DPAS Data Protection Bulletin - October 2024
Welcome back to our monthly DPAS bulletin, where we cover the latest data protection news and developments from all around the world.
What is the new Data (Use and Access) Bill? How much do con artists steal every day? And why have RAC employees received suspended prison sentences?
Read about all this and more in our latest DPAS Data Protection Bulletin.
Government announces new Data (Use and Access) Bill
Months after the Data Protection and Digital Information (DPDI) Bill was dropped towards the end of the Conservative Party’s leadership, the new Government has announced a new bill: the Data (Use and Access) Bill.
While there are a few new features introduced, this new bill bears a strong resemblance to the DPDI Bill in that much of its contents have remained.
To name just a few:
However, while there are numerous similarities, there are also a multitude of amendments introduced in the DPDI Bill that have now been dropped and are excluded from this new bill – for example, the replacement of Data Protection Officers (DPOs) with Senior Responsible Individuals (SRIs).
The Government is suggesting that this new bill will “unlock the power of data to grow the economy and improve people’s lives”, with an estimated £10 billion boost over 10 years. It is hoped that the bill will harness the secure and effective use of data for the public interest, with services like the NHS and the police benefitting from data being easily transferable and less time needing to be spent on administrative tasks.
Currently, the bill has been through its first reading, with the second reading now in progress.
Read more about this here.
LinkedIn Ireland fined 310 million euros by DPC
The Data Protection Commission (DPC), the Irish data protection watchdog, has fined social media giant LinkedIn a total of 310 million euros for failing to process users’ personal data in compliance with EU law.
Following an investigation into how the platform processes personal information for the purposes of targeted advertising and behavioural analysis, it was decided that LinkedIn was not compliant in the way that this had been done. The DPC has said that the consent given by users for the processing “was not freely given, sufficiently informed or specific, or unambiguous”. As a result of this, LinkedIn has been reprimanded, ordered to bring its processing of their users’ data into compliance, and issued the aforementioned 310 million euro fine.
Read more about this here.
PSNI fined £750,000 by ICO
The Information Commissioner’s Office (ICO) has issued the Police Service of Northern Ireland (PSNI) with a fine of £750,000 for numerous infringements of the UK GDPR.
The infringements in question occurred between the 25th May 2018 (the day that the GDPR came into force) and 14th June 2024. The ICO found that the PSNI had violated Articles 5(1)(f), 32(1) and (2).
Read more about this here.
ICO launches new data protection audit framework
In a move believed to help organisations with assessing their data protection compliance, the ICO has launched a new audit framework.
An extension of the ICO’s existing Accountability Framework, this new addition is geared towards individuals across a variety of roles, such as data protection officers and those with cybersecurity responsibilities. The nine toolkits included in this framework cover the areas of:
“Our new audit framework will help build trust and encourage a positive data protection culture, as well as being flexible in targeting the most pressing areas of compliance,” says Ian Hulme, the ICO’s Director of Regulatory Assurance. “We want to empower organisations to embrace data protection as an asset, not just a legal requirement."
Read more about this here.
ICO publishes new report regarding quantum technologies
The ICO has recently published a new report detailing their “early thoughts” on how quantum technologies and data protection intersect.
They emphasise their dedication to ensuring that UK citizens’ personal information and information rights are appropriately safeguarded in a “quantum-enabled future”, encouraging those in the industry to consider and prioritise privacy from an early stage.
Read more about this here.
Former RAC employees found guilty for personal data theft
Two former customer service specialists for RAC were found guilty of unlawfully selling almost 30,000 lines of personal information related to people who had been involved in road traffic accidents.
This misconduct had been discovered and reported by RAC thanks to new security monitoring software, and involved the information being copied unlawfully and shared in a WhatsApp chat from one of the employees to the other. It was also indicated from this chat that there was a third party involved, paying for the information. Both employees were sentenced to 6 month prison sentences, suspended for 18 months, and ordered to complete 150 hours of unpaid work.
Read more about this here.
Two companies fined 120k for unlawful marketing calls
The ICO has issued a total of £120,000 in fines to two companies found guilty of making (altogether) nearly 50,000 unsolicited and predatory marketing calls.
WerepairUK Ltd (who has appealed the ICO’s decision) had made 42,688 calls, and Service Box Group Limited had made 5,361. These companies had made these calls to people who had opted out of marketing communications, and had caused significant distress by repeatedly calling older customers.
Read more about this here.
Argentina appoints first ever DPO
Argentina has officially appointed its first ever Data Protection Officer (DPO).
After much concern about the need to implement the role into public bodies to prevent repeats of previous years’ security incidents, Argentina’s Federal Public Revenue Administration (AFIP) has finally appointed a DPO.
Read more about this here.
