#SypherPrivacyTalks - September 2023 - Week 36

by Sypher - September 06, 2023

Welcome to #SypherPrivacyTalks — Your news and article roundup. Bringing you the top privacy & compliance stories of the week.

Your Fitbit is useless – unless you consent to unlawful data sharing

noyb.eu • 3 min read

📃 NOYB filed complaints against Fitbit in Austria, the Netherlands, and Italy. The issue is that Fitbit, now under Google's umbrella, is requiring new users to consent to data transfers outside the EU. 👇 

☝️ Here are the key points:
✅ Data transfers — When creating a Fitbit account in Europe, users are forced to agree to the transfer of their data to countries with different data protection laws, including the US. 
✅ Highly personal data — Fitbit's privacy policy lets it share a wide range of personal data, including health-related information, and users can't easily find out which specific data is shared or where it goes.
✅ Limited consent withdrawal — To withdraw consent, users have to delete their account, which means losing all their previously tracked workouts and health data. This applies even to premium subscribers.
✅ GDPR violation — Fitbit's approach doesn't comply with European privacy law: under the GDPR, consent can only serve as the legal basis for occasional, non-repetitive data transfers, not for the routine transfers that every account is made to accept… read more

Swedish DPA fines Trygg-Hansa $3.2M for GDPR breaches

complianceweek.com • 1 min read

😱 Swedish insurance giant Trygg-Hansa slapped with a hefty €3M fine by the Swedish DPA for GDPR breaches. 👇 

Here's the scoop: Trygg-Hansa, which merged with Moderna Försäkringar in April 2022, got into hot water due to alleged security flaws. 🕵️‍♂️ These flaws left customer insurance info accessible online. 

The Swedish DPA uncovered that data from 650,000 Moderna Försäkringar customers was exposed from Oct 2018 to Feb 2021. A tipster noticed you could access other policyholders' documents just by changing an identifier in a web link, a textbook insecure direct object reference (IDOR): the site checked that a document existed, not that it belonged to the person requesting it! 😬

☝️ What was at risk? Health and financial data, social security numbers, and more. The DPA found Trygg-Hansa had not implemented the appropriate technical security measures that the GDPR (Article 32, security of processing) requires.

🤷 Trygg-Hansa's response? They said Moderna Försäkringar fixed the issue pronto. But they admitted their IT security needed a boost… read more
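The flaw class described above, as an added illustration (this is example code written for this roundup, not Trygg-Hansa's or Moderna Försäkringar's system, whose implementation the article does not describe): a document handler keyed on a predictable numeric ID that only checks "is the caller logged in", beside a hardened handler that also checks "does this record belong to the caller". The document store, customer IDs and handler names are constructed for the example.

```python
# Added example: insecure direct object reference (IDOR) beside its fix.
# All data and names here are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class PolicyDocument:
    doc_id: int
    owner_id: int
    title: str


# Constructed sample store: customer 1 and customer 2 each own two documents,
# filed under sequential IDs, so a neighbouring ID is trivial to guess.
DOCUMENTS = {
    1001: PolicyDocument(1001, owner_id=1, title="Home insurance policy"),
    1002: PolicyDocument(1002, owner_id=1, title="Health claim 2020"),
    1003: PolicyDocument(1003, owner_id=2, title="Car insurance policy"),
    1004: PolicyDocument(1004, owner_id=2, title="Payout statement"),
}


class Forbidden(Exception):
    """Caller is not authenticated."""


class NotFound(Exception):
    """No document is available under this ID for this caller."""


def get_document_vulnerable(session_user_id: Optional[int], doc_id: int) -> PolicyDocument:
    """Vulnerable handler: authenticates the session, then serves any ID that exists.

    Ownership is never checked, so a logged-in user who edits doc_id in the
    link receives other policyholders' documents."""
    if session_user_id is None:
        raise Forbidden("login required")
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc


def get_document_hardened(session_user_id: Optional[int], doc_id: int) -> PolicyDocument:
    """Hardened handler: object-level authorization on every lookup.

    A document that exists but belongs to someone else is reported exactly like
    a document that does not exist, so walking the ID space reveals neither the
    data nor which IDs are in use."""
    if session_user_id is None:
        raise Forbidden("login required")
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner_id != session_user_id:
        raise NotFound(doc_id)
    return doc


def probe(handler: Callable[[Optional[int], int], PolicyDocument],
          session_user_id: int, id_range: Iterable[int]) -> list[int]:
    """Simulate 'tweaking the link': request every ID in the range as one user
    and return the IDs of documents served that this user does not own."""
    leaked = []
    for doc_id in id_range:
        try:
            doc = handler(session_user_id, doc_id)
        except (Forbidden, NotFound):
            continue
        if doc.owner_id != session_user_id:
            leaked.append(doc.doc_id)
    return leaked


if __name__ == "__main__":
    print("vulnerable handler leaks:", probe(get_document_vulnerable, 1, range(1000, 1010)))
    print("hardened handler leaks:  ", probe(get_document_hardened, 1, range(1000, 1010)))
```

Two design points worth noting. First, the ownership check belongs in the data-access path (here, inside the lookup itself) rather than as a per-endpoint afterthought, so that a new endpoint cannot forget it. Second, switching to unguessable IDs such as UUIDs only raises the cost of guessing; it is defence in depth, not a substitute for the authorization check, because an ID leaked in a shared link or log would still unlock the record.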

X wants permission to start collecting your biometric data and employment history

theverge.com • 2 min read

❌ Social media giant X (formerly Twitter) is updating its privacy policy to collect new categories of personal data, which it frames as improving user safety and convenience. Here's the scoop: 

🤖 Biometric data collection — X is gearing up to collect biometric information with user consent. While the exact details are yet to be revealed, this typically includes fingerprints, iris patterns, or facial features. This move could pave the way for passwordless sign-ins.

📚 Employment history matters — In addition to biometrics, X is also expanding its data collection to include user employment history, educational background, skills, and job search activity. This aligns with X's plan to introduce new job search features and other functionalities.

💡The updated privacy policy comes into effect on September 29th, 2023, giving us time to understand the implications better… read more

Home Office secretly lobbied for facial recognition ‘spy’ company

theguardian.com • 5 min read

📢 Senior UK Home Office officials wanted to push controversial facial recognition technology, particularly in retail settings. 👇

🏬 Internal emails reveal the Home Office's push to influence the Information Commissioner’s Office's investigation into Facewatch, a company deploying facial recognition cameras in shops. 

🚫 This move has sparked privacy and human rights concerns, even as the EU seeks to ban such tech in public spaces… read more

OpenAI accused of string of data protection breaches in GDPR complaint filed by privacy researcher 

techcrunch.com • 5 min read

🤖 OpenAI is under scrutiny once again! A detailed GDPR complaint has been filed, alleging breaches of several GDPR obligations, including transparency, accuracy of personal data, and data protection by design. 👇 

It's not the first time ChatGPT has faced GDPR issues, with Italy's privacy watchdog already raising concerns earlier this year.

The complaint was filed by Lukasz Olejnik, a privacy researcher, who noticed inaccuracies in a biography ChatGPT generated about him. He asked OpenAI to correct the record; according to the complaint, OpenAI's response did not meet GDPR requirements.

☝️ Key takeaways:
✅ Concerns about unlawful data processing.
✅ Lack of transparency in data processing.
✅ Failure to rectify inaccuracies in generated content.
✅ Violation of GDPR's data protection by design and default principle… read more

Stay tuned for more by 📌 connecting with us on LinkedIn or, better yet, by subscribing to our weekly newsletter. We do our best to select the most interesting and relevant content in our field and deliver it to you in a bite-sized format, so you can stay up to date on topics such as Privacy Management & Compliance.

Photo by Burst