Enterprises are shaking up their approach to data privacy and governance, new research shows, largely due to added risk factors created by AI adoption.

According to Cisco's 2026 Data and Privacy Benchmark Study, nearly all companies are expanding privacy programs and governance frameworks to protect their data.

AI is the main reason for 90%, with 93% saying they planned further investment to keep up with the complexity of AI systems and the expectations of customers and regulators.

The survey found that 38% spent at least $5 million on their privacy programs in the past year – marking a dramatic increase from just 14% who spent over that threshold in 2024.

Notably, these programs appear to be working well. An overwhelming 96% of organizations reported that robust privacy frameworks were helping unlock AI agility and innovation, and 95% said privacy was essential for building customer trust in AI-powered services.

One interesting change spotted by the researchers is that trust is no longer just a question of meeting regulatory requirements.

Data governance is now seen as a strategic business enabler, with 99% of organizations reporting at least one tangible benefit from their privacy initiatives, such as enhanced agility, innovation, and greater customer loyalty.

Almost half said that clear communication about how data is collected and used is the most effective way to build customer confidence.

As a result, governance is evolving – although many organizations are still working to define and establish the structures they need to manage AI responsibly.

While three-quarters report having a dedicated AI governance body in place, only 12% describe it as mature. Meanwhile, 65% of organizations struggle to access relevant, high-quality data efficiently.

"AI is forcing a fundamental shift in the data landscape, calling for holistic governance of all data – both personal and non-personal,” said Jen Yokoyama, senior vice president, legal innovation and strategy, at Cisco.

“Organizations must deeply understand and structure their data to ensure every automated decision is explainable. It’s not just for compliance, but a necessary scaling engine for AI innovation.”

Data requirements are causing headaches

While 72% of respondents were generally positive about data privacy laws, there is a growing push to streamline and update data requirements, Cisco found.

Just over eight-in-ten organizations surveyed face heightened demand for data localization and global data complexity - and 85% said this adds cost, complexity, and risk to cross-border service delivery. #

Similarly, 77% report these requirements limit their ability to offer seamless 24/7 service across markets.

On top of this, the assumption that locally stored data is inherently more secure is gradually eroding, from 90% in 2025 to 86% in 2026.

“To capture the potential of AI, organizations (83%) are advocating for a shift toward harmonized international standards,” said Harvey Jang, Cisco vice president and chief privacy officer.

“They recognize that global consistency is an economic necessity to ensure data can flow securely while maintaining the high standards of protection required for trust.”

Cisco said enterprises should invest in robust data infrastructure, prioritizing transparency, and embedding security and privacy throughout AI initiatives.

Elsewhere, they should make sure they're making informed decisions about data localization, establish strong AI governance, and kit out their teams with comprehensive training and safeguards.

FOLLOW US ON SOCIAL MEDIA

In January 2025, research from ISACA warned that organizations were deprioritizing privacy budgets and cutting funds for teams. One year on and the situation has deteriorated further, the association claims.

A confluence of challenges, including funding cuts, staff shortages, and growing regulatory compliance pressures are pushing teams to their limits.

Nearly half (44%) of European-based survey respondents told ISACA their teams are already underfunded while 54% expect budgets to be cut further across 2026.

Around four-in-ten (39%) legal privacy workers and over half (51%) of technical privacy workers also reported staff shortages across their teams.

These funding cuts could have severe consequences further down the line, the association warned, especially as organizations continue ramping up adoption of AI tools.

Nearly half (49%) of respondents revealed that managing risks associated with emerging technologies is now a major obstacle to their long-term strategies. The pace of technological change is also having a marked impact on morale and workloads, with more than one-third (68%) highlighting this as a key challenge.

Adding insult to injury, 64% identified compliance-related challenges off the back of new technologies as a key stress driver, with teams forced to pivot rapidly to accommodate for regulations.

Chris Dimitriadis, global chief strategy officer at ISACA, said the study shows privacy teams are now being asked to “manage more risk with fewer resources” – and the impact is beginning to show across Europe.

“As organizations adopt new technologies at speed, the volume and complexity of privacy obligations grow in parallel – yet many teams are still operating without the staffing, funding or training they need to keep pace,” he commented.

Privacy teams are bracing for impact

Privacy teams are frightfully aware of the potential risks associated with understaffing and budget cuts – it’s a trend they’ve contended with for several years now, the study noted.

Notably, many teams are bracing for impact as the effects of these trends come to fruition. More than one-quarter (26%) of respondents told ISACA their organization is “likely to experience a material privacy breach” within the next year.

“Together, this highlights a growing contradiction for European organizations: privacy risk and regulatory expectations continue to rise, while investment in people and resources is being scaled back,” ISACA said in a statement.

Boards still aren’t tuned in

Despite repeated calls for heightened support, privacy professionals still feel board-level attention is “inconsistent”. Just over one quarter (26%) of respondents said their board is “failing to adequately prioritize privacy” regardless of intensified risks.

“When boards underestimate privacy, they underestimate a fundamental pillar of digital trust,” Dimitriadis said. “A single privacy breach can erode years of brand equity, damage customer relationships and trigger significant regulatory consequences.

“Prioritizing privacy is not simply a compliance requirement; it is a business imperative.”

There are positives with regard to privacy awareness, however. The potential monetary penalties associated with regulatory compliance failures mean executives are beginning to pay attention.

More than three quarters (79%) of respondents in Europe said they now use a framework or regulation such as GDPR to “guide their privacy program”.

64% now have a formal incident response plan embedded within their broader privacy strategies, a figure which ISACA said could be improved upon.

However, nearly half (44%) of respondents said the board views their privacy programs as merely “compliance-driven” and not from a holistic perspective.

ISACA warned this is a “narrow focus” which fails to fully address privacy-related risks, thereby leaving organizations exposed.

“These gaps underline a critical truth: privacy cannot be strengthened solely through controls or checklists,” Dimitriadis commented. “It demands sustained investment in people, governance and culture – and that begins at the top.”

FOLLOW US ON SOCIAL MEDIA

MEPs are calling on the European Commission to establish more robust rules on the use of algorithms in recruitment and staff management amidst concerns over privacy and discrimination.

According to recent EU research, 42% of EU workers are currently subject to algorithmic management in the workplace, a figure expected to rise to 55.5% within the next five years.

There's already legislation on artificial intelligence and data protection at EU level, including the EU AI Act and GDPR, while rules focusing more specifically on the use of AI at work are laid out in the Platform Work Directive.

However, the EU lawmakers believe that more specific legislation is required. It has now proposed a series of recommendations aimed at ensuring that the use of automated monitoring and decision-making systems in the workplace is transparent, fair, and safe.

The main thrust of the proposals is that there must be human oversight of all decisions taken or supported by algorithmic management systems.

Workers should have the right to request explanations of any decisions taken or supported by such systems - and, if a worker believes his or her rights to have been infringed, they should have the right to ask for a review.

If successful, the system in question could be modified or discontinued.

Decisions on the offer or termination of employment, the renewal or non-renewal of a contract, changes in pay, or disciplinary action should always be taken by a human and be subject to human review.

"This topic affects both employers and 200 million workers in the EU. A human-centered approach is key, and the rights, safety, and dignity of employers and employees must be strictly respected," said MEP Andrzej Buła.

"This sends a strong signal: Europe can combine competitiveness with social responsibility. It can support innovative enterprises without sacrificing high standards and employee protection."

Cracking down on ‘algorithmic management’

A key focus of the crackdown centers on the fact that workers should be informed about how algorithmic management systems impact working conditions, when they're used to take automated decisions, what type of data they collect or process, and how human oversight is ensured.

MEPs believe workers should be consulted when these systems are used to make decisions affecting pay, evaluation, task allocation or working time.

Similarly, the use of these systems should respect wellbeing and not put workers' safety or physical or mental health at risk.

To protect workers’ privacy and data, the proposed rules would ban the processing of data relating to the emotional, psychological or neurological states of employees, as well as their private communications or geolocation outside working hours.

Elsewhere, the guidelines aim to limit the use of employee data while off-duty, as well as the use of data relating to freedom of association and collective bargaining.

There were 451 votes in favour of the recommendations and 45 against, with 153 abstentions. The European Commission now has three months to respond, by either informing Parliament on the steps it plans to take, or by giving reasons for a refusal.

FOLLOW US ON SOCIAL MEDIA

Mistral AI, the French competitor to generative AI firms like OpenAI and Anthropic, has unveiled a new set of capabilities and partners for its AI assistant, Le Chat.

The first of these enhancements is Memories, which allows Le Chat to learn from previous interactions and refer back to previous insights, decisions and references. According to Mistral AI, this will help to “ensure continuity and deeper understanding over time”.

“Users stay in full control of their data as Le Chat allows anyone to add, edit, update, or remove any entry at any time, with clear privacy settings,” the company said, going on to claim that its memory capacity is “10 times higher than competitors for paying users and five times for free users”.

In addition to Memories, the company has also added over 20 Connection Partners to Le Chat, including Atlassian, Box, Stripe, GitHub, and Cloudflare, with Salesforce, Snowflake, and Databricks joining the line-up “soon”.

The integration of these Connection Partners gives Le Chat access to all relevant internal documentation.

Mistral added that both the new features, Memories and Connection Partners, are consistent with its commitment to building “privacy-first AI products”, adding they are “designed to ensure users have full control over their data”.

“This release makes Le Chat stand out as enterprise's most well-connected AI assistant,” the company said. “Users can now get a personalized experience, and build workflow automations across commonly used enterprise platforms.”

Commenting on the announcement, Ben Kus, CTO of Box, said: “AI delivers the highest ROI for enterprises when it adapts to their needs and is enriched by their unique business content and data.”

"Our integration with Mistral's Le Chat, together with the Box MCP server, brings powerful conversational AI directly to global customers' content in Box,” Kus added.

Mistral has a penchant for privacy

While Mistral AI’s claim to make “privacy-first AI products” is clearly its own marketing line in action, there’s nevertheless a grounding in truth.

Research from Incogni carried out in May 2025 ranked Le Chat as the least privacy-invasive platform, with ChatGPT and Grok coming in second and third respectively. At the other end of the scale were Meta.ai and Gemini.

This reputation has also helped the company make a name for itself in the growing field of sovereign AI. In June 2025, at VivaTech, the company announced a collaboration with Nvidia to create sovereign AI services in Europe.

Similarly, in July of the same year it launched AI for Citizens which saw the company working “in close partnership with governments and local entities to build solutions to local needs and goals”, with an emphasis on data sovereignty.

MORE FROM ITPRO

• Is the future of business AI specialized services? | IT Pro
• New Dell AI Factory partners debuted at Dell Technologies World 2025 | IT Pro
• Microsoft’s Mistral AI partnership has EU regulators concerned - here’s why | IT Pro
• Nvidia, Deutsche Telekom team up for "sovereign" industrial AI cloud | IT Pro

SAP has announced a significant expansion of its sovereign cloud offering with a new “On-Site” solution.

The launch of the On-Site model will give customers the ability to host managed cloud infrastructure within their own facilities in a move the tech firm said provides the “ultimate level of physical control and data residency”.

Thomas Saueressig, member of the executive board of SAP SE for customer services and delivery, said the expansion is in direct response to growing enterprise calls for heightened data sovereignty controls.

“Organizations around the world are seeking greater control over their digital environments,” Saueressig said.

“With Sovereign Cloud On-Site, SAP empowers customers to define their own sovereignty boundaries while leveraging our global infrastructure expertise and partnerships.”

The new On-site option aims to offer “flexible sovereignty models” that meet the needs of organizations operating across various areas, SAP said, particularly governments and businesses in regulated sectors.

Varied deployment options mean organizations can choose between SAP-hosted infrastructure, hyperscaler-based models, or customer-site hosted options.

“With SAP Sovereign Cloud On-Site, we are redefining what sovereignty means for our customers,” said Martin Merz, president of SAP’s sovereign cloud division.

“By placing SAP-managed infrastructure directly within customers’ own facilities, we offer unmatched control, compliance, and operational assurance without compromising innovation.”

What to expect from SAP’s sovereign cloud

SAP said its sovereign cloud initiative centers around a series of “core capabilities”, which naturally includes a strong focus on data sovereignty.

Under the scheme, organizations retain full ownership and control of sensitive data, based on local regulatory requirements.

“Operational sovereignty” features allow enterprises to manage environments with SAP resources while “technical sovereignty” enables customers to run SAP workloads using deployment options based on their individual needs - this applies to those operating in regulated industries, for example.

Sovereign cloud in the spotlight

Data sovereignty has become a recurring talking point on both sides of the Atlantic in recent years. In May 2024, industry analysts told ITPro that sovereign cloud services are now the “bare minimum” expected from European customers.

A key factor behind this growing demand is the array of stringent regulatory requirements introduced - or currently being introduced - in Europe. Naturally, providers have acted swiftly to meet this demand.

A host of industry heavyweights, including Google Cloud, Amazon Web Services (AWS), Microsoft, and Oracle, have all since launched dedicated sovereign cloud services for European customers.

Recent months have seen new concerns arise about data sovereignty, with research showing enterprises in the UK and EU both cited worries about US interference.

These concerns came after the Trump administration issued a memorandum in early 2025 pledging to defend American tech companies from “overseas extortion”.

In the wake of the move, Microsoft president Brad Smith said the tech giant would resort to legal action to protect EU customers from US demands to shut down services.

MORE FROM ITPRO

• SAP names Augusta Spinelli as new EMEA president
• Capgemini and SAP are teaming up with Mistral – here’s why
• SAP rolls out ‘Joule for Developers’ AI coding assistant

The Data (Use and Access) Act has received royal assent and has now become law, with its various provisions coming into force over the next 12 months.

Updating the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA), and the Privacy and Electronic Communications Regulations (PECR), it sets out how personal information can be used for research.

It loosens restrictions on some automated decision making, makes provisions for using some cookies without consent, and allows charities to send people electronic mail marketing without consent in certain circumstances. It also requires organisations to have a data protection complaints procedure and introduces a new lawful basis of recognised legitimate interests.

"For too long, previous governments have been sitting on a goldmine of data, wasting a powerful resource which can be used to help families juggle food costs, slash tedious life admin, and make our NHS and police work smarter," said technology secretary Peter Kyle.

"These new laws will finally unleash that power for hardworking people – putting cash back in pockets and boosting vital public services, all part of our Plan for Change."

The government is pushing the benefits to the NHS, saying it will ensure that healthcare information, such as a patient's pre-existing conditions, appointments, and tests, can easily be accessed in real time across all NHS trusts, GP surgeries, and ambulance services, no matter what IT system they're using.

Enabling data sharing across platforms, it said, will save NHS staff 140,000 hours a year in admin tasks.

"No longer will patients be left waiting needlessly for treatment as NHS staff battle 'computer says no' bureaucracy," said secretary of state for health and social care Wes Streeting.

"We're making it easier for GPs, nurses, and paramedics to access the information they need, when they need it, safely, securely, and at speed."

The Act gives the Information Commissioner's Office (ICO) new powers, including the ability to compel witnesses to attend interviews, request technical reports, and issue fines of up to £17.5 million or 4% of global turnover under Privacy and Electronic Communications Regulations (PECR).

The ICO has published a catalogue of resources to help explain what this new legislation means for businesses.

"Over the coming months we will launch new guidance, open consultations, and provide practical tools to help embed the Act's principles into everyday operations," said information commissioner John Edwards.

"Our goal is to ensure that data can be used confidently and responsibly to deliver better services, drive economic growth, and uphold public trust."

Organizations, said the ICO, should prepare by familiarizing themselves with the changes, making sure they're doing enough to satisfy the new explicit requirements for online services that children are likely to use and, if necessary, overhauling their complaints procedures.

There's more information from the government here.

The Data Use and Access Bill is a piece of legislation introduced by the UK government to allow for a greater level of data sharing and data exchange within both public and private sector organizations.

Introduced to parliament towards the end of 2024, the government says this bill could save millions of hours for many public sector workers as well as add an estimated £10 billion to the UK economy over a period of 10 years. The bill can be divided into seven sections according to the government, with the first centered on the enablement of “smart data” use outside the finance sector.

It would regulate the provision of digital verification services, digitalize birth and death registrations, make changes to the UK’s data protection regime, and transfer the function of the Information Commissioner’s Office (ICO) to a new Information Commission.

