Data Protection News Update 27 March 2023

United States

Amazon sued for allegedly failing to comply with NYC biometrics law

  • A New York resident is suing Amazon in federal court for allegedly failing to publicize its use of biometric cameras and scanners in its Amazon Go stores located around the city. 
  • According to the law, companies are required to notify consumers via a “clear and conspicuous sign” near the entrance if they collect biometric information on them.
  • This law is the city’s Biometric Identifier Information Law, which allows consumers to collect five thousand USD for every violation. 

Industry lobbyists influencing privacy law discussions

  • Industry lobbyists are increasingly seeking to influence the debate on data privacy legislation, with Virginia’s privacy law turning out to be industry’s favourite. 
  • In response to a proposed privacy bill in Kentucky, a coalition of industry groups has said that “they cannot support a bill that has a private right of action”.
  • The group further notes that “it is untenable to have 50 jurisdictions where litigation of any type can be initiated”.

Report highlights background for FISA Section 702 reauthorization 

  • The U.S. Congressional Research Service issued a report that outlines details of the Title VII of the Foreign Intelligence Surveillance Act ahead of potential reauthorization.
  • This report explains the authority and practices carried out under Section 702 of FISA, which has been a key point of controversy in EU-U.S. Data Privacy Framework negotiations. 
  • Interestingly, the report indicates the Office of the U.S. Director of National Intelligence estimated that 232,432 non-U.S. people were subject to digital communications checks during the calendar year of 2021. 
  • The surveillance program is due to expire December 31st. 

Potential tweaks for ‘clearer’ ADPPA framework

  • In a blog post for The Information Accountability Foundation, Groman Consulting Group Principal and former U.S. Federal Trade Commission Chief Privacy Officer Marc Groman outlined his recent analysis and recommendations for a “clearer” version of the proposed American Data Privacy and Protection Act.
  • Groman has said that the current draft proposal is “an impressive bipartisan effort”, but it “deviates from basic standards for sound legislative drafting, producing an incoherent framework.”
  • In the meantime, Peter Harrell, the former U.S. National Security Council Senior Director, and Tim Wu, the Special Assistant to the President, touted the proposed ADPPA as the preferred legislation to protect consumers and national security.


EU digital identity bill moves on to trilogue negotiations

  • The European Parliament has approved the eIDAS Regulation.
  • This is a piece of legislation that creates a continent-wide digital identity framework.
  • The bill now heads to final trilogue negotiations between Parliament, the European Commission and the Council of the European Union. 
  • The bill would require online platforms with more than 45 million European users to accept the digital identity as a logon credential. 

EU high court braces for DMA challenges

  • The General Court of the Court of Justice of the EU expects legal challenges to the EU Digital Markets Act by the end of 2023.
  • President of the General Court Marc van der Woude has said that the court anticipates questions regarding how the DMA classifies “gatekeepers” and the subsequent obligations that fall on them.
  • He has said that “(p)robably the end of this year, beginning of next year we might see the first cases and I don’t think it will stop”.

EU seeks global recognition of digital regulations

  • The EU is currently seeking recognition of the bloc’s digital regulations globally via the United Nations’ Global Digital Compact.
  • The U.N. initiative aims to establish shared digital principles on a global scale. 
  • In a submission to this digital compact, a technical group of the Council of the European Union touted the EU GDPR and the proposed Artificial Intelligence Act as worthy of global use.
  • The group characterized the legislation as “new standard-setting rules that aim to create a safer and more trustworthy online space for users and consumers.”


Child monitoring apps used by daycares could be vulnerable to breaches 

  • More childcare centers are utilizing apps allowing parents to monitor their children while they are at daycare, to facilitate billing and to communicate with caretakers.
  • Nonetheless, as Alexis Hancock, Director of Engineering at Electronic Frontier Foundation, has discovered, “there is really no regulatory body for privacy and security” of the apps that the childcare centers have been using.
  • Moreover, Hancock has found a handful of apps to be lacking two-factor authentication. 
  • With a lack of regulation of apps used by childcare centers, there could be three contact points where a child’s data can be leaked.
  • These contact points are teachers, administrators and parents. 

