Our pick of key compliance stories this month
- X faces privacy complaints after using data without permission
- HS2 pays a £6.2m settlement to HMRC for compliance failures
- London businesses fined £14m in GDPR violations
- Six-year legal probe ends with $152m Glencore fine
- The new EU AI Act to change how AI is regulated
- PwC is the first audit firm to be fined by the FCA
- AIA Group slapped with a $2.9m fine for AML failings
X faces multiple privacy complaints from users
X, Elon Musk's social media platform, is facing a series of privacy complaints due to the use of EU users' data to train AI models without their consent. The issue came to light when a user discovered a setting indicating X's use of post data for its Grok AI chatbot. The Irish Data Protection Commission (DPC) expressed "surprise" at this, as GDPR requires explicit consent for such data processing.
Nine complaints have been filed across various EU countries, arguing that X violated GDPR by processing data without a valid legal basis. The DPC has taken legal action against X, but the privacy group noyb, which is supporting the complaints, believes these measures are insufficient.
“Companies that interact directly with users simply need to show them a yes/no prompt before using their data. They do this regularly for lots of other things, so it would definitely be possible for AI training as well.”
noyb emphasises that users weren't informed about the data usage, making it impossible to opt out initially. The situation highlights concerns over the misuse of personal data under the guise of "legitimate interest" and the broader challenges in ensuring GDPR compliance for AI systems.
HS2 pays a £6.2m settlement to HMRC
High Speed Two (HS2), the UK body responsible for developing the high-speed rail network, paid £6.2 million to HM Revenue & Customs (HMRC) to settle a breach of the IR35 tax avoidance rules. Originally, HS2 had set aside £10.2 million for this settlement, but the final amount was significantly lower.
The issue arose from a review of HS2's compliance with IR35, which began in May 2022. The review focused on how the organisation adapted to the public sector IR35 reforms introduced in April 2017.
HS2's 2023–24 annual report confirms the review is now complete, and no further provisions are needed. During the last financial year, HS2 employed 339 off-payroll workers, with 94% classified as working within the IR35 rules.
Key takeaways:
- Regular compliance reviews: organisations should conduct regular compliance reviews, especially when adapting to new regulations, like the public sector IR35 reforms introduced in 2017. Early identification of issues can prevent penalties.
- Accurate classification: properly classifying workers under IR35 is crucial. HS2's experience highlights the importance of assessing each off-payroll worker's status to ensure compliance with tax regulations.
- Proactive provisioning: setting aside funds for potential liabilities, as HS2 did with the £10.2 million provision, is a prudent measure. Even if the final settlement is lower, being prepared helps manage financial risk.
- Clear documentation: maintaining clear and detailed records of compliance efforts and worker classifications is essential. HS2's successful conclusion of the review indicates the value of thorough documentation.
London businesses fined £14m in GDPR violations
Twelve London businesses were collectively fined £14,012,500 for breaching data protection laws between 2023 and 2024, highlighting the serious financial and reputational risks of non-compliance.
Data breach specialists Hayes Connor analysed recent Information Commissioner's Office (ICO) data to assess the impact on local businesses.
The fines resulted from 17,366 complaints, revealing major lapses in handling sensitive customer data. The ICO's actions emphasise the importance of robust data protection measures and serve as a warning to London businesses to take GDPR compliance seriously.
“High fines deter businesses from neglecting their data protection obligations. The ICO’s actions demonstrate that non-compliance can lead to substantial financial consequences, encouraging other businesses to prioritise data security... Beyond fines, businesses might face lawsuits from affected individuals, leading to further financial liabilities and legal expenses.”
Six-year legal probe ends with $152m Glencore fine
Glencore has been ordered by Swiss authorities to pay approximately $152 million, concluding a four-year investigation into alleged bribery involving a Congolese public official by one of its business partners in 2011.
The settlement includes a $2.4 million fine and a $150 million compensation for the financial gain from the misconduct.
The Swiss Office of the Attorney General closed the investigation, marking the end of publicly known corruption probes into Glencore, which have affected the company's reputation for years. A related Dutch case was also dismissed.
The bribery involved payments made by Glencore's partner to acquire undervalued stakes in two Congolese mining companies.
Although Glencore was held criminally liable for failing to prevent the bribery, the company stated that no employees were aware of the misconduct, and it did not benefit financially. Glencore did not admit to the findings but chose not to appeal the penalty.
Key takeaways:
- Implement strong compliance programmes: the case underscores the need for robust compliance frameworks that actively monitor and manage the actions of both staff and third-party partners, particularly in high-risk regions or sectors.
- Be mindful of third-party risks: companies must carefully vet and monitor third-party partners, as their actions can result in significant liabilities for the company, even if the company claims no direct benefit from those actions.
