Under the UK GDPR, individuals have the right of access to their personal data processed by a controller. But even we were surprised by the news that Nadine Dorries has submitted a number of subject access requests to the House of Lords appointment committee, cabinet secretary and the Cabinet Office to determine why she was denied a peerage in Boris Johnson’s resignation honours. Unfortunately for Dorries, information relating to honours nominations appear to be exempt from data subject requests. Still, worth a try.
Biggest cock up
As 2022 drew to an end, all anyone in technology was talking about was the exodus going on at Twitter. In November, several top executives resigned, including the company’s head of moderation and safety, as well as other prominent members of the site’s privacy and security team. The departures prompted the Federal Trade Commission to warn they might be forced to step in, adding that it was “tracking the developments at Twitter with deep concern”. A few months later, the social media network announced it would only allow accounts that subscribed to its paid-for Twitter Blue feature to use text-message-based two-factor authentication. Terrific.
Most embarrassing privacy story
We felt bad for the Tesla drivers who had videos and images that had been recorded by their car’s cameras, shared around the manufacturer’s office for lols. Crashes and road-rage incidents were firm favourites but there was also one incident of a man approaching his vehicle while completely naked. It was also revealed Tesla’s system could track the location of recordings and could reveal where a car owner lived, despite its online customer privacy notice stating that “camera recordings remain anonymous and are not linked to you or your vehicle”.
Worst excuse of the year
It’s not uncommon for organisations to get into trouble for sharing user information with Facebook. But in Canada, the bosses at home improvement giant Home Depot used their imaginations when they were caught out. In what was a direct violation of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Home Depot did not get customer consent for their email addresses to be passed on after they opted for an electronic receipt. The company said they neglected to do so because of “consent fatigue”. Surely that’s better than ‘data breach fatigue’?
Biggest fine of the year
Meta again but it would be remiss of us not to mention the €1.2bn fine the tech giant received in May 2023. It’s the largest ever fine to a single business after Meta was found to have insufficiently protected people’s data when transferring it between Europe and the US. Meta has said it will appeal and the Irish High Court has granted it a ‘short stay’ before the company must suspend the transfer and storage of European citizens’ data.
Biggest let off
When Uber’s former chief of security went on trial in California over his handling of a 2016 security breach, the technology sector held its collective breath. Joe Sullivan was eventually found guilty and sentenced to three years’ probation and 200 hours of community service but he could have faced up to eight years in prison. Experts predict the case could change how security professionals and their companies handle data breaches but the biggest takeaway is surely not to hide data breaches from the regulator!
The worst product award has two winners this year. The security shortfalls of Apple’s AirTags have come under scrutiny in a US court after two women who were victims of stalking sued the company. The federal suit revealed the devices were released against the advice of privacy experts who had raised concerns. The second winner is everyone’s favourite chatbot, ChatGPT, which already appears to have had a data breach. Corporations including JP Morgan Chase and Amazon have also restricted its use among staff for fear it will inadvertently expose sensitive company information. Meanwhile Google’s challenger chatbot, Bard, isn’t even live in the EU yet, apparently because it may not be compliant with the GDPR.
The ‘we’ve finally twigged’ award
Following significant data breaches at telco Optus and health insurer Medibank in 2022, Australia is finally considering introducing widespread privacy reforms. The legislation is likely to take inspiration from the GDPR and CCPA, with citizens able to opt out of targeted ads and erase their data. An earlier review of the current Privacy Act found “very strong support for increasing the protections for personal information”, including a new requirement that “the collection, use and disclosure of personal information must be fair and reasonable in the circumstances”. Now you’re talking.