Data Protection News Update 29 January 2024

United Kingdom

South Tees Hospitals NHS Foundation Trust reprimanded for “serious, harmful” data breach

  • The Information Commissioner’s Office (ICO) has announced it has reprimanded South Tees Hospitals NHS Foundation Trust for a data breach which resulted in a disclosure containing sensitive information to an unauthorised family member.
  • In November 2022, a Trust employee sent a standard letter informing the father of a patient of an upcoming appointment, but the letter was sent to the wrong address.
  • While the investigation carried out by the ICO confirmed that the disclosure was the result of human error, it also found no evidence that the Trust fully and appropriately prepared staff for their role in dealing with correspondence that was particularly sensitive.
  • South Tees Hospitals NHS Foundation Trust should now implement new standard operating procedures and provide further staff training to ensure data is adequately protected.

UK ‘complacent’ on data protection, OVH Cloud chief warns

  • Michel Paulin, the boss of French cloud provider OVH Cloud, warns that the UK is showing more ‘complacency’ around data protection compared to its European counterparts.
  • Paulin is concerned that the US government could access UK company data without them realising due to the Data Access Agreement between the two countries, which entered into force in October 2022.
  • Paulin described the UK as an open bar, whereas in Spain, France, and Germany, laws have been passed by the European Commission to address a rise in concern.

United States

Man sues Macy’s, saying false facial recognition match led to jail assault

  • Harvey Murphy Jr. is suing Macy’s after he was arrested when the company’s facial recognition software falsely identified him as having robbed a nearby store.
  • Murphy was 2,000 miles away when the technology identified him by scanning the store’s surveillance cameras and an internal shoplifter database.
  • Retailers are increasingly using facial recognition technology to patrol their stores for shoplifters and unwanted customers, but the technology’s accuracy is highly dependent on technical factors (the camera’s video quality, a store’s lighting, the size of its face database), and a mismatch can lead to dangerous results.
  • Murphy was sexually assaulted while wrongly incarcerated and is seeking $10 million in damages.


EU, US near deal on police access to online data

  • A deal between the EU and US to allow European law enforcement to access data from US-based technology companies will likely happen by the end of 2024.
  • Concerns over this new deal are twofold, as Europe fears the US could overreach in its requests for data, but civil rights defenders and others have equally warned that European countries with a poor track record on the rule of law could misuse the new powers in ways that limit freedom of speech or political opinion.
  • European Justice Commissioner, Didier Reynders, said that Brussels and Washington share similar goals for improving their police forces’ access to data in criminal investigations related to terrorism, drug trafficking and online child sexual abuse.

Employee Monitoring: the CNIL sanctions Amazon France with a fine of 32 million euros

  • France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), fined Amazon France 32 million euros for allegedly over-surveilling its warehouse employees and keeping data of their actions for longer than was deemed necessary.
  • As part of their job, each warehouse employee is equipped with a scanner which documents in real time the execution of certain tasks assigned to them (such as storing or removing an item from the shelves, putting away items, or packaging items).
  • Each scan carried out by employees results in the recording of data, which is stored and makes it possible to calculate a series of indicators providing information on the quality, productivity, and periods of inactivity of each individual employee.
  • After press articles targeting certain practices implemented by the company and several complaints from employees, the CNIL carried out several inspection missions.
  • The CNIL concluded that the scanner system can be justified for management purposes but considered the retention of all this data disproportionate.


‘World’s most controversial company’ Clearview AI still being used to solve Australian police cases

  • An investigation found the Australian Federal Police (AFP) are still using Clearview AI to solve cases.
  • Clearview AI has been dubbed the “world’s most controversial company” after an article in 2020 revealed that it had built a facial recognition app based on a database of billions of illegally obtained images scraped from the internet.
  • After publicly cutting ties with the company and denying that any third parties are using the technology on their behalf, the AFP confirmed it “provided case material to an international law enforcement agency which was later analysed using Clearview AI’s technology.”
  • In 2021, Information and Privacy Commissioner Angelene Falk claimed Clearview AI had illegally gathered residents’ data.
  • The Attorney-General’s office did not answer questions about whether the AFP using a technology that breached Australia’s privacy laws through a third party was meeting its legal obligations and community expectations.

South Korea’s PIPC warns 15 businesses over CCTV noncompliance

  • South Korea’s Personal Information Protection Commission issued warnings to 15 businesses for noncompliance with the Personal Information Protection Act.
  • Article 25 of the Personal Information Protection Act states that a person who installs and operates a fixed video information processing device must take necessary measures, such as installing a sign containing the following information: installation purpose and location, shooting range and time, and contact information of the person in charge of management.
  • The 15 businesses who received a warning failed to install information boards during the operation of installed fixed video information processing devices (CCTV).
  • Fines were not imposed as they are seen to be burdensome to small businesses.

