Data Protection News Update 30 January 2023

IGS
January 30, 2023

United States

Chick-Fil-A Hit With Class-Action Privacy Lawsuit Over Video Data Collection

According to a new lawsuit, Chick-fil-a has been sharing data with Meta.
Chick-fil-a has been releasing animated videos on YouTube and their own website evergreenhills.com.
The evergreenhills site was a Meta pixel, which is a tracker that sends Meta data about who is visiting the site.
It’s alleged that Chick-fil-A broke a law called the Video Privacy Protection Act (VPPA), which says you can’t share personally identifiable information about people’s video viewership without their consent. The Meta pixel gathers unique ID numbers that Meta can identify you and therefore target you with ads.
The VPPA is an obscure law from 1998 that was meant to protect information about people’s video tape rentals.
The law states that video tape service providers can’t disclose personally identifiable information about what videos you watch without your informed, written consent. But it is not clear that the internet is considered in this law.

TSA investigating how some no-fly list data was exposed on internet

The TSA is investigating a potential cyber-security incident when a hacker claimed to access an old no-fly list of suspected terrorists.
The data was on the public internet in an unsecured computer server hosted by a regional airline based in Ohio, CommuteAir.
CommuteAir said that an outdated no-fly list from 2019 was accessed and they then took the affected computer server offline. This list included names and birthdates.

Europe

French privacy chief warns against using facial recognition for 2024 Olympics

The French data protection authority has warned against using facial recognition as a part of the security for the 2024 Paris Summer Olympics.
The French government wants to increase their surveillance powers to ensure the safety of the tourists which includes AI-powered cameras but not facial recognition.
The Senate is voting on the law to introduce the new powers. Many Senators are split between those who want to add privacy safeguards and those who want to add facial recognition.
Adding facial recognition was rejected in the Senate’s law committee but could come back in the plenary session.

Regulator of algorithms established in the Netherlands

There has been a new unit established in the Netherlands data protection authority that will identify and analyse the risks and effects of algorithms.
This is a part of the Dutch government’s efforts to clarify the goals and activities of the algorithm regulator.
The data protection authority is already responsible for addressing the processing of personal data via AI and have been granted additional funding for the expansion of this unit.
As a part of this regulation government bodies in Netherlands will have to register the algorithms they use.

Data Protection Commission announces conclusion of inquiry into WhatsApp

The Irish DPC has concluded the inquiry into WhatsApp and has fined WhatsApp Ireland €5.5 million.
In inquiry concerned a complaint from May 2018, when WhatsApp informed users if they wanted to continue having access to WhatsApp, after the introduction of the GDPR, they had to “agree and continue” to indicate they accepted the new terms of service or not be able to use the service.
WhatsApp argued that this was a contract between the user and WhatsApp Ireland. They also argued that processing user’s data was necessary for the performance of that contract.
The complainant argued that this was forcing them to consent to the processing of their data.
There was no consensus reached between the CSA’s and therefore the DPC referred the matter to the EDPB.
The final decision adopted by the DPC on 12 January 2023 reflects the EDPB’s binding determination, that WhatsApp was not entitled to rely on contract as a legal basis to process user’s personal data.
The DPC imposed an administrative fine of €5.5 million on WhatsApp Ireland and ordered that WhatsApp Ireland must bring its processing operations into compliance with the GDPR within a period of 6 months.

International

New data protection law to straddle individual rights, innovation: Vaishnaw

The Minister for Communications, Electronics & Information Technology (IT) Ashwini Vaishnaw said that India will draw a template for individual rights while balancing innovation through its proposed digital personal data protection law.
Vaishnaw noted the approach of the GDPR while robust, has a push-back on innovation.
The proposed law wants to enforce Indian citizens’ right to privacy as a fundamental right. The draft provides a legal framework for collecting and processing personal digital data in India.

United Kingdom

UK text and data mining copyright exception proposals set to be watered down

It seems likely that proposed changes to expand the scope of the text and data mining exception for copyright law will be watered down.
The exception allows text and data mining (TDM) of copyrighted works for non-commercial purposes if the user has lawful access to the work. The government wanted to expand the exception to allow TDM for any purpose to encourage innovation.
But this intention has drawn criticism.
UK Music is concerned as it would allow AI music to be created using copyright content that those controlling the AI don’t own with no compensation to the artists or rights holders.
The UK’s digital minister Julia Lopez said that the committee and the DCMS are aware of the importance of IP and is fairly confident that this change will not proceed.

Empowering people to foster trust in tomorrow’s technological advancements

The ICO is encouraging developers to consider privacy early when implementing technologies so that public trust is maintained.
The benefits that can come with emerging technologies could be lost if there is misuse of data.
The ICO’s Tech Horizons Report looks at these technologies and the benefits they could lose. The report analyses key technologies that are expected to impact society must consider transparency, control over data and how much data is collected.
The report has four categories: Consumer HealthTech, Next-generation Internet of Things (IoT), Immersive technology, and Decentralised finance.
The ICO continues to offer insight to Parliament, looking to the future of connected technology, safeguards for children automated decision making and data security.

Data Protection News Update 22 April 2024

United Kingdom ICO reprimands housing association for insufficient data security ICO publishes guidance to improve transparency in health and social care United States Change Healthcare’s

Data Protection News Update 15 April 2024

United Kingdom Information Commissioner’s Office seeks views on accuracy of generative AI models United States US Senator says TikTok divestiture deadline could be extended to

Asking (and answering) an obvious but important question: why does data confidentiality matter, ethically speaking?

In my last article, I focused on the ethical significance of one of the most prominent failure of data governance in recent times; namely, the

Data Protection News Update 08 April 2024

United Kingdom ICO sets out priorities to protect children’s privacy online ICO joins global data protection and privacy enforcement programme United States US and UK