August 2024 data protection round up

Latest UK News

  1. New Cyber Security and Resilience Bill. Government ministers have proposed a Cyber Security and Resilience Bill in response to recent attacks by “criminals and state actors” targeting hospitals, universities, local authorities, democratic institutions, and government departments in the UK. The legislation aims to consolidate and strengthen cyber security rules and reporting requirements, which are currently managed by 12 different regulators overseeing core infrastructure sectors and digital services like online marketplaces. The government emphasized the urgent need to update these rules to ensure that Britain’s infrastructure and economy are not more vulnerable compared to those of EU counterparts.
  2. Privacy notice tool for SMEs. The ICO has introduced a new tool designed to help small businesses and sole traders easily create customized privacy notices. “We aim to simplify data protection compliance for smaller organizations and startups, which often have limited time and resources,” stated Faye Spencer, ICO Head of Business Services. This tool can swiftly generate tailored notices for various sectors, including education and childcare, finance, insurance, legal, health and social care, manufacturing, retail, and the third sector.
  3. Provisional fine of £6m imposed on software provider. The ICO has provisionally decided to fine Advanced Computer Software Group Ltd £6.09 million. This decision follows an initial finding that the company failed to implement adequate measures to protect the personal information, including special category data, of 82,946 individuals. Advanced Computer Software Group Ltd provides IT and software services to the NHS and other healthcare providers, acting as a data processor for these organizations. The fine is related to a ransomware incident in August 2022, where the ICO discovered that hackers accessed several of Advanced’s health and care systems through a customer account lacking multi-factor authentication.
  4. GLA launches privacy registry. The Greater London Authority (GLA) has introduced the London Privacy Registry to enhance transparency around smart city technologies in public spaces. This registry is part of the Emerging Technology Charter for London, which guides the trial and use of data-gathering smart city technologies, and the Public London Charter, which outlines the rights and responsibilities of users, owners, and managers of new public spaces. “Fundamentally, this is about transparency,” said Theo Blackwell, Chief Digital Officer at the Greater London Authority. “By publishing data protection impact assessments as open data in one place, citizens and those who serve them can see how their data is managed. This is crucial as the number of connected networks, cameras, drones, and other systems in public spaces continues to grow,” he added.
  5. Cyber-attack in UK leaves thousands vulnerable to phishing scam. A cyber-attack on public authorities in Greater Manchester has exposed thousands of residents to a phishing scam. The attack targeted the software company Locata, disrupting housing websites for Manchester, Salford, and Bolton Councils. As a result, thousands of users received phishing emails asking them to “activate your tenancy options” and provide personal data. Locata, which supplies housing software to councils across the UK, stated, “We moved quickly to manage the issue and are working with third-party IT experts to investigate the matter.”
  6. Concerns raised about data sharing. UK privacy campaign group MedConfidential has expressed concerns about a data-sharing agreement between the Royal National Orthopaedic Hospital (RNOH) and AI startup Naitive Technologies. In 2018, RNOH entered into a collaboration with Naitive (formerly Ortho AI) to develop AI software for data analysis in orthopaedic surgery and musculoskeletal medicine. MedConfidential argues that this agreement violates the guidance on NHS data sharing with researchers, issued by the Department of Health and Social Care and NHS England in July 2019. Sam Smith, Coordinator at MedConfidential, stated, “This agreement is so murky and contradictory that it’s impossible to know what actually happened, which clearly breaches the national data guardian’s ‘no surprises’ rule.”
  7. UK citizen sentenced after “brazen” car scam. A man has been sentenced after pleading guilty to an offence under section 55 of the Data Protection Act 1998 at Cardiff Crown Court. He unlawfully accessed motorists’ details from Enterprise Rent-A-Car to pursue personal injury claims for financial gain. The court fined him £10,000 and ordered him to pay £1,700 in costs.
  8. UK school reprimanded after using facial recognition technology for canteen payments. The ICO has reprimanded Chelmer Valley High School in Chelmsford, Essex, for unlawfully introducing facial recognition technology. The school, which has around 1,200 students aged 11-18, began using the technology in March 2023 for cashless canteen payments. However, the school failed to conduct a Data Protection Impact Assessment (DPIA) before implementation and did not obtain clear consent to process the students’ biometric data. Additionally, students were not given the choice to opt in or out of this system.

