The FinnishData Protection Authority has published a statement on the Log4j vulnerability. It specifies the conditions according to which a data breach should be reported. The Norwegian authority published a similar post a few days earlier. Read the statement here →(In Finnish)
The European Data Protection Supervisor has published a blog post describing pseudonymous data as a “foundational technique”, which can, for example, mitigate security risks. Considering that, pseudonymous data is covered by the GDPR, while anonymised data is not. Access the blog post here →
The Ukrainian Data Protection Authority has published a summary of the 2021 privacy investigations. See the press release here →(in Ukrainian)
2) Notable Case Law
The FrenchData Protection Authority (the CNIL) has issued a €180,000 fine against the company SlimPay SA, after an investigation. In the course of the investigation, it was uncovered that the company did not have data protection agreements with all their sub-processors. It was further underlined that the personal data had not been securely stored, although there had been no apparent fraudulent access to it. Read about the decision here → (in French)
The CNIL has also issued a €300,000 fine against the phone operator Free Mobile, after finding that it had failed to comply with the data subject’s right to access their personal data and toobject to its processing. The CNIL’s decision also noted that the company had failed to secure the personal data, as it sent clients their passwords by the post, without making them temporary or changing them afterwards. The Authority’s summary can be found here → (in French)
A Russian court has fined Google an estimated 8% of its annual Russian turnover after the company did not remove content that was deemed illegal according to Russian Law. Google was also asked to restore the channel of a State-backed broadcaster. Reuters reported here →
3) New and Upcoming Legislation
Georgia – A Bill was approved by the Parliament, to open two new agencies, the Special Investigation Service and Personal Data Protection Service. The new agencies would replace the State Inspector’s Service. State Inspector’s statement here →
Rwanda – FAQs on the new data legislation were published. Read here →
The European Commission has concluded an adequacy decision with South Korea. In other words, transfers of data between EU countries and South Korea can take place in the same way they do between the EU countries themselves.
The Irish Data Protection Authority has published its regulatory strategy for 2022-2027. The press release notes: “The DPC recognises that it cannot achieve its ambitions alone – new partnerships and new ways of engaging will be necessary as we look towards a future of closer convergence.”