Data Protection News Update 21 August 2023

IGS
August 21, 2023

United Kingdom

Changes to NCSC Cyber Incident Response Scheme

UK’s National Cyber Security Centre has announced a change to its Cyber Incident Response Scheme by adding an additional level. This means that more organisations will be able to receive incident response services, including organisations from the private sector.
The Cyber Incident Response Scheme supports organisation when they have become victims of cyber-attacks by ensuring that those organisations engage providers that they can trust (those providers are called Assured Service Providers). Those providers help to recover organisations from cyber incidents and deliver a full investigation of the incident and provide recommendations as to how to prevent it from happening again in the future.

United States

Woman is awarded USD1.2 billion in damages in ‘revenge porn’ lawsuit

A woman from Texas was awarded USD1.2 billion in damages in a ‘revenge porn’ lawsuit against an ex-boyfriend who shared images with explicit content of her with family, friends and co-workers without her consent with the intent of damaging her reputation.
Furthermore, the shared content included other identifiable personal data such as her name and address.

FTC charges credit company for not offering option to opt-out marketing emails

The Federal Trade Commission is looking to charge Experian, a credit company, USD650,000 for spamming individuals who have set up an account with them with marketing emails without offering them a way to opt-out.
Offering a way to opt-out of unsolicited marketing emails is a requirement under the CAN-SPAM Act.
The complaint was filed by US Department of Justice.

Europe

Czech Republic’s DPA is assessing police’s use of facial recognition technology

Czech Republic’s DPA is currently assessing the use of facial recognition technology by local police and has requested information from them including information of the specific tech which was used on a trial basis for nearly a year.

IAPP publishes an analysis of the revised Swiss Federal Act on Data Protection

IAPP has published an article about the new Swiss Federal Act on Data Protection (FADP) which comes into force on the 1^st of September 2023.
The Act was passed in parliament in 2020 and aims at revising the original federal law on data protection which came into force in 1992.
With this revision, the ‘Swiss data protection regime will be brought into greater alignment with the GDPR’, but there are still notable differences. A helpful overview is provided in the IAPP’s article.
The FADP might be of note because with this revision, an expanded territorial scope is introduced. The FADP will apply to circumstances that have an effect in Switzerland, even if the actual activity was initiated outside of Switzerland. ‘In practice, like the GDPR, organisations targeting goods and services to Swiss individuals or monitoring their behavior will now have to comply with’ the revised Act.

International

Singapore’s Personal Data Protection Commission issues formal warning

Singapore’s Personal Data Protection Commission has issued a formal waring to a registered salesperson for not obtaining ‘clear and unambiguous consent’ from individuals and not checking the ‘Do Not Call Registry’ before making their sales calls.
A ‘Do Not Call Register’ allows people in certain countries to indicate that they do not wish to be contacted by telemarketers (https://en.wikipedia.org/wiki/Do_not_call_list). Singapore has such a registry. So does the UK, it is called ‘Telephone Preference Service (TPS)’, which allows UK residents to opt out of unsolicited marketing calls (https://www.tpsonline.org.uk/).

Australia’s government publishes ‘Tech Trends Position Statement’

Australia’s eSafety Commissioner published their ‘Tech Trends Position Statement – Generative AI’ guidance document. The paper gives an overview on the existing landscape, discusses the risks, harms and opportunities surrounding generative AI, highlights emerging good practice and safety by design measures and concludes with advice for users.

India’s Data Protection Law published in official gazette

India’s Digital Personal Data Protection Act was published in the official gazette after being approved by the President last Friday.
The Act has received some positive feedback of a couple of data protection authorities around the world, such as the DPA of Norway and South Africa, going so far as to say that the legislation offers ‘invaluable lessons on how safeguards can be applied’. See https://economictimes.indiatimes.com/tech/technology/governments-abroad-look-to-model-on-indias-landmark-data-law/articleshow/102752176.cms.

Data Protection News Update 14 May 2024

United Kingdom Organisations must do more do more to combat the growing threat of cyber attacks Northern Ireland police obtained reporters’ phone data, tribunal hears

Data Protection News Update 07 May 2024

United Kingdom Information Commissioner: Persistent sensitive information breaches failing people living with HIV OnlyFans faces UK investigation into age-verification measures United States UnitedHealth CEO tells

Two Conceptions of Algorithmic Fairness: The Case of Generative AI

Algorithmic fairness is perhaps one of the most cited values when people talk about AI ethics. However, there is also deep disagreement about what it

Data Protection News Update 29 April 2024

United Kingdom ICO fines two companies a total of £340,000 for making aggressive and unwanted marketing calls Grindr facing UK data lawsuit for allegedly sharing