Data Protection Updates - September 2024

ICO CRACKDOWN ON COOKIES 

      The ICO issued a reprimand to Sky Betting and Gaming for unlawfully processing and sharing personal data with advertising companies before giving users the option to accept or reject advertising cookies. Sky Betting and Gaming has since rectified this.

      The reprimand forms part of the ICO’s  crackdown on the use of advertising cookies. Last year it reviewed the use of advertising cookies by the UK’s top 100 websites, and issued an enforcement action warning to 53 of them. 

      CHANGES TO INTERNATIONAL DATA TRANSFER CLAUSES

      The European Commission will consult on its proposed new standard contractual clauses (SCCs) in relation to:

      •the transfer of data that is subject to the GDPR, to controllers and processors in third countries; and

      •the transfer of personal data from EU institutions and bodies to data importers in non-EU countries.

      SCCs are model data protection clauses that organisations in the EEA can incorporate into contracts involving the transfer of personal data to organisations outside of the EEA (and not subject to the GDPR) to ensure GDPR compliance.

      ICO AND NCA COLLABORATION 

      The ICO and National Crime Agency (NCA) have signed a Memorandum of Understanding (MOU) setting out how the organisations will collaborate to improve cyber resilience in the UK. The MOU includes commitments to information sharing and avoiding conflict and duplication of effort.

      PRIVACY FEATURE OR TRACKER? 

      The NYOB filed a complaint against Mozilla with the Austrian Data Protection Authority for making its “Privacy Preserving Attribution” feature, which allows Mozilla to track user behavior, a default feature on its Firefox browser.

      Mozilla claims that the feature improves user privacy by allowing ad performance to be measured without individual websites collecting personal data. 

      SOCIAL MEDIA, THE ICO & AI TRAINING  

      META has resumed its plans to train generative AI using the data of Facebook and Instagram users. META had paused AI training after receiving a request from the ICO. It has since changed its approach, including by making it simpler for users to object to processing and providing them more time to do so.

      LinkedIn is following suit, recently suspending generative AI training after the ICO raised concerns, and pending further engagement with the ICO.

      THE LOGIC OF AUTOMATED DECISIONS

      The Austrian Advocate General (AG) published an opinion about the information that Dun & Bradstreet Austria (D&B) should provide to a customer who requested information about an automated credit assessment that resulted in D&B refusing to provide the customer with a phone contract. D&B refused due to commercial sensitivity concerns.

      The AG opined that the information should include the method, criteria and weighting, so that the decision-making process is intelligible to the data subject. The AG considers that the information will not put commercially sensitive information at risk.