Data Protection News Update 30 May 2023

United States

Harvard Pilgrim suffers data breach

  • It has been reported that personal data of patients and providers was stolen in a massive health insurance hack caused by a ransomware attack.
  • The compromised data includes names, addresses, social security numbers, taxpayer ID numbers, and medical information and history. This makes the breach very significant, with potentially serious repercussions, as the data could easily lead to identity fraud.

Biden announces additional initiatives exploring AI

  • The Biden-Harris Administration announced new initiatives that ‘will advance the research, development, and deployment of responsible artificial intelligence (AI) that protects individuals’ rights and safety and delivers results for the American people’.
  • The announcement includes an updated roadmap to focus federal investments in AI research and development, a new request for public input on critical AI issues, and a new report on the risks and opportunities related to AI in education.

US Senators probe Google on data practices related to reproductive health care

  • Ten US senators contacted the Google CEO, Sundar Pichai, about the company’s collection of sensitive location data post Roe v. Wade.
  • In July 2022, Google committed itself to ‘delete entries of sensitive locations from the Location History feature’.
  • However, senators claim that Google failed to follow through on these commitments since visits to counseling centers, domestic violence shelters, abortion clinics, fertility centers, and addiction treatment facilities were among the data sets that Google held.
  • Toward that end, the senators asked Google questions on the collection, retention and deletion of data.


Italy DPA to increase AI enforcement

  • Italy’s DPA expressed its intent to review other AI platforms and to work together with AI experts in an attempt to increase its scrutiny of AI technology after its decision against ChatGPT in March 2023.
  • Agostino Ghiglia – a member of the Garante’s board – states that they ‘plan to kick off a wide-scope review of generative and machine learning AI applications which are available online because we want to understand if these new tools are addressing issues linked to data protection and privacy laws compliance – and we will start new probes, if needed’.
  • Reuters describes the Italian DPA as being amongst the most proactive DPAs in the EU, as it was the first to ban AI chatbot company Replika, the first to impose fines on facial recognition software maker Clearview AI and the first to restrict TikTok in Europe.

CNIL publishes annual report for the year 2022

  • Several highlights are pointed out in the report:
    • 11 million visits to CNIL’s websites were recorded;
    • More complaints were processed (13,425) than received (12,193).

Finland’s DPA renders decision regarding Google Analytics

  • The Finnish DPA decided that the Finnish Meteorological Institute should stop the EU-US data transfers using Google Analytics and Google’s reCAPTCHA.
  • It held that the institute had no legal basis for continuing to share data with the US on the basis of cookie consent after the CJEU invalidated the EU-US Privacy Shield in July 2020.

Irish DPA fines Meta a record 1.2 billion euros

  • The Irish DPA (DPC) fines Meta a record 1.2 billion euros under the GDPR, ruling that Meta transferred data from the EU to the US unlawfully. The decision requires Meta to suspend future transfers of personal data to the US within five months of the decision and to bring its processing activities into compliance.
  • It took the Irish DPA three years to come to this decision.
  • Meta said it will appeal the ruling.
  • In the decision, there are several findings of significance:
    • The DPC holds that US law does not provide an equivalent level of protection to the EU law.
    • Neither the 2010 nor the 2021 SCCs can compensate for the insufficient protection provided by US law.
    • Meta Ireland cannot rely on the derogations provided for at Article 49(1) GDPR when making the data transfers.
  • Collectively, this results in Meta no longer being able to rely on other GDPR transfer mechanisms to make transfers to the US.
  • It is not clear what is meant by ‘bring its processing operations into compliance’. Some argue that this should mean that Meta needs to delete the data held in the US that was transferred unlawfully, even though the deletion was not ordered explicitly. A less drastic option is the anonymization and encryption of the data held in the US.
  • Some see the record-breaking size of the fine as the ‘ushering in of a new era for GDPR enforcement’ and say that ‘national regulators are seemingly not only more equipped but also more willing to issue larger fines’.


Leaders attending the G7 Summit announce collaborative effort on AI governance

  • Leaders attending the G7 summit in Hiroshima announced that they are determined to work collaboratively on advancing ‘international discussions on inclusive artificial intelligence (AI) governance and interoperability to achieve our common vision and goal of trustworthy AI, in line with our shared democratic values’.
  • They further recognize that international governance has not kept pace with rapidly changing technology. They stress that gaps need to be identified and addressed together.

Real estate agents group opposes privacy law reform in Australia

  • Included in this bill are the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act.
  • The Real Estate Institute of Australia is pushing back against the proposed changes to the privacy laws, as it fears that they would harm small businesses.
  • The president of the group, Hayden Groves, says that an ‘additional layer of responsibility is not necessary’ and could lead smaller agencies to shut down.
  • These statements come after the data breaches suffered by real estate agents in 2022 (for example, Harcourts and LJ Hooker).

Hong Kong’s police and Education Bureau pave the way for the use of CCTV cameras on school premises

  • Hong Kong’s Police made 21 recommendations for best practices to reduce crime in schools. An important recommendation is to install security cameras on the premises of the school.
  • Hong Kong’s Education Bureau will let the individual schools decide whether they want to install CCTV cameras on their premises.
  • Lawmakers and school principals express concerns about this development, saying that pupils and teachers will feel uncomfortable with CCTV watching lessons.

United Kingdom

ICO publishes guidance on responding to subject access requests

  • ‘What we’re seeing now is that many employers are misunderstanding the nature of subject access requests or underestimating the importance of responding to requests. […] It’s important to not get caught out, and that is why we are publishing this guidance today – to support employers in responding to subject access requests […]’.
  • Find the guidance here.

ICO issues formal reprimand to the Ministry of Justice

  • The formal reprimand (in accordance with Article 58(2)(b) UK GDPR) followed an incident where 14 bags of confidential documents, including medical and security data, were left unsecured in a prison holding area for 18 days.
  • The ICO concludes that at least 44 prisoners and staff members had access to the information over this period and that staff members ‘did nothing proactive to ensure the personal information was secured’.
  • The ICO states that the provisions infringed are Article 5(1)(f) and Article 32(1)(d) and (2). The Ministry of Justice failed to implement appropriate technical and organisational measures to ensure the security of personal data. It was also held that there was a distinct lack of robust policies, as the policies did not give the reader specific instructions on the designated storage areas for confidential waste prior to its disposal. Greater clarity would likely have prevented this incident from occurring.
  • See the press release here.