The bill would also make further provisions about the use of or access to data in areas such as health and social care, smart meter communication services, public service delivery, and online safety.

"With laws that help us to use data securely and effectively, this Bill will help us boost the UK’s economy, free up vital time for our front-line workers, and relieve people from unnecessary admin so that they can get on with their lives," technology secretary Peter Kyle said at the time of the bill’s announcement.

Experts from the tech sector have broadly welcomed the legislation, commending its focus on improving efficiency. Alex Laurie, senior vice president at Ping Identity, said that any legislation of this kind is a positive step.

“From my perspective, anything that makes it easier for us to do business as a citizen is massively important,” Laurie tells ITPro. “If it takes time out of people's working day I think it's an important thing.”

How will the Data Use and Access Bill affect the public sector?

This legislation has the public sector at its core, with many of the bill’s benefits noted by the government relating to heightening efficiencies in the UK’s police force or the National Health Service (NHS).

Within the NHS, for example, administrative processes can be very lengthy and time consuming, having a negative impact on the organization and the customer. Laurie expressed his own understanding of this, referring to a study his firm undertook regarding disabled parking permits.

“We did an analysis a few years ago on how many agencies and individual units were involved in getting a blue badge for someone, and it was like 35 different steps, which all needed identification, verification, proof,” Laurie says.

This bill will likely hone in on a set concept of data portability, Laurie adds, which is an important step forward in speeding up these sorts of processes. Lauren Wills-Dixon, solicitor at Gordons, tells ITPro the bill will also lay out a more coherent, straightforward idea of what data can be used and for what purposes.

“The bill introduces this concept of recognized legitimate interest to give organizations certainty,” she says.

Wills-Dixon explains that it will recognize several legitimate interests including national security processing, emergency response, and safeguarding efforts.

It will also cut red tape in the public sector, according to Richard Fayers, data and analytics practice lead at Slalom, reducing the lengths that workers have to go to in recording personal data use.

How will the Data Use and Access Bill affect the private sector?

While there’s a huge opportunity in the public sector space, Fayers is keen to point out how elements of the bill – such as the smart data schemes – will likely drive innovation across the private sector landscape.

For example, he suggests the bill could introduce a greater level of openness for UK businesses and turn attention towards open standards akin to what has been seen in the finance sector with open banking. Fayers sees massive opportunities across sectors by building on this interoperability of data.

There may also be better forecasting of public demand through a pooling of company information, Fayers adds, as well as the potential for businesses to share data to offer collaborative schemes or experiences to customers. Businesses could then give customers a unified profile that works from company to company.

Bill Wright, global head of government affairs at Elastic, echoes some of these predictions for potential advantages to the private sector. The bill will allow firms in every sector to access and analyze consumer data more effectively, Wright tells ITPro.

“Simplifying the data sharing rules are going to, maybe, break down some of those silos between industries and create some opportunities for startups to compete with some of the more established players,” Wright says.

It may even increase foreign investment into the UK, Wright says finally, by showing those outside the UK that the country has a data processing environment both predictable and innovative.

What do IT leaders need to know about compliance?

As with any new piece of legislation, the data use and access bill will require some degree of reorganization from firms when it comes to ensuring compliance. That being said, Wills-Dixon predicts companies that are already compliant with GDPR don't face serious challenges to becoming compliant with the Data Use and Access Bill.

“If you're carrying out research, statistical use of data, or processing in the public interest and things like that, then it will help, but for most commercial organizations, your obligations are going to be very similar as drafted,” Wills-Dixon adds.

That said, Fayers warns the new Information Commission will have enhanced enforcement powers and businesses will also need to ensure they can demonstrate robust security and data governance. This will demand a greater focus on compliance certification and accountability frameworks, Fayers says.

“If you're seen to be transparent – if you're providing customers with assurance and visibility of how you're managing this risk as well – that could also be seen as a benefit, whilst there's a cost,” Fayers concludes.

MORE FROM ITPRO

• What is chaos engineering and how can it benefit businesses?
• What is quiet firing?
• Why magic links should be the default password replacement

Only half of UK businesses are fully complying with all data privacy regulations and industry guidelines - an improvement, but not much of one.

Research from Zoho Digital found that the figure has risen from 2023's 42%, but that many businesses still need to improve their data practices.

On the plus side, transparency of data practices emerged as a growing strength, with 50% of respondents saying that their data privacy policies are clear, simple, and transparent, up from just 33% in 2023.

"According to Zoho’s Digital Health survey, businesses must improve transparency around data usage as a clear step toward ethical behaviour," said Sachin Agrawal, Zoho managing director.

“This will play an important role in improving customer experience, strengthening customer relationships."

The survey revealed that 47% of businesses now view data privacy as a critical part of their success, and that 46% conduct regular data privacy training for employees.

However, it also identified serious gaps where businesses are falling behind. Only three-in-ten businesses reported going beyond requirements to provide additional protection for customer and employee data.

This, Zoho noted, suggests that while businesses are meeting their compliance requirements, few are taking proactive steps to enhance data protection.

"In an increasingly data-driven world, organisations must prioritize data privacy throughout their operations. It is encouraging to see the growing recognition of data privacy’s role in driving business policies, but there is still a lot of progress to be made," said Agrawal.

"To unlock the full transformative potential of technologies like AI, businesses must have clear and well-defined data strategies which both protect customer and employee data but enable flexibility of use in the right way."

The report comes hot on the heels of research from ISACA, which found only a third of data privacy professionals are confident in their organization’s ability to safeguard sensitive data, and just a quarter follow Privacy by Design best practices.

Their teams underfunded, they said, and more than half told ISACA they expect budgets to decline this year.

ISACA warned that many organizations risk falling foul of GDPR and new legal frameworks such as the Digital Services Act and EU AI Act.

Recently, Charlie Bromley-Griffiths, senior legal counsel at legal document management software form Conga, told ITPro that UK businesses had made substantial strides in aligning with privacy legislation.

"Companies have implemented stronger data governance policies, enhanced security protocols and prioritized the rights of data subjects," she said. "However, challenges still remain, particularly for small and medium-sized enterprises struggling with the complexity and cost of full compliance."

Data privacy professionals think their organizations are underfunding their work, and there's no light on the horizon as budgets are set to be squeezed further in 2025.

In a recent survey, more than half told ISACA they expect budgets to decline this year, up from 41% last year. Meanwhile, only a third said they were confident in their organization’s ability to safeguard sensitive data, with just a quarter always practicing Privacy by Design.

As a result, ISACA warned many organizations risk falling short of compliance with GDPR and new legal frameworks such as the Digital Services Act and EU AI Act.

“As the threat landscape continues to evolve in complexity, privacy is becoming a sector which is increasingly difficult to operate in, but also more critical," said Chris Dimitriadis, global chief strategy officer at ISACA.

"Two-thirds of the European professionals working in privacy roles who we spoke to said their job is more stressful now compared to five years ago. This is only being exacerbated by continued underfunding. While companies may be making a short-term financial gain, they are putting themselves at long-term risk."

Half of technical data privacy teams in Europe remain understaffed, the survey found, much the same as last year, while a third struggle to retain qualified privacy professionals.

Those that do always practice Privacy by Design do rather better, with 43% saying their technical data privacy teams are appropriately staffed. Six-in-ten said they were highly confident in their technical privacy teams as a result.

"Practicing Privacy by Design and embedding privacy across an entire enterprise is key to long-term data protection," Dimitriadis said.

"Such a comprehensive approach fosters trust with stakeholders and safeguards against ever-evolving threats – but this isn’t possible without skilled privacy teams who feel prepared and able to drive privacy practices from a technology, business and compliance point of view."

The data privacy skills gap is growing

Skills gaps were also highlighted as a key issue for data privacy professionals, ISACA found. The biggest reported skills gaps were experience with different types of technologies and/or applications, cited by 63% of respondents.

A lack of technical expertise and IT operations knowledge and skills were also flagged as major concerns. As a result of this shortfall, nearly half of organizations said they offer training to allow staff from non-privacy backgrounds to move into roles in this domain.

However, it’s experience that’s key to plugging this skills gap, the study noted.

Nearly all respondents said they consider compliance and legal experience an important factor in determining if a privacy candidate is qualified. Nine-in-ten also consider industry credentials as important, while only 54% said the same about a university degree.

"There are several ways to plug the skills gap," said Dimitriadis.

"Providing training and continuous support for privacy staff on emerging technologies, privacy-enhancing technologies, and cybersecurity and data protection architectures on top of legal compliance knowledge is essential for managing their stress and maintaining organizational resilience."

It's been four years since the UK General Data Protection Regulation (GDPR) came into force after the UK left the European Union (EU).

However, while the UK legislation remains aligned with that of the EU, it gives the UK the independence to keep the framework under review.

Like the EU GDPR, the UK version places requirements on organizations that process personal data, based on seven principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality and accountability.

Charlie Bromley-Griffiths, senior legal counsel at legal document management software form Conga, said that while the legislation has delivered marked benefits, lingering issues remain.

"Over the last four years, UK businesses have made substantial strides in aligning with UK GDPR requirements. Companies have implemented stronger data governance policies, enhanced security protocols and prioritized the rights of data subjects," Bromley-Griffiths said.

"However, challenges still remain, particularly for small and medium-sized enterprises struggling with the complexity and cost of full compliance. GDPR mandates stringent measures to safeguard consumer data, which includes data storage, processing and transfer practices, all of which impacts organizations’ data strategies and operational costs."

Brexit has also caused issues with regard to the transfer of personal data between the UK and the European Economic Area (EEA), along with UK controllers who have an establishment or customers in the EEA, or who monitor individuals in the area.

While the EU GDPR still applies to this processing, the way organizations interact with European data protection authorities has changed.

"The international data landscape is now rather complex. UK businesses handling data from the European Union (EU) must also comply with the EU GDPR," said Bromley-Griffiths.

"Then, of course, there is the US-UK data bridge, which forms part of the EU-US Data Privacy Framework and permits the flow of EU-based data to the United States under certain conditions."

All this, she said, highlights the importance of maintaining two or more compliance strategies to make sure operations across borders go smoothly – and, ultimately, keep the trust of customers, reassuring them that their data is safe.

Looking ahead, Bromley-Griffiths expects regulatory bodies to look at cracking down harder on repeat offenders or businesses that have suffered significant data breaches.

Meanwhile, the UK GDPR is likely to be amended, with the introduction last October of the Data Use and Access Bill in the House of Lords. With this bill, and in future, the UK is unlikely to diverge significantly from EU legislation.

It currently enjoys 'data adequacy' with the EU, meaning that personal data can be transferred freely between the two. If this were lost, it could be an economic disaster.

However, more minor changes, said Bromley-Griffiths, could be on the cards.

"Given how quickly cyber threats are evolving, the UK GDPR standards may be updated. Businesses need to have the appropriate tools and measures in place to ensure that they are ready to adapt to any legislative changes," she said.

"Organizations must remain committed to investing in their employee’s ongoing education but also in the right technology to safeguard personal data."

Just over 20 years ago, in The Matrix: Reloaded, Keanu Reeves taught us an important lesson about technological sovereignty. Mid-way through the film, he arrives back in the last remaining human city, Zion, deep underground, and stands on a balcony with Anthony Zerbe, looking out over a field of servers. 

Together, facing an impending machine invasion, they speculate on the nature of control. Reeves – with his usual gravelly brevity – neatly sums it up: if we wanted to, he says, we could shut the machines down. 

Over the last few years, especially in the wake of Brexit, the issue of control and sovereignty has become increasingly pertinent. The networking and cloud market has seen a raft of challenges when it comes to control, freedom, and transparency, making life more complex and, at times, difficult for channel partners. 

From vendor lock-in to rising prices, threats of international surveillance, and scrutiny from Ofcom into bundling and competition, there is more and more to track today, with each consideration taking up valuable time for channel partners and increasing the overall length of the sales cycle.

And with respect to Mr Reeves – particularly as he does make an important point about the nature of control – the discussion is somewhat more nuanced than the ability to simply shut servers down. 

What is data sovereignty?

Data sovereignty is about both control and freedom: it’s the ability to control all aspects of your data, and allowing customers the ability to do the same, practically, politically and economically. 

If you don’t have the freedom to move your data, you aren’t in control. For this reason, sovereignty is often associated with residency (where your data is stored) which closely influences how it is handled. 

Many people associate data sovereignty with General Data Protection Regulation (GDPR). UK GDPR applies to personal data, and states that data must be stored within the EU or in a country outside the EU that can offer an ‘adequate’ level of data protection, and that data is used ‘fairly, lawfully and transparently’. 

However, local country laws also apply, adding a layer of complexity. In particular, the location of the head office of a data center owner intersects with these regulations, making it crucial that organizations understand the nuance and impact of where they choose to locate their data. 

There is plenty of non-personal data that requires good governance, which is why we also need international standards for data and cloud security. As most channel partners know, we also have standards for this, including the likes of ISO 27001, and ISO 27018 for cloud environments specifically. 

From a regulatory perspective, data from specific industries needs to be stored in an appropriate environment and handled according to best practice. For example, in the UK we have PCI-DSS, which governs how payment data is handled, and so on. 

Channel partners that can find a cloud provider with infrastructure that is already compliant with these regulations can make life much easier.

Cyber security is also an important component of good sovereignty: knowing where customer data is and how it will be handled means it won’t be exposed to potentially adverse situations, like being processed for national intelligence purposes.  

Moving beyond residency

Responsible data sovereignty is about more than just residency and handling. For example, it’s important to consider freedom of (or control over) choice in terms of hardware – and therefore where equipment was manufactured, for example. 

Clearly, it’s also no good knowing where customer data is, and having it in a well-established location if you can’t move it when things change. Portability is a key part of sovereignty, but has a number of components, including both standards and commercial arrangements. 

To start with, non-proprietary or open-source software, such as OpenStack or Docker, can help to create standardized environments which are easy for customers to move data in and out of. 

Furthermore, it’s also important to consider other aspects of portability, such as choosing a provider that allows you as a channel organization to move data when needed – including fair ingress and egress fees. This gives both you and your customers greater freedom and sovereignty. 

This may have been exactly what Keanu was talking about, making sure that the human resistance could turn its servers on and off when needed – or scale them up and down to meet the growing (or perilously shrinking) population of the underground city. 

It’s also what Ofcom has been looking into, ensuring that competition in the cloud market is good for the UK market, and that ingress/egress fees are not unfair, for example. 

With all this in mind, it should be easy to understand why a broad definition of sovereignty is important. Digital freedom is intrinsically valuable, and channel and end-user organizations alike should be able to control and manage their data how they wish and have a free choice of vendors. 

However, it goes well beyond this: being able to store and handle data in the way that is right for your company and your customers allows you to move it when it’s beneficial for you to do so. 

Risks and rewards

Like the seemingly doomed population of Zion in the Matrix, it’d be easy to sum up by looking at the negative side of the debate. For example, one risk of not considering data sovereignty includes data being subject to country-specific rules that are in conflict with best practice in your region.

This might mean data being processed for economic intelligence reasons, which in some cases could constitute a data breach – and no-one has to be reminded about the crushing fines and reputation damage that come with a personal data breach under GDPR.

It’s far better to look on the positive side. Channel companies that do consider data sovereignty from the outset will tend to have a more consultative relationship with customers. 

Channel partners with a good grasp of data sovereignty will have an inherently orderly, flexible, secure, and compliant infrastructure where data is well-governed and appropriate rules are set for your customers’ business, sector, and region. 

Or to take another Keanu-related piece of advice, as Ian McShane advises us in the John Wick series, without rules, we live with the animals. 

20 years on, Keanu’s movies are still teaching us about best practice in data handling and sovereignty. 

Zoom has issued a clarification over items in its terms of service that relate to the use of user data for AI training after a series of LinkedIn posts criticized the firm for allegedly not giving users any way to opt-out.

Users had objected to several clauses that stated Zoom could use customer content, such as uploaded files and data or transcripts and analytics that result from Zoom calls, to train and tune algorithms and models for artificial intelligence (AI) and machine learning (ML).

Points 10.2 and 10.4 in the terms of service had drawn particular concern, as they stated Zoom could use the content for the purposes of “machine learning, artificial intelligence, training, testing, improvement of the Services, Software, or Zoom’s other products, services, and software, or any combination thereof”.

