Data Protection News Update 27 August 2024

United Kingdom

New tool helps small businesses create privacy notices

  • The Information Commissioner’s Office (ICO) has launched a new tool to help small organisations and sole traders create a bespoke privacy notice, and protect people’s information rights.
  • The new privacy notice generator can create tailored privacy notices relevant to small organisations, with sections of the tool specific to the finance, insurance, and legal sectors; education and childcare; health and social care; and charity and voluntary sectors.
  • Two types of privacy notice are offered: one for customer and supplier information and another for staff and volunteer information.

Forget pay to view, pay for privacy is the latest problem for people online

  • The ‘Pay or Consent’ or ‘Pay or OK’ privacy paywall has arrived in the UK. Some UK newspapers have implemented this model, where users can either pay with money or with data for their right to privacy. This can seem to conflict with the GDPR requirement that users give ‘freely given’ consent for their data to be collected.
  • Newspapers implementing this model include The Sun and Daily Mail Online, The Independent, Mirror, and Daily Express (with price tags varying from £1.99 a month to a maximum of £4.99 a month).

United States

OpenAI supports California AI bill requiring ‘watermarking’ of synthetic content

  • OpenAI is supporting a California bill that would require companies to label AI-generated content (content which can range from harmless memes to deepfakes aimed at spreading misinformation about political candidates). This is one of 65 bills introduced by California state lawmakers touching on AI this legislative season.
  • In the letter written to a California State Assembly member, OpenAI states it believes that, for AI-generated content, transparency and requirements on provenance such as watermarking are important (especially in an election year). “New technology and standards can help people understand the origin of content they find online, and avoid confusion between human-generated and photorealistic AI-generated content,” OpenAI Chief Strategy Officer Jason Kwon wrote in the letter.
  • This bill has already passed the state Assembly and the Senate appropriations committee. If it passes a vote by the full state Senate by August 31st, it would advance to Governor Gavin Newsom to sign or veto by September 30th.

Europe

Uber fined €290m for personal data transfer

  • Uber (a ride-hailing app) has been hit with a €290m (£245m) fine by the Dutch Data Protection Authority (DPA) for transferring the personal data of European drivers to US servers in violation of the EU’s General Data Protection Regulation (GDPR).
  • The DPA chairman has said the company failed to meet GDPR requirements to “ensure the level of protection to the data with regard to transfers to the US”, and failed to appropriately safeguard the data.
  • The information transferred included ID documents, taxi licences, photos, payment details, and location data, which was transferred to Uber’s headquarters in the US over a 2-year period. In some cases, data transferred included medical and criminal data of drivers.
  • Uber is planning to appeal the fine, calling the decision “flawed” and the fine “completely unjustified”.

Spain: AEPD fines UNIQLO EUROPE LTD €450,000 following a data breach

  • The Spanish data protection authority (AEPD) imposed a fine on the Spanish branch of UNIQLO EUROPE LTD (UNIQLO) for a violation of the GDPR following a complaint. The fine was €450,000, which was reduced to €270,000 (due to UNIQLO’s voluntary payment of the fine and acknowledgement of responsibility). The AEPD also ordered UNIQLO to adopt technical and organisational measures to guarantee the security of personal data of its workers.
  • The complainant (who provided services to UNIQLO) had requested their payroll, and was sent an email containing a PDF document with payroll information for the entirety of the UNIQLO workforce for July. This document contained information such as the name, surname, ID, social security membership number and bank account number.
  • The AEPD held that UNIQLO violated Article 5(1)(f) of the GDPR by not duly guaranteeing the confidentiality and integrity of the personal data of its workers, having shared this data with an unauthorized 3rd party. Additionally, Article 32 of the GDPR was violated due to the failure to adopt appropriate technical and organisational measures, which allowed a 3rd party to access employee personal data.

International

Malawi’s digital transformation drive faces risks without data protection legislation

  • A report by the Association for Progressive Communications (APC) has highlighted that Malawi’s government should put in place mechanisms that provide sufficient and comprehensive data protection guarantees, following the digital transformation occurring there. Initiatives include the construction of a National Data Center (in collaboration with Huawei), the implementation of a biometric national ID, and a biometric SIM card identification exercise.
  • There is concern from the APC that whilst investment in digital schemes is a good thing for the country, “such investments necessitate concurrent commitments to robust data security, including the establishment of comprehensive data protection laws, a facet currently absent in Malawi’s governance.”
  • The report urges the Malawian government to enact the Data Protection and Privacy Bill (which has been in existence since 2021).

Calls for privacy law overhaul after increasing number of workers forced to undergo blood tests

  • The Australia Institute’s Centre for Future Work report has found employers are requesting blood tests as part of the recruitment process, without providing clear evidence as to why they are necessary. Employers have said they are using the test to check for cardiovascular risks or meet “legal obligations”. Declining to have their blood tested can remove prospective employees from the recruitment process.
  • Whilst some jobs legitimately require employees to undergo medical testing for safety reasons or to protect employees (in particular those working with biological hazards), an increasing number of employers were not specifying why they needed medical information. In some cases, workers were asked to sign consent forms placing no restrictions on the use of their information.
  • The report has found that information provided to employers was covered under the Privacy Act, but employee records were not. A spokesperson for the Attorney-General said the government has agreed in principle to enhance the privacy protections of employees as part of the review into the Privacy Act.