Meta to now limit personal data used for tailored advertising
As a result of Max Schrems’ complaints (first heard by courts in 2020) about Meta’s use of his personal data – in particular, that pertaining to his sexual orientation – the tech giant must now limit the data they use to deliver personalised ads.
The Court of Justice for the European Union (CJEU) has officially ruled in favour of Schrems, privacy campaigner who heads the group Noyb, having said:
“An online social network such as Facebook cannot use all of the personal data obtained for the purposes of targeted advertising, without restriction as to time and without distinction as to type of data.”
Read more about this here.
Internet Archive’s “Wayback Machine” suffers data breach
One of the latest victims of a significant data breach is Internet Archive’s “Wayback Machine”, which was compromised by threat actors earlier this month. Hackers gained access to the platform (in ways unknown at this time) and stole a user authentication database, which contained over 30 million user records.
Around the same time, Internet Archive was also the target of a DDoS attack (which is believed to be unrelated) and a second data breach after hackers gained access to the Zendesk email support system. Internet Archive has carried out several measures in response to these incidents, such as scrubbing systems and upgrading security.
Read more about this here.
Statistics show con artists steal more than £3 million per day
Eye-opening new statistics have come up that reveal that con artists across the country are stealing a total of approximately £3 million every day. The total stolen in the first half of the year was around £572m.
Reported cases of fraud have risen by 16%, likely due to changing tactics employed by fraudsters to get their hands on victims’ finances, such as new ways to trick people into giving them their one-time passcodes.
Read more about this here.
ICO publishes response to Government’s NHS digital transformation plans
In response to the Government’s ambition to modernise and innovate the NHS to make it more “fit for the future”, the ICO has published a statement outlining their priorities.
This statement details how the ICO supports this ambition, and how data protection law can “help organisations to share personal information responsibly, enabling innovation while protecting people's data”.
Read more about this here.
Home Office announces plans to deploy cameras to catch people smugglers
In an effort to prevent criminals from smuggling people across the Channel, the Home Office has announced their plans to introduce automatic number plate recognition (ANPR) cameras to strategic points around common smuggling routes.
These cameras, both static and mobile, will be fixed to police cars (marked and unmarked) to analyse number plates using artificial intelligence in a bid to put a stop to the smugglers. For better area coverage and mutual benefit, an agreement has been reached with European allies to allow this surveillance to take place on foreign soil.
Read more about this here.
FIDO Alliance proposes new exchange standard for passkeys
The benefits of using passkeys over passwords have been proven, as shared by the Fast Identity Online (FIDO) Alliance when they proposed a new set of specifications for secure exchange of credentials this month.
As claimed by the FIDO Alliance in their announcement, sign-ins with passkeys “reduce phishing and eliminate credential reuse while making sign-ins up to 75% faster, and 20% more successful than passwords or passwords plus a second factor like SMS one-time-password (OTP)”. Published on 14th October, these new draft specifications set out a standard format for transferring credentials – such as passwords and passkeys – in a credential manager (a tool that stores and manages credentials for logins).?
Read more about this here.
Join our free webinar!
Business Continuity Planning: Ensuring Resilience in Times of Crisis
(13th November, 11am - 12pm GMT)
Does your organisation have a business continuity plan (BCP) in place, should a crisis ever arise?
And if so, does this BCP include data protection as a priority?
Integrating data protection into your BCP is vital to being prepared for the unthinkable. What if your organisation fell victim to a cyber attack, putting the information of your customers and staff at risk? Only by taking into account the ways in which your data could be compromised in an unexpected incident and including a plan of remediation and recovery action into your BCP can you be truly prepared.
Join this free hour of discussion to learn:
...and more!
Panel:
Ralph O'Brien - Global Privacy, Data Protection & Security Advisor
Ademola Adekunbi - Information Governance Manager at East London NHS Foundation Trust
Engage, Educate, Empower 2025 - Free Conference
Following the roaring success of our 2024 conference, we’re thrilled to be back to bring you Engage, Educate, Empower 2025. This free data protection and information security conference is the perfect place for you to connect with new people, join the buzzing discussions about today’s challenges, and listen to a range of varying perspectives on the pressing topics and issues surrounding the modern privacy world.
Our 2025 conference will follow the same theme as previous years’ Engage, Educate and Empower events, aiming to educate colleagues across the industry on topics in data protection, information security and AI. We have a host of industry experts ready to deliver engaging sessions aimed at educating DPOs from a range of private, public and third sector organisations.
Speakers:
Read more about this conference and book your free ticket here.
Get in touch with us
If you need any support in ensuring your organisation is complying with the relevant legislation, or require training in the areas of data protection and information security, get in contact with us.
Either call us on 0203 3013384, email us at [email protected], or visit our website at www.dataprivacyadvisory.com and fill out a contact form. Our dedicated team will get back to you as soon as possible.