Thursday Thoughts - 23 September 2021
Welcome back to Thursday Thoughts after a 6 week absence!
Over the last 6 weeks I have been completing the manuscript of a 1000 page book, which has sadly meant I have not had the time nor the brain space to write Thursday Thoughts, and I have missed it. This week, by way of a catch-up, here is a summary of some of the things that caught my eye over the last few weeks.
UK GDPR Changes
There is a lot being written at the moment about the proposed changes to UK GDPR. The proposals have two main themes: to keep to the data protection standards while at the same time providing the right conditions for growth and innovation by removing unnecessary barriers to responsible data use. Many organisations have expressed concerns; here is a summary of the comments I’ve seen thus far.
The proposals include a requirement to nominate a suitable individual in the business who is responsible for data protection compliance and privacy, doing away with the compulsion to have a Data Protection Officer.
Businesses would be able to re-purpose and re-use personal data for research without informing the data subjects of their plans if that would “involve disproportionate effort”. These changes are so “flexible” that special category and criminal offence data could be processed as part of secret research (shades of Cambridge Analytica come to mind).
Current limitations on the use of artificial intelligence for decision making could be removed, which is concerning given the issues around exam results last year and the use of algorithms as the final arbiter of whether a person is recruited, eligible for a loan, or entitled to state benefits.
The plans include proposed changes to the role of the Information Commissioner's Office (ICO).
Data breach reporting may be streamlined with only material breaches needing to be reported rather than those that have a potential effect on an individual’s rights and freedoms.
Privacy rights advocates and data controllers disagree over the proposals to stop data subjects abusing the right of access by reintroducing fees for Subject Access Requests. Data controllers have been increasingly concerned about the significant administrative and financial burden of DSARs and feel that charging may encourage more targeted requests in future.
The often ignored need to carry out a data protection impact assessment is pretty much done away with as the privacy management role should take this into account.
Cookie requests have also been singled out as something that may change. However, as they are not covered under GDPR, the “pointless” cookie requests may continue until the PECR is updated.
Welcome though some of these changes may be, they risk negating the hard-won adequacy decision from Europe, and they will have no effect for UK-based businesses wishing to do business in Europe. Sadly, for most small businesses any or all of these changes will add quite a significant burden in terms of time and resource, which many organisations can ill afford at this time. You can read more here: https://www.grcworldforums.com/gdpr/uk-gdpr-and-privacy-law-74-reforms-the-government-is-considering/2635.article
The consultation on the planned changes “Data: A new direction” is open until 11.45pm on 19th November: https://www.gov.uk/government/consultations/data-a-new-direction
Google Forms - a new route for Cybercriminals
Cybercriminals and malware operators are now using Google Forms in a wide range of attacks, having found that it is a way to avoid detection. Most of the abuse of Google Forms is low-skill phishing and fraud spam, but there are indications that the platform is also being used for more sophisticated attacks.
Amazon and UK Taxes
According to a report in Tech Monitor, Amazon founder Jeff Bezos told Boris Johnson this week that it “is up to governments to ensure that the company pays fair taxes”. Amazon has faced increased scrutiny over its meagre tax contributions in recent years: the company’s UK revenue in 2020 increased by more than 50% to £20.63bn, yet its UK division paid just £18.3m in direct taxes. You can read more here: https://techmonitor.ai/policy/big-tech/amazon-tax-uk-jeff-bezos-boris-johnson
The Dangers of using “cc”
The MOD has suffered a large data breach after an email sent by officials in the Ministry of Defence to 250 people in Afghanistan who are seeking relocation to the UK was sent using “cc” rather than “bcc” or “to”. The email exposed the interpreters’ email addresses, names, and linked profile images. The breach potentially compromises the safety of Afghans, many of whom are in hiding from the Taliban; some of the interpreters did not notice the mistake and used “reply to all” in their response, in which they explained their situation.
The Next UK Information Commissioner
The UK’s next Information Commissioner will be John Edwards. Edwards is currently New Zealand’s Privacy Commissioner and is well known for his views on Facebook.
Hack on the Guntrader website
Following a hack on the gun-selling website Guntrader, there are reports of animal rights activists contacting farmers to see if they are involved in shooting animals. The leaked data is included in a Google Earth-compatible file that shows the GPS co-ordinates of the addresses. The National Crime Agency is leading an investigation into the incident and has advised gun owners to increase their security.
Luxembourg - Amazon Fined €746,000,000
In a record-breaking judgement, the DPA in Luxembourg has fined Amazon €746 million for forcing targeted ads on the user. The decision states “the targeted ad system that Amazon forces onto us is not based on free consent”. Amazon has so far responded that there has been no data breach or risk to customer data, completely missing the point being made. Amazon intends to appeal the decision, so let’s wait and see what the eventual fine ends up as.
UK ICO Fines
We Buy Any Car has been fined £200,000 for sending over 191 million emails and 3.6 million nuisance texts between April 2019 and April 2020. Emails were sent to people who had requested an online valuation; while the initial emails about the request were made within the law, a number of subsequent emails also contained marketing information for which consent had not been given.
Saga Services Ltd (SSL) and Saga Personal Finance (SPF) were fined £150,000 and £75,000 respectively for sending emails using partner companies and their affiliates without getting consent from the data subjects to pass their details to these companies. More than 128 million emails were sent from SSL between November 2018 and May 2019, and 28 million from SPF over the same period. The companies were also issued with Enforcement Notices ordering them to stop any illegal direct marketing within 30 days or face court action.