Zoom has rejected criticisms of its terms, and restated that customers have a choice over what their data is used for.

“Zoom customers decide whether to enable generative AI features, and separately whether to share customer content with Zoom for product improvement purposes,” a Zoom spokesperson told ITPro.

Alongside its well-known video conferencing software, the firm has released Zoom IQ, an AI assistant that can summarize meetings and action items from conference calls.

Within businesses that adopt Zoom IQ, administrators have control over whether information is shared with Zoom for training purposes, and can revoke consent they may grant to Zoom for these purposes at any later date.

Users can continue to use Zoom IQ's generative Ai features regardless of whether they opt-in to data sharing or not.

Zoom also collects ‘Service Generated Data’ (SGD), the phrase it uses for diagnostic and telemetry data alongside any other data that Zoom collects or generates as a result of customer use of its services and software.

The terms agreement states that Zoom users grant the firm a “perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license” to handle SGD as the firm deems appropriate within the boundaries it has set out.

Greg Wilson, ​​senior software engineering manager at Deep Genomics, wrote a post on LinkedIn urging businesses to drop Zoom as a platform while the practice remained in place.

Zoom COO Aparna Bawa replied to the post, explaining that the terms were intended to improve transparency rather than cause concern.

Separately the company published a blog post in which it addressed the new terms of service, which came into effect in March 2023.

“In Section 10.4, our intention was to make sure that if we provided value-added services, such as a meeting recording, we would have the ability to do so without questions of usage rights,” wrote Smita Hashim, chief product officer at Zoom.

“An example of a machine learning service for which we need license and usage rights is our automated scanning of webinar invites/reminders to make sure that we aren’t unwittingly being used to spam or defraud participants. 

“The customer owns the underlying webinar invite, and we are licensed to provide the service on top of that content. For AI, we do not use audio, video, or chat content for training our models without customer consent.”

Some LinkedIn users compared the changes to recent moves by Google.

In July, the search giant changed its terms of service to explicitly allow the company to train its AI models on publicly-available data.

A passage in its privacy policy, which had referenced the use of publicly-available information such as text from open-access websites for training Google’s language models was amended to include reference to Google AI products such as Bard.

Google specifically stated that firms with business information on a website could have this indexed for use in Google services.

The change drew criticism from some in the industry, who pointed out that it could give the firm an unfair advantage over competitors. It has also been compared to OpenAI, which is widely believed to have used a large amount of public data to train models such as GPT-4.

OpenAI quietly released GPTBot configuration on 7 August, which will allow admins to prevent their web data from being scraped for inclusion in future models trained by the firm. 

Other companies are facing similar questions as the AI race heats up, with productivity tools such as Google Duet AI and Microsoft 365 Copilot facing scrutiny.

In a post on Mastodon, security researcher Kevin Beaumont suggested that changes such as automatically generating transcripts with generative AI could give individuals insight into private corporate meetings through GDPR mechanisms.

“Probably my favorite unconsidered vector with AI is MS Copilot plans to do meeting summaries and transcriptions... so if you want to find out what a company is saying about you in meetings, wait a year and get in that GDPR subject access request,” wrote Beaumont.

ITPro has reached out to Google for more information.

Companies that suffer data breaches face a significant drop in income on top of the typical associated remediation costs, new research has suggested. 

A report from ExtraHop found that public companies experience an average net income drop of 73% within the first year of a data breach’s disclosure, highlighting the painful financial repercussions of security incidents. 

The company’s analysis focused on the overall costs associated with data breaches at six unnamed organizations, taking into account potential regulatory fines, legal settlements, and cyber insurance costs on top of any impact to earnings.

“Nearly all” organizations experienced a decline in quarterly earnings in the wake of a data breach, the report found, while stock prices were often found to drop significantly. 

In one example, a company’s stock price dipped nearly 21% the day after a breach was disclosed. In this same incident, net income dropped 27% year-over-year in the quarter that the breach occurred.

These income-related losses are compounded by the fact that companies also encounter a domino effect of costs in the wake of a breach, ExtraHop said. 

Losses incurred in the aforementioned example from ExtraHop were in addition to over $1 billion in reported costs, which included regulatory penalties, legal fees, and “multiple settlements with consumers, businesses, and individual states”.

“Net income for five of the organizations we studied sank an average of 73% within nine to 12 months of each organization announcing a breach. 

“In addition, in nearly all cases, quarterly earnings declined and stock prices dropped significantly after data breaches.”

The study noted that while “economic and other business factors” may also have contributed to sluggish financial performances, there is “no question” that the breaches impacted company performance.

Patrick Dennis, CEO at ExtraHop, said the research highlights the “ripple effect” that a security incident could have on company finances due to reputational damage and a loss of consumer or client trust. 

“When a data breach hits, real people lose real money - it goes way past the upfront costs that accompany stolen records and the number of people affected,” he said. 

“Both investors and customers lose faith in the business, which has a ripple effect on the organization for years to come. It’s important that corporate leaders take a hard look at their budget and make the cyber security investments they need to more effectively manage risk.”

High stakes for businesses

Data breach costs can become a significant burden for organizations in the wake of an incident. Research from IBM showed that UK businesses pay an average of £3.4 million in overall costs following an incident. 

Although the report emphasized the potential financial repercussions of a data breach, the 2023 figures published last month mark a decrease compared to 2022, which saw the average cost stand at £3.8 million. 

The report noted, however, that this is still a 9% increase on 2020 figures, underlining the rising costs associated with data breaches over the last three years. 

Stronger regulatory standards have been introduced in recent years to protect consumers and businesses in the wake of a data breach, most notably with the EU’s GDPR legislation. 

Last week the US Securities and Exchange Commission (SEC) also introduced far stricter reporting standards for public companies that encounter security incidents. 

New rules outlined by the commission will require companies to disclose a data breach or security incident within four days of the event unfolding. 

The new ‘Form 8-K’ rules will mean firms are required to provide information on the timing of the incident, as well as its scope and potential impact on customers or clients. 

The European Commission has adopted the adequacy decision for the EU-US Data Privacy Framework after years of talks, but experts have indicated it will struggle to uphold it in court.

In its decision announced on 10 July, the Commission found that the US upholds a level of protection comparable to that of the EU when it comes to the transfer of personal data. 

Companies that comply with the extensive requirements of the framework can access a streamlined path for transferring data from the EU to the US without the need for extra data protection measures.

The framework is likely to face legal action and be overturned, according to Nader Henein, research VP of privacy and data protection at Gartner.

“It takes one step closer to what the European Court of Justice needs, but it takes one where the Court of Justice needs it to take five, or ten steps,” Henein told ITPro.

“Maximilian Schrems already said he was going to do it, and if not him someone else will like the EFF or multiple privacy groups. What we’re telling our clients is two to five years, depending on who raises the request, when they raise it, and who they use.”

A potential legal challenge could move more swiftly if the individual complaint was made against a known entity such as Facebook, which was the subject of the Schrems II verdict that took down the old framework known as Privacy Shield.

Schrems has posted a series of tweets comparing the new adequacy agreement to Privacy Shield, and vowed to fight it in the courts.

Henein said businesses are being advised to use the next two years to set up plans that are not dependent on the EU-US Data Privacy Framework, and noted that many firms will be approaching suppliers to demand they protect against more expensive disruption.

The European Commission has stated the framework will be subjected to regular reviews, with a check that the US side of the framework is operating as intended expected within 12 months.

Unlike the EU, which has the GDPR, the US has no federal data protection scheme. It often leans on the fourth amendment, which protects US citizens from “unreasonable searches and seizures” as a precedent for the conduct of law enforcement, but this does not apply to EU citizens.

While the framework is in effect, compliant companies will be able to transfer data without the need for costly additional assessments, which could prove especially beneficial for cross-Atlantic collaboration.

“The EU-US Data Privacy Framework is a positive development in the mission to protect individuals and organizations on both sides of the Atlantic against cyber threats,” said Drew Bagley, VP and counsel, privacy and cyber policy at CrowdStrike.

“Modern IT infrastructure, cyber security, and privacy compliance programs are dependent upon global data flows.

“Data localization is not a substitute for data protection, and the new Framework stands in sharp contrast to some policy and certification proposals that mistakenly prioritize localizing data over protecting would-be victims from breaches. 

“This marks an opportunity to accelerate the G7’s Data Free Flow with Trust initiative and ensure defenders have the tools they need to defend against cyber attacks.”

From 2016 to 2020, transfers between the EU and US had been covered by the regulatory framework Privacy Shield. This worked as an adequacy agreement between the EU and US, with the US having promised to oversee the deletion of unneeded data.

In July 2020 the European Court of Justice invalidated Privacy Shield, having ruled that it was not compatible with the rights afforded to non-US citizens regarding surveillance and data collection in the name of national security.

The EU-US Data Privacy Framework seeks to address these concerns with new safeguards in place for EU citizens. 

President Biden signed an executive order in October 2022 which brought in new restrictions and measures of redress for intelligence service activities.

One of the foremost concerns with transferring EU data to the US has historically been that US intelligence services would be able to access and use sensitive data belonging to EU citizens.

Under the new agreement, intelligence entities will only be able to access data in a manner proportionate to protecting national security. 

Under the framework, EU citizens will also be given access to an impartial, independent mechanism for redress over the use of data by US intelligence agencies overseen by a new Data Protection Review Court (DPRC).

Complaints will be free to make, and citizens will not be required to produce evidence that their data was collected by an intelligence agency in order for the complaint to be looked into.

Ursula von der Leyen, President of the European Commission praised the “unprecedented commitments to establish the new framework” taken by the US.

But Henein argued that there is nowhere near enough transparency, and argued that as the surveillance redress process appears to happen behind closed doors it is unlikely to satisfy privacy concerns.

EU regulators have once again hit back at big tech criticism of regulatory changes in what marks the latest tit-for-tat battle ahead of the pending Data Act. 

Amid concerns the legislation could harm tech companies, Thierry Breton, European commissioner for internal markets, will say it’s expected to do the exact opposite. 

Lawmakers won’t shift their stance either despite the mounting opposition from big tech, according to the draft text of a speech set to be delivered in San Francisco this week. 

“Our European data strategy is to unlock a wealth of big data and set out how that data should be shared, stored, and processed. This will benefit all businesses – European, American, and others alike,” he is expected to say, and will add: “Assertiveness is not protectionism.”

Why tech companies are fighting the Data Act

The Data Act aims to prevent non-EU governments from accessing data processed by firms operating within the union. Rules outlined in the act will apply to both corporate and consumer data, and are applicable to a range of services and products, such as smart technologies and industrial machinery. 

Some US companies, however, warn the legislation could have a negative impact on international data transfers and create additional cost burdens for companies that operate across borders. 

US firms aren’t alone in leveling criticism. Last month, Siemens and SAP suggested the act could compromise “trade secrets” due to provisions requiring companies to collaborate with third parties to ensure regulatory compliance. 

In an open letter to Breton, EU antitrust chief Margrethe Vestager, and Commission president Ursula von der Leyen, German companies opposed to the act said it “risks undermining European competitiveness by mandating data sharing”. 

"Effectively, this could mean that EU companies will have to disclose data to third-country competitors, notably those not operating in Europe and against which the Data Act's safeguards would be ineffective," the letter read.

Pushing back against regulation

This criticism marks the latest in a long-running trend of big tech companies across the world pushing back against pending EU legislative changes.

Earlier this year, a number of industry stakeholders, most notably OpenAI, slammed the EU’s long-awaiting AI Act, branding it too restrictive and potentially inhibiting operations within the union. 

OpenAI CEO Sam Altman sparked controversy after suggesting the firm could be forced to “leave Europe” if the act was approved as it stood. While Altman swiftly reneged on the threat and clarified OpenAI’s commitment to Europe, the comments drew harsh criticism from Breton. 

Breton told Reuters at the time the AI rules are aimed specifically to safeguard the “security and well-being of our citizens” and insisted that changes “cannot be bargained”. He stressed the EU has been ahead of the curve in “designing a solid and balanced regulatory framework” in the interests of safety but also so Europe can “become a frontrunner in trustworth AI”.  

Data sovereignty rules in the EU have also been in the crosshairs for non-EU firms, with the cyber security labeling rules described as “discriminatory” against international firms in recent months. 

Big tech resistance is futile

Such pushback has a common theme: time and time again they fall flat. 

The first real acid test for this was prior to the implementation of GDPR, which received a significant degree of resistance from firms within the union and internationally. 

Similarly, cookie legislation and data-sharing rules in the wake of the Schrems cases, which saw companies such as Facebook hint they’d back out of the EU, fizzled out with a whimper. 

It appears tech companies haven’t learned their lesson. EU lawmakers are steadfast in their position and unrelenting in their attempts to implement regulations that benefit member states and citizens. 

For regulators to suddenly u-turn at the slightest hint of pushback would be disastrous from a political perspective. Companies, too, with even the slightest bone to pick would smell blood and pounce on future proposals. 

This raises questions over why organizations continue to try so hard to water down legislation. There are two differing tactics at play – playing tough and cozying up – both of which aim to temper potential regulatory crackdowns.

Altman’s hardline approach backfired. But around the same time Microsoft president Brad Smith outlined how the organization planned to develop a responsible framework for generative AI development. This approach showed a more measured approach that could curry favor with regulators. 

With the draft Data Act pending, organizations pushing back will likely find their criticism – which sometimes seems more like spitting out the dummy than offering constructive input – will come to no avail. 

Meta has confirmed it will be appealing a €1.2 billion ($1.3 billion) GDPR fine imposed on it this week for the unlawful transfer of Europeans’ data to the US.

The Irish Data Protection Commission’s (DPC) decision was published on Monday morning and forces the company to suspend data transfers between the EU and US due to concerns over EU citizens’ data privacy. 

The DPC said that current data transfer practices at Facebook “did not address the risks to the fundamental rights and freedoms of data subjects” and were in breach of the GDPR.

The ruling follows a long-running question over citizens’ data privacy and how Meta-owned Facebook conducts data transfers between the EU and US. 

Data transfers were previously protected by the transatlantic ‘Privacy Shield’, which was originally created to allow secure data transfers between the EU and US, which operate in different data protection jurisdictions. 

This was later invalidated after a lawsuit between Meta (then called Facebook) and Max Schrems concluded that the standard offered too much leniency to US surveillance laws.

The DPC noted that Meta used updated standard contractual clauses (SCCs) that were adopted by the European Commission in 2021 with the transfers in question, along with “additional supplementary measures”. 

However, these were still deemed to have not safeguarded the rights and freedoms of European data subjects.

Ever since Privacy Shield was rendered invalid, businesses large and small have been left without clear guidance regarding cross-continent data transfers.

The EU is still yet to finalize a clear mechanism for safe and secure data transfers between it and the US, although one is expected before the end of the year.

Meta described the ruling as “unjustified and unnecessary” in a scathing response.

Nick Clegg, president for global affairs at Meta, criticized the DPC’s decision in a blog post, saying there is a “fundamental conflict of law between the US government’s rules on access to data and European privacy rights”. 

“We are appealing these decisions and will immediately seek a stay with the courts who can pause the implementation deadlines, given the harm that these orders would cause, including to the millions of people who use Facebook every day,” Clegg wrote alongside chief legal officer Jennifer Newstead.

The Computer & Communications Industry Association (CCIA) warned that the ruling will exacerbate confusion over current data transfer protocols for US-based firms. 

“Since an EU Court invalidated the previous EU-US data framework back in 2020, European and US organizations and companies of all sizes have been left without clear guidelines for transatlantic data transfers,” the non-profit said in a statement. 

“To this day, that uncertainty continues to affect not only companies, but also non-profits, charities, governments, and others. Data flows between the EU and US make up the busiest internet route in the world, and are vital to transatlantic trade. Yet, today’s decision to suspend data transfers from the EU to the US ignores that reality.”

Last year, the Biden administration signed an executive order introducing new data protection safeguards for European citizens. The CCIA said these should “pave the way for a new and strengthened EU-US data privacy framework”. 

However, lawmakers on both sides of the Atlantic “still need to finalize the framework before it can come into force”.

“Today’s legal uncertainty will continue to persist as long as this new data transfer mechanism has not been formally approved by EU member states. We call on the 27 EU national governments to approve the Commission’s adequacy decision without delay,” said Alexandre Roure, public policy director at CCIA Europe. 

