identifying the right cases to challenge the decisions made against them, putting their time, effort and money on fighting only those decisions that they know can be overturned;
    • There is a big grey area in EU data protection and privacy laws, and lawyers, regulators and courts seem to differ in their understanding of what the laws allow and what they do not allow;
    • These wins might very well lead to other companies challenging the regulatory decisions which again could weaken the authority of those regulators and the effectiveness of the GDPR.

EDPB launches coordinated enforcement on role of data protection officers

  • Its plan is that 26 Data Protection Authorities (DPAs) across the EEA region will participate in the Coordinated Enforcement Framework (CEF) 2023 on the topic of the designation and position of the DPOs.
  • The aim is to analyze whether the DPOs actually have the position required by Articles 37-39 GDPR and have the resources necessary to fulfil their role and their tasks. To do so, the participating DPAs will implement the CEF within their territories in the following ways:
    • The DPOs will receive questionnaires to establish the facts or questionnaires to see whether a formal investigation is needed;
    • Formal investigations will be launched;
    • Follow-up of ongoing formal investigations will be conducted.
  • The results will be analyzed together, and it will then be decided if further national supervision and enforcement action is needed. The EDPB is also expected to publish its findings.

CJEU Advocate General calls automated loan processing ‘profiling’

  • Advocate General of the CJEU, Priit Pikamäe, determines in his opinion in Case C-634/21 (SCHUFA Holding) that automated processing to determine an individual’s ability to get a loan should be considered ‘profiling’ under the EU GDPR.


OECD publishes report on privacy enhancing technologies

  • This report is part of OECD’s Digital Economy Papers series.
  • The report analyses recent technological developments, the effectiveness of varying types of PETs, and current regulatory and policy approaches. Its aim is to help privacy enforcement authorities and policy-makers better comprehend how PETs can be used to enhance privacy and data protection, and to improve general data governance.

Personal Data Protection Commission Singapore fines Eatigo International

  • The Personal Data Protection Commission Singapore imposed a fine of $62,400 on Eatigo International – an online restaurant reservation platform.
  • The fine was issued due to a data breach that occurred in 2020 and affected 2.76 million data subjects. The PDPC held that Eatigo International failed to have sufficient data security measures in place to protect against unauthorized access. It is further recommended that the company build a comprehensive data inventory which classifies different risk levels for the personal data it collects.

United Kingdom

UK introduces draft data protection reform

  • Many of the planned changes were seemingly based on feedback from the past few years in which the GDPR was in effect. The intention was to deliver a new, ‘common-sense-led version of the GDPR’.
  • Some of the key proposed changes are:
    • Data will only be considered as identifiable by an organization other than the controller/processor if that other organization will, or is likely to, obtain the information as a result of its data processing. Otherwise, the data will be outside of the scope of the bill.
    • Organizations will no longer need to balance their legitimate interests with the data subject’s rights and interest in the case where the purpose of the processing is on the list of recognized legitimate interests. The current list consists of public interests, such as national security, defense, emergencies, preventing crime, safeguarding and democratic engagement.
    • When confronted with a data subject request, data controllers will be allowed to take into account new factors when considering if they can refuse the request. Those factors are: What resources does the data controller have available? Was the request intended to cause distress? Was it made in bad faith or intended to abuse the process?

UK bans TikTok on government phones

  • The British Government bans TikTok on government phones over security concerns. The ban does not include the personal devices of the individuals employed by the government.
  • China responded by saying that the decision was not based on facts, but on political considerations.

ICO updates its Guidance on AI and Data Protection

  • Following a number of requests to clarify the requirements for fairness in AI by the UK industry, the ICO updated its Guidance on AI and Data Protection on the 15th of March 2023.
  • It is stated that this update ‘supports the UK government’s vision of a pro-innovation approach to AI-regulation and more specifically its intention to embed its consideration of fairness into AI’.
  • Areas that were changed are mainly accountability and governance, transparency, and lawfulness. Specifically:
    • New things to consider as part of a DPIA;
    • Transparency in AI;
    • Lawfulness in AI;
    • Accuracy;
    • Fairness in AI.

ICO to launch a hotline to provide guidance on emerging technologies

  • The ICO is planning on launching a hotline for companies to call and ask their questions on emerging technologies.
  • Stephen Almond, the ICO Director of Technology, Innovation and Enterprise said that the project is supposed to help companies ‘grappling with how to apply a principles-based piece of legislation to their different areas of technology’.

