
The DPIA is a bitesize assessment of the impact of the most significant, interesting and important-to-know data protection issues. It’s not the full story, just a brisk, 3-minute resumé, collated and condensed especially for busy privacy professionals to ensure you’re aware of what’s happening in our fascinating, dynamic and engaging industry. 

Marketing to businesses: what you need to know 

The DPO Centre’s latest blog discusses data protection compliance for business-to-business marketing. If your organisation operates in the UK, or processes the personal data of UK individuals, you must comply with the UK General Data Protection Act (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulation (PECR). Discover when UK GDPR and PECR apply, and what the rules are for sending B2B marketing via electronic mail. Read Marketing to businesses: what you need to know

CMA launches initial review of AI models 

In a press release this month, the UK government confirms an initial review of the competition and consumer protection aspects of AI foundation models. With the emergence and rapid pace of growth of generative AI over the past five years, the government is keen to ensure innovation is kept within certain boundaries, while benefitting consumers, businesses, and the UK economy. Regulators, including the CMA, have been asked to open the review, in line with the government’s AI white paper. The CMA is seeking views and evidence from stakeholders and welcomes submissions by 2 June 2023. Read the full press release statement 

ICO fines two companies £180k for making unlawful marketing calls 

Following more than 120 complaints, the ICO found two companies had made more than 480,000 unlawful marketing calls to businesses signed up with the Corporate Telephone Preference Service (TPS). It is against the law for any organisation to make live marketing calls to any business on the register of the TPS, unless given specific consent. Andy Curry, ICO Head of Investigations said, “These fines are a clear message to companies flouting the law – we will take action to ensure the public and UK businesses are protected”. The ICO have also launched a series of video guides to help small businesses with their marketing compliance. 


New UK legislation required for a digital pound 

The Bank of England and UK Treasury are seeking further feedback on plans for designing a digital currency. Although unlikely to be decided upon for at least the next couple of years, lawyers have highlighted that a digital pound would require new legislation to update existing data protection, security, and anti-money laundering rules. Opinions are that the UK government will extend existing frameworks to include digital assets. The EU is also expected to create new regulatory policies and will be publishing a bill later this year regarding details of a digital euro. 

Facebook owner Meta is fined record €1.2 billion for GDPR breach 

After ten years of litigation and 3 court procedures against the Irish Data Protection Commission (DPC), Meta Ireland has been issued a €1.2 billion fine for the transfer of EU user data to the US. This is the largest GDPR fine to date and comes on the 5th anniversary of the law’s implementation. The DPC was ordered by the European Data Protection Board (EDPB) to give out the fine, following a binding dispute resolution decision on 13th April. It is the third fine imposed on the social media tech giant this year, with a €390 million charge in January for breaking rules with targeted ads and €5.5 million in March for GDPR WhatsApp breaches. Read the full story with The DPO Centre’s comments 

Latest GDPR Enforcement Tracker Report (4th edition)

Celebrating five years of GDPR, the fourth edition of the ET Report includes the updated list of publicly known GDPR fines between 25 May 2018 and 1 March 2023. This anniversary edition outlines 1576 fines in total, amounting to approximately EUR 2.77 billion. Not limited to “big tech”, there have been numerous fines imposed on small and medium sized companies. Spain continues to lead the list for highest number of fines per country, followed by Italy and Romania. The top violations are “insufficient legal basis for processing” and “non-compliance with general data processing principles”. 
Read the full ET Report  


Dutch Minister to appear before Data Protection Authority

The Dutch Data Protection Authority requires the Minister of Foreign Affairs, Wopke Hoekstra, to appear before the privacy regulator and explain the use of an algorithm for visa applications. After an investigation published in April by Lighthouse Reports and the NRC, it has been revealed that a potentially illegal algorithm has been used to profile visa applicants on their ethnicity. Minister Hoekstra had previously agreed to introduce changes to the system following a 2022 report about the prevalence of structural racism within the agency. He is expected to provide information to the privacy regulator and clarify the use of this algorithmic profiling system. 

Montana TikTok ban is first passed by any US state

The recent Montana bill, known as SB419, is the first TikTok ban passed within the US. The bill cites several concerns about TikTok, including alleged Chinese government surveillance and the encouragement of “dangerous activities” among users of the app. The bill passed by a vote of 54 to 43, and if signed by Governor Greg Gianforte, the ban could take effect in January 2024. The legislation makes it illegal for app stores to offer TikTok within the State but does not forbid previously downloaded versions from being used. 

More than 2 million Japanese Toyota users face risk of data leak 

On the 12th of May, Toyota Motor Corporation disclosed a data breach involving 2.15 million users of their cloud-based Connected services. Due to human error, the cloud storage was set to public instead of private. The vehicle data of individuals, including car location, has been publicly accessible in Japan since November 2013. A spokesperson from Toyota confirmed no reports had been made of any issues due to the breach. In response to why it took so long to realise the error, the company said, “There was a lack of active detection mechanisms.” Going forward, Toyota will be introducing a system to audit cloud settings and thoroughly educate employees on data handling rules. 

First meeting for potential EU-India digital and trade collaboration 

The EU-India Trade and Technology Council (TTC) held their first meeting in Brussels on the 16th of May. With hopes of a potential digital and trade collaboration, the EU is seeking to negotiate agreement in several strategic areas including digital technologies. The main issue of divergence between the two trading partners is in the approach to cross-border data flow regulation. India’s latest data protection bill offers weaker rights and protections, with less robust institutional mechanisms.  


We want you!

To support our ongoing requirement to continuously grow our remarkable and extraordinary #oneteam, we are seeking candidates for the following positions:

  • Data Protection Officers (based in the United Kingdom or The Netherlands)
  • Data Protection Officer (German Speaking)
  • Data Protection Support Officer (DPSO) to join our #oneteam 

If you are looking for a new and exciting challenge, apply today!

Keep in touch

Do you have any interesting stories? Are you looking for support with your data protection compliance? We would love to hear from you!

Please email us at news@thedpia.com.


Copyright © 2023 The DPO Centre, All rights reserved. 

You have been sent this newsletter under legitimate interest. For more information, please read our Privacy Notice.

The DPO Centre is a limited company registered in England and Wales (Company Number: 10874595)
Registered Office: Suffolk Enterprise Centre, Felaw Street, Ipswich, IP2 8SJ, United Kingdom

The DPO Centre, 50 Liverpool Street, London, Greater London EC2M 7PR, United Kingdom