- Weigh up cooperation and consequences of a legal battle: Glencore’s decision not to appeal the penalty, despite not admitting wrongdoing, reflects a strategic choice to resolve the matter and move forward. This approach can be preferable to prolonged legal battles, especially when trying to restore corporate reputation.
The new EU AI Act to change how AI is regulated
The European Union’s AI Act, which took effect on August 1, 2024, is the world’s first comprehensive regulatory framework for artificial intelligence (AI), setting new compliance standards for businesses globally.
“Banks utilising AI technologies categorised as high-risk must now adhere to stringent regulations focusing on system accuracy, robustness and cybersecurity, including registering in an EU database and comprehensive documentation to demonstrate adherence to the AI Act.”
The law is expected to impact industries across the board, requiring companies to reassess and potentially redesign AI products to meet these stringent new standards.
The Act's influence extends beyond the EU, affecting any organisation operating within or selling to the EU market. This has led to increased costs in research, development, and compliance but also presents opportunities for innovation in responsible AI development.
Notably, the financial sector is particularly impacted, as high-risk AI technologies used by banks must now adhere to these strict regulations. Companies, including Unilever, are already implementing frameworks to ensure compliance, recognising the potential for legal risks in rapidly evolving AI technology.
The law's extraterritorial reach underscores its potential to set a global benchmark for AI governance, influencing regulatory approaches in other jurisdictions. Companies must comply by 2026, with some provisions, like those affecting AI models such as ChatGPT, taking effect sooner.
Non-compliance could result in fines of up to 7% of global annual revenue, emphasising the need for organisations to prioritise AI compliance. The AI Act is expected to drive investment in compliance technologies and shape global AI development practices.
PwC is the first audit firm to be fined by the FCA
PwC has been fined £15 million by the Financial Conduct Authority (FCA) for failing to report suspicions of fraudulent activity at London Capital & Finance (LCF) during its 2016 audit. This marks the first time the FCA has fined an audit firm.
The FCA noted that PwC encountered significant difficulties during the audit, as LCF provided "inaccurate and misleading information," and a senior LCF executive was aggressive towards the auditors.
The complexity of the audit led PwC to suspect possible fraud at LCF, but despite these concerns, the firm did not report them to the FCA as required. Although PwC ultimately deemed LCF's 2016 accounts accurate, the FCA emphasised that PwC was still obligated to report its earlier suspicions.
LCF later went into administration in January 2019 after being ordered by the FCA to withdraw misleading promotional material, leading to substantial losses for investors. The Serious Fraud Office continues to investigate the case.
The FCA acknowledged that PwC's failure to report was not reckless or deliberate and that the firm was not involved in LCF's misconduct. However, by not reporting its concerns, PwC deprived the FCA of potentially critical information. PwC has since settled with the FCA, describing the breach as unintentional.
AIA Group slapped with a $2.9m fine for AML failings
AIA Group Ltd. has been fined a record HK$23 million ($2.9 million) by Hong Kong's Insurance Authority for shortcomings in its anti-money laundering (AML) processes.
The fine, the largest since the regulator began overseeing insurance companies in 2017, follows an inspection that revealed technical issues with AIA's AML system and algorithm.
These issues led to some "politically exposed persons" not being flagged during the screening process, delaying the identification of the source of their funds. However, the regulator noted that no inappropriate policies were sold.
This fine comes amid increased scrutiny of the insurance industry in Hong Kong, especially as business with mainland Chinese clients has surged. Recent regulatory actions also included raids on a licensed broker and a referral company suspected of using unlicensed referrers.
AIA’s shares fell approximately 2.5% in response to the news. The company stated that while the issues identified were technical and no evidence of money laundering or improper client onboarding was found, it is cooperating with the regulator and will submit a report from an independent advisor on the effectiveness of its remedial measures.
Key takeaways:
- Enforce rigorous AML standards: companies must ensure that their AML systems and algorithms are robust and effective. Technical deficiencies that result in lapses, such as failing to flag politically exposed persons (PEPs), can lead to substantial financial penalties.
- Prepare for regulatory scrutiny: regulatory bodies are intensifying their scrutiny of the financial and insurance sectors, especially in response to increased business activity with high-risk regions or clients. Organisations should be prepared for detailed inspections and proactive in addressing potential compliance issues.
- Cooperate with regulatory authorities during investigations: this can help mitigate the impact of fines and demonstrate a commitment to compliance.
Looking for more compliance insights?
We have created a series of comprehensive roadmaps to help you navigate the compliance landscape, supported by e-learning in our Essentials Library.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, priority access to our free online learning portal and other exclusive benefits.