Data Protection News Update 26 June 2023

IGS
June 26, 2023

United States

US senators question Amazon on Amazon Clinic

US senators Elizabeth Warren and Peter Welch sent a letter to Andy Jassy, Amazon President and CEO, about Amazon’s data protection practices regarding patient data of those using Amazon Clinic.
The senators felt compelled to write the letter after reports emerged that patients seeking to enroll in Amazon Clinic were asked to provide Amazon ‘with expansive access to their health information and authorize the company to disclose that information to other entities’. The letter further states that ‘Amazon Clinic provides no information on its website as to why the company is collecting customer health care data or for what purposes it is used’.
Amazon Clinic is an Amazon subsidiary with the purpose of providing virtual healthcare services, with a focus on the treatment of over 20 common conditions.
The company’s access to sensitive health data has already been criticized by privacy experts back in 2022.

Former Grindr CPO sues company over wrongful termination after raising privacy concerns

Ron De Jesus claims that the dating app continuously collects and retains highly sensitive data including nude photos without clear and valid consent. The former privacy head alleges that he was fired after raising these concerns over the alarming data privacy practices.
Grindr has been previously fined by the Norwegian DPA for disclosing HIV-status of users.
De Jesus claims that Grindr retained naked pictures and HIV status from users even after the users deleted their accounts. Furthermore, the information was accessible by any employee or third-party vendor.

State attorneys general urge for stronger HIPAA reproductive protections

California Attorney General Rob Bonta and New York Attorney General Letitia James led a coalition of 24 states in support of stronger protections for patients’ reproductive health data. They support the currently considered Amendment to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. If the amendment is implemented, the disclosure of protected health information (PHI) with certain criminal, civil and administrative investigations, and proceedings against a patient in connection with a legal abortion would become illegal.
‘In this post-Roe world, those seeking reproductive care need better protections against wrongful prosecution’

Europe

Nyob files complaint to Ireland’s High Court

Nyob, the European digital rights advocacy group, filed a complaint against Ireland’s Data Protection Commission claiming that it did not entirely follow through on enforcement of the GDPR violations that Meta committed. Nyob wants the High Court to force the DPC to investigate its complaints against Meta in its entirety. It is claimed that the DPC has only addressed one of 10 issues that were raised.
One of the complaints by Nyob against Meta is the claim that Meta’s platforms relied on consent to process personal data, including sensitive personal data, which could not be a valid legal basis in the case of Meta.
Nyob further alleges that the DPC even altered its draft decision, ignoring key elements of the case.

CNIL fines Criteo 40 million euros over GDPR violations

France’s Data Protection Authority (CNIL) fined Criteo, an online advertising company specialising in ‘behavioral retargeting’ (a way of tracking the navigation of Internet users in order to display personalised advertisements), a fine of 40 million euros for its GDPR violations, which include the failure to verify the individual’s consent for the data processing and for being in breach of the principles for information and transparency, the right of access and erasure.

EDPB approves cross-border complaint template and adopts recommendations for controller BCRs

The European Data Protection Board (EDPB) adopted a GDPR-compliant complaint template for cross-border exchange of information.
EDPB Chair Anu Talus states that this will ‘facilitate the cross-border exchange of information regarding complaints between data protection authorities’ and that it would ‘help DPAs save time and resolve cross-border cases more efficiently’.
Furthermore, the EDPB adopts recommendations for the use of binding corporate rules by controllers with the aim of providing an updated standard application form for the approval of controller BCRs, clarifying the necessary content of the BCRs and making a distinction between what is to be included in the controller BCRs compared to what must be presented to the BCR lead data protection authority.

International

New Zealand city council breaches privacy of individuals involved in car accidents

It is reported that Wellington City Council committed a data breach in releasing personal data of individuals that were involved in car accidents. The disclosed data involves the names of the drivers and medical details such as blood alcohol levels and drug use. A total of 4224 people is affected.
The Office of the Privacy Commissioner states that they would first focus on guiding the city council to minimize the harm that was caused by the breach. Only as a second step, it will be analyzed what the cause was of the breach and what the city council has done to prevent similar breaches from occurring in the future.

Google Chief Privacy Officer criticizes Australia’s proposed privacy law reform

Keith Enright, Google’s chief privacy officer, criticizes one key proposal of Australia’s privacy law reform, which is Australia’s version of the ‘right to be forgotten’. In its current form, the proposal would apparently specifically target online search results.
Enright says that Google does generally support the proposed reforms, but that they believe that the law should not single out search engines: ‘We feel strongly that if you are creating a legal right to remove information from the internet, those requests should be directed to the publishers of that content rather than to search engines because, of course, even if it is suppressed from a search engine, that content still exists on the internet elsewhere’.

United Kingdom

ICO publishes new guidance on Privacy Enhancing Technologies (PET)

The guidance is intended to help data protection officers and others using large personal data sets in areas on finance, healthcare, research and central and local governments.
The use of PETs is important as they help organisations comply with data protection principles, ensuring that data protection is ‘built in’ from the beginning of the project.

UK banks to share customer data with government in dirty money crackdown

More than six UK Banks such as Lloyds and Natwest are in talks with law enforcement and government agencies to ‘systematically share intelligence on major financial crimes’ in an effort to halt economic crimes such as money laundering.
Lawmakers state that economic crimes cost the economy around 350 billion pounds per year, which is why the government has an interest to tackle this issue.

Data Protection News Update 14 May 2024

United Kingdom Organisations must do more do more to combat the growing threat of cyber attacks Northern Ireland police obtained reporters’ phone data, tribunal hears

Data Protection News Update 07 May 2024

United Kingdom Information Commissioner: Persistent sensitive information breaches failing people living with HIV OnlyFans faces UK investigation into age-verification measures United States UnitedHealth CEO tells

Two Conceptions of Algorithmic Fairness: The Case of Generative AI

Algorithmic fairness is perhaps one of the most cited values when people talk about AI ethics. However, there is also deep disagreement about what it

Data Protection News Update 29 April 2024

United Kingdom ICO fines two companies a total of £340,000 for making aggressive and unwanted marketing calls Grindr facing UK data lawsuit for allegedly sharing