Our data, tech and the app-ocalypse

January 2024

In 2013, after Edward Snowden leaked thousands of secret files, the Kremlin’s security bureau did something interesting. They swapped computers for manual typewriters. Russian spooks reasoned hard copies were easier to protect than digital files. Furthermore, hackers might be able to infiltrate sensitive systems, but the old-school art of safe-cracking? It seemed to have fallen by the wayside.

As I get older, I’m beginning to think the Kremlin might have been onto something. Why?

Maybe it’s a generational issue. I’m Gen ‘X’. I grew up without mobile phones or the internet, but became familiar with the technology as it developed from the 1990s onwards. I enjoy technology. I respect it. I’m also, however, sceptical in a way many of my Millennial and Gen ‘Z’ colleagues may not be.

For me it boils down to two concerns – trust and over-reliance. Given how there’s now an app for everything, I have to ask – is the App-ocalypse Nigh? What happens to the increasingly personal and intrusive levels of personal data entered into these ‘everything apps’?

Just because data’s aggregated into zeros and ones, it doesn’t mean it’s ‘tidy’. In fact, I suspect too many digital ‘data warehouses’ resemble the hoarder’s houses you might have seen on daytime TV, with stuff scattered everywhere.

It’s not just apps – the endless requirement to populate online forms is relentless. Now I hear more ‘frictionless facial recognition’ is planned at airports in the UK and elsewhere. And it’s making me uneasy. Technology is wonderful for creating efficiencies and streamlining processes. In my world alone, I see how clever privacy technology solutions ease the burden of data protection compliance.

But is technology always wonderful? Why am I uneasy?

An example – I needed to renew my driving licence. I went on to the Government website and duly entered a great deal of sensitive data. This included my passport number, my mother’s maiden name, my date of birth, my home address and my National Insurance number. This started me thinking… ‘How secure is this platform? What are the Government really doing to prevent my data falling into malicious hands?’

At the other end of the scale, I needed to reschedule a beautician’s appointment (much needed after eating my body weight in chocolate and cheese over Christmas). My call was met by a recorded message. I duly pressed ‘2’ to cancel/change an appointment. I was then informed I must (yes, they did say must) download the app to cancel/change appointments. A look at the app’s privacy information didn’t fill me with confidence, so I rang again, selecting ‘3’ for all other enquiries. After ten minutes of listening to promotions about fantastic rejuvenating treatments, I gave up. What if I prefer not to be forced to register and share my personal details via your app? I’m getting a face treatment, not applying for a pilot’s licence!

At this point, a shout out to the Kennel Club’s customer service. I took out their insurance for my puppy this year. They’re great. I’ve had to call twice, and each time a prompt pick-up from a lovely human. Somewhat of a rarity these days.

I recently read EasyPark Group, the owner of brands like RingGo and Park Mobile, were hacked. Yes, like many others I have RingGo. I was forced to download the app to use a station car park – there was no choice. I also have other parking apps. Oh the joys of standing in the rain in a car park trying to download yet another parking app. Handing over my data to yet another company. Will these companies protect it? What security measures and controls do they have? Did they conduct a DPIA? Was it outsourced to an app developer, possibly outside the UK/EU? Did they do any due diligence?

As well as my fears around data, I also worry for the significant minority disenfranchised by the widescale embrace of what my colleague Simon calls the ‘Mobilical Cord’. It’s so very true – I’m unable to properly function without my smartphone implanted in my paw. I use it to access the internet, my emails, messages, banking and so on. It’s also a crucial part of our company security – to authenticate I am really me.

The 2021 UK Census showed 90% of households had a home computer. 93% had access to a mobile phone. I suspect it’s higher now, but it’s still not everyone. As of 2023, according to research by Statista, 98% of 16-24 year olds have a smartphone. However, this drops to 80% for the over 65s. The less tech-savvy, and particularly the elderly, are being left behind. My mother is 84. I got her a smartphone, but she hates it and doesn’t understand it. Apps? An enigma. She’s also terrified of online scams, knowing how the elderly are disproportionately targeted.

So, now we also face the prospect of passport-free travel. UK Border Force is set to trial e-gate schemes similar to those rolled out in Dubai and Australia. This negates the need to show a passport, instead using facial recognition technology (FRT).

Phil Douglas, the Director General of Border Force has said “I’d like to see a world of completely frictionless borders where you don’t really need a passport. The technology already exists to support that.” He added: “In the future, you won’t need a passport – you’ll just need biometrics.”

According to the Times, the biometric details of British and Irish travellers are already held after being collected in the passport application process. What does Phil Douglas feel about our personal biometrics being potentially harvested by countries with dodgy human rights records?

Too many people will shrug – an end to lengthy queues? Yes please. But who controls my facial map? How will it be used? Will it be shared? How will it be kept secure? Facial recognition tech also raises issues of bias in algorithms, and the potential for mistakes, with serious consequences.

