Hello Friends,
India’s DPDP bill is set to be introduced in Parliament's monsoon session this year and seeks to balance privacy protections with industry-friendly measures. Enjoy reading!
Privacy Enforcement
ICO reprimands Police for Recording 200K Calls
The U.K. Information Commissioner's Office reprimanded Surrey and Sussex police for using an app that recorded and automatically saved more than 200,000 phone calls without individuals' knowledge. The ICO said the app was downloaded onto the work phones of 1,015 staff members and it was highly likely it captured a large variety of personal data, the processing of which the ICO determined was unfair and unlawful. The ICO issued the reprimand instead of a 1 million GBP fine per department.
Garante fines Marketing Company 300K Euros
Italy's data protection authority, the Garante, fined a digital marketing services company 300,000 euros for allegedly illegally processing users' personal data for marketing purposes. The Garante said the company's online portals used dark patterns to entice users to pay consent to the processing of data for marketing purposes and to the communication of data to third parties always for the same purpose. The company was also unable to demonstrate obtained consent for sending promotional messages, the Garante said.
Privacy in Spotlight
AI Voice and Video Tool creates Convincing Replicas
Audio and video artificial intelligence tool Synthesia from ElevenLabs was able to replicate Wall Street Journal technology columnist Joanna Stern's voice. Stern wrote the tool fooled both her family and bank phone login system. She said for quick sentences, the avatar can be quite convincing. The longer the text, the more her bot nature comes through. Additionally, Stern said the potential for misuse was a real problem, and all users have to do is check a box agreeing they wouldn't use the technology for fraudulent purposes.
ChatGPT resolves Garante’s Data Protection concerns
Italy's data protection authority, the Garante, removed its limited block of OpenAI's ChatGPT after the company rectified alleged data protection issues. The regulator ordered limits on the popular generative artificial intelligence tool's data collection 31 March and gave OpenAI a 30 April compliance deadline over EU General Data Protection Regulation allegations concerning legal bases for processing data and children's data protection. It's unclear how the data processing claims were addressed, but OpenAI recently added an age verification and parental consent process.
Regulations
Government receives more than 20K Submissions on India’s proposed DPDP Bill
Officials have received more than 20,000 public submissions on India's draft Digital Personal Data Protection Bill, the Hindustan Times reports. In a submission, Supreme Court of India Advocate and Cyber Saathi founder N.S. Nappinai said, “To formulate a draft that neither protects individuals from corporate nor Government excesses does not spell out a robust privacy legislation." The Internet Freedom Foundation also raised concerns that the bill allows for the non-consensual processing of personal data. The bill is on track to be introduced in Parliament's monsoon session.
Ireland’s DPC issues Employee Data Protection Guidance
Ireland's Data Protection Commission announced fresh employer guidance on handling the data of current, former, and prospective employees. The DPC said the guidance is aimed at standard data collection, including employees' names and contact information, but added employers need to also consider nontraditional data like information on occupational health, sick leave, performance reviews, or disciplinary actions. The guidance also includes guidelines for employee monitoring and tracking.
Data Localisation Provisions removed from Draft DPDP Bill
India's Minister of State for Electronics and Information Technology, and Skill Development and Entrepreneurship Rajeev Chandrasekhar said data localization provisions were changed in the recent version of the proposed Digital Personal Data Protection Bill. We want to create a framework for every legislation that allows it to evolve and we certainly will not impose hardcore data localisation as a condition, Chandrasekhar said. Localization provisions were previously a requirement for cross-border transfers of sensitive and critical personal data.