Data Protection News Update 23 January 2023

IGS
January 23, 2023

United States

TikTok Tries to Win Allies in the U.S. With More Transparency

TikTok revealed details of its $1.5 billion plan to reorganise the company’s operations in the U.S.
TikTok hopes that this planned reorganisation, including new measures to ensure oversight of its content-recommendation algorithms will convince Washington that it can operate independently of China-based ByteDance Ltd.
Central to this plan is a system for third-parties to monitor the secret algorithms that powers TikTok.
These third-party monitors would check the code to see if it has been manipulated or if the Chinese government or other foreign actors have had access to it.
TikTok will also create a new subsidiary, TikTok U.S. Data Security with 2500 employees in charge with safeguarding the app and reporting to an outside board.

NSA director urges Congress to renew controversial intelligence authority

NSA director Gen. Paul Nakasone is advocating for the renewal of Section 702 of the Foreign Intelligence Surveillance Act (FISA). This law provide U.S intelligence agencies wide-ranging authority to conduct surveillance on foreign persons abroad.
Nakasone argues that this law plays a significant role in protecting the nation and saving lives.
The law has been used to counter ransomware threats against those trying to steal sensitive U.S. military information.
The law is also important in U.S. victims of foreign intelligence operations and cybercrimes.

Meta Sues Analytics Company Voyager Labs Over Data Scraping

Meta is suing Voyager Labs, a company that works with law enforcement for allegedly scraping data that users posted about themselves.
Voyager created and used over 38,000 fake Facebook user accounts and its surveillance software to scrape more than 600,000 Facebook users’ profile information.
Meta also disabled more than 60,000 Instagram and Facebook accounts associated with Voyager Labs.
Meta claims that Voyager Labs violated Meta’s terms of service by creating fake accounts and scraping. Meta is seeking an injunction and monetary damages.

Europe

EU top court rules that controllers must disclose actual identity of data recipients in response to data subject access request

An Austrian individual had requested access to his personal data from his postal service provider and asked it to identify the recipients of his data. The postal services responded that they had shared his data for marketing purposes.
The lower courts in Austria, rejected this individual’s claim to know more about the recipients of his data arguing the under Article 15(1)(c) the controller need only inform the data subject of the category of the recipients.
He appealed to the Austrian Supreme Court, which referred the case to CJEU.
The CJEU has ruled that if personal data is (or will be) disclosed to recipients, controllers must disclose the actual identity of recipients, when requested by the data subject, unless the recipients are impossible to identify or the controller can prove that the request is manifestly unfounded or excessive

ECJ: Individuals have the flexibility to choose between administrative and civil remedies under the GDPR

The ECJ says that the GDPR allows individuals to choose between administrative and civil remedies if there has been a violation of their rights under the GDPR.
Making several remedies available strengthens the objective of recital 141 of the GDPR, granting every data subject the right to an effective judicial remedy.
The remedies in Article 77 and 78 (Right to lodge a complaint with a supervisory authority) and Article 79 (Right to an effective judicial remedy against a controller or processor) can run concurrently and independently of each other.

Divergence Among EU Data Protection Authorities as Spanish DPA Rules that the Use of Google Analytics Does Not Breach the GDPR

The AEPD (the Spanish data protection authority) became the first EU data protection authority to reject one the 101 complaints filed by NOYB.
NOYB has filed 101 complaints against 101 EU companies regarding their use of Google Analytics.
This decision differs from the Austrian, French, Italian and Danish authorities.
The Spanish authority ruled that it had no evidence that the Spanish company, RAE, infringed on the GDPR.
The AEPD did not provide a detailed analysis but maybe this decision shows that there is diverging perspectives among EU data protection authorities.

International

Collection of voice data for profit raises privacy fears

With voice-assisted products, such as Alexa and Siri, on the rise in homes and workplaces there is now a trend of using this technology in private sector innovation.
Voice data collection could be great for marketing purposes but also has significant risks for data breaches.
Amazon-owned grocery chain Whole Foods agreed to pay almost $300,000 to workers in a settlement over allegations that a voice-assisted product used to track worker productivity at a Chicago warehouse had recorded employees’ voices without their consent.
There are also risks for impersonation. Deepfake audio, tricked a Hong Kong-based bank into sending $35 million to a criminal the bank thought was a corporate attorney.

China, a Pioneer in Regulating Algorithms, Turns Its Focus to Deepfakes

China is implementing rules to restrict production of deepfakes, media generated or edited by artificial intelligence.
China’s internet regulator has started to enforce regulations on deep synthesis technology that make people appear to say and do things they never did.
This is the world’s first comprehensive attempt by a major regulatory agency.
These technologies underpin applications like ChatGPT.
These regulations prohibit the use of AI-generated content for spreading “fake news,” or information deemed disruptive to the economy or national security.
The rules also include the visible labelling of AI-generated content for users as well as digitally watermarking them.
The U.S. has also tried to address the proliferation and the abuse of deepfakes but have had trouble reconciling free-speech concerns.

United Kingdom

No end in sight for major mail delivery disruptions from U.K.

Royal Mail had a cyber incident last week and are experiencing severe service disruption.
This problem has lead to a large portion of mail unable to leave the U.K.
The cyberattack affected Royal Mail’s systems to prepare letters and parcels for dispatch.
Royal Mail CEO Simon Thompson testified that there was no customer data breach.
The cyberattack was allegedly perpetrated by the ransomware gang LockBit.
A representative for LockBit denied involvement in the Royal Mail attack and laid blame on other hackers.

Data Protection News Update 22 April 2024

United Kingdom ICO reprimands housing association for insufficient data security ICO publishes guidance to improve transparency in health and social care United States Change Healthcare’s

Data Protection News Update 15 April 2024

United Kingdom Information Commissioner’s Office seeks views on accuracy of generative AI models United States US Senator says TikTok divestiture deadline could be extended to

Asking (and answering) an obvious but important question: why does data confidentiality matter, ethically speaking?

In my last article, I focused on the ethical significance of one of the most prominent failure of data governance in recent times; namely, the

Data Protection News Update 08 April 2024

United Kingdom ICO sets out priorities to protect children’s privacy online ICO joins global data protection and privacy enforcement programme United States US and UK