Data Protection News Update 29 July 2024

United Kingdom

Essex school reprimanded after using facial recognition technology for canteen payments

  • School in Essex introduced facial recognition technology to take cashless canteen payments from students.
  • The school failed to carry out a Data Protection Impact Assessment before starting to use facial recognition, and did not obtain clear permission to process students’ biometric information (failing to consult students and parents).
  • The school relied on assumed consent, by using opt-out consent slips for parents. The reprimand noted students were old enough to provide their own consent, and opt-out consent was not a valid form of consent.

Google scraps plan to remove cookies from Chrome

  • Google will continue to keep third-party cookies in the Chrome browser, despite working since 2019 on phasing them out.
  • Advertisers had concerns over removing third-party cookies, as this would limit advertisers’ ability to collect information for ad personalisation and make advertisers dependent on Google’s user databases.
  • The VP of Google-backed Privacy Sandbox, which was previously working on phasing out cookies, has said they would “introduce a new experience in Chrome that lets people make an informed choice that applied across their web browsing” instead.
  • Critics have argued the move to continue to use third-party cookies “is a direct consequence of their advertising-driven business model”.

United States

US congressional panel calls on CrowdStrike CEO to testify on outage

  • The CrowdStrike CEO George Kurtz has been asked to testify on the global tech outage in July by the U.S. House of Representatives Homeland Security Committee.
  • The congressional panel has noted the magnitude of the incident, as possibly “the largest IT outage in history”, despite CrowdStrike’s response and coordination with stakeholders.
  • The security software update by CrowdStrike crashed Microsoft-powered computers, disrupting and impacting industries (including airlines, banking and healthcare). Around 8.5m Windows devices were said to be affected.

US FTC looking into targeted pricing based on personal data

  • The U.S. Federal Trade Commission has ordered Mastercard, JPMorgan Chase and other companies to provide information on targeted pricing products, data used, by whom and the effect on prices, as part of a study investigating different prices for customers based on their personal data (including location and past purchases).
  • The FTC chair has said the harvesting of personal data by firms “put people’s privacy at risk. Now firms could be exploiting this vast trove of personal information to charge people higher prices”.
  • Online advertising has historically used browsing history and location to determine ads for consumers, and the FTC is concerned the same technology can be used to set disparate prices (“surveillance pricing”) or collude with competitors.

Europe

Austrian Federal Administrative Court upholds data protection ruling

  • Decision of the Austrian Data Protection Authority to impose fines on legal entities acting in breach of the EU GDPR has been upheld by the Austrian Federal Administrative Court. The court did reduce the fines proposed to 70000 € to make them “effective, dissuasive and proportionate”.
  • The breach involved the running of customer loyalty programs in Austria that obtained inadmissible consent to process personal data for profiling purposes.
  • The consent requests were found to be misleading, and the conditions for consent were not met, making the subsequent processing of personal data unlawful.

Meta warns EU regulatory efforts risk bloc missing out on AI advances

  • Meta has warned the EU is creating a “risk” that it is cut off from cutting-edge services through its approach to regulating AI. This comes as a response to the EU’s privacy watchdog requesting Meta voluntarily pause the training of its future AI models in the region, due to uncertainty over whether training AI models on consumer data was against the GDPR.
  • Meta’s deputy privacy officer has said “If jurisdictions can’t regulate in a way that enables us to have clarity on what’s expected, then it’s going to be harder for us to offer the most advanced technologies in those places”.
  • Meta’s AI assistant has not been implemented in the EU and UK following regulatory and data protection fears, and is available in 22 countries (including the US, Australia and Argentina).
  • Meta has released a new update of its AI models (Llama 3.1) which will be available in Europe and globally, but has halted training on future models.

International

Nigeria consumer protection agency fines Meta $220m for data privacy violations and mandates compliance with new data protection laws

  • Meta has been fined $220m by Nigeria’s Federal Competition and Consumer Protection Commission for discriminatory practices affecting Nigerian data and consumers. Meta has been ordered to comply with Nigerian laws, cease exploiting Nigerian consumers and not undermine consumer rights in the future.
  • The violations by Meta include denying Nigerian consumers the right to self-determination, unauthorized transfer and sharing of personal data, discriminatory practices, disparate treatment of Nigerian consumers and other competition law issues.
  • Nigeria has heightened its focus on data protection, introducing the Nigeria Data Protection Act in 2023 that established the legal framework for safeguarding personal data in Nigeria.
