By Cameron Abbott, Rob Pulham, Stephanie Mayhew and Jordan Booth
Cybernews has reported on its researchers’ discovery of what could be the largest leaked password compilation of all time, with a record 9,948,575,739 plaintext passwords in a file called “rockyou2024.txt” (see article).
Read MoreBy: Cameron Abbott, Rob Pulham, Dadar Ahmadi-Pirshahid, and Adam Asadurian
Astonishingly (…or perhaps not, for anyone who’s answered a phone call recently), “imposter calls” are the number one offender of spam calls in the United States, amounting to 33% of all phone calls according to a recent study by QR Code Generator.
Read MoreBy Claude-Étienne Armingaud and Kenza Berrada
Digital intermediation service platforms within the sectors of chauffeur-driven transportation and goods delivery have new responsibilities since the enactment of Decree no. 2024-388 on 25 April 2024. Operating under the framework established by Article L. 7345-1 of the French Labor Code, this Decree has initiated a systematic collection and transmission protocol for data concerning platform workers’ activities to the French Employment Platforms Social Relations Authority (ARPE).
Read MoreBy: Cameron Abbott, Andrew Gaffney, Harry Kingsley, Rob Pulham, and Stephanie Mayhew
Australia’s corporate regulator, ASIC, has released new guidance on how to comply with market disclosure requirements when a listed company is in the middle of investigating and responding to a cyber incident.
Read MoreBy Paul Haswell and Sarah Kwong
In late January 2024, Hong Kong’s privacy watchdog, the Personal Data Privacy Commission (“PCPD”) raided six premises of Worldcoin, a cryptocurrency initiative co-founded by Sam Altman, that requires an iris scan from clients for identification purposes and also for earning tokens. The PCPD conducted an investigation into Worldcoin’s operations, suspecting that its sensitive personal data (i.e. iris information) collection practices might infringe the Personal Data Privacy Ordinance (Cap. 486).
Read MoreBy Claude-Étienne Armingaud & Sophie Verstraeten
The Information Commissioner’s Office (ICO) recently launched a consultation series on how data protection laws should apply to the development and use of generative AI models (“Gen AI”). In the coming months, the ICO will publish further views on how to interpret specific requirements of UK GDPR and Part 2 of the DPA 2018 in relation to Gen AI. This first part of the consultation focusses on whether it is lawful to train Gen AI on personal data scraped from the web. The consultation seeks feedback from stakeholders with an interest in Gen AI.
Read MoreBy Andrew Glass, Gregory Blase, and Joshua Durham
Effective immediately, the Federal Communications Commission (FCC) banned AI-generated phone calls with its recent Declaratory Ruling (the Ruling). Known as audio or voice “deepfakes,” AI can be trained to mimic any person’s voice, resulting in novel scams such as grandparents receiving a call from their “grandchild” and believing they have been kidnapped or need money for bail. FCC Commissioner Starks deemed such deepfakes a threat to election integrity, recalling that just recently, “potential primary voters in New Hampshire received a call, purportedly from President Biden, telling them to stay home and ‘save your vote’ by skipping the state’s primary.”
Read MoreBy Eric F. Vicente Flores and Whitney E. McCollum
On 9 January, 2024, the Federal Trade Commission (FTC) issued its first settlement prohibiting a data broker from sharing or selling sensitive location data, and required deletion of all location data collected deceptively. The FTC alleged that X-Mode Social (“X-Mode”), and Outlogic, LLC (“Outlogic”), X-Mode’s successor firm, failed to implement reasonable and appropriate safeguards on the use of such information by third parties. X-Mode/Outlogic collected personal information, including location data via its mobile applications, which it would then sell to third parties.
Read MoreIn its judgment dated 7 December 2023 (C-634/21 – Schufa) presented by the Administrative Court Wiesbaden (Germany), the court held that Article 22 of the GDPR (Art. 22 GDPR) applies also to probability values that are created by credit scoring agencies on the basis of personal data and used by third parties in order to decide whether the respective individual is eligible for a credit or establishing a contract.
Read MoreIn a judgment dated 5 December 2023 (Case C-807/21 – Deutsche Wohnen) presented by the Higher Regional Court Berlin (Kammergericht), the Court of Justice for the European Union (CJEU) held that a German law permitting administrative fines against corporate entities where an identified legal representative of that entity was proven to have committed a criminal or administrative offence, which at the same time led to the corporate entity breaching its obligations, is not in line with GDPR.
Read MoreCopyright © 2024, K&L Gates LLP. All Rights Reserved.