Further to the report adopted by the EDPB on the work undertaken by the Cookie Banner Task Force a few weeks ago, the EDPB has now published examples of non-compliant practices to better assist website managers in attaining compliance. In response to the EDPB’s publications, the French Data Protection Authority “strongly encourages organizations to review their cookie banners in light of the recommendations contained in the report.” Read about this on our blog →
The European Union Agency for Cybersecurity (ENISA) published a report entitled “Engineering Personal Data Sharing”, which takes a closer look at data sharing, primarily in the health sector. The report considers certain technologies and cryptographic techniques which can be implemented to enable privacy-preserving data sharing. In addition, the report identifies certain challenges concerning the right to erasure and the right to rectification when sharing data, and the possible architectural solutions to such data sharing. Access here →
2) Notable Case Law
Norway’s data protection authority, Datatilsynet, maintained a fine of 10 million kroner issued against fitness center chain Sats for alleged breaches of the Personal Data Protection Regulation. Read about the decision here → (in Norwegian)
Following a complaint, the Spanish Data Protection Authority (AEPD) imposed a €70,000 fine, subsequently reduced to €56,000, on Vodafone España, S.A.U. for processing personal data without a legal basis in violation of Article 6(1) of the General Data Protection Regulation. The Authority’s summary can be found here → (in Spanish)
The German Data Protection Conference (‘DSK’) issued its decision on the data protection assessment of third country public authorities’ access to personal data and the risks associated thereto. Reported here → (in German)
In a preliminary ruling concerning Article 38 of the GDPR, the Court of Justice of the European Union confirmed that data protection officers can maintain other tasks within their role, provided that they do not result in a conflict of interest. Official report here →
The South Korean Personal Information Protection Commission (PIPC) fined Meta KRW 6.6 million (approximately EUR 5,000) for violations of the Personal Information Protection Act (PIPA). Read here →
Further to its investigation report following a data breach notification concerning the ransomware attack on the servers of The Hong Kong Institute of Bankers (HKIB), the Hong Kong Office of the Privacy Commissioner for Personal Data also issued a compliance order to the HKIB, for violations of Data Protection Principle 4(1) of the Personal Data (Privacy) Ordinance. Access the report here →
Oman’s Royal Decree No. 6 of 2022, which promulgated the data protection law, came into force on 13 February 2023, a year to the day from its publication in the Official Gazette. The law contains 32 articles concerning data protection and appoints the Ministry of Transport, Communications, and Information Technology as the regulatory authority with the responsibility to oversee and enforce the legislation. The Data Protection Law is available here → (in Arabic)
US Law Updates
California: Following the California Privacy Protection Agency’s (CPPA) adoption of the California Privacy Rights Act Regulation proposed rule-making, the CPPA has now invited the public to comment on the preliminary rule-making activities on cybersecurity audits, risk assessments, and automated decision-making. Interested parties are to submit their comments by March 27th, 2023. Access here →
Utah: Bill 152 on social media regulation fails to pass second reading in Senate.
Indiana: Bill 1038 on data security was passed by the State House and referred to the State Senate; Bill 5 on consumer data protection was read for the third time, passed by the Senate and referred to the House of Delegates.
Florida: Bill 591 relating to social media protection for minors was introduced to the House of Representatives and referred to committees.
Tennessee: House Bill 1310 on consumer biometric data protection was assigned to the Banking and Consumer Affairs Subcommittee.
Connecticut: Bill 6393 to establish additional privacy protections for minors introduced to the General Assembly.
Iowa: Bill 1071 for consumer data protection was passed by the Technology Committee.
Maryland: House Bill 807 concerning consumer protection and online and biometric data privacy was introduced to House of Delegates. This bill goes hand in hand with Senate Bill 698 which concerns the same matter.
4) Strong Impact Tech
The EU and India have established a new Trade and Technology Council (the “TTC”) to strengthen their strategic partnership in trade and technology, according to a statement from the European Commission. The Commission described how the working group on strategic technologies, digital governance, and digital connectivity will address issues like cybersecurity, cloud computing, and artificial intelligence (or “AI”). Official press release here →
An investigation concerning the violation of section 63(12) of Article 5 of the Executive Law of New York and sections 349 and 350 of the General Business Law of New York by a group of technology companies culminated in the issuance of an Assurance of Discontinuance. The technology companies (namely Powerline Group Inc., ILF Mobile Apps Corp., and Highster Data Services LLC) were subjected to a penalty of $410,000 for promoting spyware and privacy violations. Read this story here →
The Kingdom of Saudi Arabia is distinguished as a center for data and privacy compliance, innovation, and experimentation. With the creation of the data and privacy regulatory sandbox by the Saudi Data and AI Authority (SDAIA), a first of its type in the region, local businesses are encouraged to test their solutions and how the Personal Data Protection Law may affect their goods and services in the Sandbox. Reported here →
Other key information from the past weeks
The CNIL fined the voice, video, and text communication service Discord Inc 800,000 euros for failure to comply with the General Data Protection Regulation (GDPR).
The US Federal Trade Commission (FTC) fined the telehealth and prescription drug discount provider GoodRx Holdings Inc., US$1.5M for sharing sensitive health data with social media platforms and other tech giants.
A data breach that let hackers obtain the personal information of millions of consumers has been verified by Google.