The fine issued to Meta is the largest ever handed out since the GDPR was enacted in 2018.

It also comes the day before the landmark regulation’s fifth anniversary.

The previous record GDPR fine was handed to Amazon in 2021 by Luxembourg’s data protection regulator.

The tech giant was ordered to pay €746 million ($807 million) and the details of the case were never revealed in any great detail.

At the time the fine was nearly 15 times larger than the then-current record fine issued to Google in 2019 by the French data protection regulator CNIL.

ChatGPT's developer OpenAI has been ordered to implement a ‘right to be forgotten’-style policy in the chatbot by the Italian data protection regulator (SA).

Data subject rights were among the most important considerations made by the Italian regulator in deciding ChatGPT’s long-term presence in the country, which has recently been in doubt.

The additional measures that must be implemented, per the Italian SA’s recent address, include the capability for users and non-users to request their personal information be changed if generated in ChatGPT user prompts. 

“OpenAI will have to make available easily accessible tools to allow non-users to exercise their right to object to the processing of their personal data as relied upon for the operation of the algorithms,” the regulator said. 

“The same right will have to be afforded to users if legitimate interest is chosen as the legal basis for processing their data,” it added. 

The measures echo the so-called ‘right to be forgotten' - the data privacy rule that preceded GDPR and was ultimately included in the EU-wide regulations in 2018.

Since Italy banned the use of ChatGPT in the country earlier this month, a move that was branded ‘an overreaction’ by experts, talks have been ongoing between it and OpenAI - ChatGPT’s developer.

The result of these talks has led the California-based firm being given a ‘to-do’ list of changes before it can resume operating in the country. 

OpenAI has been given a deadline of 30 April to comply with the numerous measures set out by the Italian SA. 

These include changes to data processing transparency, the rights of data subjects, the legal basis of data processing for algorithmic training, and safeguards for minors. 

GDPR and data subject rights

Data subject rights outlined under GDPR include eight fundamental tenets, including the right to withdraw consent for the use and processing of personal data. 

Under GDPR, citizens are also entitled to the right to rectification under Article 16 of the legislation, meaning that data subjects can request “inaccurate or outdated personal information be updated or corrected”.

Similarly, data subjects have the right to be forgotten, or the ‘right to erasure’, which enables them to request that their personal data be deleted.

In this context, the Italian data protection regulator appears concerned that given the potential for personal information to be disclosed via ChatGPT, this poses a risk to Italian citizens and is in breach of GDPR. 

Large language models (LLMs) such as ChatGPT rely on huge volumes of information drawn from the internet to train AI models.

This has posed questions recently over how platforms such as ChatGPT may pose privacy risks - and the generation of incorrect information has been thrust firmly into the spotlight in this regard.

Last week, an Australian mayor mulled the prospect of legal action when ChatGPT generated false information which stated he was imprisoned for bribery.

In reality, Brian Hood, Mayor of Hepburn Shire Council, was a whistleblower and was neither arrested nor convicted on criminal charges.

Regulatory crackdown

Discussions around regulatory safeguards to mitigate the potential dangers of generative AI have raged since the launch of ChatGPT in November last year.

 Earlier this week, US authorities launched a public consultation to explore potential “accountability measures” for companies developing AI systems such as ChatGPT. 

The consultation could guide the development of future US legislation on AI safeguards to ensure responsible use.

Lawmakers in the US are set to explore potential “accountability measures” for companies developing artificial intelligence (AI) systems such as ChatGPT amid concerns over economic and societal impacts. 

The National Telecommunications and Information Administration (NTIA), the US agency which provides advice to the government on technology policies, said it will launch a public consultation on AI products and services. 

According to the NTIA, insights gathered from this consultation will help inform the Biden administration to develop a “cohesive and comprehensive federal government approach to AI-related risks and opportunities”. 

“NTIA’s ‘AI Accountability Policy Request for Comment’ seeks feedback on what policies can support the development of AI audits, assessments, certifications, and other mechanisms to create earned trust in AI systems that they work as claimed,” the department said in a statement on Tuesday. 

In its statement, the NTIA said that potential audits of AI systems could work in a similar fashion to those conducted in the financial services industry to “provide assurance that an AI system is trustworthy”.

NTIA administrator Alan Davidson said the consultation will help inform the US administration’s long-term approach to AI products and prevent or mitigate any adverse effects. 

“Responsible AI systems could bring enormous benefits, but only if we address their potential consequences and harms. For these systems to reach their full potential, companies and consumers need to be able to trust them,” he said. 

“Our inquiry will inform policies to support AI audits, risk and safety assessments, certifications, and other tools that can create earned trust in AI systems.”

Concerns over AI's growth

The move from the NTIA follows mounting concerns about the potential impact of generative AI systems such as ChatGPT. 

The rapid advent of generative AI products has prompted a degree of hesitancy among lawmakers on both sides of the Atlantic. 

In late March, Italy announced a shock ‘ban’ on ChatGPT amid data privacy concerns. 

The Italian data protection authority voiced serious concerns about the generative AI model and said it plans to investigate OpenAI “with immediate effect”. 

Lawmakers elsewhere in Europe are also thought to be exploring a potential crackdown on AI systems, with German authorities among those cited as having serious concerns. 

While lingering worries over generative AI products such as ChatGPT continue, some industry analysts described the Italian decision as an “overreaction”, saying that such crackdowns could have negative long-term implications for companies in the country exploring the use of AI. 

Andy Patel, researcher at WithSecure, told ITPro that Italy’s decision had essentially “cut off” one of the most transformative tools currently available to businesses and individuals. 

Industry stakeholders have also voiced a growing discontent over the speed of generative AI development. 

Around the time of Italy’s ChatGPT decision, an open letter penned by tech industry figures including Elon Musk called for an immediate halt to “out of control” AI development. 

The controversial letter demanded a six-month pause be imposed on companies building generative AI models and argued that there is a concerning lack of corporate and regulatory safeguards currently in place to moderate generative AI development. 

TikTok is set to establish two new data centres in Europe as the Chinese social media platform looks to comply with local data laws.

The company, which has more than 150 million users across Europe, said that it’s finalising a plan for a second data centre in Ireland with a third-party service provider.

It's also in talks to secure a third data centre in Europe. It didn’t specify where, though it said it will complement its Ireland operations.

European TikTok user data is set to begin migrating this year and continue into 2024.

“We also remain focused on building trust with our community by demonstrating to them that their data is secure,” said Rich Waterworth, general manager of operations, Europe, at TikTok.

“We're continuing to deliver against the data governance strategy we set out for Europe last year, which includes further reducing employee access to European user data, minimising data flows outside of Europe, and storing European user data locally.”

TikTok tightens data protection

TikTok announced in April 2020 that it would establish a data centre in Ireland, its first in Europe, with the intent to store European user data at the facility.

The following year, the company also revealed its data governance strategy, underlining that it was committed to Europe’s data protection regulations.

In April 2022, TikTok gave an update on this data governance strategy for Europe and revealed that it had finally signed a contract for a data centre in Dublin to store UK and EEA user data through a third-party service.

Operations at this site were expected to commence in early 2023. A spokesperson from TikTok told IT Pro that it plans to start the migration of Europe user data beginning in Q2.

TikTok has stored global user data overseas, in locations like Singapore or the US. However, it said it wanted to provide a localised solution which would help it to comply with European data sovereignty laws.

“Chinese-owned TikTok is under pressure to assure its international customers that the user data it holds is secure and safe from being accessed by the Chinese state,” said John Abbott, infrastructure analyst at 451 Research, part of S&P Global Market Intelligence.

“It’s part of a broader data governance plan set out by TikTok intended to reduce the flow of European user data outside of Europe.”

Abbott said that Ireland has been chosen as a location for data centres as it’s popular with hyperscalers, like AWS, Google, and Microsoft, as well as colocation providers like Digital Reality and Equinix.

“Opening data centres nearer customers has two benefits: It can help reduce lag by allowing access to data locally rather than thousands of miles away in China,” said Frank Jennings, partner and head of commercial at Teacher Stern LLP.

“It can also help assuage concerns over the transfer of personal data to China, a regime that doesn’t have a strong human rights record, let alone data protection laws comparable to GDPR.”

Jennings said that keeping data in the EU won’t fix all the problems facing the company on this issue.

“It wasn’t that long ago that a New York District Court forced Microsoft to hand over customer data it was holding in its Dublin data centre under the aptly named “Clarifying Lawful Overseas Use of Data” – aka the Cloud Act,” he said. “No doubt the Chinese government will have such powers too.”

The new data centres are a good start, said Jennings, but won’t be enough to address the underlying issue.

In June 2022, the head of the FCC in the US urged Apple and Google to remove TikTok from their app stores due to the way it handled data.

FCC commissioner Brendan Carr said the app collects vast troves of sensitive data on its users. He pointed to a report which stated that ByteDance officials, the company which owns TikTok, had accessed the app’s sensitive data which had been collected from US citizens.

Is your data security team working with siloed security tools and processes? Is this standing in the way of enabling secure data usage and sharing for your organisation?

Gartner recommends a modern data security platform that supports on-premises and cloud data, AI and machine learning use cases, and high levels of integration capability.

Download this Gartner report to learn how you can enable simpler, more consistent data security that can help your organisation to realise new value and new data opportunities.

Provided by

Few things are more important than having quality data that is easy to use, but simultaneously secure and compliant. Being unable to fulfil this need can result in erroneous insights and reduced customer trust.

This whitepaper analyses several topics related to data governance and privacy such as scalability, establishing and implementing organisation-wide standards, and data lineage and traceability. Building blocks like data cataloguing, automated metadata generation, and reporting are also covered alongside a discussion of how governance and privacy are related to a data fabric.

Download now to learn more from real-world examples featuring ING.

Provided by

The Home Office is planning to fit migrants who have committed a crime with smartwatches containing facial recognition technology, with which they will be required to scan their faces up to five times per day.

Migrants fitted with the devices will be expected to complete regular checks, such as taking a photo of themselves for data processing at points throughout each day.

Their names, date of birth, nationality, and facial recognition data will be stored, and checked against a Home Office database, for use in determining whether or not a manual check is required. Location data of those wearing the smartwatches will also be constantly recorded.

Collected data will be stored for up to six years, and during this time will be shared between the Home Office and the Ministry of Justice and the police.

Use of a database to cross-check daily photos of migrants to facial recognition data was not expanded upon, but the Metropolitan Police Service has a controversial history of using facial recognition databases, having been discovered surveiling passengers at King’s Cross in 2019 for that purpose.

According to a letter seen by The Guardian, the Home Office pressed ahead with plans for “daily monitoring of individuals subject to immigration control” after completing a data protection impact assessment (DPIA) in August 2021.

Under the General Data Protection Regulation (GDPR), organisations seeking to implement new systems that could infringe upon the rights of subjects must run a DPIA, in which the data controller assesses the risks of processing data on subjects.

Rights groups have been vocal about their objection to the collection of facial recognition data, both in regards to the invasion of privacy that they see it as representing and also in doubt of the degree to which the technology can be relied on. Big Brother Watch state that between 2016 and 2022, facial recognition used by the Metropolitan Police Service was 87% inaccurate.

The scale of the operation is not currently public knowledge, though the contract signed between the Ministry of Justice and Buddi Limited is valued at up to £6 million by 30 December 2023.

Home Office data for the year ending June 2021 shows that 2,809 foreign national offenders (FNOs) were returned from the UK that year, a number that would prove sizeable to track if all FNOs were chosen for the smartwatch programme.

In June, an independent legal review by the Ada Lovelace Institute urgently called for new legislation to regulate the use of biometric data, as well as recommending the creation of a biometric ethics board.

In contrast, the government’s proposed Data Reform Bill, which ministers have credited with cutting down the “red tape and pointless paperwork” of GDPR, seeks to reduce the need to seek user consent in certain circumstances, including data processing by criminal justice organisations and police forces.

“The Home Office is still not clear how long individuals will remain on monitoring,” Dr Monish Bhatia, a lecturer in criminology at Birkbeck, University of London, told the Guardian.

“They have not provided any evidence to show why electronic monitoring is necessary or demonstrated that tags make individuals comply with immigration rules better. What we need is humane, non-degrading, community-based solutions.”

IT Pro reached out to the Home Office for a statement. Buddi Limited declined to provide comment.

UK safety tech sector revenues hit £381 million last year, the government has announced, an increase of 21% across the ‘world-leading’ industry.

This was matched by the creation of jobs within the sector, with a total number of 2,850 now available marking a 30% increase from the previous year.

Additionally, 57% of safety tech firms were based outside of London and the South East, a sizeable increase from the 48% based outside of these regions just two years prior. In total, 117 firms have been identified as currently offering safety tech solutions.

In a blog post, the government specifically championed safety tech such as tools used to detect and remove child sexual exploitation and abuse (CSEA) content. These systems have been put in the spotlight by the government’s Online Safety Bill, which seeks to compel companies to use or develop such tools to even work on messages currently protected by end-to-end encryption (E2EE).

The bill has drawn criticism from rights organisations such as The Open Rights Group, which has described the measures as “an Orwellian censorship machine.” A recent survey of industry experts also revealed that 66% thought ending E2EE would have a negative impact on protecting society, while Meta plans rollout of E2EE across Messenger and Instagram in 2023.

Last year, the government set up the Safety Tech Challenge Fund, a £555,000 competition to find novel solutions for combatting CSEA content without impacting people’s rights to privacy. These include artificial intelligence (AI) and facial recognition solutions for detecting child abuse images before upload.

At the time, it was announced that the Information Commissioner’s Office (ICO) would offer advice to the winners, to protect privacy throughout the development process.

However, doubts have been raised over the feasibility of regulation of direct messaging that also retains privacy measures. Last year several rights organisations signed an open letter to MPs, stating that the tech being sought by the government would be bad for business as well as individual privacy.

“End-to-end encryption means that your constituents’ family photographs, messages to friends and family, financial information, and the commercially sensitive data of businesses up and down the country, can all be kept safe from harm’s way,” the letter stated.

“It also keeps us safer in a world where connected devices have physical effect: end-to-end encryption secures connected homes, cars and children’s toys. The government should not be making those more vulnerable to attack.”

At the time of writing, the Online Safety Bill has been put ‘on ice’ amidst Conservative Party restructuring, leaving the timeline for when these changes can be expected to be passed into law unclear.

When the house returns in September the bill could be redrafted, or scrapped entirely under the leadership of either Liz Truss or Rishi Sunak.

For now, safety tech sees no signs of slowing, as 67% of firms within the sector predict a customer base increase of 50% or more within the next 12 months.

“Making the online world safer is not only the right thing to do, it’s good for business,” said digital minister Damien Collins

“UK tech firms are at the cutting-edge developing practical solutions to the risks posed by the internet so that it continues to be a benefit not a detriment to people’s lives.

“They have blazed a trail of growth, innovation and job creation to become world leaders in their field and we are committed to maintaining their upward trajectory.”

Tim Hortons has reached a proposed settlement of a national class action lawsuit involving its app and the collection of geolocation data.

The Canadian coffee giant had been found to have tracked and recorded the movements of its app users every few minutes of the day, Canadian privacy commissioners found in June 2022. This happened even when the app wasn’t open, in violation of the country’s privacy laws, and occurred between 1 April, 2019 and 30 September, 2020.

Tim Hortons sent an email to customers on 29 July detailing that as part of the proposed settlement agreement, eligible app users will receive a free hot beverage and baked good, as shared by James McLeod on Twitter. The company is set to share the details of the distribution of this settlement once it is approved by the court.

Tim Hortons has offered to compensate group members in two areas, without any admission of liability, for the purpose of avoiding trial and the additional costs and expenses related thereto, it said.

The first is granting each eligible member one credit to be used to purchase one free hot beverage, at the value of $6.19 CAD plus taxes, and one free baked good, at the value of $2.39 plus taxes, from any participating Tim Hortons store in Canada.

The second is that the company said it would take appropriate measures to permanently delete any geolocation data about group members that may be in its possession, and instruct its third-party vendor, Radar Labs, to do the same.

IT Pro has contacted Tim Hortons for comment.

What did the investigation find?

