The DPIA is an assessment of the impact of the most significant and important-to-know data protection issues from around the globe. It’s not the full story, just a quick 3-minute read, collated and condensed to keep you updated with the latest news in our ever-evolving industry.
Compliance with the AI Act: What you need to know
The second instalment in our blog series - What is ‘high-risk’ activity? - explores the AI Act’s risk-based approach to the classification of artificial intelligence systems. We cover what AI systems are banned, what is considered ‘high-risk’ activity, and what systems are exempt.
High Court rules data subjects have the right to know recipient identities
On 7 June 2024, in the case of Harrison v Cameron & Another, the High Court ruled that under the UK GDPR, data subjects have the right to know the identities of the recipients of their personal data - not just the categories of recipients.
The court also determined that there must be a balance between the data subject’s right of access and the rights of other individuals who may be affected by such disclosure. This allows data controllers to withhold recipient identities where disclosing them would expose those recipients to harassment.
The ruling focuses on the transparency and accountability principles of the GDPR, ensuring data subjects have clarity on who receives their personal information.
ICO and OPC launch joint investigation into 23andMe data breach
The Information Commissioner’s Office (ICO) and the Privacy Commissioner of Canada (OPC) are conducting a joint investigation into a data breach at 23andMe. The global, direct-to-consumer genetic testing company experienced the breach in October 2023.
The breach was caused by a hacker, who gained unauthorised access to and exposed the personal data of approximately 6.9 million users.
The investigation will examine the potential harm to affected people, whether the company had sufficient safeguards in place, and whether it provided adequate notification about the breach to regulators and affected individuals.
DPC announces decision on Meta's AI data training plans
The Irish Data Protection Commission (DPC) has announced that Meta will pause its plans to process any EU or EEA user data for undefined artificial intelligence techniques. Meta had originally planned to utilise users’ public Facebook and Instagram posts to train its large language models (LLMs).
The company said they were relying on Legitimate Interests to justify using European users’ data for the LLM training but received widespread backlash from privacy campaigners.
Earlier this month, the Austrian privacy activist group noyb filed 11 complaints to various data protection authorities across Europe, urging them to intervene with Meta’s plans. They called the latest announcement a ‘win’. Max Schrems, Chair of noyb said, ‘But Meta has every opportunity to deploy AI based on valid consent – it just chooses not to do so.’
Cybernews uncovers personal data leak affecting 10 Dutch companies
Cybernews has revealed that 10 companies experienced a personal data leak after using the services of data analytics company Rawdamental to train artificial intelligence (AI) models to predict user behaviour. Client data was leaked, including names, internal project details, and IP addresses. Companies affected included Van Mossel, Benelux’s largest auto dealer.
Cybernews’s research team determined that the leak was caused by a misconfiguration on Rawdamental’s systems and a failure to anonymise user data. The service provider has since claimed it has started an investigation into the incident.
The leak highlights the importance of robust security practices and the need to assess potential vendors. Read our blog, Vendor due diligence & GDPR compliance, to learn 5 practical steps to maintain compliance.
New York passes two bills to safeguard children's personal data
On 7 June 2024, the New York legislature passed two bills to protect children online by restricting addictive feeds and keeping personal information safe.
The New York Child Data Protection Act (S.B. S7695B) aims to stop online platforms from collecting, using, sharing, or selling personal data of anyone under the age of 18 without informed consent.
The Stop Addictive Feeds Exploitation (SAFE) for Kids Act will restrict social media platforms from using recommendation algorithms for users under 18 and will prohibit notifications between certain hours without parental consent.
Canada’s Commissioners to jointly investigate background check company
The Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia have launched a joint investigation into Certn (Canada) Inc. - a company offering automated background checks online.
The investigation will examine the company’s practices to ensure they comply with the consent provisions under the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Personal Information Protection Act (PIPA).
The offices will also assess whether the purposes for which Certn collects information are appropriate and that any information collected is accurate, complete, and up-to-date.
Read our blog on Canadian privacy laws to learn more about PIPEDA and the privacy challenges Canadian organisations are facing.
Australian Information Commissioner sues Medibank
On 5 June 2024, the Office of the Australian Information Commissioner (OAIC) confirmed that it has taken legal action against Medibank over a data breach in 2022. The OAIC alleges that Medibank ‘seriously interfered’ with its customers’ privacy by failing to take reasonable steps to protect their personal information.
In 2022, the health insurance provider, Medibank, was subject to a ransomware attack, which affected more than 9 million customers. The hacker targeted sensitive patient information, including full names, dates of birth, contact details, and policy numbers.
Medibank potentially faces the maximum fine, estimated at around $21 trillion.
To support our ongoing requirement to continuously grow our remarkable and extraordinary #ONETEAM, we are seeking candidates for the following positions:
Data Protection Officers (United Kingdom)
Data Protection Officers (The Netherlands)
Data Subject Access Request (DSAR) Officer (United Kingdom)
If you are looking for a new and exciting challenge, and the opportunity to work for both a Great Place to Work-Certified™ company and one of the UK's Best Workplaces in Consulting & Professional Services, apply today!