The European Data Protection Board (EDPB) has adopted its work programme for 2021- 2022. Read it here.
2) Notable Case Law
The Düsseldorf Court has referred a case to the Court of Justice of the European Union. After the Bundeskartellamt (the German competition authority) ordered Facebook to stop combining personal data from third-party websites and apps with personal data from their own platforms, without user consent. This order was challenged, which eventually resulted in the Düsseldorf Court referring the case. Full details here.
3) New and Upcoming Legislation
United States (California) – Final Regulations to the CPPA 15/03/2021
The Final Regulations:
provide examples of how to opt-out of the sale of personal information offline and how to verify a consumer request;
specify that businesses can have an opt-out button in addition to the DNSMPI link or notice of right to opt-out;
provide guidance on how to keep the steps to opt-out minimal (with clear examples of what cannot be done), forbidding dark patterns (see section 999.315 :“A business shall not use a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s choice to opt-out.”); and
detail what businesses processing the data of children should specify in their privacy policy.
Japan – Amendments to the Act on the Protection of Personal Information
The Personal Information Protection Commission announced that the amendments to the Act would be enforceable by April 1st 2022, however, transitional measures will come into effect by October 1st, 2021.
The amendments include measures to report data breaches and to disclose the purposes for the processing of personal data.
Google announced it would be phasing out third-party cookies by January 2022, and will therefore not engage in tracking users from site to site. To achieve this, Google is relying on the Privacy Sandbox, and primarily on the Federated Learning of Cohorts (FLoC). More details here.