United Kingdom
ICO action taken to improve access to personal information from local authorities across Scotland.
- The Information Commissioner’s Office (ICO) has issued reprimands to the Glasgow City Council and City of Edinburgh Council for repeatedly failing to respond to subject access requests (SAR) for personal information within the legal timeframe, leading to a significant backlog.
- Scottish local authorities have seen a rise in the number of SARs received, partly due to the introduction of the Redress Scotland Scheme, which allows individuals who suffered abuse while in care to apply for redress using supporting documents, such as their care records.
- These significant delays persist despite the ICO’s prior engagement with all thirty-two local authorities in Scotland to address earlier SAR request issues, with 75% of authorities improving their SAR compliance in 2023/24.
United States
US judge blocks Musk’s DOGE team from accessing Education Department, OPM data
- A U.S. federal judge has temporarily blocked Elon Musk’s “Department of Government Efficiency” (DOGE) from accessing sensitive personal data held by the U.S. Education Department and U.S. Office of Personnel Management, following a lawsuit by federal employee unions, student loan recipients, and veterans.
- The data in question includes the Social Security numbers, dates of birth, home addresses, income information, and asset information of millions of American citizens.
- U.S. District Judge Deborah Boardman ruled that both departments likely violated the Privacy Act 1974 by granting DOGE sweeping access to this sensitive personal information. “This continuing, unauthorised disclosure of the plaintiffs’ sensitive personal information to Doge affiliates is irreparable harm that money damages cannot rectify,” stated Boardman.
- The Trump administration argued that blocking DOGE’s data access would hinder the president’s ability to fulfil his agenda by restricting the information his advisors can access.
Europe
Digital rights activists file complaints in Europe over Meta’s targeted ads
- The online rights action group ‘Ekō’ has filed complaints with data protection authorities in several European countries including Norway, Germany, and Spain, regarding Meta’s targeted advertising practices and failure to comply with explicit user requests to opt out of data collection.
- A Meta representative stated that the company was unaware of the specific details of the complaints and could not respond but emphasised its commitment to protecting user data privacy.
- Tobias Judin, a spokesperson for Norway’s data protection authority, confirmed that Ekō’s complaints had been received and forwarded to the Irish Data Protection Commission, Meta’s lead supervisory authority in Europe.
- In response to European data protection laws, Meta had previously launched ad-free versions of Facebook and Instagram for European users that require a paid subscription but allow them to avoid tracking. Users who agree to be tracked can continue using the platforms for free, funded by advertising revenues. In 2024, the European Data Protection Board (EDPB) raised concerns about this policy, but no action has been taken yet.
Microsoft finalises its EU sovereign cloud project
- Microsoft has completed its multi-year EU Data Boundary project, which establishes a defined geographical area within the European Union (EU) and European Free Trade Association (EFTA) which allows European customers of Microsoft cloud services (e.g. Azure and Microsoft 265) to store and process data solely within these regions.
- Customer data, including pseudonymised data, will be stored in data centres located in the EU and EFTA, while professional service data (such as certain log data) will be stored at rest. This initiative has been introduced despite the 2023 implementation of the EU-US Data Privacy Framework, which permits EU-US data transfers under certain conditions.
- Previously, EU regulators had raised concerns about Microsoft’s data processing practices in relation to users of its cloud services, particularly regarding the legal basis for data processing and unclear language in its cloud services contracts.
- This move aims to help Microsoft cloud customers comply with European data protection laws and is part of a wider trend of technology companies offering European data residency programs. These programs ensure that data is stored within the EU and complies with local laws and policies.
International
Canada’s watchdog probing X’s use of personal data in AI models’ training
- In response to a complaint, the Office of the Privacy Commissioner of Canada has launched an investigation into X (formerly Twitter) to determine whether its use of Canadians’ personal data to train artificial intelligence (AI) models violates privacy laws. The details of this complaint have not been disclosed.
- Brian Masse, a lawmaker from the opposition New Democratic Party, confirmed that he had previously written to the privacy commissioner requesting an investigation. “I’m pleased to see the privacy commissioner agree to launch an investigation into X’s use of Canadians’ data,” said Masse in a statement. He added, “Transparency and sunlight are crucial at a time when algorithms could be manipulated to spread misinformation.”
- This investigation comes at a time of heightened tension between Canada and the United States over trade, border security and a digital services tax on U.S. technology firms.
Australia bans government use of Kaspersky software due to ‘unacceptable security risk
- Australia has become the latest country to ban government officials from using Russian cybersecurity firm Kaspersky’s software due to an “unacceptable security risk.”
- Last week, the Australian Department of Home Affairs issued a directive prohibiting government agencies from installing Kaspersky products or web services on official systems and devices.
- Kaspersky spokesperson Stefan Rojacher stated that the company was “disappointed with the decision” and that the directive was issued “without any warning or opportunity for engagement” to address the Australian government’s concerns.
- This move sees Australia become the latest member of the ‘Five Eyes’ intelligence pact of countries to announce restrictions on Kaspersky software, joining Canada, the United Kingdom, and the United States. In October 2024, Kaspersky also announced plans to shut down its UK business, stating it would be “reorienting its business in the country toward [its] partner channel”.
