Included in this issue: Google fined $170m for collecting children's personal data on YouTube without consent; Landmark case deems police use of facial recognition technology lawful and more...


Google fined $170m for collecting children's personal data on YouTube without consent

The US Federal Trade Commission (FTC) has fined Google $136m for collecting children's personal data on its video site YouTube without their parents' consent. The company will also pay $34m to New York state to resolve similar allegations.  

This is the largest fine yet that the FTC has imposed on Google. 

Under federal law, parental consent is required for users under the age of 13 before companies can collect and share their personal data. Google has said that its YouTube service is intended for those that are 13 years or older, however the channel still features cartoons and sing-a-longs which are made for children.

Google accused of using secret web tracking pages

Privacy-focused web browser Brave has accused Google of using secret webpages assigned to users to provide advertisers with more information about online movements of the users.

Brave's chief policy officer, Johnny Ryan, conducted the research as a new user on Google Chrome. He discovered that hidden webpages had a unique address which acted as an identifier that was unique to him. When combined with cookies, this helped tracked user activity across the web.

Brave's allegation has been sent to the Irish Data Protection Commission as a supplement to an ongoing complaint.

Landmark case deems police use of facial recognition technology lawful

The High Court has ruled the use of automatic facial recognition (AFR) technology by the police as lawful, in a landmark case brought by Human rights group Liberty. 

This case is the first of its kind in the UK to legally challenge the police for use of the mass surveillance tool.

The two presiding judges decided that the use of AFR by South Wales Police did infringe privacy rights under Article 8, however they had "struck a fair balance and it was not disproportionate" so its deployment was justified. As a result, South Wales Police can continue with its use of the technology. 

Liberty, acting on behalf of Cardiff resident Ed Bridges, plans to appeal the ruling against the High Court.

Gender identity clinic discloses patients' email addresses in major data breach

Tavistock and Portman NHS Trust has admitted a 'serious data breach' at its Charring Cross Gender Identity Clinic in London after the email addresses of nearly 2,000 transgender patients were exposed.

An employee at the clinic sent out a mass email about an art competition to patients going through or considering gender therapy forgetting to blind copy the details of other patients. The employee then sent out another email which blind copied other addresses when they realised their error.

The clinic has apologised for the data breach and reported it to the Information Commissioner's Office.

Court of Amsterdam decision highlights high threshold for use of fingerprints

The Court of Amsterdam has decided that an employee had the right to refuse to provide their fingerprint to their employer, Manfield Schoenen BV, to use in a finger scan authorisation system for cash registers, highlighting the high threshold for use of fingerprints. 

The Court also emphasised that an increased use of fingerprint biometric systems over the past few years is not a valid reason for the implementation of this type of system, and the employer was criticised for not having considered any less privacy-invasive options before installing the system.

Key contacts

Ross McKenzie

Ross McKenzie

Partner, Commercial Services
Aberdeen, UK

View profile
Helena Brown

Helena Brown

Partner, Head of Data
Edinburgh, UK

View profile