At the start of June, an investigation into Tim Hortons from various privacy commissioners in Canada found that its continual and vast collection of location information was not proportional to the benefits the store may have hoped to gain from better-targeted promotion of its coffee and other products.

The Office of the Privacy Commissioner of Canada, Commission d’accès à l’information du Québec, Office of the Information and Privacy Commissioner for British Columbia, and Office of the Information and Privacy Commissioner of Alberta carried out the investigation.

“The Tim Hortons app asked for permission to access the mobile device’s geolocation functions but misled many users to believe information would only be accessed when the app was in use. In reality, the app tracked users as long as the device was on, continually collecting their location data,” the commissioners said.

They also found the app used location data to infer where users lived, where they worked, and whether they were travelling. It generated an “event” every time users entered or left a Tim Hortons competitor, a major sports venue, or their home or workplace.

The investigation discovered that Tim Hortons continued to collect vast amounts of location data for a year after shelving plans to use it for targeted advertising, even though it had no legitimate need to do so.

The company said it only used aggregated location data in a limited way, like analysing user trends, whether users switched to other coffee chains, and how users’ movements changed as the pandemic took hold.

The investigation launched in 2020, and while the store stopped continually tracking users’ locations in the same year, the commissioners said that this didn’t eliminate the risk of surveillance. They added that Tim Hortons’ contract with a US third-party location services supplier contained language that was vague and permissive, which would have allowed the company to sell “de-identified” location data for its own purposes.

“There is a real risk that de-identified geolocation data could be re-identified,” warned the commissioners.

“Location data is highly sensitive because it can be used to infer where people live and work, reveal trips to medical clinics. It can be used to make deductions about religious beliefs, sexual preferences, social political affiliations and more,” they underlined.

Lastly, the investigation revealed that Tim Hortons lacked a robust privacy management programme for the app, which would have allowed the company to identify and address many of the privacy contraventions the investigation found.

TikTok has announced new initiatives aimed at improving transparency around the company’s data use, measurement of trends and moderation systems.

In a blog post, chief operating officer Vanessa Pappas laid out a series of plans in detail to involve researchers, industry experts and academics to test and advise on TikTok’s platform.

Researchers will be given access to an application programming interface (API) through which they will be able to study public and anonymised data about content on the platform. This will be made available later this year.

The short-form video hosting service and editing app is extremely popular, with an active base of over one billion users. If research led by the data is made publicly available, insight into the trends and data analysis of TikTok’s vast dataset could prove highly valuable to the tech sector.

Businesses could benefit from knowledge of the factors that drive content to do well on the platform, as well as an understanding of how trends grow in popularity to release videos before or during them. Often, by the time businesses engage with a viral trend, much of the user interest in it has waned.

This month, Ofcom published a report stating that TikTok is the second most popular news source for teenagers with 28% using it to inform themselves, just one percent behind Instagram’s 29% of teens.

This marks it as a vital frontier in the battle against disinformation, and the moves announced today will allow greater oversight into this ongoing issue. In the same announcement, the company pledged to publish information on covert influence operations in all further quarterly Community Guidelines Enforcement Reports.

Select researchers will be given a similar API focused on TikTok's moderation system, to probe existing content moderation systems and the current state of content on the platform. The API will also have the functionality to let researchers upload their own content, to see what is permitted, rejected, or passed on to moderators.

In addition, select independent experts will be given access to TikTok’s list of filter keywords, which it uses to identify content as harmful and asked to offer advice based on this.

Those chosen will include members of TikTok’s US Content Advisory Council, which was set up in 2020 to give industry experts a say in the company’s safety strategies and content policies. The expert members of TikTok’s regional Safety Advisory Councils, namely Europe, the Middle East and North Africa, Asia Pacific, Brazil and Latin America will also be included.

“We've been listening to feedback from different communities of researchers, academics, and experts, and are today sharing new initiatives to strengthen transparency and accountability of our platform,” wrote Pappas in the post.

TikTok and its parent company ByteDance have faced harsh criticism in recent months, with FCC commissioner Brendan Carr last month urging Apple and Google to remove TikTok from their respective app stores. This was prompted by growing concerns over the security risk posed by the app's data harvesting.

IT Pro has approached TikTok for comment.

In a clear message to all companies collecting individual data, the Federal Trade Commission (FTC) has reaffirmed its commitment to harshly enforce illegal breaches of sensitive information.

The FTC notes in a blog post there's a litany of information that can be collected to categorise and identify people’s medical histories, which has potential for dangerous exploitation particularly in the case of consumers seeking abortions.

In light of the recent ruling by the Supreme Court to overrule Roe v Wade, the decision which had protected the right to choose to have an abortion, misuse of sensitive data is a point of fierce discussion.

The regulator cited cases such as that of Copley Advertising LLC as early examples of what could be a growing trend. The company had been utilizing location data to identify people entering within a certain range of clinics offering abortion in several states, and then targeting them with anti-abortion advertising.

It has since reached a settlement with the Massachusetts Attorney General for misuse of geofencing for advertising purposes.

Striking a tough tone against potentially unethical firms, the FTC further outlined its powers to not only fine companies in breach of data protection legislation, but also require them to delete data they have collected as well as any models made with the data.

People’s information can be collected and misused in more ways than one, and the post is careful to focus on the potential for information that consumers willingly track — such as blood sugar level, menstrual cycle, sleep patterns and contraceptive use — in addition to less flagged data points such as location.

Unlike the EU and UK, the US has no central data protection legislation, nor is there an explicit right to privacy within the US constitution. Instead, a range of laws and constitutional rulings cover consumers’ right to privacy, making up a complex tradition of protections that vary state-by-state.

Currently, some of the widest such legislation includes rules that the FTC enforces such as the Health Breach Notifications Rule, which states that “vendors of personal health records and related entities to notify consumers following a breach involving unsecured information”. Violation of the rule can result in a fine if up to $46,517 per violation per day.

Many rights groups argue these rules are inadequate and subject to loopholes such as legitimate sale of information to third-party brokers. The non-profit organisation Planned Parenthood has called for a federal data protection law to codify regulation of such data into law and prevent misuse by advertisers. Biometric data law is a particularly contentious issue, with similar calls within the UK right now for more transparent consumer protections around what data companies can track, and why.

In the post, the FTC specifically warns against misleading claims of ‘anonymization’ by companies, pointing out that such data can frequently be re-identified. Knowingly making such false claims to placate customer concerns around privacy will trigger FTC intervention, it asserts.

“The Commission is committed to using the full scope of its legal authorities to protect consumers’ privacy. We will vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health, or other sensitive data,” stated the agency in the blog post.

“The FTC’s past enforcement actions provide a roadmap for firms seeking to comply with the law.”

An independent legal review has concluded that new laws regulating the use of biometric data in the public and private sector are urgently needed.

The report, commissioned by The Ada Lovelace Institute and undertaken by Matthew Ryder QC, aimed to highlight the uncertain level of biometric technology regulation provided by existing laws such as the EU's General Data Protection Regulation (GDPR).

Among the review’s recommendations are a new statutory framework to set out the use of biometric data by private and public organisations for both identification and classification, and the establishment of a national Biometrics Ethics Board. This, it says, is necessary given the rights-intrusive potential of new technologies such as live facial recognition and gait recognition.

Further investigation into the private sector’s use of biometrics, as well as the sharing of information between private and public sector entities, was also highlighted as a matter of importance.

The review gives the example of the use of facial recognition technology at the King’s Cross site in 2019, which was later found to have included a data sharing agreement with the Metropolitan Police and British Transport Police, to “prevent and detect crime in the neighbourhood”, according to the site's owners.

Recommendations in this area include stricter regulation of Live Facial Recognition (LFR) and a complete moratorium on all LFR in both the public and private sector until the new framework is in place.

Additional concern was raised around the use of remote monitoring and video processing to collect biometric data in the private sector, enabled by the rise of remote working throughout the pandemic.

Under current protections provided by GDPR, biometric data is only classified as special category data when it is collected for ‘the purpose of uniquely identifying a natural person'. The Ada Lovelace Institute, in their policy report supplemental to the review, notes that this leaves biometric data used to determine a person’s “gender, race, or emotional state” subject to less stringent legal oversight.

Proposed legislation would cover use of biometric data for identification and classification. It would also require biometric technology earmarked for public use to first undergo a series of impact assessments to determine its potential impact on privacy and equality, as well as scrutinise the necessity and proportionality of the technology.

Public bodies would then have to refer any such technology to a newly proposed Biometric Ethics Board, the creation of which would provide ethical oversight in a public advisory capacity. It was also suggested that the advice of the board should be made publicly available, with public bodies required to publish explanations for any decisions made contrary to this advice within 14 days of any such decision.

Having begun in 2020, the review makes no reference to the proposed Data Reform Bill, which has been specifically highlighted by government ministers as relaxing certain restrictions imposed by GDPR that they dubbed “red tape and pointless paperwork”. These include aims by the government to cut down on the need to seek user consent for the processing of data in certain circumstances.

As part of the review, the Ada Lovelace council convened a Citizens’ Biometrics Council, composed of a diverse group of 50 members of the public asked to learn about and offer views on the use of biometric technology in legislation. A common view in their recommendations was the need for consent and transparency regarding the use of biometric data.

A third (32%) of UK workers are now being monitored at work using technology like tracking software and remotely controlled webcams.

The issue has worsened over the past six months, when workers being monitored stood at a quarter (24%) of those polled by Prospect.

The sharp increase comes amid a huge jump in webcam monitoring, with 13% of homeworkers currently being surveilled by their employer through their work-issued device. The figures have more than doubled in the past six months as just 5% of workers were monitored via video in April 2021.

The vast majority of those questioned thought the use of webcam monitoring by employers should either be banned (52%) or regulated (28%). Just 8% of employees reported feeling that employers should be able to monitor their webcam's image at will.

Younger workers are thought to be particularly at risk of higher rates of monitoring by employers. Defined by an 18-34 age bracket, 48% of younger workers are believed to be monitored at home by employers, including 20% of those being monitored using a camera.

The latest findings have prompted Prospect to launch a campaign to help drive unionisation in the tech sector as it is affected by the recent upward home surveillance trend due to high levels of remote working and low levels of trade union membership.

Home surveillance will be investigated alongside other issues affecting the industry such as a culture of working long hours, workplace discrimination, and pay.

"We are used to the idea of employers checking up on workers, but when people are working in their own homes this assumes a whole new dimension," said Mike Clancy, general secretary at Prospect. "New technology allows employers to have a constant window into their employees homes, and the use of the technology is largely unregulated by government.

"We think that we need to upgrade the law to protect the privacy of workers and set reasonable limits on the use of this snooping technology, and the public overwhelmingly agree with us. Prospect’s new tech workers sector will be campaigning on this issue and other issues affecting tech workers, and I encourage any workers who are worried about monitoring to join Prospect and support our campaign."

The Information Commissioner's Office (ICO) is currently reviewing guidance for employers on the use of technologies such as employee monitoring.

“People expect that they can keep their personal lives private and that they are also entitled to a degree of privacy in the workplace," said an ICO spokesperson to IT Pro. "If organisations wish to monitor their employees, they should be clear about its purpose and that it brings real benefits. Organisations also need to make employees aware of the nature, extent and reasons for any monitoring.

“We are currently working on updating our employment practices guidance to address the changes in data protection law and to reflect the new ways employers use technology and interact with staff.”

Workplace monitoring saw a steep rise over the course of the pandemic which saw the nations' workforce largely adopt a work from home policy.

Some business managers report using the technology to 'feel closer to their workforce' and have reported using the tools for good, offering bonuses and promotions for demonstrably good work.

Questions around the privacy and ethical issues of the technology's use remain, however. Jim Killock, executive director at Open Rights Group, said to IT Pro: "employers think they have a free pass to monitor as they like, but they do not. They have to consider and consult about the impacts on workers, whose dignity and interests must be preserved. Employers are required to be transparent and accountable.

“The government plans to scrap such restraints in their current GDPR consultation, but people should get on and use their rights," he added.

The sentiment is echoed by Chi Onwurah, MP and shadow digital minister, who said: “This deeply worrying research shows just how anxious many people are about the use of invasive surveillance whilst they work. Ministers must urgently provide better regulatory oversight of online surveillance software to ensure people have the right to privacy whether in their workplace or home.

“The bottom line is that workers should not be subject to digital surveillance without their informed consent, and there should be clear rules, rights and expectations for both businesses and workers,” she added.

Senator Edward J. Markey (D-Mass.) and Representatives Kathy Castor (FL-14) and Lori Trahan (MA-03) today wrote to the Federal Trade Commission (FTC) to ask it to use its powers to ensure that large online platform operators handle children's privacy more responsibly.

The Senators want the FTC to enforce policies outlined in the UK's Age Appropriate Design Code (AADC). The Code, released by the Information Commissioner's Office (ICO) in September 2020, came into effect last month. It dictates 15 principles that online services firms need to follow in order to better protect children's privacy on the web.

The AADC states that providers of online services to children should work in the child’s best interests and offer privacy policy information in language suited to the child's age. It forbids service providers from using data in ways that are detrimental to their wellbeing and bans the use of “nudge” techniques that encourage children to give up their privacy. It also enforces default high privacy settings and disabling of geolocation functions.

The Code, which also applies to connected toys and devices, is not a law. Still, the ICO takes it into account when evaluating companies' compliance with regulations such as GDPR. Violation of those regulations, which the UK government is pressing to reform, can carry financial penalties.

The letter highlighted several steps that technology companies took in response to the code. Instagram introduced private accounts for young people by default to provide more protection from predators and some advertising, the senators pointed out. YouTube defaulted to making uploads private and turning off location history for users under 18. TikTok disabled messaging for users under 16.

"We write to urge the Federal Trade Commission (FTC) to use all its authority to ensure that these powerful companies comply with their new policies, to hold them accountable if they fail to do so, and to prioritize the protection of children’s and teen’s privacy," the letter said. The senators suggested using Section Five of the FTC Act, which forbids deceptive practices, to enforce the commitments.

"These policy changes are no substitute for congressional action on children’s privacy, but they are important steps towards making the internet safer for young users, the letter added.

The letter follows a ground-breaking testimony by whistleblower Frances Haugen before Congress this week. Haugen accused Instagram owner Facebook of disregarding teens' mental health and putting profit before people.

You might think you're being careful about what post on Facebook, Twitter and LinkedIn – but over time your accumulated posts will inevitably build up a picture of who you are. That could include where you reside, what you do for a living, your childhood, your family composition, your birthday and more. All of which would be valuable information to a potential identity thief.

As an example, let’s say you post a picture of your child blowing out candles on a cake. Unless the metadata has been stripped first, you’ve probably also shared the date on which the picture was taken. If your child is young, it’s unlikely they waited until the weekend to celebrate, so there’s a good chance the date it was taken was their birthday itself, even if you didn’t post it until a few days later. If there are three candles on the cake, or a card with a number on it, that’s the other half of the equation: anyone seeing your post now knows exactly when your child was born. If you’ve used their birthday – or part of it – in a password or security question, that’s a chink in your digital armour right there, ripe for exploitation.

That’s not the worst of it. If you took the picture on your phone, the exact GPS coordinates of the place where it was taken could be embedded into the image file. That’s probably your home address, so anyone who sees the picture now knows exactly where to find that nice painting hanging in the background. If you’re a married woman and your friends list includes family members, it won’t be hard to deduce your maiden name – another common security question.

The list goes on. Photos of your first car, connections to school friends… every seemingly innocuous detail makes you more vulnerable to exploits and scams. And now consider the data you’ve scattered outside of social networks – CVs uploaded to job sites, links stored in a cloud-based bookmarking tool, ads you’ve clicked on, the emails you’ve received in a webmail inbox and the places you’ve been with your phone in your pocket.

Whether this data has escaped through over-sharing or been collected without your noticing, you can never get rid of it all. But you can shrink it down – and the obvious place to start is social media.

Shrink your Facebook footprint

Facebook is currently involved in a dispute with Apple over what information it's able to collect about users – but if you've ever used the platform then there's no doubt that it already knows plenty about you.

To find out what information Facebook is holding, log in through a browser and click the down arrow in the top-right corner. Click “Settings & privacy”, followed by Settings. Select “Your Facebook information” in the sidebar, then “Download your information”. Leave the default settings as they are and click “Create file”. It will take a short while for Facebook to collect the relevant information. When it’s finished, you’ll be able to download a ZIP file, whose contents you can peruse to see what’s stored against your name on Facebook’s servers. Armed with this data, you can decide what stays – and what should be removed.

