News Alerts and Breach Report for Week of October 6, 2023
September News Report:
TikTok Hit With Biggest Fine Yet
Ireland’s Data Protection Commission (DPA) has levied a fine against ByteDance’s TikTok platform. It’s the biggest fine to date—$368M—and comes from the platform’s mishandling of Children’s data. The BBC notes that, according to Irish Data Protection Commissioner Helen Dixon the inquiry found TikTok failed to properly inform children about privacy settings, and that “accounts made by those aged between 13 and 17 were made public by default on registration, meaning the content they posted was visible to anyone.”
Australia Announces Reform to Privacy Act
After a two-year review of Australia’s Privacy Act, Attorney General Mark Dreyfus has released the Australian government’s response to 116 reform recommendations from the Australian Competition and Consumer Commission’s 2019 Digital platforms inquiry. Of the 116 recommendations for reform, 106 are likely to be incorporated or considered for future policy development, including a prohibition against targeted advertising directed at children and a mandate for greater transparency into how personal data is used for artificial intelligence. At this time, the reform will not contain provisions that allow adults to opt out of targeted advertising, but will likely contain a right to delete. An existing exemption for small businesses concerning data security could be eliminated, while exemptions for media organizations will likely be upheld. The Australian government has also outlined plans to broaden the definition of personal information to include cookie data and IP addresses. These proposed reforms will likely be voted on in 2024, and while subject to a comprehensive impact assessment, are aligned with the goals of several of the government’s other privacy initiatives, including the implementation of Digital ID, the Australian Cybersecurity Strategy, the National Strategy for Identity Resilience, and the promotion of Responsible AI in Australia. Read more.
Automotive Privacy in the Spotlight
Cars are less private than you might think, or so says a recent privacy report by the Mozilla Foundation. Take for example Nissan. The company’s privacy notice, according to Axios, allows the automaker to share "sensitive personal information, including driver's license number, national or state identification number, citizenship status, immigration status, race, national origin, religious or philosophical beliefs, sexual orientation, sexual activity, precise geolocation, health diagnosis data, and genetic information." And Nissan is not alone, probably because cars generate about 25GB of data per hour, and the global vehicle data market is projected to be worth between $80 and $800 billion by 2030. Among 25 car brands examined, the report finds that 56 percent are willing to share data with law enforcement informally, and 84 percent share or sell personal data.
SEC and FTC Scrutinize Elon Musk
The Federal Trade Commission (FTC) is investigating Elon Musk for his alleged hindrance of privacy and security compliance at social media platform X, which is also known as Twitter. The FTC alleges that Musk created chaos that impeded his employees from complying with regulations, particularly around the hurried launch of Twitter Blue. The FTC complaint notes that under Musk’s leadership, Twitter failed to adhere to security and privacy protocols it had previously been ordered to implement following an investigation that resulted in a $150 million fine. Said investigation occurred prior to Musk’s purchase of the platform and assumption of the CEO role. Additional concerns center around Musk's reorganization of company servers without wiping them, and deep staff reductions that contributed to noncompliance. X has refrained from commenting, and Musk has labeled the investigation as the “weaponization of a government agency for political purposes.” Meanwhile, the Securities and Exchange Commission (SEC) is suing Musk for failing to appear for testimony in the ongoing investigation of his failure to disclose his financial stake in Twitter in 2022.
Delaware Passes Data Privacy Law
On September 12, Delaware governor, Governor John Carney, signed into law the Delaware Personal Data Privacy Act (DPDPA). Read ADCG’s compliance guide here.
Reauthorization of Foreign Surveillance Act Stirs Privacy Debate
A new report has been released by the U.S. Privacy and Civil Liberties Oversight Board on Section 702 of the Foreign Intelligence Surveillance Act. According to Intel.gov, “Section 702 authorizes targeted intelligence collection of specific types of foreign intelligence information—such as information concerning international terrorism or the acquisition of weapons of mass destruction—identified by the Attorney General and the Director of National Intelligence (DNI). Section 702 only permits the targeting of non-United States persons who are reasonably believed to be located outside the United States.” The U.S. Privacy and Civil Liberties Oversight Board’s report, which was released on September 28, evaluates the effectiveness of Section 702, and offers 19 recommendations related to privacy and oversight for Congress when it votes to reauthorize the Section. Notably, the report's approval came through a 3-2 vote, highlighting a partisan divide, unlike a similar report in 2014 which received unanimous approval. From the report: "The Board concludes that although the Section 702 program presents serious risks to, and actual intrusions upon, the privacy and civil liberties of both Americans and non-Americans, the United States is safer with the Section 702 program than without it." The report also underscores the need to address and minimize the risks associated with Section 702 while preserving its national security advantages. It proposes actions such as obtaining court approval for searches involving the data of U.S. citizens and enhancing transparency and agency review procedures.
