The European Parliament (“EP”) has concluded “that the EU-US Data Privacy Framework fails to create actual equivalence in the level of protection” due to:
the lack of federal privacy and data protection legislation in the United States of America (“US”),
the different meaning given to the “principles of proportionality” pursuant to Executive Order 14086 on Enhancing Safeguards For the United States Signals Intelligence Activities, which contrasts with the definition in terms of “EU law and their interpretation by the CJEU”,
“Decisions of the Data Protection Review Court will be classified and not made public or available to the complainant”.
The EP therefore “further urges the Commission not to adopt the adequacy finding.” Access here →
The European Data Protection Board has released a thematic document: “One-Stop-Shop case digest on right to object and right to erasure”. The document predominantly analyses decisions relating to Articles 17 (right to erasure) and 21 (right to object) of the General Data Protection Regulation. Read the official document here →
The German Federal Commissioner for Data Protection and Freedom of Information (‘BfDI’) confirmed that further to the completion of public consultation phases, the European Data Protection Board (‘EDPB’) has adopted:
Guidelines 07/2022 on Certification as a Tool for Transfers which explain the “practical application of transfers of personal data to third countries or to international organizations based on certifications”, and
Guidelines 03/2022 on Deceptive Design Patterns in Social Media Platform Interfaces: Practical Recommendations, which “influence the behavior of users and their ability to effectively protect their personal data.” Access here → (In German)
The UK Information Commissioner’s Office (‘ICO’) published recommendations entitled “Top Tips for Games Designers – How to Comply with the Children’s Code”. These recommendations are also commonly referred to as the “Age Appropriate Design Code” and are created to assist games designers when providing online services that can be accessed by children. Access the Press release and Recommendations →
Further to the decision given last year by the Belgian Data Protection Authority (APD) in relation to the Transparency and Consent (TCF) case concerning the validation of IAB Europe’s action plan, IAB Europe has proceeded to file a formal request for interim measures with the Belgian Market Court. Read about this on our blog →
The Federal Communications Commission’s Enforcement Bureau and the Illinois Attorney General’s Office have signed a Memorandum of Understanding establishing critical information sharing as well as cooperation structures which will facilitate the investigation of spoofing and robocall scam campaigns. The agreement helps the two bodies combine efforts and share information to defend consumers. Press release here →
2) Notable Case Law
The UK’s First-Tier Tribunal (Information Rights) (the “Tribunal”) issued a ruling on Experian Limited’s (“Experian”) appeal against the action of the UK’s Information Commissioner’s Office (“ICO”) which ordered Experian to change how it handles people’s personal data. Read the decision here →
The German Federal Constitutional Court has declared in a landmark ruling that surveillance software involved in “data mining” (Palantir) used for policing in the cities of Hamburg and Hesse is unconstitutional. The judges nevertheless pointed out ways in which the software could still be used for the creation of predictive algorithms, in particular in “predictive policing”. The Authority’s summary can be found here →
After a data breach revealed the social security numbers of 12,663 Pennsylvanians who underwent genetic testing between 2004 and 2012, Acting AG Henry was able to strike a $400,000 assurance settlement with DNA Diagnostics Center. Access here →
3) New and Upcoming Legislation
The Australian Privacy Act Review is moving forward with a new government report and feedback is being sought until 31st of March 2023. The proposed reforms are “aimed at strengthening the protection of personal information and the control individuals have over their information.” Indeed, more stringent privacy protections will aim to support digital innovation whilst contributing to “Australia’s reputation as a trusted trading partner.” Review the report →
US Law Updates:
Illinois: Further to the introduction of House Bill 1381 earlier this year on the creation of the Right to Know Act, Senate Bill 1365 which also deals with the same Act is now gaining momentum and is presently pending with the Senate Judiciary Committee.
California: Assembly Bill 947 California Consumer Privacy Act of 2018: California Privacy Protection Agency was introduced to the California Assembly.
4) Strong Impact Tech
The EU and India have established a new Trade and Technology Council (the “TTC”) to strengthen their strategic partnership in trade and technology, according to a statement from the European Commission. The Commission described how the working group on strategic technologies, digital governance, and digital connectivity will address issues like cybersecurity, cloud computing, and artificial intelligence (or “AI”). Official press release here →
An investigation concerning the violation of section 63(12) of Article 5 of the Executive Law of New York and sections 349 and 350 of the General Business Law of New York by a group of technology companies culminated in the issuance of an Assurance of Discontinuance. The technology companies (namely Powerline Group Inc., ILF Mobile Apps Corp., and Highster Data Services LLC) were subjected to a penalty of $410,000 for promoting spyware and privacy violations. Read this story here →
The Kingdom of Saudi Arabia is distinguished as a center for data and privacy compliance, innovation, and experimentation. With the creation of the data and privacy regulatory sandbox by the Saudi Data and AI Authority (SDAIA), a first of its type in the region, local businesses are encouraged to test their solutions and how the Personal Data Protection Law may affect their goods and services in the Sandbox. Reported here →
Other key information from the past weeks
Norway’s data protection authority, Datatilsynet, maintained a fine of 10 million kroner issued against fitness center chain Sats for alleged breaches of the Personal Data Protection Regulation.
Further to the report adopted by the EDPB on the work undertaken by the Cookie Banner Task Force a few weeks ago, the EDPB has now published examples of non-compliant practices to better assist website managers in attaining compliance.