The biggest privacy heroes and villains of 2022/23

Who’s made our blood boil this year and who is long overdue a pat on the back? Let’s find out…

By Emma Sheppard

June 2023

Brass-neck award

Under the UK GDPR, individuals have the right of access to their personal data processed by a controller. But even we were surprised by the news that Nadine Dorries has submitted a number of subject access requests to the House of Lords Appointments Commission, the cabinet secretary and the Cabinet Office to find out why she was denied a peerage in Boris Johnson’s resignation honours. Unfortunately for Dorries, information relating to honours nominations appears to be exempt from subject access requests. Still, worth a try.

Biggest cock-up

As 2022 drew to an end, all anyone in technology was talking about was the exodus at Twitter. In November, several top executives resigned, including the company’s head of moderation and safety, as well as other prominent members of the site’s privacy and security team. The departures prompted the Federal Trade Commission to warn that it might be forced to step in, adding that it was “tracking the developments at Twitter with deep concern”. A few months later, the social media network announced it would only allow accounts subscribed to its paid-for Twitter Blue feature to use text-message-based two-factor authentication. Terrific.

Most embarrassing privacy story

We felt bad for the Tesla drivers whose car-camera videos and images were shared around the manufacturer’s offices for lols. Crashes and road-rage incidents were firm favourites, but there was also one clip of a man approaching his vehicle while completely naked. It was also revealed that Tesla’s system could track the location of recordings and so reveal where a car owner lived, despite its online customer privacy notice stating that “camera recordings remain anonymous and are not linked to you or your vehicle”.

Worst excuse of the year

It’s not uncommon for organisations to get into trouble for sharing user information with Facebook. But in Canada, the bosses at home improvement giant Home Depot used their imaginations when they were caught out. In a direct violation of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Home Depot did not get customers’ consent before passing on the email addresses they had provided to receive an electronic receipt. The company said it had neglected to ask because of “consent fatigue”. Surely that’s better than ‘data breach fatigue’?

Biggest fine of the year

Meta again, but it would be remiss of us not to mention the €1.2bn fine the tech giant received in May 2023. It’s the largest such fine ever imposed on a single business, handed down after Meta was found to have insufficiently protected people’s data when transferring it between Europe and the US. Meta has said it will appeal, and the Irish High Court has granted it a ‘short stay’ before the company must suspend the transfer and storage of European citizens’ data.

Biggest let off

When Uber’s former chief of security went on trial in California over his handling of a 2016 security breach, the technology sector held its collective breath. Joe Sullivan was eventually found guilty and sentenced to three years’ probation and 200 hours of community service, but he could have faced up to eight years in prison. Experts predict the case could change how security professionals and their companies handle data breaches, but the biggest takeaway is surely not to hide data breaches from the regulator!

Worst product

The worst product award has two winners this year. The security shortfalls of Apple’s AirTags have come under scrutiny in a US court after two women who were victims of stalking sued the company. The federal suit revealed that the devices were released against the advice of privacy experts who had raised concerns. The second winner is everyone’s favourite chatbot, ChatGPT, which already appears to have had a data breach. Corporations including JP Morgan Chase and Amazon have also restricted its use among staff for fear it will inadvertently expose sensitive company information. Meanwhile, Google’s challenger chatbot, Bard, isn’t even live in the EU yet, apparently because it may not be compliant with the GDPR.

The ‘we’ve finally twigged’ award

Following significant data breaches at telco Optus and health insurer Medibank in 2022, Australia is finally considering introducing widespread privacy reforms. The legislation is likely to take inspiration from the GDPR and CCPA, with citizens able to opt out of targeted ads and erase their data. An earlier review of the current Privacy Act found “very strong support for increasing the protections for personal information”, including a new requirement that “the collection, use and disclosure of personal information must be fair and reasonable in the circumstances”. Now you’re talking.

Most shocking statistic

A review by IBM has found that the average cost of a data breach reached $4.35 million (£3.4m) in 2022. That’s more than 12% higher than two years ago. Ransomware payments have gone up too – the average payment in 2021 was approximately $1.85m (£1.4m), more than double what it was the year before. Those are just the direct costs, of course. You also have to account for the loss of revenue during business disruption, the loss of customers, the impact on your reputation, and any subsequent fines or legal proceedings. Those are much harder to quantify.

Regulator of the year

It’s the second year in a row we’ve recognised Spain as the regulator of the year, but it continues to impress. The Spanish Data Protection Authority (known as the AEPD) has handed down 679 fines over the five years the GDPR has been in place, totalling €60.6m. The UK, in contrast, has issued only 13 fines, although the total is higher (€75.1m). Where the two differ is that the AEPD doesn’t just take action against remote tech giants but also against smaller companies for everyday breaches. That means organisations of all sizes should really care about complying with privacy law.

Snooper of the year

Everyone’s favourite facial recognition tech company, Clearview AI, is still causing trouble. Its database now consists of more than 30 billion images scraped off the internet without users’ permission. A few months ago, it was revealed that the database has been searched nearly 1 million times by US police. Over in the UK, South Wales Police was criticised for its plans to use live facial recognition cameras to scan fans attending a recent Beyoncé concert in Cardiff. You’d think they would have learned their lesson – the Court of Appeal found back in 2020 that the force had breached privacy rights through its use of the technology.

Privacy bad guy of the year

It’s given the world more viral dance routines than you could ever count, but TikTok fell firmly out of favour this year thanks to its links to China. First the US Congress banned TikTok on all federal devices, then a number of American universities followed suit (cue loud cries of indignation from frustrated teenage content creators). In April, Montana passed the first state-wide TikTok ban, blocking downloads of the app from January 2024. In the UK, the government and the BBC have also banned TikTok from corporate devices. This isn’t hyperbole – a former executive of TikTok’s parent company ByteDance has claimed that the Chinese Communist Party has maintained supreme access to its data.