Data Protection News Update 07 April 2025

United Kingdom

Data protection bill leaves room for governmental abuse, campaigners warn

  • Privacy campaigners from different organisations have signed a letter to data protection minister Chris Bryant and deputy prime minister Angela Rayner, warning that the new Data (Use and Access) Bill has “potential for abuse of new powers”.
  • The campaigners, led by the Open Rights Group, said the new laws would give the Secretary of State “Henry VIII powers”, by giving discretion to determine how personal data was used to target political campaigning. This would also allow any future government to change the rules with minimal parliamentary oversight.
  • The campaigners state that although the current government might not intend to use these powers to sneak through changes, there is no guarantee that future administrations would operate in the same way. The letter asks the government to prevent the data bill from enabling future abuses of power.
  • A Department for Science, Innovation and Technology spokesperson said the use of personal data for political campaigning or engagement was “not included in the measures of the data bill”, and that regulations would be subject to “three robust safeguards”, including consultation with the ICO, approval by the UK parliament and a requirement to serve the public interest.

ICO publishes report on the use of children’s data in financial services

  • The ICO has carried out a review into the gathering of children’s data from services supplying them with current accounts, savings accounts, trust accounts, ISAs, and prepaid cards. The review looked primarily at the use of children’s data and the use of AI and automated decision making in financial services.
  • One of the key findings is that children are considered important customers for many financial services. While most organisations had policies in place to control the use of children’s information, there was limited monitoring of compliance with these policies.
  • Most of the reviewed organisations did not have effective age-appropriate privacy information for children. The approach taken by several organisations appears to have passed their own transparency responsibilities onto parents. As a result, there was a significant risk that children are recorded as agreeing to terms and conditions or privacy information that they do not actually understand.
  • Consent was relied on as the basis for some processing purposes. However, some organisations asked parents to provide consent on behalf of their child in the first instance but failed to keep that consent under review. And although nearly all organisations had policies preventing marketing to children, there was limited distinction between parents and children when communications were sent, which creates a high risk of non-compliance.

United States

FTC concerned about privacy protections in 23andMe bankruptcy

  • The US Federal Trade Commission is concerned about the potential sale or transfer of Americans’ personal information by 23andMe, the ancestry testing company which recently filed for bankruptcy, according to the agency’s chairman Andrew Ferguson.
  • In a letter to the US Trustee, the government office that oversees bankruptcies, Ferguson stated that any purchaser of 23andMe assets should agree to be bound by the company’s existing privacy policy and keep customer data private.
  • In 2023, hackers exposed the personal data of nearly 7 million 23andMe customers over a five-month period, dealing a major blow to the company’s reputation and compounding its growth problems.
  • The breach raised alarm among customers concerned about their privacy and how DNA-testing firms handle their data.

Europe

Europe’s GDPR privacy law is headed for red tape bonfire within ‘weeks’

  • The European Commission plans to present a proposal to cut back the GDPR in the next couple of weeks. The move is aligned with the Commission’s current focus on slashing regulation to make businesses in Europe more competitive with rivals in the US, China and elsewhere. The GDPR is frequently seen as one of the harder regulatory instruments for smaller businesses to comply with.
  • The Commission said previously that the simplification plan will focus on reporting requirements for organisations with fewer than 500 employees but will not touch the “underlying core objective of [the] GDPR regime.” Adjustments could include limiting requirements to keep records of data processing activities, or reforming how businesses carry out data protection impact assessments.
  • However, the danger in the EU revising the law is that it could start a lobbying war between Big Tech companies and privacy advocates, two of the strongest public affairs forces in Brussels.
  • At the same time, according to privacy activist Max Schrems, scrapping the GDPR’s core rules may not be as simple for lobbyists, since the protection of personal data is enshrined in the EU’s Charter of Fundamental Rights and the Court of Justice would annul a GDPR that lacked these core elements.

TikTok faces €500 million fine for illegally shipping European user data to China – report

  • TikTok’s parent company ByteDance is reportedly set to be hit with a fine of over €500 million for illegally shipping European user data to China. The privacy fine will be issued by Ireland’s Data Protection Commission (Irish DPC), according to Bloomberg, citing sources familiar with the matter.
  • The report said that the fine results from an investigation which found that the GDPR was breached when data was sent to China to be accessed by engineers. The DPC, TikTok’s lead regulator in Europe, is likely to impose the penalty before the end of April, and TikTok can choose to appeal the decision in the Irish courts.
  • The fine could be one of the largest handed down by the Irish DPC, after fines of €746 million against Amazon in 2021 and €1.2 billion against Meta in 2023.

International

Notes from the Asia-Pacific region: Cross-border data transfers exemplify complexity of global privacy regulation

  • The harmonization of privacy laws is becoming increasingly necessary in the global economy. No area exemplifies the complexity of global privacy regulation better than the rules on cross-border data transfers.
  • Some jurisdictions do not regulate this topic at all, while others entirely prohibit the offshore transfer of personal information. Most jurisdictions establish rules for managing transfers, but the way this is done varies. For example, unlike the EU GDPR, the New Zealand Privacy Act only regulates controller-controller transfers, with the controller remaining fully liable for controller-processor transfers.
  • In addition, although many jurisdictions, including New Zealand and Australia, provide for the transfer of data to “safe countries,” very few have created whitelists. Such lists are, of course, fraught with political issues and sensitivities.
  • There are international efforts afoot to create more pragmatic and sensible options for safe transfers, such as the Organisation for Economic Co-operation and Development’s concept of “data free flow with trust”, which aims to promote the free flow of data while ensuring trust in privacy, security, and IP rights. However, it is a long way from being achieved, so privacy professionals still need to advocate for better ways to enable safe transfers.
