Data Protection News Update 20 May 2024

United Kingdom

Car rental manager fined after unlawfully obtaining customer data

  • A former management trainee at Enterprise Rent-A-Car UK Limited has been ordered to pay a fine after admitting he illegally obtained customer data between 18 March 2019 and 1 April 2019.
  • An internal audit found the trainee visited his workplace outside of his scheduled hours and spent 32 minutes accessing 29 records of customer data in relation to 25 different retail branches.
  • The company did not consent to him obtaining this data, stating that accessing this information fell outside of his role and there was no business need for him to do so.
  • Enterprise Rent-A-Car referred the case to the Information Commissioner’s Office (ICO), which launched a criminal investigation. The individual was ordered to pay a fine of £265, costs of £450 and a victim surcharge of £32.

Children’s services in Birmingham reprimanded after inappropriately disclosing a child’s personal information

  • The Information Commissioner’s Office (ICO) has issued a reprimand to Birmingham Children’s Trust Community Interest Company after the personal information of a child was inappropriately disclosed to another family.
  • A child protection plan containing both personal information and criminal allegations related to a child from the incorrect family was disclosed to one of two neighbouring families.
  • The information was included in error after being copied across from meeting minutes.
  • It was found that Birmingham Children’s Trust Community Interest Company did not have appropriate policies or sufficient practical guidance in place to ensure the security of personal information.

United States

US charges two brothers with novel $25 million cryptocurrency heist

  • Two brothers who studied at Massachusetts Institute of Technology were arrested on Wednesday on US charges that they carried out a cutting-edge scheme to exploit the Ethereum blockchain’s integrity and steal $25 million worth of cryptocurrencies.
  • Authorities said they executed their elaborate heist in April 2023, stealing $25 million from traders in just 12 seconds by fraudulently gaining access to pending transactions and altering the movement of cryptocurrency.
  • An indictment charged them with conspiracy to commit wire fraud, wire fraud, and conspiracy to commit money laundering.
  • Prosecutors said that after carrying out the heist, the brothers rejected requests to return the funds and instead took steps to launder and hide the stolen cryptocurrency.

Europe

Meta faces EU investigation over child safety risks

  • Meta Platforms’ social media sites Facebook and Instagram will be investigated for potential breaches of EU online content rules relating to child safety.
  • Tech companies are required to do more to tackle illegal and harmful content on their platforms under the European Union’s landmark Digital Services Act (DSA).
  • The European Commission said it had decided to open an in-depth investigation into Facebook and Instagram due to concerns they had not adequately addressed risks to children. Meta submitted a risk assessment report in September.
  • In a statement, an EU executive stated that “the Commission is concerned that the systems of both Facebook and Instagram, including their algorithms, may stimulate behavioural addictions in children, as well as create so-called rabbit-hole effects.”
  • DSA violations can lead to fines of as much as 6% of a company’s annual global turnover.

AI’s use in finance may need new rules, ECB says

  • The European Central Bank (ECB) has said that the use of artificial intelligence in finance is still in its infancy, but it needs to be monitored and possibly regulated to prevent harm to consumers and ensure the proper functioning of markets.
  • The ECB noted a number of opportunities from the use of generative AI by banks and other financial institutions, but also warned about risks including herding behaviour, over-reliance on a limited number of providers and more sophisticated cyberattacks.
  • The European Union has formulated the world’s first artificial intelligence rules, which will force general-purpose and high-risk AI systems to comply with specific transparency obligations and EU copyright laws.

International

Shanghai eases data-export curbs sought by Tesla, other firms

  • Shanghai has compiled a list of data that can be transferred overseas without security assessments, according to a government document.
  • Foreign firms including financials and automakers such as Elon Musk’s Tesla have been lobbying the Chinese authorities to allow cross-border sharing of information after Beijing tightened control of data generated domestically in a national security drive.
  • The government of Shanghai has compiled a first batch of “ordinary data” in three sectors – intelligent and connected vehicles, mutual funds, and biomedicine. These require the least regulation for data transfers.
  • Under a one-year pilot project, companies registered in the city’s free-trade Lingang Area may transfer data on the list overseas without needing further security assessments. This was shared with foreign companies such as Tesla, Ford, and BMW, at a government event to introduce the new scheme.
  • For the auto sector, the data includes information involving manufacturing such as procurement and stockpile, research and development including auto design and tests, after-sales services and used car sales.

Santander reports customer, employee data breach in Spain, Chile, Uruguay

  • Spanish bank Santander said on Tuesday some customer and employee data in a database hosted by an outside provider was accessed by an unauthorised party, but that the bank’s own operations and systems have not been affected.
  • In a statement, the bank said that the data was from customers in Spain, Chile, and Uruguay, as well as all current and some former employees.
  • No transaction data, or any credentials that would allow transactions to be performed, was stored in the database.
  • Santander said it had “immediately implemented measures to contain the incident,” including blocking the compromised access to the database. Additional fraud prevention controls were also put in place to protect affected customers.
  • The bank declined to comment on how many clients had been affected.