I suspect, one day, there’ll be the kind of disaster one sees in movies, where the Internet collapses for a significant period. What then? I also wonder if, eventually, ambulance-chasers will identify companies using apps to disproportionately harvest data – and playing fast and loose with the safeguards set up to protect us. Will this become the next big Personal Indemnity Insurance (PII) style business opportunity?

What I do know is businesses who put all their eggs in one basket without contingencies, or fail to anticipate risk, are those likeliest to suffer when the app-ocalypse (however it manifests itself) is nigh!

Now, did I mention AI…?

Data protection reflections and predictions

2023 highlights and what’s in store for 2024?

December 2023

What’s been most significant in the world of data protection in past year? And what do we think will be taxing our minds in the year to come? We’ve asked some friends to share their thoughts. Grab a cuppa, sit back and enjoy our musings.

Christopher Whitewood, Privacy and Data Protection Officer, Direct Line Group

2023 was the year that AI got real! AI moved from a debate among subject matter experts to becoming a boardroom concern. The risks of AI have been widely publicised, from your Terminator/Matrix doomsday scenarios, but many businesses have successfully deployed AI to streamline burdensome processes and generate efficiencies.

AI will remain a hot topic throughout 2024 and beyond. Organisations will need to consider how they can build privacy and security into model designs; explain any model deployments and ensure customer outcomes remain fair. Privacy professionals will need to develop their knowledge of AI to have meaningful conversations with interested business areas and aim to enhance their Data Literacy skills. Privacy support will be crucial to help design processes and governance that permit effective, but controlled innovation.

Businesses will need to keep a watchful eye on regulatory developments, following agreement of the EU AI Act and progress of the UK Government’s approach to AI regulation. 2024 will certainly not be dull!

Dominic Batchelor, Head of IP and Privacy, Royal Mail Group

Whilst the implications of AI will continue to feature prominently during 2024, the new year is also likely to bring the first proper post-Brexit divergence of UK data protection laws from the EU. This is both in terms of the substantive changes proposed by the Data Protection and Digital Information (No.2) Bill – notably, the loosening of accountability requirements – and the UK’s potential establishment of ‘data bridges’ to countries the EU does not consider adequate.

How this impacts the UK’s adequacy from an EU perspective remains to be seen, but concerns are bound to be raised, with questions resurfacing about the need to bolster EU-UK data transfers. We should also expect the ICO to use any increased scope for issuing fines for PECR breaches and consequently for organisations to focus more on PECR compliance.

Redouane Serroukh, Head of Information Governance & Risk, NHS Integrated Care Board of Herts and West Essex

2023 has been a record-breaking year for GDPR fines, with Ireland’s Data Protection Commission (DPC) leading the way with a whopping €1.2 billion fine after it found Meta to be in violation of GDPR when transferring personal data from the EU to the US. The DPC also found time to fine Meta €390 million earlier in the year, for falling foul of the requirements of consent for advertising. Meta was not the only company on the DPC’s radar, with TikTok also receiving a €345 million fine for its handling of underage users’ data.

Here in the UK, the ICO’s highest fine in 2023 was also handed to TikTok to the tune of £12.7 million for illegally processing the data of children under the age of 13.

The ten highest fines issued under the UK or EU GDPR have been focused on many of the tech companies with WhatsApp, Spotify and Clearview AI also making it on to the list. It would appear the regulators are not afraid to go for the big companies with equally big fines and are hoping that these will serve as reminders to other companies, big or small, that GDPR compliance is just as important as it has ever been.

Robert Bond, Senior Counsel, Privacy Partnership

For UK/EU to US transfers, we have had Safe Harbour, then Privacy Shield, and in 2023 we got the Data Privacy Framework and the UK Data Bridge. The EU and UK seemed to judge the US as an adequate jurisdiction… but Max Schrems and NOYB have other ideas.

Max Schrems has said: “They say the definition of insanity is doing the same thing over and over again and expecting a different result. Just like ‘Privacy Shield’ the latest deal is not based on material changes, but by political interests.”

Personal data constantly moves internationally, and businesses need solutions. The EU Standard Contractual Clauses are influencing other jurisdictions such as the Middle East, South America, Africa and the Far East. In due course, we may get international data transfer conventions such as the OECD initiative, Data Free Flow with Trust (DFFT).

In my view the DFFT will be a major influence on a global solution, but I think we will see more bilateral agreements in the meantime. Also the EU is likely to speed up the “adequacy” approach, particularly as more and more countries are implementing GDPR-influenced privacy laws.

Sara Howers, Data Protection Officer UK, CGI

2023 has been a frustrating year, waiting to see what/when/if the UK Data Protection and Digital Information Bill (DPDI) will ever see the light of day. Now it’s going through yet another round, with some hat tipping to PECR changes and some AI musings. Until it’s finalised, who knows where it will really land with adequacy rulings, especially now there’s some discussion around revising Human Rights and Equality Bills.