Deleting content from Facebook is surprisingly easy, especially if you use the Manage Activity tool; this lets you remove batches of information at a time, rather than just individual items. The catch is, it’s currently only available in the Facebook mobile app. To access it, tap the menu button on the toolbar, then hit “Settings & privacy”, followed by Settings. Now select “Activity log”; to remove individual entries, tap the three dots on the right of the screen beside each one. To delete several entries at once, tap “Manage activity” and pick whether you want to manage posts, activity you’re tagged in or interactions such as likes, reactions and comments.

Whichever you choose, Facebook will pull up a list of the ten most recent data points, and scrolling down the screen will extend the list. Tap the box beside each item you want to remove, or tap the box at the top of the list to select everything that’s shown on the page (you might want to scroll down to extend the list a few times). Finally, tap the remove or recycle button – depending on what you’re deleting – at the bottom of the screen.

You can also delete content through a browser – it’s just more time consuming. Log in and click the down arrow at the top of the screen, followed by “Settings and privacy” and Settings. Click “Your Facebook information”, followed by “Activity log”. As you hover over each item in the sidebar, three dots will appear on top of it, allowing you to unlike things you have liked or move content you’ve posted to the archive or recycle bin.

While these functions let you manage your publicly accessible content, you should be aware that Facebook also collects data to make internal decisions about what to show you. To review this, select “Privacy shortcuts” from the “Settings & privacy” menu and then “Review your ad preferences” (in the “Ad preferences” box) or “Manage your information” (in the “Your Facebook information” box).

If you’re reviewing your ad preferences, click “Ad settings” in the sidebar and work your way through each of the sections in the “Manage data used to show you ads” section. Some of the settings you’ll find here let you prevent advertisers from reaching you on third-party websites based on your Facebook data, while others let you see the content categories Facebook thinks you’re interested in.

This latter information can be quite eye-opening. It’s not always spot-on: I discovered that I was being targeted for content related to Assassin’s Creed, yet I haven’t played a computer game in more than 20 years (not even for career development). For the most part, though, the list was scarily accurate – it even knew the brand of watch I wear. There are links on the page that let you remove any categories that don’t apply, or which you’d simply prefer Facebook not to use for targeting.

If you want to get off Facebook altogether, the “Manage your information” section provides links to delete your data and close your account. If you’re hesitant about leaving the platform because you don’t want to lose touch with friends or family members who are using Facebook Messenger, there’s good news; it is possible to continue using Messenger for instant messages even after deactivating your main Facebook account.

If you decide to take the plunge, point your browser at Facebook's account deactivation page, enter your password, complete the form and click Deactivate.

Instagram

You might imagine that Facebook-owned Instagram would offer similar levels of control over your content. Sadly, that’s not the case: you can discover a lot about the metrics that are used to determine what you’re shown in the app, but you can’t always correct or delete any incorrect inferences.

To see what Instagram thinks of you, open the app and tap your icon at the end of the toolbar, followed by the three lines at the top of the next page. Tap Settings followed by “Ads | Ad topics” and untick subjects that don’t interest you. If you tap into Security, rather than Ads, and hit “Access data”, you can see your apparent interests in blocks by selecting “View all” under “Ad interests” – but you can’t delete items recorded here.

What you can do is flag unwanted adverts individually. Tap the three dots above them in your feed then tap “Hide ad”. You can specify whether the ad is irrelevant, shown too often or inappropriate.

Shrink your Twitter footprint

Last year Twitter was hit by an embarrassing security breach that gave hackers access to numerous high-profile accounts, exposing all sorts of personal information associated with those accounts.

What information is Twitter keeping about you? To find out, log in through a browser and click More in the sidebar, followed by “Settings and privacy”. As with Facebook, the information is provided as a bulk download: with “Your account” selected in the second sidebar, click “Download an archive of your data” in the third, and enter your password. Click the “Request archive” button and Twitter will compile a Zip file. It will send you an email when it’s ready for collection.

Once you know what kind of information is in the database, you can make more informed decisions going forward. There are also some specific settings that it’s worth looking at (all of the menu options mentioned below are found under the “Privacy and safety” section of Twitter’s settings).

If you want to restrict your tweets so they can be read only by people who actively follow you, click “Audience and tagging” and click the box beside “Protect your tweets”. While you’re in this section, you can optionally disable photo tagging too, which stops people identifying you in photos they post to their own profiles. Once you’ve protected your tweets, you’ll be asked to authorise any future follower requests, rather than allowing anyone who wishes to follow you do so.

A specific privacy issue that we mentioned earlier is the possibility of giving away your whereabouts. To prevent Twitter from reporting your location, click “Your tweets”, then “Add location information to your tweets”. Untick the box and, optionally, click the link to wipe location data from tweets you’ve posted in the past.

Again, like Facebook, Twitter builds up an internal profile of you that’s used to select ads and suggest content. You can review this and remove specific interests from your record as you wish. To do so, click “Content you see | Interests” and untick the box for each subject you’d rather not hear about.

As for items you’ve actively shared, it’s easy to delete individual tweets by clicking the three dots icon on each one and selecting “Delete tweet”. Twitter doesn’t provide any way to remove whole batches of posts, but a number of third-party services have sprung up to plug the gap – check out tweetdeleter.com, twitwipe.com, or tweeteraser.com. If that’s not good enough, you may choose to go the whole hog and delete your Twitter account.

Shrink your Google footprint

Google offers an extraordinary range of products and services, many of which collect a whole lot of personal information – either for publication or for internal usage. Fortunately, the company also provides a single centralised dashboard from which you can keep track of everything that’s being stored about you across Google’s numerous sites and apps. To access it, start by navigating to myaccount.google.com and logging in.

Once you’re authenticated, a good place to begin is Google’s Activity controls page. Here you’ll find options to turn off whole categories of data collection, including location data, data gathered by Google-owned websites and Chrome, and data collected by devices such as your phone and tablet.

You can also limit what information is collected and used by YouTube: this will probably cause you to receive less relevant video recommendations, but you may not consider that a great price to pay for enhanced privacy.

At the bottom of the page there’s a link to the advertising settings page. If you want to see random ads, rather than ones based on your behaviour, just click off the switch labelled “Ad personalisation”. This only affects advertising on Google sites, but if you visit the Your Online Choices website you can similarly turn off advert personalisation for dozens of different companies.

If you want to remove your own content from your Google account – such as contacts, calendars, Drive data, ebooks, Play store purchases and so forth – it’s a good idea to download an archive of your content in advance, just as with Facebook and Twitter, which you can do from the Account Dashboard. When you visit this page you’ll see a long list of all the Google services that your identity is connected to; to download data for any of these individual services, click the down arrow to expand it, then click the three dots at the bottom of its card, followed by “Download data”. Clicking the main “Download your data” link at the top of the page will download a complete archive of content from all the various services.

Bear in mind that this page only shows information for the currently logged-in Google account. If you have multiple accounts – one for work and a personal account, for instance – you’ll need to repeat this process for each one. You can keep track of which identity you’re using by checking the account image at the top right of the dashboard pages.

Shrink your Microsoft footprint

Like Google, Microsoft has helpfully centralised a lot of its privacy settings in a unified dashboard. You can download a copy of your activity by clicking “Download your data”, followed by “Create new archive”. The file that’s delivered will include things like your search and location history and other personal information, but it won’t include data generated in applications such as Office Online or the Outlook calendar. To download those items, you’ll need to go into each product and manually make a copy of whatever you want to keep.

One information repository that’s of particular interest is what’s known as Cortana’s Notebook. Microsoft is scaling back Cortana as a general-purpose voice assistant, but since its introduction

which is where Cortana keeps track of things it’s learned about you, to help it provide relevant answers to any questions. You’ll find a link to this at the top of the Privacy page, with the data broken into sections covering topics such as your commute, weather preferences, news stories that interest you, stocks you’re tracking and so on. The more information Cortana has squirrelled away, the more effective it will be – but, if you’d rather wipe what it knows, click “Clear Cortana data” in the right-hand sidebar.

Like Facebook and Google, Microsoft also provides an easy way to opt out of so-called behavioural advertising, which by default serves up content based on what it knows about you. To do so, visit Microsoft’s Ad settings page and turn off all of the switches for personalisation.

Don’t forget to also check your privacy settings in Windows itself. Press Windows+I to open the Settings app and click Privacy, then use the switches to manage what the operating system can and can’t do. The standard settings allow the OS to show ads based on your interests and websites to access your language lists to provide locally relevant content, but these can be turned off at the flick of a switch. You can use the App permissions link at the left to block third-party apps from accessing information such as your location and account settings too.

Prevention is better than cure

The companies we’ve focused on above have huge databases of personal information, but don’t think your digital footprint stops there. It also extends to, for instance, the online supermarket that brings your groceries, the public library you use to download ebooks, your favourite digital magazine stores and anywhere you’ve ever saved your credit card details.

To audit and curate exactly what all of these services know about you can be a time-consuming business. However, it’s made a lot easier by services such as Rightly, which provides direct links to all manner of companies, with options to see what information they hold about you, to opt out of marketing or to request deletion.

It’s also important to realise that even if you take direct action, close your accounts and ask companies to scrub you from their databases, your information may still be out there somewhere. The things you publish online can find their way into an incalculable number of third-party services, without your ever knowing about it.

The only truly safe course of action, therefore, is never to publish anything that you might regret sharing in the future. If that’s not realistic, the next best option is to lock down any services you actively use from the very start, to prevent them from gathering personally identifiable information in the first place.

The Securities and Exchange Commission (SEC) has ordered UK-based Pearson Education to pay $1 million to settle charges it misled investors about a 2018 data breach that resulted in millions of stolen student records.

The SEC announced the settlement after it found Pearson made “misleading statements and omissions” about the intrusion that involved the theft of student data and administrator log-in credentials of 13,000 school, district, and university customer accounts.

In its semi-annual report filed in July 2019, the SEC said Pearson referred to a data privacy incident as a hypothetical risk, despite the fact the breach had already occurred. In a statement published that same month, Pearson said the breach may include dates of birth and email addresses, but it already knew such records were stolen.

The SEC also said Pearson had "strict protections" in place, “when, in fact, it failed to patch the critical vulnerability for six months after it was notified.”

“As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then, Pearson understated the nature and scope of the incident, and overstated the company’s data protections,” said Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit. “As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”

Dominic Trott, UK product manager at Orange Cyberdefense, told IT Pro the $1 million settlement agreed between Pearson and the SEC comes as the education sector faces increasing hostility from malicious actors.

“As the threat landscape evolves and while education remains firmly in the crosshairs, it is more important than ever to maintain an open dialogue. Only through collaboration and transparency can cyber researchers and technologists begin to turn the tide against cybercriminals intent on wreaking havoc in the sector,” Trott said.

“As Pearson has learned, failure to properly disclose a breach can also be far more damaging to an organization’s reputation and can incur severe legal penalties, particularly when customer data is involved.

"Breach disclosure processes should form part of an organization’s blended approach to cyber security, layering a combination of people, process and enabling technologies to reduce the risk, minimize the impact of a breach should one occur, and demonstrate diligence and best practice to both customers and governing bodies.”

ESign Genie has announced that its digital signature platform now supports knowledge-based authentication (KBA).

Developed in collaboration with LexisNexis Risk Solutions, the new solution improves the security of sensitive, private, or protected documents by mandating a Social Security number.

“Dynamic security is at the forefront of eSign Genie's electronic signature technology. Providing essential security options, such as KBA, was a feature that the software company felt was an important step in its continued development and improvement of safe, reliable, and secure eSigning software. eSign Genie has developed this fraud prevention solution using industry-leading LexisNexis Risk Solutions that authenticate signers using an automated, query-based identity verification system,” explained eSign Genie.

Notably, eSign Genie helps businesses create reusable document templates they can fill out and have different recipients sign as needed. Forms can be embedded on websites, applications, or sent via email. Enterprises also may enable email authentication for signing online forms.

KBA by eSign Genie adds an extra layer of security by authenticating document recipients’ identities before issuing viewing or editing rights. The feature is exclusive to eSign Genie’s Enterprise Plan subscribers.

"We are excited to release our new KBA security feature as it further enables our Enterprise Plan users to stay compliant by utilizing all forms of identity checks while also maintaining signature certificate authentications and obtaining eSignatures on important digital documents," said Mahender Bist, founder and CEO of eSign Genie.

Bist added, "We understand that security and compliance are of utmost importance to our clients. We strive to provide security and fraud prevention improvements to meet the KYC compliance, such as the new KBA feature, so that we may continue to supply the highest level of safe and secure electronic signature technology available."

Three senators have written to Amazon with questions about the company's Amazon One palm scanning technology.

The bipartisan group expressed concerns about the biometric system's effect on privacy and its potential to bolster Amazon's market position. The letter, from senators Amy Klobuchar (D-Minn.), Bill Cassidy (R-La.) and Jon Ossoff (D-Ga.) to Amazon CEO Andy Jassy, queries the company's handling of biometric data gathered using the service.

"Amazon’s expansion of biometric data collection through Amazon One raises serious questions about Amazon’s plans for this data and its respect for user privacy, including about how Amazon may use the data for advertising and tracking purposes," the letter said.

Unveiled in September 2020, Amazon One is a contactless payment system that uses palm scanning for applications, including making payments, granting access to locations, presenting loyalty cards, or clocking into work.

The company began rolling it out at its automated Amazon Go stores, which already used technologies like computer vision to replace traditional checkout operators. It has since arrived at some Whole Foods locations, which Amazon acquired in 2017.

Amazon said the service would be an optional entry method at its stores, which would still allow customers to enter using the Amazon app. At launch, the e-commerce giant also vowed to offer customers the devices, including retailers, stadiums, and office buildings.

"Our concerns about user privacy are heightened by evidence that Amazon shared voice data with third-party contractors and allegations that Amazon has violated biometric privacy laws," said the letter, referring to reports the company violated facial recognition privacy law in Illinois by using residents' faces to train its algorithms.

It also cited a class-action lawsuit filed this month against Amazon for allegedly violating the Illinois Biometric Information Privacy Act (BIPA) with its Alexa system.

"We are also concerned that Amazon may use data from Amazon One, including data from third-party customers that may purchase and use Amazon One devices, to further cement its competitive power and suppress competition across various markets," the senators said.

Amazon recently offered consumers a $10 credit to enroll themselves on Amazon One. To do so, customers must present their credit cards and scan their palms with the Amazon One device.

Rather than storing scans locally, the devices send them back to Amazon's cloud. This was an area of concern for the senators, who compared it with biometric scanning technology from Apple and Samsung, which store information locally on the device.

The letter asked Amazon several questions, including when the company plans to expand its use of Amazon One; how many third-party customers has it sold its technology to; how many users have signed up for the service; and whether the company pairs the scans with data from biometric systems.

The senators also asked the company to describe how it uses data from the service, with a special focus on whether it uses the data to personalize advertisements or product recommendations.

DataCamp has begun to offer free data literacy courses to all Degreed users.

DataCamp and Degreed develop comprehensive learning programs tailored to enterprises’ needs. Extending their partnership, DataCamp is offering free access to three interactive online courses: Data Science for Everyone, Machine Learning for Everyone, and Data Engineering for Everyone.

The courses require no prior coding experience, making them an ideal choice for organizations undergoing or planning an enterprise-wide digital transformation. Essentially, the courses are suitable for all skill levels and roles.

Degreed clients with Edit Settings permission can access DataCamp’s free courses through the Provider's tab or by contacting their Client Experience partner. There’s also the option to upgrade for full DataCamp access.

The “Data Science for Everyone” course includes 15 videos and 48 exercises on data science, data collection and storage, time series analysis, and A/B testing.

“Machine Learning for Everyone” lets users discover intelligent technologies behind self-driving cars and always-on customer experience tools.

Lastly, “Data Engineering for Everyone” explains data engineers’ core responsibilities via Spotflix, a fictional music-streaming firm. Each course takes two hours to complete.