Latest European News

  9. European Commission to keep the GDPR and focus on enforcement. The European Commission has announced that it does not plan to revisit the GDPR before its next scheduled report in 2028, choosing instead to focus on enforcement. MEP Birgit Sippel, Rapporteur for the ePrivacy Directive, emphasised the importance of implementing the current GDPR to ensure EU companies have access to high-quality data for training AI models. Meanwhile, MEP Axel Voss argued that accessing and processing large quantities of quality data is essential for creating non-discriminatory and gender-balanced AI models. Voss believes that the GDPR needs to be reviewed to foster innovation in the rapidly evolving digital landscape, suggesting a shift from a restrictive approach to one where “everything is allowed,” provided that citizens’ privacy is protected.
  10. DPC initiates court proceedings against X. Ireland’s Data Protection Commission (DPC) has launched court proceedings against the social media platform X regarding its processing of user data for Grok, an AI model developed by xAI, a company founded by X owner Elon Musk. Grok is used as a search assistant for premium accounts on the platform. The DPC is seeking a court order to stop or limit X’s processing of user data for training its AI systems and plans to refer the issue to the European Data Protection Board for further review.
  11. Olympics’ venue hit with cyberattack. The IT system of the French national museum network, which encompasses around 40 museums, has been targeted by a “ransomware attack,” according to the Paris prosecutor’s office. This network includes the Grand Palais, an exhibition hall and museum in central Paris, which has been converted into a venue for fencing and taekwondo events for the Paris 2024 Summer Olympics. The prosecutor’s office confirmed that the attack has not impacted the staging of Olympic events. Outgoing French Prime Minister Gabriel Attal reported that 68 cyberattacks were thwarted in the first few days of the Olympics, including two that targeted Olympic venues.
  12. Complaint filed against LinkedIn. Consumer rights organization Test Achats has lodged a formal complaint with Belgium’s Supervisory Authority, alleging that LinkedIn is exploiting personal user data. According to Test Achats, LinkedIn discreetly updated its privacy policy in March 2024 and is not transparently informing users about the use of their personal data for developing AI tools. The organization claims that LinkedIn is using personal data, including photos, searches, publications, and private messages, to train its AI without obtaining user consent. Additionally, users who oppose the policy change are advised to either close their accounts or fill out an opposition form, which Test Achats describes as ineffective due to a lack of response from LinkedIn’s help services.
  13. NOYB complains about X to 8 SAs. Digital rights group NOYB has lodged complaints with eight Supervisory Authorities regarding X’s use of the AI model Grok, accusing Ireland’s Data Protection Commission (DPC) of avoiding the core issues related to X’s handling of personal data. In early August, the DPC requested an Irish court to order X to suspend or restrict the processing of personal data from EU users’ public posts for training Grok. Two days later, X agreed to halt the processing of data collected between 7th May and 1st August until the court rules on the DPC’s request. NOYB has now filed complaints in Belgium, France, Greece, Ireland, Italy, the Netherlands, Spain, and Poland, seeking a thorough investigation into X’s practices for GDPR compliance. Dr. Des Hogan, Commissioner at the DPC, stated that “the DPC, working in conjunction with our EU/EEA peer regulators, continues to examine the extent to which the processing complies with the GDPR.”
  14. Uber fined €290 million. The Dutch and French Supervisory Authorities (SA) have imposed a €290 million fine on Uber for inadequate protection of driver privacy during data transfers to servers in the US. The compromised data included account details, taxi licenses, location data, photos, payment information, identity documents, and in some cases, criminal and medical records of drivers. This fine resulted from a collective complaint by the French Human Rights League, representing over 170 Uber drivers. The investigation was transferred to the Dutch regulator since Uber’s EU headquarters are located in the Netherlands.
  15. Legal action taken against Swedish SA. NOYB is taking legal action against the Swedish Supervisory Authority, IMY, to ensure it fulfills its obligations. Max Schrems stated, “Six years after the GDPR’s introduction, we still see authorities acting as if they can choose whether to enforce citizens’ rights. EU law mandates that every complaint be investigated and every GDPR violation remedied. IMY seems to forget that it is an enforcement authority.”
  16. Complaints against European Parliament. Austria-based digital rights group NOYB has filed two complaints against the European Parliament for GDPR violations. In June 2024, the European Parliament informed up to 9,000 employees about a data breach in its recruitment application, PEOPLE, which contained sensitive information such as ID details, birth certificates, employment history, medical records, marriage certificates, and proof of work dating back 10 years. NOYB has now submitted two complaints to the European Data Protection Supervisor on behalf of four Parliament employees. The first complaint concerns a complainant whose sexual orientation was disclosed due to the leak of a certificate. The second complaint alleges that the Parliament refused to erase the personal data of a complainant after the breach, despite the individual not having worked at the institution since 2018.

Latest International News

    1. UN approves cyber-crime treaty amid privacy concerns. A UN Committee has adopted a treaty aimed at combating cross-border cyber-crime, but critics caution that it could be misused by repressive regimes to target journalists, researchers, and protesters. After three years of negotiations, the Ad Hoc Committee on Cyber-crime has agreed on the draft text of the Convention Against Cyber-crime, which is expected to be adopted by the General Assembly later this year. This would mark the first globally agreed framework for addressing cybercrime. However, NGOs, policy experts, human rights advocates, and tech companies warn that the treaty’s broad language could enable authoritarian regimes to suppress political opposition and infringe on human rights.
    2. Hackers leak 2.7 billion data records with Social Security numbers. Nearly 3 billion records containing the Personally Identifiable Information (PII) of an unknown number of US, Canadian, and British citizens, including Social Security numbers and criminal records, have been leaked on a hacking forum. The data reportedly originates from National Public Data, a company that collects and sells personal data for background checks, criminal record searches, and private investigations. In response, several class action lawsuits have been filed, marking this as the largest breach of such information on record.
    3. US sues TikTok over children’s privacy breach. The US Department of Justice and the Federal Trade Commission have filed a lawsuit against TikTok and its parent company ByteDance, alleging they failed to protect children’s privacy. The lawsuit claims that TikTok violated the Children’s Online Privacy Protection Act, a federal law that prohibits the collection, use, or disclosure of personal information from children under 13 without parental consent. It is alleged that TikTok knowingly allowed children to create standard accounts, share short videos and messages with adults and others on the platform, and collected personal information from these children without obtaining parental consent.
    4. Australian regulator drops pursuit of Clearview AI. The Australian privacy regulator has controversially decided to end its pursuit of Clearview AI regarding the use of Australians’ facial images in its facial recognition service. In 2021, the Office of the Australian Information Commissioner determined that Clearview AI had violated Australians’ privacy by collecting these images without consent and ordered the company to stop collecting the images and delete those on record within 90 days. Clearview initially appealed the decision but withdrew its appeal in August 2023. Privacy Commissioner Carly Kind stated, “Considering all the relevant factors, I am not satisfied that further action is warranted in the particular case of Clearview AI at this time.” However, it remains unclear whether Clearview has complied with the 2021 order.

    To find out more about Moore ClearComm and how our team of industry specialists can help your organisation, contact us today: info@mooreclear.com
