The Danish Data Protection Authority (the Datatilsynet) has stated that it will provide guidance on the use of Google Analytics, following the Austrian Authority’s decision in one case that using the service was contrary to the GDPR. In this case, cookie IDs were considered personal data. In the meantime, the Guernsey Authority (Australia) has removed Google Analytics from their website.
The United Kingdom’s Data Protection Authority (the ICO) has released a statement on end-to-end encryption in response to the ongoing campaign #NoPlaceToHide. The ICO pointed out that other methods were available to law enforcement without ending end-to-end encryption. Read here →
2) Notable Case Law
The Italian Data Protection Authority (the Garante) has issued a 26.5 million euros fine and several orders to comply with an electricity and gas distributor. The decision found that the company had not obtained prior consent before conducting direct marketing campaigns. They were ordered to implement further technical and organizational measures. Read the Garante’s summary here (in Italian) →
The Data Protection for Lower Saxony (Germany) has issued a 10.4 million euros fine against an electronics retailer, after finding that it had used surveillance cameras to monitor its employees without a legal basis to do so. The Authority also found that alternative, less intrusive means of controlling theft had been available. Read the decision here →
In the United States, several attorney generals from different States are jointly suingGoogle over their alleged use of dark patterns. According to the claimants, dark patterns were allegedly used to manipulate users into sharing their location data. The company was also accused of collecting location data despite the user’s preferences. The IAPP has reported on the case and on the US’s enforcement of dark patterns →
3) New and Upcoming Legislation
European Union – The Digital Services Act was adopted by the EU Parliament, with several amendments. For instance, a limitation was set for targeted advertising based on sensitive information. The trialogue negotiations between the Parliament, the Council, and the Commission are to continue.
United States – A second Privacy Bill was proposed in the State of Vermont and another in the State of Mississippi.
Thailand – An Authority to implement the Personal Data Protection Act was created.
Mongolia – The Parliament has stated that five Bills connected to Personal Data have been proposed.
A Federal US Bill called the “Terms-of-service Labeling, Design and Readability Act” (TLDR Act) was introduced before the US Senate. The Bill aims at making websites present short and clear notices summarising privacy policies and terms and conditions.
After fining Google 150 million euros, the French Data Protection Authority has also fined Facebook 60 million euros on similar grounds. Indeed, the Authority found that data subjects could not reject as easily as they could accept cookies: several clicks were needed to reject while only one was needed to accept.
The Dutch and Austrian Data Protection Authorities have published updated guidelines on the use of Google Analytics.