Data Protection Weekly 32/2023

Aug 14, 2023

European Union

European Commission: New logos to identify trusted EU data intermediaries introduced

The European Commission has introduced common logos to help identify trusted data intermediation service providers and data altruism organisations within the EU. As part of the implementation of the Data Governance Act, these logos will connect data holders with data users. To ensure authenticity, data intermediaries and altruism organisations that meet the conditions of the Data Governance Act must display the logos on all online and offline publications with a QR code linking to the EU public register, which will be available from 24 September 2023. This measure aims to distinguish recognised trusted services and contribute to transparency in the data market. The logos will be registered as trademarks to protect against improper use. You can read the press release here.

National Authorities

France: CNIL publishes recommendations regarding malicious use of tracking devices like AirTags

The French data protection authority (CNIL) has issued recommendations concerning the malicious use of tracking devices such as AirTags, SmartTag, and Tiles. These devices are widely used to find lost objects but can also be exploited for unauthorised tracking of individuals. CNIL’s recommendations explain how these tracking devices operate through radio waves or Bluetooth and detail precautions to take if an unknown tracking device is detected. Specific information is provided for popular brands like Apple’s AirTag. Furthermore, the CNIL emphasises that using these tracking devices for unauthorised tracking is a criminal offense in France, highlighting the importance of awareness and prevention of potential privacy risks. You can read the full article here (in French).

UK: ICO and CMA target harmful online design encouraging excessive personal data sharing

The UK data protection authority (ICO) and the UK Competition and Markets Authority (CMA) are urging businesses to cease using harmful website designs that may deceive consumers into sharing more personal data than intended. Examples include complicated privacy controls, default settings that limit control over personal information, and bundled privacy choices that push consumers to share more data. The ICO will be evaluating the cookie banners on frequently used UK websites and taking action against harmful designs. Research by the ICO revealed that 90% of individuals are concerned about unauthorised use of their personal information, and 50% are discontented with their information being used for targeted advertising. Both organisations are collaborating to end these harmful practices and will take necessary enforcement actions if required. You can read the press release here and the full blog post here.

UK: ICO investigates cyber-related incident at the Electoral Commission

The UK data protection authority (ICO) is urgently investigating a cyber-related incident reported by the UK’s Electoral Commission. Though details of the incident have not yet been released, the ICO has recognised that the news may cause concern for those potentially affected. The ICO is actively investigating the matter and assures the public that it is treating the situation with the utmost urgency. Individuals concerned about how their data might have been handled in relation to this incident are encouraged to contact the ICO or check its website for advice and support. You can read the full statement here.

UK: ICO investigates data breach at the Police Service of Northern Ireland

The UK data protection authority (ICO) is actively investigating a reported data breach at the Police Service of Northern Ireland (PSNI). The incident, which highlights the significant consequences that even minor human errors can have, has raised serious concerns. John Edwards, the Information Commissioner, emphasised the importance of robust measures to protect personal information, especially in sensitive environments. While the ICO is working with the PSNI to establish the level of risk and necessary mitigations, the extent of personal information accessed during the breach is not yet known. The ICO expects the PSNI to take appropriate action urgently to address the potential impact on the affected individuals and families. You can read the full statement here.

Israel: PPA publishes Q&A on personal data transfers from EEA

Israel’s data protection authority (PPA) has published Questions and Answers (Q&A) on the transfer of personal data from the European Economic Area (EEA). The instructions outline several key requirements: the obligation to delete personal data, to limit the retention of unnecessary data, to ensure the accuracy of personal data, and the obligation to inform individuals. You can read the Q&A here (in Hebrew).


