Iubenda logo
Start generating


Table of Contents

DPO Newsletter: Data Protection & Privacy News (issue #81)

DPO Newsletter: Global Data Protection & Privacy News

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

đź‘‹ Do you want to know how your cookie consent rate compares to the rest of the industry and tips on improving it?

Umm, YES!

We would too! Just answer a few questions anonymously, and we’ll send you a report containing the benchmark cookie consent rate for different industries and tips on improving your cookie consent rate. Yep, it’s that easy!

But don’t take our word for it, see for yourself →

1) Newly Published Documentation

US-EU data transfer framework

The German Data Protection Authority has issued an opinion regarding President Biden’s Executive Order (EO) to implement the US-EU data transfer framework.

In particular, the Authority found some critical issues:

  • the EO would not have the character of stability as it is not a parliamentary law but a government instruction;
  • it is unclear how the EO would fit in with other related laws such as the CLOUD Act;
  • access to data is allowed according to a proportionality criterion; however, this element has a different interpretation in the US framework than in the EU framework; and
  • compliance with a mere executive order is not enforceable, especially against EU citizens.

In light of this, the Authority questions whether the EO is a sufficient basis for the European Commission to re-evaluate the data protection framework in the U.S. and issue an adequacy decision. Read here →

Other news

The UK Information Commissioners Office (ICO) has issued guidance on processing activities involving biometric data. In this regard, the ICO specified the need to conduct a risk analysis before implementing an emotion analysis system that relies on the processing of biometric data of data subjects. Access here →

2) Notable Case Law

  • The UK Information Commissioners Office (ICO) fined Interserve Group Ltd 4.4 million pounds for a data breach against 113 thousand employees due to a cyber attack by a phishing email. The fine was issued despite the company’s timely reporting of the breach involving: phone numbers, bank account information, social security numbers, salary information, and other sensitive data. Read about the decision here →
  • The Italian Garante fined the company Servizio Idrico Integrato S.c.p.a. with a penalty of 15,000 euros for failing to implement an encryption system (SSL certificate) in order to protect the area of the website where user contacts and invoices are managed. Access the decision here → (In Italian)
  • The Italian Garante issued a fine to a company for failing to respond adequately and timely to a data subject’s request for the deletion of his personal data. The company did not carry out the deletion until four months after the request and justified the delay on the basis of the need to migrate the e-mail system. Read here →

3) New and Upcoming Legislation

  • European Union – The Digital Services Act was officially published in the Official Journal of the European Union on October 27, 2022, and will enter into force twenty days after its publication. Read about this on our blog →
  • Australia – Following a wave of data breaches in recent weeks, including the Optus telco hack last month, Australia has stated that an upcoming legislative update will dramatically improve its internet privacy regulations. Access the Bill here →

4) Strong Impact Tech

  • On Oct. 27, 2022, the Texas attorney general sued Google LLC alleging violations of biometric data processing regulations due to the collection without the consent of voiceprints and facial recognition data from users and non-users using the company’s products. Access the decision here →
  • An unofficial document sent last October to government officials of some EU authorities and the EU Commission reveals that the US is preparing for a narrower definition of Artificial Intelligence, a broader exemption for general-purpose AI, and an individualized risk assessment in the AI Act. Reported here →

Other key information from the past weeks

  • The European Commission has published its Work Program 2023, which sets out its agenda for the targeted actions to complete the objectives of the mandate in terms of political strategy and key legislative proposals, among others.
  • The European Data Protection Board (EDPB) released its revised Guidelines 9/2022 on notifying the public of a personal data breach under the General Data Protection Regulation and is now looking for feedback from the general public.
  • Following complaints from NGOs, the French data protection authority (CNIL) fined Clearview AI €20 million in accordance with EU privacy rules and directed it to stop collecting data in France and destroy any data that had already been obtained.

đź‘Ť Enjoyed this issue? Share it on LinkedIn and subscribe for weekly updates

About us


Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.