U.K. Joins Transatlantic Privacy Framework
Building on a June agreement in principle, the U.S. and U.K. have finalized a “data bridge” framework for transferring data between the two countries. The so-called data bridge is described by TechCrunch as being “bolted on” to the EU-U.S. Data Privacy Framework approved in July. Per the U.K.’s Department for Science, Innovation and Technology (DSIT), “The Secretary of State has determined that the UK Extension to the EU-US Data Privacy Framework does not undermine the level of data protection for UK data subjects when their data is transferred to the US.” The agreement becomes effective October 12, 2023.
California Passes Delete Act to Fill in Blanks on California Consumer Protection Act
An add-on to the 2018 California Consumer Protection Act (CCPA), The Delete Act establishes a "one-stop shop" website where consumers can request the removal of their personal data from consumer data broker databases. Though the Delete Act addresses certain gaps in the CCPA, some privacy advocates have expressed concerns that it could inadvertently result in the collection and prolonged retention of personal data. Read more here.
Class Action Data Privacy Suit Filed Against H&R Block, Google, Meta
A class action suit filed under the Racketeer Influenced and Corrupt Organizations Act (RICO), names H&R Block, Google, and Meta, alleging that H&R collaborated with the tech giants to monetize consumers’ tax return data. According to The Record, “The suit, filed in a California federal court, argues the tax preparer and tech giants failed to adequately alert consumers that their data was being sold, and established a “comprehensive program” to deceive customers and share their data “for their own financial gain, breaking an array of laws in the process.”’ This follows a July congressional report which revealed that Meta and Google collaborated with H&R Block to embed tracking pixels on the tax preparation company's website segment where customers input sensitive data.
Enforcement Action in Kenya
Kenya's Office of the Data Privacy Commissioner has announced three violations of the Data Protection Act—along with three fines amounting to KES9,375,000—for unauthorized uses of personal data. Read more.
Poland Investigates ChatGPT
OpenAI is under investigation by Poland’s Office for Personal Data Protection (UODO) for potential violations of the EU’s General Data Protection Regulation (GDPR). The investigation was initiated in response to a complaint filed by privacy and security researcher Lukasz Olejnik, which alleges several breaches of GDPR, including issues related to lawful basis, transparency, fairness, data access rights, and privacy by design. UODO expressed concerns about OpenAI's approach to European data protection principles, noting that new technologies must adhere to GDPR.
Texas Changes Breach Notification Timeline
Texas has made changes to its data breach notification law, reducing the timeframe for businesses to report breaches involving 250 or more Texas residents to the state Attorney General. Starting from September 1, businesses are required to notify the Attorney General within 30 days from the point they ascertain a breach has occurred. This marks a reduction from the previous timeframe, which allowed businesses up to 60 days to report such breaches.
BREACH REPORT:
* * * * * *
Jody Westby hosts our podcast, ADCG on Privacy & Cybersecurity, bringing together leaders in the privacy and cybersecurity arenas to discuss a wide range of issues ranging from the proposed federal and state regulations to best practices and standards for compliance. Episodes can be enjoyed on many platforms including Spotify and Apple Podcasts. Don’t forget to subscribe!
Our most recently released episodes:
100 | Looking at Cyber Risk Management: the Perspective Across the Pond
Guest: Dr. Peter Trim, Reader of Marketing and Security Management at the University of London’s Birkbeck Business School.
99 | The Power of Choice for Authentication
Guest: Sabrina Gross, regional director of strategic partners at Veridas.
98 | The Importance of Digital Asset Inventories in Incident Response
Guest: Ken Westin, Field CISO for Panther Labs.
97 | The Race Between AI and Laws
Guest: Scott Giordano, former vice president and general counsel for Spirion
To browse our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.