DataCamp CEO and co-founder Jonathan Cornelissen said, "There is incredible power in data—but only if you know what to do with it. All departments and roles must have the skills to analyze that data to extract meaningful insights. Through our renewed partnership with Degreed, we are proud to provide their clients with free access to the powerful data skills they need to make better decisions, better serve their customers, and drive business growth."

"Data is core to every organization and that means everyone must have a baseline understanding of data. We're excited to offer all Degreed clients the DataCamp training, to empower their people ready for the data-driven future and ensure everyone knows how to use data effectively in their work," commented Rob Wellington, director of experience partnerships at Degreed.

Security researchers have found a major breach that exposed the details of over three million US seniors.

According to WizCase, the data breach affected SeniorAdvisor, “one of the largest consumer ratings and reviews websites for senior care and services across the US and Canada.” Among the exposed details were users’ names, surnames, phone numbers, and more.

Researchers at WizCase discovered a misconfigured Amazon S3 bucket belonging to the website containing over 1 million files and 182GB of data. Contact dates from the files suggest they are from 2002 to 2013, though the files had a 2017 timestamp.

“The majority of data exposed was in the form of leads, a list of potential customers whose details were collected by SeniorAdvisor presumably via their email or phone call campaigns,” said researchers.

Researchers also unearthed 2,000 “scrubbed” reviews. These are reviews where the user’s sensitive information has been wiped or redacted.

“However, this scrubbing process is useless if you have the corresponding information. The scrubbed reviews had a lead id which could be used to trace the review back to who originally wrote it,” researchers said. As both lead data and these scrubbed reviews were in the same database, supposedly anonymous reviewers could have their identity revealed with a simple search operation.

WizCase researchers said since the breach contained data from a section of the public more vulnerable to scams, the risks were higher. In a 2018-2019 report, the Federal Trade Commission (FTC) noted that people who filed a fraud complaint between 60 and 69 years old lost $600 per scam on average. The amount rose in older groups, culminating in $1700 on average per scam for people between 80 and 89.

“In particular, the report found senior citizens were more likely to fall for digital scams such as tech support scams, prize/sweepstakes scams, online shopping scams, and especially phone scams,” said researchers. “As shown, senior citizens are at greater risk for online fraud than the rest of the population, and therefore should be even more careful in their online behavior.”

Researchers urged people using such services to input the bare minimum of information when making a purchase or setting up an online account.

“The less information hackers have to work with, the less vulnerable you are,” warned researchers. Researchers have since contacted the company, and the bucket has since been secured.

Senator Kirsten Gillibrand is back with a revised bill that would create a federal data protection agency in the US to oversee consumer privacy. This time, it includes powers to review big tech company mergers.

The Democratic senator from New York introduced the Data Protection Act of 2021 today, a revised and expanded version of an original bill introduced in February 2020.

At its core lies something the US has lacked to date: a federal regulator dedicated to overseeing data privacy. The bill proposes developing an agency that would make its own data privacy rules or enforce those made by Congress across the government and private companies. It would be an executive agency with a director appointed by the president for a five-year term.

Alongside enforcing data protection rules, the agency would also develop model privacy frameworks for businesses, watch for discrimination in the use of automated algorithms, and advise the government on emerging threats like deep fakes.

The proposed law goes beyond its predecessor with several additions. The most notable is the supervision of mergers that involve data aggregators or any merger that involves transferring over 50,000 peoples' data.

The new bill would also include a civil rights office within the data protection agency, which would protect people from discrimination and clearly define terms such as privacy harm and high-risk data practices.

Under the new law, the data protection agency would have more enforcement powers, including the power to issue penalties and fines for violators.

Gillibrand targeted big tech companies in her remarks. They represent a direct threat to privacy and civil rights, she said, describing them as bad actors at the center of a "data privacy crisis."

Today, there are two main routes to hold companies accountable for privacy infractions in the US. The first is via states with strong consumer protection laws, such as California. The second is via the Federal Trade Commission, which Gillibrand called out for failing to act in dozens of cases and enforce its own orders.

Ads on the internet have become increasingly targeted, customized, and persistent. Flash sales by Amazon feature products you'll likely order. A phone model you searched for earlier in the day appears in your Facebook feed. Even Gmail and YouTube tailor their ads to your exact interests.

The uncanny precision in ads makes one wonder if they're being watched all the time. However, upon close inspection, you'll find that we let ads find us.

Each time we access online services, we create a trail. In time, the trail takes shape as a digital footprint. This includes the websites you visit and the information you submit to online forums, public accounts, and more.

Unparalleled insights about a user's identity, online activities, and purchase history can be pieced from a digital footprint. There's no statutory limit to when or how such information may be accessed, collected, or used.

But that's not all. Hackers and cyberpunks can use digital footprints to create counterfeit digital identities. Several crimes can be committed under a false identity, including cyber espionage, phishing, and crypto-jacking.

While all this is cause for concern, there are several things you can do to protect your data. Here is a guide on how to shield your identity on the web.

How to be anonymous on the internet

Before we jump into the specifics, it helps to know that digital footprints can take two distinct forms.

When you tweet, blog, or post a photo on social media, you leave an active footprint. Browser cookies and IP addresses create what is called a passive digital footprint. Unlike active digital tracks, you unwittingly leave behind passive digital during website visits, searches, purchases, and online reviews.

Active and passive footprints carry great value to marketers. A potential employer or creditor may also examine your online presence.

Here are seven simple steps you can take to minimize your visibility online.

1. Use Virtual Private Network

Virtual Private Networks (VPNs) circumvent geo-restrictions on websites and multimedia content. But the real appeal lies in security.

A VPN hides your IP address, obscuring your digital footprint. VPNs also keep your online communications anonymous through encryption. Additionally, VPNs keep third parties from viewing, selling, or collecting your search history.

2. Deactivate old accounts

Service providers are far more likely to retain account data despite inactivity. Your personally identifiable information, such as name, phone number, and email address, could linger in a marketing database for years.

Therefore, it's worthwhile to deactivate inactive social media and email accounts.

3. Beware of "free" Wi-Fi connections

Free is an enticing word, but there are repercussions you should consider. Using a public Wi-Fi network for online transactions invites theft. This includes WiFis in restaurants, coffee shops, libraries, and even grocery stores.

Most public Wi-Fi doesn't promise security and lacks encryption. When equipped with the right tools, hackers can intercept unencrypted data, eavesdrop on conversations, steal passwords, and more.

Consider limiting your online activities to just browsing and streaming when on public Wi-Fi. Switch to your mobile data plan for transactions. You may also use a VPN to create a private network within the free Wi-Fi network.

4. Re-check privacy settings

Look into the privacy settings of websites you use most often, particularly social media sites. It also helps to be cautious when installing new apps on your smartphone. You may grant apps access to your contacts, messages, camera, and microphone, but gaming apps that solicit your contact list require extra caution. Scams like this are all too common and can have serious consequences.

5. Avoid unsafe websites

The URL gives it away. When visiting a website, be sure to look for "https" in the URL. Websites with hypertext transfer protocol secure (HTTPS) encrypt the exchanged data to prevent third-party snooping and interception.

HTTP lacks encryption, making it less secure than HTTPS. Therefore, it's wise to steer clear of URLS beginning with "http."

Avoid giving out your personally identifiable information (PII) on unsecured sites at all times. It contributes greatly to ensuring security and a small footprint.

6. Unsubscribe from mailing lists

Unsubscribing from an email is not the same as blocking it, as a blocked email can still end up in your spam box. So long as the service provider holds your email address, it will add to your digital footprint.

For example, you may have accidentally consented to receive additional promotional emails from a company after purchasing something online. Luckily, it takes only a few clicks to unsubscribe.

Begin by examining the body of an email. A lot of marketing emails and subscription newsletters have an unsubscribe link at the bottom. In a select few instances, you may be instructed to send an email with the subject line, "unsubscribe" to opt out.

7. Go incognito

Google Chrome, Safari, and Edge all offer anonymous browsing via private or incognito mode. Using a browser's private mode will wipe its cache, browsing history, and cookies, reducing third-party tracking.

Nevertheless, your internet provider will still have access to a portion of your web activities. Opt for privacy tools or browser extensions to maximize shielding. Additionally, you may also choose to browse on private search engines such as Tor and DuckDuckGo.

A final word

Tens of thousands of pages are added to the internet every day. And because security is never absolute, it is near impossible to reduce digital footprints to zero. Therefore, the myth of a "zero digital footprint" is just that: a myth.

"It used to be expensive to make things public and cheap to make them private. Now it's expensive to make things private and cheap to make them public," recalls Clay Shirky, vice provost of educational technologies at New York University.

Making small yet decisive changes to your devices and accounts can go a long way toward ensuring digital privacy. Start by "googling" or searching for yourself online. If the results show an extensive digital footprint, consider readjusting your privacy settings. Be sure to read the terms and conditions associated with any new online services you sign up for. It's also a good practice to review privacy policies periodically for any changes that may have occurred.

TikTok has informed US-based users that it's now harvesting more personal information from them, likely including "faceprints and voiceprints."

"We may collect biometric identifiers and biometric information as defined under US laws, such as faceprints and voiceprints, from your User Content, the company's new privacy policy states. "Where required by law, we will seek any required permissions from you prior to any such collection."

This potentially important change was first spotted by TechCrunch, which noticed a few intriguing updates to TikTok's privacy policy.

Under the new policy, TikTok may collect information about images and audio in users' content, the policy says, "such as identifying the objects and scenery that appear, the existence and location within an image of face and body features and attributes, the nature of the audio, and the text of the words spoken in your User Content."

This type of language may sound invasive, but this kind of legal language is fairly common for photo and video apps.

More important is the statement about collecting "biometric identifiers." It doesn't specify what TikTok plans to do with this data or whether it's taking into account federal or state laws or both.

This comes only a few months after TikTok settled a $92 million lawsuit where it was accused of collecting biometric data from users without their consent.

The lawsuit accused the social media platform of deploying a complex artificial intelligence (AI) system to scan for facial features in users' videos, alongside algorithms to identify a user's age, gender and ethnicity.

The accusers claimed that TikTok's app extracted a broad array of such data without consent and shared personal and private viewing histories with third parties, such as Facebook and Google.

Also of concern was the potential for this data to be shared with companies based in China, as the lawsuit claims TikTok doesn't adequately disclose how it shares user data with entities outside the US.

Amazon's Ring announced Thursday that police departments must now publicly request user videos from Ring's smart doorbells and cameras instead of doing so privately.

Until now, Ring device owners would get private messages from the app on behalf of law enforcement agencies looking for videos that may have captured footage of certain individuals, traffic accidents, or crimes in progress.

Ring is likely taking this action because its partnerships with law enforcement agencies have sparked privacy, surveillance, and racial profiling concerns. According to Ring's active agency tracker, thousands of American police and fire departments in the U.S. have partnered with Ring by joining the Neighbors app.

"Beginning next week, public safety agencies will only be able to request information or video from their communities through a new, publicly viewable post category on Neighbors called 'Request for Assistance,'" Ring said in a blog post. "Public safety agencies can use these posts to notify residents of an incident and ask their communities for help related to an investigation.

"All 'Request for Assistance' posts will be publicly viewable in the Neighbors feed, and logged on the agency's public profile. This way, anyone interested in knowing more about how their police agency is using Request for Assistance posts can simply visit the agency's profile and see the post history."

Ring said it would roll out the new "Request for Assistance" feature in the Neighbors app starting next week.

The company reiterated that users can always choose what they share with law enforcement agencies.

Social media apps focused on neighborhood safety have recently come under increased scrutiny. For example, the crime-tracking app Citizen was in the news last month after a live stream from the app with over a million views sparked a search in California. The app showed the name and photo of a man believed to have started a wildfire, but he turned out to be innocent.

Also in May, it came out that Citizen had been testing the idea of a private security force after vehicles branded with the Citizen logo were photographed in Los Angeles.

Organizations are investing more in privacy protection globally, according to research published today by privacy management software company TrustArc. Nevertheless, it still found significant room for improvement in key areas, including cookie consent management.

The company surveyed people worldwide for its 2021 Global Privacy Benchmarks Report, including executives, managers, full-time non-managerial employees, and members of the privacy team. It found performance improving on the privacy front and that companies were eager to do more. The proportion of companies planning big-ticket privacy investments of $1 million or more grew to 48% in 2021. This is up from 28% in 2020.

This increased focus on privacy showed up in internal programs. The number of companies with dedicated privacy offices jumped 17 percentage points to 83%. More companies also said that privacy was now a core part of their business strategy. That proportion increased 7 percentage points from 37% to 44%.

TrustArc also noted a marked improvement in attitudes to privacy on its privacy index, which it compiles based on respondents' answers to core privacy questions. These include whether their board of directors regularly reviewed privacy matters and whether they sufficiently trained employees in privacy issues. It also assessed confidence in key privacy outcomes among their customers, employees, and partners.

The median score on the privacy index jumped from 62% to 70% during the last year, while the 75th percentile score — the average score for companies getting an "A" grade — jumped from 79% to 85%.

Organizations in the US are more confident in protecting employee and customer data, at 82% compared to 74% in Europe. This could be a sign that stateside companies have upped their game following the imposition of the wide-ranging California Consumer Privacy Act, which came into force on January 1, 2020.

Companies might be paying more attention to privacy, but there is still work to be done. Over a third of respondents said they had suffered a breach in the last three years, while 27% reported their company suffered a large-scale cyber security attack.

One area where companies must try harder is cookie consent. This regulatory requirement mandates that companies collect visitor consent when serving cookies via a website. Only 23% of companies work with stakeholders across all departments to ensure that their consent solution meets regulatory requirements and business objectives. Just 46% of respondents said their cookie consent solution was "fully done."

You can now keep prying eyes away from your Google search history and more, as the tech giant has just added password protection to these sensitive screens.

Google's My Activity page displays all of your Google searches, every location you've looked up on Google Maps, and every video you've watched on YouTube. Anyone who has access to your phone, tablet, or PC could view all that information and learn a lot about you.

Google is now introducing a way to put a password on your My Activity page. To add password protection, navigate to your My Activity page and click on the link that reads, "Manage My Activity verification." From there, click the "Require Extra Verification" button. At that point, Google will have you sign in again and complete your two-factor authentication, if it's turned on.

While you're on that page, it's not a bad idea to check out the settings it has for your Google ID. Here, you can turn off and on the three things: your web and app activity tracker, location history, and YouTube history.

It's handy to have a password protecting this information, but you should also consider whether you really want Google tracking and displaying this information in the first place.

Google has long grappled with issues of tracking versus privacy. Two years ago, the search giant first offered its users the option to automatically delete their search and location history after three months.

Users can increase the time range to 18 months, and Google automatically deletes any data older than that from their accounts.

That data management tool came right after Microsoft and Facebook announced features for users to have greater control over their personal data.

These measures highlight a continuing trend of companies making an effort to show responsibility for data privacy.

Security researchers have discovered 23 Android applications that potentially exposed over 100 million users’ personal data through various misconfigurations of third-party cloud services.

According to Check Point Research, the data exposed from these apps included emails, chat messages, location, passwords, and photos. This left users exposed to fraud, identity theft, and service swipes (using the same username-password combination on other services).

Researchers said, “there was nothing in place to stop the unauthorized access from happening.”

“Modern cloud-based solutions have become the new standard in the mobile application development world,” researchers said. “Services such as cloud-based storage, real-time databases, notification management, analytics, and more are simply a click away from being integrated into applications. Yet, developers often overlook the security aspect of these services, their configuration, and of course, their content.”

The first problem researchers discovered was the misconfiguration of real-time databases developers used to store data in the cloud and synchronize with connected clients.

In 13 Android apps, which saw download numbers range from 10,000 to 10 million, no authentication was in place to prevent hackers from accessing these databases containing email addresses, passwords, private chats, device location, user identifiers, and more.

In one app, T’Leva, a taxi app with over 50,000 downloads, researchers could access chat messages between drivers and passengers. They could also access users’ full names, phone numbers, and locations (destination and pick-up) – all by sending one request to the database.

A second issue was with push notifications. “Most push notification services require a key (sometimes, more than one) to recognize the identity of the request submitter,” said researchers. “When those keys are just embedded into the application file itself, it is very easy for hackers to take control and gain the ability to send notifications which might contain malicious links or content to all users on behalf of the developer.”

The third problem occurred in cloud storage. In one app, researchers could access cloud storage keys embedded into the app and all stored fax transmissions.

