Last week, the French Authority published a post on its website announcing that, as of 27 December 2022, exporters and importers of data will no longer be able to use the European Commission’s old standard contractual clauses and will have to use the clauses updated in 2021 or another transfer tool. Read here → (in French)
The UK Data Protection Authority published the UK government’s assessment of the Republic of Korea’s adequacy in processing personal data. Therefore, the adequacy decision between the UK and the Republic of Korea came into force on 19 December 2022. Access here →
2) Notable Case Law
The French Authority imposed a 60 million euro fine on Microsoft Ireland Operations Limited for failing to put in place a mechanism to reject cookies as easily as accepting them. It was found that when a user visited the website, cookies were deposited on their computer without consent and used for advertising purposes. In addition, the company will have to obtain the consent of the data subjects within three months; if it fails to do so, it will be required to pay a penalty for each day of delay. Read about the decision on our Blog →
On 15 December, the Spanish Data Protection Authority issued a decision in response to one of the complaints filed by NOYB concerning the use of Google Analytics. The Authority’s summary can be found here → (in Spanish)
Epic Games, developer of the popular video game Fortnite, was ordered to pay a penalty of $275 million for violating the law on children’s privacy, changing the default privacy settings, and $245 million in refunds for tricking users into making unwanted purchases. Reported here →
3) New and Upcoming Legislation
The EU Directive 2022/2555, called NIS2, was published today in the Official Journal of the European Union and will enter into force in 20 days. At its core, NIS2 establishes stricter cybersecurity requirements for risk management, reporting obligations, and information sharing. The requirements cover incident response, supply chain security, encryption, and vulnerability disclosure, among others. Read here →
After three years, the review of the Australia Privacy Act commissioned by the coalition government has been completed, and the final report has been handed over to the Attorney General, who will now review the revision and is expected to publish it along with the Act and the government’s response in the first half of 2023. Read here →
4) Strong Impact Tech
Microsoft started the phase-in of the ‘EU data boundary’, which allows European cloud customers to process and store data in the EU area. The ‘EU data boundary’ applies to Microsoft’s core cloud services. The first phase will include customer data, followed by registration and service data. Reported here →
Uber suffered a breach of sensitive corporate information of its third-party provider Teqtivity. The hacker then published archives on the dark web that reportedly contain the source code of the mobile device management platforms used by Uber, Uber Eats, and other third parties. The stolen personal data also include e-mail addresses and information belonging to more than 70,000 Uber employees. Read here →
Other key information from the past weeks
The European Commission initiated the formal process for adopting an adequacy decision on the EU-US Data Privacy Framework on Tuesday (13 December). But the third attempt to underpin transatlantic data transfers is bound to face more legal challenges.
Elon Musk is reportedly considering forcing Twitter users to accept personalized advertising, barring an opt-out for ads if they subscribe, according to a report by Platformer.
The director of the US Federal Trade Commission’s Bureau of Consumer Protection warned that the agency “is not afraid to take companies to court” over data practices.