Major Data Breach Precedents & Saudi Arabia’s Data Guidelines - SearchInform
06.03.2025

An AI-powered tool has again become the source of a data leak: this time ChatGPT exposed Brazilian individual taxpayer registry (CPF) numbers. Several legally significant developments also took place in Kenya and Saudi Arabia. Two companies were found to have violated Kenya's data protection law, while the Saudi regulator published new guidelines for personal data transfer risk assessment.

On 25 February, an incident involving ChatGPT was reported in Brazil. According to media reports, the chatbot disclosed sensitive information about Brazilian public figures: it shared the CPF numbers (individual taxpayer registry identifiers) of politicians, TV presenters and entrepreneurs, including President Luiz Inácio Lula da Silva, Vice President Geraldo Alckmin and former President Jair Messias Bolsonaro.

The disclosure infringes the privacy rights of the individuals concerned. Even though ChatGPT drew the data from open sources such as court filings, invoices and company minutes, collecting those fragments and serving them back on demand is not the same as their original publication, and similar incidents need to be prevented. That requires guardrails on the AI system: output filters that block the disclosure of identifiers such as CPF numbers, and limits on what data is collected in the first place.

This event is one link in a long chain of AI-related data incidents. Generative AI is a rapidly evolving technology that warrants extra attention because of how it works: chatbots continually ingest new material from available sources for further training, and, depending on the service, the prompts users submit may be retained as well. Users of AI-powered tools should understand these risks and follow basic precautions. As a minimum, we recommend that users keep personal information out of their prompts and avoid sharing sensitive data with such services altogether.
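The guardrail called for above, as an added example that is not part of the original article and not code from OpenAI or any other vendor: a small Python filter that scans both directions, the user's prompt (the minimum precaution recommended above, enforced at the gateway rather than left to the user) and the model's reply, and redacts Brazilian CPF numbers. It redacts only candidates whose mod-11 check digits validate, so ordinary 11-digit order or invoice numbers are left alone. The function names, placeholder text and sample strings are constructed for illustration; the CPF 123.456.789-09 is the standard textbook test value, not a real person's.

```python
import re

# Matches an 11-digit CPF written either as 000.000.000-00 or as a bare run of
# digits. Word boundaries keep it from firing inside longer numbers.
_CPF_RE = re.compile(r"\b(\d{3})\.?(\d{3})\.?(\d{3})-?(\d{2})\b")


def cpf_check_digits(base9: str) -> str:
    """Compute the two mod-11 check digits for the first nine CPF digits.

    First digit: weights 10..2 over the nine base digits. Second digit:
    weights 11..2 over the nine base digits plus the first check digit.
    A remainder below 2 yields 0, otherwise 11 minus the remainder.
    """
    digits = [int(c) for c in base9]
    for top_weight in (10, 11):
        total = sum(d * w for d, w in zip(digits, range(top_weight, 1, -1)))
        remainder = total % 11
        digits.append(0 if remainder < 2 else 11 - remainder)
    return f"{digits[9]}{digits[10]}"


def is_valid_cpf(candidate: str) -> bool:
    """True if the string is a structurally valid CPF (check digits match).

    Runs of a single repeated digit (e.g. 111.111.111-11) satisfy the
    arithmetic but are not issued, so they are rejected as well.
    """
    digits = re.sub(r"\D", "", candidate)
    if len(digits) != 11 or len(set(digits)) == 1:
        return False
    return cpf_check_digits(digits[:9]) == digits[9:]


def redact_cpfs(text: str, placeholder: str = "[CPF REDACTED]") -> tuple[str, int]:
    """Replace every check-digit-valid CPF in text; return (new_text, count).

    Validating the check digits keeps invoice numbers, order IDs and other
    11-digit strings from being redacted as false positives.
    """
    count = 0

    def _replace(match: re.Match) -> str:
        nonlocal count
        if is_valid_cpf("".join(match.groups())):
            count += 1
            return placeholder
        return match.group(0)

    return _CPF_RE.sub(_replace, text), count


def guard_prompt(prompt: str) -> tuple[str, bool]:
    """Inbound guardrail: strip CPFs from a user prompt before it is forwarded
    to the model provider. Returns (cleaned_prompt, had_sensitive_data)."""
    cleaned, count = redact_cpfs(prompt)
    return cleaned, count > 0


def guard_response(reply: str) -> str:
    """Outbound guardrail: redact any CPF the model emits before the user sees it."""
    cleaned, _ = redact_cpfs(reply)
    return cleaned


if __name__ == "__main__":
    # Constructed sample. 123.456.789-09 is the textbook test CPF; the
    # 11-digit order number has wrong check digits and must survive.
    model_reply = (
        "O CPF do deputado e 123.456.789-09. "
        "Pedido numero 12345678900 (nao e um CPF valido)."
    )
    print(guard_response(model_reply))
    print(guard_prompt("Meu CPF e 12345678909, pode preencher o formulario?"))
```

In a real deployment the two guard functions sit in the proxy or SDK wrapper between the organisation and the model API, the placeholder is logged as a policy event, and the same pattern is extended with validators for other national identifiers the organisation handles.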

Meanwhile, an important ruling was issued in Kenya. The Data Commissioner investigated an individual's complaint and found the telecom operator Safaricom and Becton Dickinson (BD) in breach of the Data Protection Act. Each entity was fined Sh. 250,000. The case shows that regulators are now enforcing the law's requirements more strictly.

The case arose from a complaint filed by Catherine Murithi, a former BD employee. After her employment contract ended, BD shared her personal information with Safaricom in order to convert her corporate account into a personal one, without contacting her or informing her of the data sharing.

The Kenyan Data Commissioner examined the case and found three violations of the Data Protection Act:

  • Ignoring consent requirements: BD shared Murithi's personal records without her explicit consent.
  • Lack of transparency: Safaricom failed to inform the data subject about the transfer.
  • Unlawful data processing: both entities processed her personal data unlawfully, putting her privacy at risk.

The case illustrates growing regulatory attention to data protection. Legislation sets out the lawful procedures for data processing as well as requirements for technical controls and the appointment of a data protection officer (DPO). Compliance can be a real challenge, especially for small and medium-sized businesses without in-house data protection specialists. To address this, we developed our Managed Security Service for protection against internal threats.

Another major step toward a legal foundation for data protection was taken in the Kingdom of Saudi Arabia. The Saudi Data and Artificial Intelligence Authority (SDAIA) continues to issue guidance: it has published new Personal Data Transfer Risk Assessment guidelines intended to support compliance with the Saudi Personal Data Protection Law (PDPL) and its Regulations.

The guidelines set out a four-phase process for a comprehensive risk assessment:

  • Preparation phase. Preliminary steps to determine whether an assessment of potential risks and impacts is needed, identify the purpose of data collection and the nature of the data collected, and review the details of personal data processing, including use, disclosure and destruction of the data.
  • Assessment of potential risks and negative impacts. Application of international risk assessment standards: listing threats, estimating the probability of adverse incidents and rating the level of risk. Development of the measures needed to minimise risk and potential impact, through the administrative, technical and physical controls required by the Regulations.
  • Risk assessment for transfer or disclosure of data to entities outside the Kingdom. Data controllers must analyse potential risks according to the nature of the data transferred and the recipient's level of compliance, pay close attention to whether the recipient's data protection measures meet Saudi standards, and implement measures to reduce the remaining risk.
  • Identifying factors relevant to the analysis of implications for the vital interests of the Kingdom. Data controllers must consider the possible consequences of the transfer for the Kingdom's vital interests: the nature of the data collected, the impact of its transfer or disclosure outside the Kingdom, and the adequacy of the protective measures in place.

Reliable risk assessment is the data controller's responsibility. The Saudi guidelines emphasise the need for highly qualified information security specialists to conduct data transfers properly, so demand for cybersecurity professionals on the job market is likely to rise in the coming months.


Learn more about compliance with the Saudi Arabian Personal Data Protection Law and how SearchInform solutions can help meet the regulator's requirements. The PDPL is the principal KSA act regulating the use of personal data; it became fully enforceable on 14 September 2024.

