The Danish Data Protection Authority, Datatilsynet, has launched a new webpage containing “Statistics on breaches of personal data security”. These statistics will assist Datatilsynet in determining where closer supervision and better guidance may be required. Read here →
The UK ICO has issued draft guidance which applies to “information society services likely to be accessed by children” under the Age Appropriate Design Code, more commonly referred to as the Children’s Code. The public consultation closes on 19 May 2023. Access here →
Brazil’s Autoridade Nacional de Proteção de Dados (ANPD) has released a list of ongoing sanction proceedings against both private companies and public bodies for violating the General Law for the Protection of Personal Data. The ANPD plans to publish the outcome of each proceeding and disclose whether any punishment applies. Access here →
The European Consumer Summit 2023 held a panel discussion on “Online advertising and privacy – the challenges with cookies.” Euractiv suggests that this voluntary initiative to move away from repetitive cookie banners could be a prelude to a legislative proposal. The topic was possibly added because the European Commissioner for Justice and Consumers discussed “cookie fatigue” among online users in a December interview with Euractiv. Read a summary on our blog →
2) Notable Case Law
The Norwegian data protection authority, Datatilsynet, has fined US-based company Argon Medical Devices 2.5 million kroner for failing to report a July 2021 data breach within the 72-hour deadline required by the GDPR. The breach affected all of Argon’s European employees and involved personal data that could be used for fraud and identity theft. Read about the decision here →
The Finnish Sanctions Board of the Ombudsman has imposed corrective measures on Forenom Oy after an investigation prompted by data subjects’ complaints. It was found that Forenom had been retaining personal data for over ten years. The Ombudsman has instructed the company to shorten its personal data processing time within legally applicable limitations. The Authority’s summary can be found here →
New Hampshire’s Attorney General announced that he has joined a group of 5 other attorneys general in reaching a $9 million multistate settlement with Google. New Hampshire is expected to receive $1.8 million from the settlement, which concerns Google’s alleged violations of state consumer protection laws in relation to deceptive location tracking practices linked to users’ “Location History” and “Web & App Activity” since at least 2014. Reported here →
3) New and Upcoming Legislation
US law updates:
Montana: Senate Bill 351 concerning the genetic information privacy act was transmitted to the House of Representatives.
Maryland: House Bill 901 was read for the first time at the state Senate. This bill addresses businesses that offer “an online product likely to be accessed by children” and requires such businesses “to complete a certain data protection impact assessment under certain circumstances.”
New Hampshire: Senate Bill 255 on consumer expectation of privacy was introduced to the state House of Representatives and referred to its Judiciary Committee.
Bloomberg has reported that Apple, Google and Meta have been lobbying “for consideration of data access limitations if Section 702 of the Foreign Intelligence Surveillance Act”, which allows U.S. intelligence agencies to collect personal data for surveillance purposes, “is reauthorized by the U.S. Congress.” Reported here →
A ChatGPT bug leaked users’ conversation history, as well as allowing “visibility of payment-related information of 1.2% of the ChatGPT Plus subscribers who were active during a specific nine-hour window.” OpenAI CEO Sam Altman said that the company feels “awful”, but the “significant” error has now been fixed. Many users, however, remain concerned about privacy on the platform. Read here →
Other key information from the past weeks
The six-month implementation period of IAB Europe’s Transparency and Consent Framework (TCF) action plan has been suspended by the Belgian data protection authority (APD) on its own initiative.
EU: MEPs adopted the draft Data Act and are now ready to enter into negotiations with the Council in an effort to finalize the law.
The Wall Street Journal has reported that national courts are siding with multinational companies in privacy appeals and overturning fines imposed by national DPAs.