Data Protection News Update 21 October 2024

United Kingdom

Apple ready to pull iMessage and FaceTime from the UK if the new privacy law is passed

  • Apple has expressed concerns to planned updates to the UKs Investigatory Powers Act (IPA) 2016. These changes would require messaging services to disable their security features at the request of authorities in an effort to “protect the public from criminals, abusers child sex and terrorists”.
  • Apple has said that the new changes could jeopardize data security and information privacy and threatened to pull iMessage and FaceTime from the UK if the revised act goes ahead, saying the proposals “pose a serious and direct threat to users outside the UK”
  • The IPA is under an 8-week consultation process on proposed amendments, and analysts predict tech companies are unlikely to accept the changes.

OnlyFans Taps Orrick, Big Law as Video Site Faces Privacy Issues

  • OnlyFans Ltd., a video streaming service known for its sexually explicit content, has retained a handful of Big Law firms as outside counsel and assembled an in-house legal team as it faces novel online safety and data privacy concerns.
  • OnlyFans has a roster of outside council, including Orrick and other large firms such as Cooley; Quinn Emanuel Urquhart & Sullivan; Skadden, Arps, Slate, Meagher & Flom; and Winston & Strawn.
  • Orrick helped OnlyFans affiliate Fenix (the London-based holding company of OnlyFans) to defeat a putative class action this year, while Winston is handling a biometric privacy case for the company. Quinn Emanuel got a jurisdictional win last year for Fenix in another dispute involving performers who claimed they were incentivized to suppress traffic to social media rivals. Skadden is advising on another lawsuit concerning “chatters” (individuals pretending to be content creators on the platform).

United States

401(k) Data Use in Cross-selling Targeted by Federal Watchdog

  • The US Government Accountability Office is investigating the use of 401(k) data to market extra financial products to savers, an emerging industry practice to keep consumer costs down that has critics calling foul over privacy concerns.
  • Key questions investigators are asking include how retirement data is collected and shared, the potential benefits and risks of current practices, and how both private-sector providers and regulators protect consumer data.

Upcoming Requirements for Digital Goods and Subscription Offers in California

  • Assembly Bill 2426, going into effect January 1, 2025, extends California’s false advertising laws to address the offering for sale of licences to digital goods. The new law is intended to ensure that consumers understand when they are purchasing only a licence to (rather than an unrestricted ownership interest in) digital goods such as games, movies, music, and books. 
  • Additionally, Assembly Bill 2863, going into effect on July 1, 2025, is a significant update to the state’s law on automatic renewal and continuous service offers. The changes introduced by the new law include: addressing trial offers; limiting contradictory information; recordkeeping; misrepresentations; price changes; expanded renewal reminder notices; required disclosures; and cancellation and “save” attempts.
  • The nuanced requirements across jurisdictions are making it increasingly difficult for businesses to offer globally standardized user journeys.

Europe

Data protection law could stifle AI in Europe, master of the rolls warns

  • Sir Geoffrey Vos, master of the rolls, highlighted that the EU’s AI Act and the Council of Europe’s Treaty on AI and human rights, democracy and the rule of law could stifle the development of AI in Europe.
  • In particular, individuals’ rights under Europe’s General Data Protection Regulation not to be subject to automated decision-making, and the existence of residual rights in data used to train AI tools both threaten the development of AI.
  • Vos, in a speech to the Irish Law Society, said both problems are ‘created in part at least by regulation getting ahead of private law’. In this crafting regulation, he concluded, ‘we all need to be careful not to impede the development and adoption of new technologies, whilst also being astute to ensure that people’s basic human rights are not infringed.’

Some of the Web’s Sketchiest Sites Share an Address in Iceland

  • A Reykjavík building is the virtual home to an array of perpetrator of identify theft, ransomware and disinformation. The street address of this building is the registered address for Withheld for Privacy, a company that is part of a booming and largely unregulated industry in Iceland and elsewhere that allows people who operate online domains to shield their identities.
  • Withheld for privacy was created in 2021 by Namecheap, and shields tends of thousands of sketchy internet sites.
  • Because Withheld for Privacy uses the building’s address as a default for its clients, this address has been linked to online forums used by a white supremacist group in the United States, Patriot Front, to sell counterfeit hormone drugs to trans women; to phishing sites posing as companies such as Amazon, Coinbase and Spotify to steal money and personal information from visitors; and to Russian influence campaigns intended to spread fake narratives to unsuspecting Americans.
  • Iceland is an attractive place for proxy services largely because of its robust privacy laws, which officials said were intended to protect ordinary users from authoritarian governments — not to shelter fraudsters or other criminals.

International

OAIC creates guides to ensure privacy laws for AI projects

  • The Office of the Australian Information Commissioner (OAIC) has created two guides to help businesses navigate how Australian privacy law applies to artificial intelligence (AI), setting out the regulator’s expectations.
  • One of the guides outlines businesses privacy obligations when using commercially available AI products, and helps them to select an appropriate product. According to this guide, businesses should update their privacy policies and notifications with clear and transparent information about their use of AI.
  • The Second guide sets out privacy procedures to help developers using personal information to train generative AI models. According to the guide, developers using large volumes of information to train generative AI models should consider whether the information includes personal information, in particular where the information is from an unclear source and where it is about an identified or reasonably identifiable individual.

Share:

More Posts

Send Us A Message