US: Biden-Harris Administration launches AI Cyber Challenge to enhance software security

The Biden-Harris Administration, on August 9, 2023, announced a two-year competition, named the “AI Cyber Challenge” (AIxCC), to leverage artificial intelligence (AI) in bolstering the security of critical U.S. software. Led by the Defense Advanced Research Projects Agency (DARPA) in collaboration with leading AI companies such as Anthropic, Google, Microsoft, and OpenAI, the competition aims to discover and rectify software vulnerabilities using AI. With nearly $20 million in prizes, the AI Cyber Challenge will involve multiple stages, culminating in a final competition at DEF CON 2025. Small businesses are encouraged to participate, with $7 million made available to facilitate their involvement. This initiative forms part of the administration’s broader commitment to responsible AI development and cyber protection. You can read the press release here.

Zoom clarifies terms of service for AI features amid privacy concerns

Following massive backlash over training AI with customer data, Zoom has published a blog post to clarify how its terms of service and practices apply to AI features. The company has updated its terms of service, specifically in section 10, to clearly state that Zoom does not use users’ audio, video, chat, screen sharing, attachments or other communications to train its or third-party artificial intelligence models. The changes, which will take effect in August 2023, also include updates to in-product notices to reflect this policy. The blog post details the recent changes to the terms of service and explains Zoom’s introduction of two generative AI features, Zoom IQ Meeting Summary and Zoom IQ Team Chat Compose, available on a free trial basis. Account owners and administrators have control over the activation of these AI features, and participants are notified when the generative AI services are in use. Zoom emphasises its commitment to transparency and privacy, ensuring that users have the tools they need to make informed decisions about their accounts. You can read the blog post here.


Finland: The Finnish DPA temporarily bans Yango’s data transfers to Russia

The Finnish Data Protection Authority (DPA) has ordered Yandex LLC and Ridetech International B.V. to suspend the transfer of customers’ personal data from the Yango taxi service to Russia. This temporary order will take effect on 1 September and is expected to last until 30 November 2023. The decision was prompted by an impending legislative reform in Russia, which will allow the Federal Security Service to access data processed in taxi operations, including customer location information. The Finnish DPA believes that the new law will substantially weaken personal data protection within the taxi service, making it impossible for Yango to comply with EU regulations. The order applies exclusively to Yango’s operations in Finland, and the company has the opportunity to submit additional information to the Finnish DPA if it believes that will affect the decision. The Finnish DPA may also request the European Data Protection Board (EDPB) to issue a binding order to Yango to terminate the transfer of data if the company does not intend to change its practice. You can read the press release here and the full decision here.

Norway: Datatilsynet acts against Yango’s data transfers to Russia

The Norwegian Data Protection Authority (Datatilsynet) has taken action against the Russian-owned taxi service Yango for transferring personal data about Norwegian residents to Russia. The intervention comes in response to a new Russian law set to take effect on 1 September, which could grant Russian security authorities continuous remote access to Russian taxi companies’ data, including details such as location, pick-up point, and destination. The Datatilsynet sees this as a significant privacy risk, allowing potential monitoring of Norwegian residents’ movements through Yango. Consequently, Yango has received an advance notification that the Datatilsynet will prohibit any transfer of personal data to Russia. The decision was made in collaboration with the Finnish DPA, reflecting close cooperation between data supervisory authorities in Norway, Finland, and the Netherlands. Yango has until 14 August to respond. You can read the press release here (in Norwegian) and the full decision here (in English).

Poland: Polish court upholds fine for failure to notify a personal data breach

The Provincial Administrative Court in Warsaw has upheld a decision by the President of the Polish data protection authority (UODO) of 26 April 2023 to impose an administrative fine on a data controller for failing to report a personal data breach to the supervisory authority. The case concerned the loss of an employee’s work certificate, where the controller did not report the breach because it considered that the incident did not pose a risk to the rights and freedoms of the data subject. The Court emphasised that a potential consequence does not have to materialise and that the mere existence of a risk requires reporting. The fine imposed was almost 16,000 PLN (equivalent to €3,602). The court’s decision reinforces the obligation to promptly report data breaches and underlines the importance of personal rights and freedoms in data protection laws. You can read the press release here (in Polish).