Data Protection News Update 28 February 2023

United States

Medical group faces lawsuits following breach affecting 3.3M people

  • A medical group in California – Regal Medical Group – is facing a minimum of five proposed class-action lawsuits.  
  • This comes after a ransomware attack in December 2022 that impacted 3.3 million people.
  • The lawsuits allege that the group failed to protect individuals’ sensitive information, violating state and federal laws including the Health Insurance Portability and Accountability Act.
  • The data that was potentially exposed included personally identifiable information. 

Study alleges Google ‘nutrition labels’ lack full transparency 

  • A study carried out by Mozilla claims that Google’s privacy “nutrition labels” for mobile apps don’t include all data collection practices by certain apps.
  • According to Mozilla’s “Privacy not included” series, top apps on Google Play such as TikTok and Twitter share user data with various data parties without disclosing the practices in their labels.
  • Additionally, Mozilla alleges Google is putting the burden of transparency on app developers.

US Supreme Court passes on NSA surveillance program claims

  • The US Supreme Court has declined to hear a case trying to curtail the US National Surveillance Agency’s online communications surveillance program.
  • The NSA’s program allows for warrantless collection of online communication data as it flows through telecommunication systems. 
  • Advocacy groups sought to push the case through to the Supreme Court after the Court of Appeal upheld the NSA’s practices.
  • The program is allowed under the Foreign Intelligence Surveillance Act, Section 702.


European Commission bans TikTok on corporate devices; US lawmakers renew calls for a ban 

  • The European Commission banned TikTok on corporate devices, citing data protection concerns.
  • An email addressed to EU officials additionally requested employees to uninstall TikTok from personal devices using corporate applications “to protect the Commission’s data and increase its cybersecurity.” 
  • A spokesperson for TikTok has said the action is “misguided and based on fundamental misconceptions.” 
  • US lawmakers are renewing calls to ban TikTok nationwide over concerns regarding the data collection of the Chinese-owned company. 

Investigation by Netherlands’ DPA prompts changes to Tesla security cameras 

  • The Dutch DPA, the Autoriteit Persoonsgegevens, has said it will not fine Tesla over potential violations in connection with its cars’ built-in security cameras.
  • The DPA said Tesla modified the Sentry Mode feature to only record when enabled by the user and diminished image storage time. 
  • It also indicated that its investigation showed that vehicle owners, not Tesla, are responsible for images recorded in their vehicles. 

Op-ed: Twitter fee for data access could be ‘at odds with EU law’ 

  • Democracy Reporting International Digital Democracy Program Officer Lena-Maria Böswald has said Twitter’s fee for access to its developer application programming interface could be “at odds with EU law.” 
  • She claimed that access to platform data for eligible researchers is required for compliance with European law, but it is uncertain whether the EU Digital Services Act explicitly required free access.
  • She noted that, if so, Twitter’s new “barriers to data access” could “result in significant fines under the DSA.” 


Air Canada launches facial recognition option for travellers 

  • Air Canada is launching a voluntary facial recognition option for all passengers passing through its lounge at Toronto’s Pearson International Airport. 
  • Travellers can upload a facial image and a scan of their passport to the Air Canada app where it will be kept for up to 36 hours after their flight leaves.
  • Travellers will be required to grant consent each time that they wish to use their stored data for a new flight. 

Zimbabwe embarks on first stage of building cyber city outside capital 

  • Zimbabwe has begun building a “cyber city” outside of its capital city Harare, named Zim Cyber City. 
  • The first ZWD500 million stage of the development recently started following investment by Dubai-based Mulk International. 
  • Mulk has estimated that the whole project may cost upward of ZWD60 billion. 
  • Mulk has also claimed that Zim Cyber City will feature surveillance technology, including potential use of facial recognition technology to be directly connected to law enforcement. 

India’s proposed Digital Personal Data Protection Bill to cover minors under 18

  • In the proposed Digital Personal Data Protection Bill, India’s Ministry of Electronics and Information Technology defined a child as someone under 18 years.  
  • An official has said that the government will be allowed to revisit the definition after a year with a view towards extending coverage to minors under 16. 
  • The official explained “that there is no reason why (the age) cannot be lowered” as long as companies can “assure us that they have put in place a proper framework” for protection of data and prohibition of targeted advertising. 

United Kingdom

Court rules on Experian appeal of ICO enforcement notice 

  • The First-Tier Tribunal overturned portions of a 2020 enforcement notice by the UK Information Commissioner’s Office against Experian, confirming the company’s reliance on legitimate interests as a legal basis for the processing of credit reference agency information for direct marketing purposes. 
  • Deputy Commissioner Stephen Bonner, CIPP/E, CIPM, explains that marketing processes “must happen in line with the law and in an open and honest way.” 
  • The ICO noted it will consider an appeal. 
  • Experian is “very pleased” and remains “committed to transparency, safeguarding privacy and helping consumers to better understand and control the use of their data.”

Meta to change UK terms of services, maintain data flows

  • Meta plans to change its Terms of Service and privacy notices for UK users. 
  • UK Facebook, Instagram and WhatsApp users shall keep their data rights under the UK GDPR while the company moves user data out of the EU GDPR’s jurisdiction.  
  • A spokesperson for Meta has said that the updates, which had been planned following Brexit, “don’t change the way we treat UK users’ data.”  
  • This comes as Meta also confronts a potential EU service blackout pending a data transfers ruling by the EDPB. 

Judgment on CPO application in collective damages action against Meta for alleged abuse of dominance

  • Last Monday, 20th February, the Competition Appeal Tribunal issued a judgment on the application for a collective proceedings order brought by Dr Liza Lovdahl Gormsen.
  • This was brought under section 47B of the Competition Act 1998 against Meta Platforms, Inc, Meta Platforms Ireland Limited and Facebook UK Limited.
  • In its judgment the Tribunal chose to stay the application for 6 months in order to allow the PCR to file additional evidence setting out a better blueprint for an effective trial of the proceedings.
  • Should the PCR require more time, a reasoned application needs to be made.
  • Absent such an application, the CAT will lift the stay and the application will be rejected. 