Although, I’m sure most of us have briefed our Senior Management Team about the need for an SRI (Senior Responsible Individual) and how this might change the DPO’s numerous reporting lines (if we still have a DPO?).

The new ICO public listing of the cases their workers are dealing with is also somewhat frustrating. There appears to be no right to query their outcomes which are public entries, especially when you have evidence their conclusions may not be correctly attributed.

I’m sure I won’t be alone when I expect 2024 to be “all about AI”, and I also expect an uptick in Data Subject Access Requests. With many more questions around ADM (automated decision making) and what algorithms are making what decisions, it’s time for everyone to give their Privacy Notices an overhaul.

Michael Bond, Group Data Protection Officer – News UK

Back in the summer, I wrote personally to the Public Bills Committee about the DPDI No2 Bill (as it was then). I asked Government to really grasp the opportunity to innovate in the data protection space, rather than tinker about. I am now concerned, as I am sure others are, that government has not only failed to take the opportunity to show global leadership on data protection issues, but has in fact put information rights on the backburner in the UK. An opportunity lost.

Andrew Bridges, Data Governance Manager, Sagacity

I can’t believe we celebrated five years of the GDPR in 2023. I strongly believe the GDPR was needed at the time it became a regulation but, what still amazes me is how many organisations still grapple with their core understanding of the regulation… yes, five years on!

As we enter 2024, we’ll now have supplementary amends created by the Data Protection & Digital Information Bill to contend with, so it looks like another year of grappling with regulations.

Oh, did I mention AI… we will see rapid experimentation and initiatives in the AI space in 2024. Whilst AI has the potential to be a force for good, we must remember it does come with a warning to ensure it’s used in an ethical way so we don’t see a rise in risk to privacy and potential misuse of personal data.

Charles Ping, Managing Director Europe, Winterberry Group

2024 really looks like it’ll be the year when all the posturing stops, and privacy takes a leap forward with the deprecation of cookies on Chrome. My prediction is that the sky won’t fall in and the disciples of Chicken Licken will wake up to a world that still has blue above our heads, where digital media is still planned, activated, consumed and measured for brands wanting to reach customers.

However, when we reflect on the sometimes partisan arguments of the past 3+ years and the endless posturing to be the next “universal ID”, we will note that this discussion has been hugely important. The whole process of deprecation has fuelled a much wider understanding of the features that define privacy-enabled marketing and measurement. Three years ago, differential privacy, salting and confidential computing weren’t on many marketers’ agenda. They are now.

Importantly, we now have an evolution in the landscape where policy and regulation understands how data protection rules can be used to enhance and fuel market power and sets us on a future path, where privacy and competitive markets are regulated in tandem. That is progress.

Philippa Donn, Partner, DPN Associates

In 2023, I was struck by the ICO’s decision to make it the UK ‘Year of the Reprimand.’ The ICO announced, controversially, that public sector organisations will routinely receive reprimands rather than fines. Around thirty-five reprimands were issued; mostly to organisations in the public sector, but some in the private sector too.

I appreciate fines are the ultimate sanction and act as a deterrent. Conversely, I understand how fining publicly funded organisations only serves to hit the public purse (in effect, taxpayers shelling out for mistakes made by civil servants).

What’s interesting is these reprimands are now published. Offenders are named, with details of errors made and remedies implemented. Rich learnings for us all. Some cases involved companies which suffered sophisticated cyber-attacks. Considering how devastating these can be, and the expense involved in fixing them and implementing changes, I see why a fine might not be the ‘answer.’ In the current economic climate, a financial penalty could lead to job losses or even push a company under.

As for 2024, I’ll be watching closely the fallout from the cookie warning letters the ICO recently issued to some of the UK’s most visited websites. Much of the free content we read online is dependent on advertising. Consent for tracking isn’t going to work; I predict either a stand-off with the ICO or more content being placed behind pay walls. Can trade-offs be made between advertising standards, the law and the risk of excluding those on low incomes from accessing quality online content, particularly journalism?

Simon Blanchard, Partner DPN Associates

There have been some dreadful data breaches in 2023, not least the breach by the Police Service of Northern Ireland. It’s undeniable that breaches occur far too frequently. Yet even in these uncertain times of increased global cyber threat, ransomware, social engineering and so on… the lion’s share of data breaches reported to the ICO still arise from human error; not bad actors! And most are preventable.

In 2024, let’s provide practical information security training to our teams and get to grips with minimising the personal identifiers our teams process outside the core systems (e.g. in Excel or Sheets), where our powers to protect the data may be weaker.

We’ll be sure to keep you updated throughout 2024 on the progress of the UK DPDI Bill, AI developments, international data transfers, the future of cookies and any other surprises along the way!