Data Protection Quarterly News Roundup (July to September 2024)

  • Louise Thompson
  • Sarah Wheadon
  • 14 Oct 2024
  • 3 min read

The season is changing and so are our data protection updates for the UK. In this article we are covering our pick of data protection news highlights from July to September 2024.

Facial recognition technology (FRT)

The ICO has reprimanded a school for its implementation of a cashless canteen system for its students, which utilised FRT (thereby processing biometric data). The school used the new system without carrying out a data protection impact assessment, consulting with parents or students, seeking the opinion of its data protection officer or acquiring explicit consent to process the students’ biometric information (instead relying on an ‘opt-out’ system). FRT is considered high risk, so its use (and the associated risks) should be carefully considered before it is implemented.

Unlawful international transfer of personal data

Uber has been fined €290m by the Dutch data protection supervisory authority for breaches of the GDPR. Information relating to its European drivers (including taxi licences, location data, photos, payment details, identity documents and some criminal and medical data) was transferred from the EU to Uber’s US headquarters over a two-year period without using appropriate transfer tools (in this case the EU standard contractual clauses). Whilst an EU case, this is a useful reminder of the importance of protecting personal data when transferring it internationally.

Customers’ titles

Still in the EU, an opinion from the Advocate General has found that it is not ‘necessary’ for a business to ask for a customer’s title when purchasing rail travel documents, thereby highlighting the need to consider data minimisation at all times. In this case, because the collection of the customer’s title was not necessary the controller could not rely on contract or legitimate interest as a legal basis under the GDPR for processing that data.

Criminal protection

Although fairly rare, criminal prosecutions of individuals under the Data Protection Act 2018 do occur. In September, the ICO announced that a car salesman had been fined for unlawfully retaining data he obtained from the car leasing company he worked for and selling it to competitors.

Data protection reforms

The King’s Speech suggested that data protection reforms are back on the agenda with a new bill focusing on: (1) establishing Digital Verification Services for digital identities, (2) creating a National Underground Asset Register (a digital map of pipes and cables) and (3) setting up Smart Data schemes for secure data sharing with authorised third parties. It seems that the Labour government also plans to revive elements from the former Data Protection and Digital Information Bill, including the use of personal data for research and restructuring the ICO to introduce a national “Information Commission”, with a CEO, board and chair.

Future AI measures

There were hopes that the King’s Speech would provide clarity on the UK’s approach to AI, the development and use of which has many complex data protection implications. Whilst there was no mention of a specific AI bill, it seems that the government will consider legislation for powerful AI models, focusing on safety frameworks. Certainly we have seen this year that AI is not going away and its use is becoming more commonplace and so it is vital all organisations implement policies for appropriate AI usage.

Cyber Security

The King’s Speech suggested that a Cyber Security and Resilience Bill is to be expected, thought to align UK regulations with the EU’s NIS2 Directive to mitigate cyber security risks. A more recent update confirms this Bill will move forward in 2025.

Ransomware attack

In a first of its kind in the UK, the ICO has announced that an NHS software provider (in its capacity as a processor) faces a potential £6 million fine for failing to implement sufficient security measures to safeguard personal data. The provider suffered a ransomware attack in August 2022, which resulted in a vast amount of personal data (including sensitive data) held by the NHS being disclosed.

Unlawful cookies usage

The ICO has reprimanded Sky Betting and Gaming for unlawful processing of personal data by using advertising cookies without consent (in fact the cookies started collecting personal data before consent was even requested). This action by the ICO is part of its resolve to clamp down on websites that do not offer people a fair and informed choice about whether they want their personal information to be used for targeted advertising. As this is a clear area of focus for the ICO, all organisations should check that the design of their cookie banners, as well as the operation of their cookies in practice, is compliant.
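The Sky Betting and Gaming reprimand turns on a question that is easy to test for: were non-essential cookies written before the user consented? The following is an added example (not code from the article or from any of the organisations it mentions) of the kind of check a site owner can run over a recording of cookie-write events captured during a test visit. The event format, the purpose categories and the sample data are all constructed for illustration; in practice the events would come from browser developer tools, a proxy or a consent-management platform's logs.

```python
"""Audit cookie-write events against the moment consent was given.

Added example for illustration. Assumptions (not from the article):
  - each event records the cookie name, its declared purpose and the
    millisecond timestamp at which it was written;
  - 'strictly_necessary' is the only purpose that needs no consent;
  - consent_at_ms is the timestamp of the user's 'accept' click, or
    None if the user never accepted.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Purposes that may be set without consent (constructed for this example).
NO_CONSENT_NEEDED = {"strictly_necessary"}


@dataclass(frozen=True)
class CookieEvent:
    name: str
    purpose: str     # e.g. "strictly_necessary", "analytics", "advertising"
    set_at_ms: int   # when the cookie write happened (page load = 0)


def cookies_set_before_consent(events: Iterable[CookieEvent],
                               consent_at_ms: Optional[int]) -> List[str]:
    """Return names of non-essential cookies written before consent.

    A cookie written at exactly the consent timestamp is treated as
    consented.  If consent was never given, every non-essential cookie
    is a finding.  Names are de-duplicated and returned in first-seen
    order so the report is stable.
    """
    findings: List[str] = []
    seen = set()
    for ev in events:
        if ev.purpose in NO_CONSENT_NEEDED:
            continue
        too_early = consent_at_ms is None or ev.set_at_ms < consent_at_ms
        if too_early and ev.name not in seen:
            seen.add(ev.name)
            findings.append(ev.name)
    return findings


def findings_by_purpose(events: Iterable[CookieEvent],
                        consent_at_ms: Optional[int]) -> dict:
    """Group the findings by declared purpose, e.g. {'advertising': ['ads_id']}."""
    events = list(events)
    bad = set(cookies_set_before_consent(events, consent_at_ms))
    report: dict = {}
    for ev in events:
        if ev.name in bad:
            report.setdefault(ev.purpose, [])
            if ev.name not in report[ev.purpose]:
                report[ev.purpose].append(ev.name)
    return report


# Constructed sample: a test visit where the banner was accepted at t=5000ms.
SAMPLE_EVENTS = [
    CookieEvent("session_id", "strictly_necessary", 100),
    CookieEvent("prefs", "strictly_necessary", 150),
    CookieEvent("_ga", "analytics", 200),        # fired on page load: too early
    CookieEvent("ads_id", "advertising", 300),   # fired on page load: too early
    CookieEvent("_gid", "analytics", 5200),      # fired after consent: fine
]
CONSENT_AT_MS = 5000

if __name__ == "__main__":
    print(cookies_set_before_consent(SAMPLE_EVENTS, CONSENT_AT_MS))
    print(findings_by_purpose(SAMPLE_EVENTS, None))
```

Running the script against the constructed sample reports `_ga` and `ads_id` as written before consent; with `consent_at_ms=None` (visitor never accepted) `_gid` is reported as well. The check deliberately ignores the banner's wording and looks only at what the site actually did, which is the behaviour the ICO examined.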

The importance of data security and reporting personal data breaches

The last reminder today comes from another huge fine of €91 million issued to Meta by the Irish Data Protection Commission (DPC). In March 2019, Meta notified the Irish DPC that it had inadvertently stored certain passwords of its social media users in ‘plaintext’ on its internal systems (i.e. without cryptographic protection or encryption). The Irish DPC found infringements of various provisions of the GDPR by Meta including: (1) failure to notify the Irish DPC of the personal data breach, (2) failure to document the personal data breach and (3) failure to implement appropriate technical and organisational measures to ensure security of the passwords.
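The Meta finding above concerns passwords held in plaintext, i.e. without cryptographic protection. The following is an added example (not code from the article, nor Meta's code) of the two controls that directly address that failure: storing only a salted, memory-hard hash of each password, and scrubbing password fields out of anything written to internal logs. It uses Python's standard `hashlib.scrypt` and `hmac.compare_digest`; the stored-record format, the scrypt parameters and the sample log line are constructed for illustration.

```python
"""Password storage without plaintext: salted scrypt hashes plus log scrubbing.

Added example. Assumptions (not from the article):
  - stored records use the constructed format
    scrypt$<n>$<r>$<p>$<salt_b64>$<digest_b64>;
  - scrypt parameters n=2**14, r=8, p=1 are used as an illustrative
    work factor, not a recommendation for any particular system.
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted scrypt hash; a fresh random salt is used unless one is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${b64(salt)}${b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def is_hashed_record(stored: str) -> bool:
    """True if a credential record is in the hashed format (a cheap plaintext-storage check)."""
    return stored.startswith("scrypt$") and stored.count("$") == 5


# Matches key=value / key: value / "key": "value" forms for common password field names.
_PASSWORD_FIELD = re.compile(
    r'(?i)(["\']?(?:password|passwd|pwd|secret)["\']?\s*[=:]\s*)("[^"]*"|\'[^\']*\'|\S+)'
)


def redact_password_fields(line: str) -> str:
    """Replace the value of any password-like field in a log line with [REDACTED]."""
    return _PASSWORD_FIELD.sub(r"\1[REDACTED]", line)


# Constructed sample log line of the kind that must never reach storage unscrubbed.
SAMPLE_LOG = 'login user=alice password=hunter2 ip=10.0.0.1 {"pwd": "hunter2"}'

if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))
    print(redact_password_fields(SAMPLE_LOG))
```

Two points worth noting: the verifier reads the work factor back out of the record, so parameters can be raised later for new hashes without breaking existing ones, and the log scrubber is a last line of defence for the case the DPC described (a credential reaching internal systems by accident), not a substitute for never logging the field in the first place.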

If you have not received this article directly but would like to receive articles and data protection news alerts from Trethowans, please contact [email protected].