“With just analyzing the app, a malicious actor could gain access to any and all documents sent by the 500,000 users who downloaded this application,” said researchers.

Researchers said they approached Google and each app developer before publishing its research to share their findings. Researchers said only a few of the apps have since changed their configurations.

With Apple now allowing users to opt out of third-party app and website tracking, a bipartisan group of US senators is seeking to force other tech giants, like Facebook and Google, to do the same thing.

The Social Media Privacy Protection and Consumer Rights Act would allow users to opt out of data tracking and force tech companies to be more transparent about how they use consumers’ data.

Senators backing the bill include Amy Klobuchar (D-MN), Richard Burr (R-NC), John Kennedy (R-LA) and Joe Manchin (D-WV). Klobuchar originally introduced the bill in 2019 in the wake of Facebook’s Cambridge Analytica scandal, but the bill didn’t move forward due to lack of bipartisan support. It now has that support.

In addition to allowing users to opt out of data tracking, the bill would also force online platforms to post their terms of service agreements in plain language and notify users within 72 hours of any data breach.

The Senate bill essentially calls for a national version of data privacy laws already in effect in some states. The most high-profile of these laws is the California Consumer Privacy Act (CCPA).

Some tech companies, such as Microsoft, have already pledged to honor the CCPA’s rules nationwide. But Klobuchar and other senators want to put a national privacy data law in place that’s similar to Europe’s General Data Protection Regulation (GDPR).

The Senate bill would essentially force other US tech giants to follow Apple’s lead on data tracking transparency.

Last month, Apple released its App Tracking Transparency (ATT) tool. It was introduced with iOS 14.5 to explicitly tell users what data will be collected and which apps would track them as part of IDFA. Apps also have to ask for users’ permission upfront, in the form of an opt-in, before being able to track them.

Since then, only a fraction of iOS users have agreed to be tracked by third-party applications such as Facebook. Just 13% of users worldwide have granted permission for tracking by any apps, according to data compiled by Flurry, and 5% of users set themselves to “restricted,” meaning apps won’t even be able to ask them to opt in.

Facebook led a chorus of voices railing against the rollout of ATT, fearing the expected drop-off in users being tracked would hurt it and its partners’ revenues.

The social media network publicly campaigned against ATT, forcing Apple to delay the move several times to allow developers and companies to prepare for the changes.

After the first Senate data privacy bill fell short in 2019, it remains to be seen how far it will get this time.

Secure messaging application firm Signal just highlighted how much data Facebook collects about its users in a clever piece of media hacking.

Signal, which prides itself on not tracking its users, set out to demonstrate to Facebook users how much data they're giving up.

The company created an ad campaign on Instagram using the Facebook-owned photo and messaging app's multi-variant ad targeting system. This uses the detailed profiles Facebook builds about its users to deliver them appropriate advertisements. Instead of using this targeted demographic data to sell products to a carefully segmented demographic, Signal designed the advertisements to tell recipients what Facebook knew about it explicitly.

"The way most of the internet works today would be considered intolerable if translated into comprehensible real world analogs, but it endures because it is invisible," the company said when explaining the project.

Examples of the ads included: "You got this ad because you're a K-pop-loving chemical engineer. This ad used your location to see you're in Berlin. And you have a new baby. And just moved. And you're really feeling those pregnancy exercises lately."

Other examples Signal posted identified users’ marital status, including a recent divorce, and more nuanced situations like being in an open relationship. Ads also relayed recent purchases and new hobbies. They also called out the kinds of content that specific Instagram users like to read online.

According to Signal, Facebook disallowed the ad campaign. "Being transparent about how ads use people's data is apparently enough to get banned; in Facebook's world, the only acceptable usage is to hide what you're doing from your audience," it continued.

This media hack is another small blow in Facebook's ongoing battle against privacy advocates. In March, the US Supreme Court rejected Facebook’s appeal to scale back a $15 billion class-action lawsuit accusing it of illegally tracking its users' activity.

Facebook is also involved in an ongoing spat with Apple, which has introduced privacy changes in iOS 14 that give users an opt-in prompt to enable in-app tracking. Facebook responded by inserting messages in its app that guide users to opt in.

Acuant has acquired Hello Soda, a global identity verification provider, know your customer (KYC), and anti-money laundering (AML) solutions.

According to Acuant, the acquisition will fortify its position in the digital identity market and strengthen its Trusted Identity Platform.

The Acuant-Hello Soda merger will also bring together powerful technologies in data science modeling and advanced analytics to enhance trust in digital identities.

“Our goal has always been to power trust for all, a vision we share with Hello Soda whom we are excited to welcome to the Acuant family,” said Yossi Zekri, president and CEO of Acuant.

“This is truly the most exhilarating time in our company’s history, coinciding with the disruption of traditional financial markets, the rapid digitalization of the world and the need for business and governments to help safeguard identity more than ever before. Adding Hello Soda to our Trusted Identity Platform will reach more people today and position us even stronger for the future of digital identity.”

With its proprietary analytics software, data science modeling, and machine learning (ML) algorithms, Hello Soda helps organizations make informed business decisions by delivering actionable insights.

The Hello Soda dark web solution reduces fraud risk by scanning over 600 million dark web records for signs of compromised personally identifiable information. Hello Soda’s other interesting solutions include ProfileiD and iDocufy.

ProfileiD analyzes customers’ digital footprint to automate user authentication “in sub-5 seconds.” iDocufy, on the other hand, verifies over 6,000 forms of government-issued identity documents.

“We could not be happier to join Acuant, bringing our talent, technology, network and expertise to strengthen all we have accomplished and to take our mutual vision further as a team,” stated James Blake, founder and CEO of Hello Soda.

“Our combined technology will serve us well in our joint mission to democratize trust and provide solutions to reach every sector of the global population, allowing every individual to conduct trusted transactions when and where they wish.”

Privacy management company BigID has created a freemium platform to manage customer privacy requests.

Called BigID.me, the tool allows small- to medium-sized enterprises to automate customer privacy management without operating their own dedicated privacy office.

The service allows companies to manage customers’ data privacy preferences and consent for handling data, including cookies and privacy requests. They can create their own branded customer-facing self-service privacy portals with custom forms to submit data requests. and customers and employees can track the progress of data access requests, managing them against regulatory deadlines.

The General Data Protection Regulation (GDPR), which apply to US companies holding data on European residents, and other US consumer data protection laws like the California Consumer Privacy Act allow individuals to request access to the data companies hold about them. People can ask for that data to be updated and request its deletion at any time, withdrawing consent for companies to hold data about them.

Internal teams can use the portal to organize consistent workflows for handling privacy requests and can trigger automatic emails to customers to inform them of status changes. It generates reports for managers that show data-request trends according to data points like status and regulation type.

The freemium service allows teams of up to three members to handle up to five data access and deletion requests per month. There are two other paid tiers for handing unlimited general data privacy-related requests. The Standard package costs $750 per month, allows up to 10 members, and includes custom branding. The Growth package costs $1,500 per month, allows up to 20 members to handle unlimited general data requests and up to a million consent requests, and offers branded PDF reports. There is also an enterprise version that offers a range of additional features.

BigID, which opened in 2016, built its business offering a more full-featured privacy data intelligence platform that offers customers data discovery services and applications to help protect and manage data. It offers customers a range of privacy functions, including data flow mapping, machine learning-based classification of personal information, data inventory, and consent governance practices.

Apple has announced a searchable privacy-label database, bringing privacy labels for iOS, iPadOS, macOS, watchOS, and tvOS apps together in one place.

Starting late last year, Apple required developers to detail app privacy information on the App store. The details, which Apple calls “privacy nutrition labels,” better informed users about what data apps collect and if that data is linked to them or used for tracking.

"Our privacy labels are designed to help you understand how apps handle your data, including apps we develop," said Apple.

The database, which you can find under the “Labels” section in Apple’s privacy webpage, offers details on Apple apps across iOS, iPadOS, macOS, watchOS, and tvOS. For convenience, Apple arranges the apps alphabetically, and users can learn what data apps are gathering and if that data is linked to their identity.

For example, Apple Maps collects your location, search history, and usage data, but that data isn't linked to your identity. The App Store collects your contact and purchase info, search history, and other identifiers related to your identity. Airport Utility, on the other hand, collects no data at all.

According to Apple’s privacy policy, “collected data may depend on the features you use, whether you only use a paid version of an app, or whether you’re a child.” App developers may choose not to list data in the App Privacy section if the data collected from users is “covered by a privacy law under relevant financial services or data protection laws or regulations.”

The update is a welcome addition for users looking to view and manage their privacy settings in one place.

For more information about Apple’s data-collection policies, head to Apple’s developer support page.

Improving customer experience is the driving force behind many an organisation’s digital transformation, as any savvy business knows that in our experience economy, how a customer perceives every interaction with your business is integral to its success.

With 85% of respondents to a survey saying a personalised experience is key to earning their business and 67% saying they would pay more for these experiences, it’s clear that you need to deliver multi-channel, seamless interactions that make your customers feel seen.

How you manage and protect customer data is a big part of this, as it helps gain trust and adds to the overall experience. How do you do this, though, with the proliferation of extra devices like connected cars and smartwatches complicating secure, multi-channel interactions?

And since in the past, more data security has often been tied to having less visibility, how can you juggle protecting their information with using it to offer the best experiences?

This is where customer identity and access management (CIAM) comes in.

What is the difference between IAM and CIAM?

Traditional identity and access management (IAM) is designed for authentication and access within an organisation. It is used for controlling an employee’s access when they join, leave, or change roles and doesn’t cover requirements that are specific to customers, like how they prefer their data to be managed when they sign up to a website.

On the other hand, in addition to securing a customer’s information, CIAM is also geared towards creating better experiences through data collection. It benefits businesses as well, allowing them to build customer profiles with the data collected and better target customers for higher conversions.

Why do you need CIAM?

Customers have high expectations and they can quickly get impatient when those expectations aren’t being met. It doesn’t take too many mistakes, inconveniences, or pages that won’t load before they share their bad experiences with others, so the stakes of CIAM are high.

When we look at traditional methods of managing customer data without a CIAM platform, there are many pitfalls.

Normally, authentication is built into the website and credentials are stored in back-end databases, which don’t transfer sign-in information or social logins across multiple web applications and create more friction for customers.

This method also doesn’t update automatically, meaning you miss out on new features like multi-factor authentication or the latest security offerings.

If customers can’t easily access services with a single sign-on and their data is at risk, they’re likely to desert your business in favour of a competitor.

What benefits can my organisation get from CIAM?

As we’ve already touched on, a good CIAM platform will offer your organisation more visibility into customer behaviour, from their purchase histories to usage trends.

This customer profile informs sales forecasting, personalised marketing, and new product development, which shows your customers you understand them and their needs. Specially built for consumer applications, CIAM platforms can also be scaled to handle millions of interactions.

What benefits can my customers get from CIAM?

As a direct result of the increased visibility for businesses, customers will, of course, have interactions that are more relevant to them and actually serve their specific needs.

They also get frictionless access across any device using single sign-on or social login.

Through a CIAM platform, their data is better protected through multi-factor authentication (MFA), threat detection, and password backlists, and it’s easy for them to manage consent for how their data can be used or ask to be removed from systems.

How do I choose a CIAM solution?

Given the complexity of managing customer identity, most businesses choose to use a Identity-as-a-Service provider instead of developing a platform in-house. Choosing the right platform is key to achieving the full breadth of benefits of CIAM, so here are several things to keep in mind when you begin your search.

First of all, the platform must operate consistently across all applications and devices and it should integrate with existing CRM systems, marketing platforms, e-commerce platforms, content management systems, data management platforms, and more.

It also needs to bring together the data collected from these touchpoints into one unified database, but with flexibility that allows you to collect what’s most relevant to your brand.

Without these two points, you won’t be able to get the comprehensive view of your customers that’s so vital to delivering great experiences and growing revenue.

And, of course, you’ll want to make sure your chosen platform has built-in features for data regulation compliance and data breaches to keep customers’ personal information secure. It must be built to withstand all types of attacks, from denial-of-service attacks (DoS) to fraudsters using stolen identities, and also encrypt data on the back end to keep data safe in the event of an attack getting through. It also needs to meet government regulations like GDPR and CCPA.

Many CIAM platforms are cloud-based, which offers scalability and reliability and cost savings compared to on-premises, but you’ll still need to integrate this platform with other systems that are on-premises, so a hybrid architecture may be the best option.

Yesterday, Virginia became the second state to pass a consumer data protection law, forcing companies to give consumers the right to opt out of data collection. Governor Ralph Northam signed the Consumer Data Protection Act into law on Tuesday.

The law, which Virginia's General Assembly passed last month, allows consumers to confirm whether a company is holding their data and access it using an automated system. The system allows them to retrieve it in a portable format, making it possible to send it to another company.

Users can amend inaccuracies in the data or force the company to delete it altogether. They can also prevent companies from using the data for marketing or other purposes.

Companies must respond to consumer requests within 45 days but may extend that period by an additional 45 days based on request complexity, as long as they inform the individual and explain the delay. The company must fulfill up to two free annual requests from an individual, but they may charge for additional requests.

Organizations must disclose what they'll use an individual's data for and must limit their personal data collection to those purposes. They must also explain which third parties they'll share the data with and what they'll do with it.

Consumers can opt out of personal data collection and the sale of data to third parties. However, the company can choose not to offer consumers goods or services if it needs the opted-out data to provide the service.

The law, which goes into effect on January 1, 2023, affects companies holding personal data for at least 100,000 consumers or those holding at least 25,000 individuals’ personal data and make more than half their income selling that data.

Companies violating the law face civil penalties of up to $7,500 per affected individual, but they can escape those penalties if they fix the problem within 30 days of Virginia notifying them. All penalties collected will go to a Consumer Privacy Fund established by Virginia, which will support enforcement of the Act.

The Act doesn’t define new data breach notification rules, instead referring to existing rules in the state's legal code.

The legislation now goes to Virginia's Joint Commission on Technology and Science to evaluate how to implement it and release a study by November.

This is the second such law to pass in the US. California's approval of the California Consumer Protection Act (CCPA) went into effect last year. There’s still no cohesive federal consumer data protection law, which four in five Americans want.

Far-right social network Gab is investigating the alleged theft of 70GB of data containing over 40 million posts from its website.

The hacking group Distributed Denial of Secrets (DDoSecrets) reported the incident on Sunday. The person said to have taken the information goes by JaXpArO and the My Little Anonymous Revival Project. According to DDoSecrets, the data contains public and private posts, along with hashed user passwords, direct messages, and plain text passwords for groups. It also contains over 70,000 messages from over 19,000 chats.

DDoSecrets claimed no responsibility for the hack and said it’s merely reporting it and distributing information to the appropriate parties. It’s also limiting its distribution to journalists and researchers.

The hacker retrieved the information via a SQL injection attack, in which an attacker enters commands in the SQL injection language to an online form or via URL parameters. These attacks, which are part of a general injection attack class listed as the No. 1 form of web application attack by the Open Source Web Application Security Project (OWASP), and attackers have been exploiting them for over a decade.

"We were aware of a vulnerability in this area and patched it last week. We are also proceeding to undertake a full security audit," said Gab CEO Andrew Terba in a blog post about the incident. "We do not currently have independent confirmation that such a breach has actually taken place and are investigating."

Terba added that while the company hashes passwords, it doesn't encrypt them in groups, where passwords "are meant to be shared for users to join with.” The site no longer supports direct messaging functionality, he said.

Gab is an extreme far-right social network launched in May 2017. Paypal, GoDaddy, and Medium all banned Gab after one of its members posted an antisemitic message on the site before killing 11 people at a synagogue in October. Its hosting provider Joyent also booted the site from its servers. Gab later found a home with hosting service Epik.

DDoSecrets posted some analysis of the Gab data and found a marked rise in new Gab users just after Amazon kicked conservative social network Parler off its servers. New users jumped from a little under 50,000 on January 8 to around 450,000 on January 10, the figures show. Parler also suffered a hack in January, and the lone attacker exfiltrated 70 TB of data.

DDoSecrets is a successor to the secrets-leaking site Wikileaks. Active since 2018, DDoSecrets gained notoriety last June for BlueLeaks, the publication of US law enforcement officers’ data.