Data Protection Update - August 2024

18 Sep

Data Protection Updates – We are delighted to share our Data Protection Newsletter. In the August 2024 issue, Deborah Tastiel and our Commercial team discuss #UberFine #XAI and more!

1. A LARGE FINE FOR UBER

The Dutch Data Protection Authority (DPA) fined Uber €290 million for transferring the personal data of European taxi drivers (including identity documents, photos and payment, location and medical details) to its headquarters in the US for over 2 years without a GDPR-compliant transfer mechanism.

Uber stopped using standard contractual clauses in August 2021, and failed to put in place sufficient safeguards until its self-certification to the EU-US Data Privacy Framework in November 2023.

2. CHILDREN & SOCIAL MEDIA

The Information Commissioner’s Office (ICO) continues its quest to protect children online and has issued a warning to 11 social media and video-sharing platforms, demanding that they improve their privacy practices for children or otherwise face enforcement action. 

3. GENERATIVE AI SUPPLY CHAIN

The ICO has launched a consultation on the allocation of accountability for data protection compliance in the context of the generative AI supply chain. Generative AI supply chain refers to both the development of an AI model and the processing operations necessary to maintain it. The consultation focuses on how, in this complex context, controller and processor roles and responsibilities are determined and carried out in compliance with the UK GDPR. This is the fifth and final chapter in the ICO’s consultation series on generative AI and data protection.

4. REPRIMAND FOR LABOUR PARTY 

The ICO has issued a reprimand to the Labour Party for failing to respond to 78% of the subject access requests (SAR) it received.

Following a cyber-attack on the Labour Party in 2021, it received an increase in requests from the public about what information the party held about them. Organisations must respond to a SAR within one month of receipt of the request. This can be extended by up to two months if the SAR is complex. 

5.   X AND AI TRAINING

Training its AI technologies by using the personal data of over 60 million users in the EEA. The Irish Data Protection Commission commenced proceedings against X to stop the processing.

X never asked for consent from its users to use their personal data. NYOB, Max Schrems’ non-profit organisation, has filed complaints with various data protection authorities to ensure that X is fully investigated.