The Spanish Data Protection Authority published a blog post on the differences between anonymised and pseudonymised personal data, and their legal implications. Read it here →(in Spanish)
The United Kingdom’s Information Commissioner’s Office (ICO) is organising a conference on the U.K.’s Age Appropriate Design Code, on October 20th. The conference is aimed at product teams. More information here →
The ICO has also submitted its comments to the UK Government’s open consultation on reforms to the current data protection regime. Read the comments here →
The Canadian Information and Privacy Commissioner has opened a public consultation on guidance concerning the police’s use of facial recognition tools. View the guidance (still open for consultation) →
The South Korean Data Protection Authority has issued guidance on the launch of an Agency dedicated to pseudonymised data. Read the press release here →
The Data Protection Authority of Hong Kong has issued an FAQ on the new EU Standard Contractual Clauses. Learn more here →
2) Notable Case Law
The Italian Data Protection Authority (Garante) has issued a fine against a company for contacting LinkedIn users without a proper legal basis. The fact that the user had a public profile did not suffice to justify sending messages to sell services and products. Read a summary of the decision here →
The Spanish Data Protection Authority (AEPD) has issued a fine against a telecommunications company for making direct marketing telephone calls and text messages without the data subject’s consent. The data subject had not previously been a client of the company, nor had they directly consented to receiving marketing. The company was fined €30,000. Read the decision here →
3) New and Upcoming Legislation
Italy – A decree was passed to amend the Personal Data Protection Code with regards to processing personal data by the public administration for the public interest. Access the decree here →
US (California) – Two Bills were signed by the governor to amend the CCPA. With the first Bill, the CCPA was modified to describe how data breaches should be notified. Genetic data was also added to the definition of personal data. With the second Bill, the definition sectionwas extended, to for example state that: “Advertising and marketing” means a communication by a business or a person acting on the business’ behalf in any medium intended to induce a consumer to obtain goods, services, or employment“. Access the first Bill here → and the second here →
India – Amendments to the Personal Data Protection Bill are expected to be discussed by the Committee in charge on October, 20th 2021.
4) Strong Impact Tech
It is expected that Google will automatically start installing a two-factor authentication system for 150 million accounts by the end of 2021. Read Google’s announcement here →
Other key information from the past weeks
In Germany, the Baden-Württemberg Data Protection Authority has modified its FAQ guidance on International Transfers, to include examples referring to the new Standard Contractual Clauses (SCCs).
The European Council has agreed on a negotiating mandate for the Digital Governance Act.