Data Protection News Update 16 March 2026

Police Scotland fined £66k and reprimanded following serious data mishandling

  • Police Scotland was fined £66,000 for “excessive and unfair” data collection after performing a full extraction of a crime victim’s phone instead of only retrieving relevant text messages
  • The substantial volume of sensitive information, including special category data like health or sexual orientation, was mistakenly shared with the accused individual during a misconduct hearing.
  • The ICO found the force breached the Data Protection Act 2018 by failing to ensure data processing was lawful and adequate, and for failing to report the breach within the mandatory 72-hour window.
  • While the fine was mitigated to avoid damaging public services, Police Scotland has since apologized and implemented stricter oversight and staff training to prevent future data mishandling.

ICO issues an open letter to tech firms to strengthen age checks

  • The ICO is demanding that social media and video-sharing platforms stop relying on “self-declaration” (which children easily bypass) and instead use modern technology to strictly enforce minimum age requirements.
  • The regulator recently fined Reddit £14.47 million and MediaLab £247,590 for failing to implement age-assurance measures and unlawfully processing children’s data.
  • The ICO is specifically targeting “recommender systems” (algorithms) used by platforms like TikTok and Instagram, investigating whether these systems process data in ways that lead to addiction or exposure to harmful content.
  • The ICO is working in tandem with Ofcom to align data protection with the Online Safety Act.

United States

Congress takes on surveillance pricing

  • On March 5, the House Oversight Committee demanded internal documents from five major platforms (Booking Holdings, Expedia, Uber, Lyft, and Instacart) to investigate whether they weaponize personal data to set individualized prices.
  • Unlike dynamic pricing, which adjusts for market demand, “surveillance pricing” uses specific personal data, such as browsing history, device type, battery life, and even mouse movements, to calculate the maximum price a specific individual is willing to pay.
  • All five companies have pushed back against the allegations, with firms like Uber and Instacart categorically stating they do not use personal characteristics or behavioural data to set individual prices.

Europe

MEPs reach preliminary political agreement on AI omnibus

  • MEPs reached a preliminary agreement to push back high-risk AI requirements to allow more time for technical standards and national authorities to prepare.
  • The agreement features a targeted ban on AI systems that generate nonconsensual sexually explicit deepfakes, though exemptions may exist for companies that implement “effective safety measures” to prevent misuse.
  • The aim is to achieve clearer conditions for using sensitive personal data to detect and correct bias in high-risk systems, under strict safeguards.

EU Lawmakers secure more time for a permanent CSAM solution

  • The European Parliament has voted to extend a temporary exemption to EU privacy legislation that allows online platforms to voluntarily detect Child Sexual Abuse Material (CSAM).
  • The Parliament explicitly stated that these detection measures must not apply to end-to-end encrypted communications, aiming to balance child safety with the fundamental right to private correspondence.
  • Under the new terms, scanning is restricted to known CSAM or material flagged by trusted organizations; additionally, monitoring must be targeted at specific suspects authorized by a judicial body rather than scanning all traffic data.
  • More than 800 researchers and privacy advocates have warned that current detection technologies are unreliable at scale, arguing that “Chat Control” measures produce high false-positive rates and threaten the digital security of millions.

International

South Korea just made the CEOs personally responsible for data breaches

  • South Korea promulgated the most consequential rewrite of its Personal Information Protection Act (PIPA) since the law was first enacted.
  • The amendment introduces a penalty ceiling of 10% of total turnover for systemic failures or repeat violations, placing South Korea’s enforcement risk among the highest in the world.
  • The law designates CEOs as the ultimate responsible person with a statutory duty to supervise compliance, while requiring board-level approval for CPO appointments.
  • Moreover, companies must now notify users of a “likelihood” of a breach even before verification. Additionally, the comprehensive ISMS-P certification will become mandatory for large-scale controllers starting July 2027.