Telecom data breaches highlight cyberattack vulnerabilities

  • A recent data breach of a third-party marketing vendor that exposed the information of 9 million AT&T customers shines a light on the telecommunications sector’s vulnerability to cyberattacks.
  • Chief Technology Officer of Palo Alto Networks’ Unit 42 research lab, Michael Sikorski, noted that there has been a massive increase in telecom attacks, saying “(t)hey tend to have pretty large security budgets, but if you think about how much outsourcing those entities are doing, it’s significant.”

Trinidad and Tobago minister: Work on data laws ongoing with ‘urgency’

  • Trinidad and Tobago’s Ministry of Digital Transformation Executive Legal Advisor Rudyard Davidson said work is ongoing to fully operationalize the country’s Data Protection Act as well as its Electronic Transaction Act.
  • Davidson has noted that “(w)e want to do it as a matter of urgency.”
  • He continues to say that ongoing consultations with stakeholders on various regulations associated with the acts could be finalized in the fiscal year 2024. 
  • The Data Protection Act passed the House and Senate in 2011 and various sections of it were proclaimed into law in 2012 and 2021.

Regulator probes ‘cracked’ Chinese mobile apps

  • China’s Ministry of Industry and Information Technology has announced that investigations are underway into the alleged data protection violations regarding versions of mobile apps that have broken protection, otherwise known as “cracked apps”.
  • The MIIT probed claims against cracked versions of distribution platforms, e-commerce and search platforms under general and sectoral data privacy law, including the Personal Information Protection Law.
  • The regulator urged apps to improve their internal insight of potential data protection issues and to increase system testing and inspections. 

United Kingdom

‘We feel awful about this’ – OpenAI fixes ChatGPT bug that may have breached GDPR 

  • OpenAI could be in breach of the GDPR after the titles assigned to users’ ChatGPT conversations were randomly exposed to other users without consent. 
  • The issue has since been fixed.
  • A legal expert has said that any action would depend on the level of harm caused by the titles appearing in the account of another user, and what that information includes.
  • Since its launch in November 2022, ChatGPT has become one of the fastest-growing consumer apps in history, hitting 100 million unique monthly users in January alone. 

Scottish case confirms legal proceedings exemption as possible defense for GDPR claims 

  • A ruling by a sheriff court in Scotland has provided a rare analysis on how the legal proceedings exemption could be used as a defence in allegations of data protection breaches.
  • The case relates to a claim brought by a former employee of a student housing company against his employer, who he alleged had breached the UK GDPR when processing his personal data in the context of defending employment tribunal proceedings brought by another employee. 
  • The claim was dismissed, as the claimant’s allegations against the employer were found to be “lacking in specification” and “irrelevant”.
  • However, a data protection law specialist said the decision “makes it clear that the intention of the data protection laws is not to stand in the way of a fair trial or for controllers to ‘shoot themselves in the foot’ by deleting personal data or withholding personal data for fear of breaching the data protection laws”.
  • The specialist, Kathryn Wynn of Pinsent Masons, states that the decision “provides an interesting analysis of how legal proceedings exemption can be relied upon to disclose personal data without specifically notifying the affected data subject ahead of that disclosure.”

Emergency alert phone test on 23 April will not ‘breach GDPR’ 

  • Emergency Alerts is a new government service designed to warn people via their phones or tablets if there’s a nearby “danger to life”, such as extreme weather or severe flooding. 
  • The system is due to be tested across the UK on Sunday 23 April, appearing on devices that use 4G or 5G networks as a notification and loud siren-like sound for up to 10 seconds.
  • While there has been confusion as to whether Emergency Alerts constitutes a use of people’s personal data, this is not the case. The system uses the cell tower people’s phones are connected to, and so when an alert is triggered, all towers in the area will broadcast the alert.
  • “To do this the Government does not need to know the specific location or personal data on your device”. Phone network providers have not breached the GDPR by giving people’s numbers to agencies outside of those people’s permission.

ICO takes action against Lewisham Council for failing to respond to hundreds of Freedom of Information requests 

  • The ICO has issued an enforcement notice to the London Borough of Lewisham Council for failing to respond to hundreds of overdue requests made under the Freedom of Information Act 2000.
  • At the end of 2022, the Council had a total number of 338 overdue requests for information, 221 of which were over a year old. The oldest unanswered request had been submitted over two years ago. 
  • The enforcement notice requires the Council to respond to all outstanding requests over 20 working days old, not later than six months from the date of the notice. 

