The leaders of the Data Protection Authorities (DPAs) met in Vienna on April 28 and made a number of decisions to strengthen cooperation in cases that are now regarded as “strategic.” The EDPB will assist cross-border cases of strategic importance where cooperation is prioritized. Read the decisions here →
The Brazilian Data Protection Authority (ANPD) announced the second updated version of the LGPD Guidelines on Tuesday, April 26, 2022. The ANPD amended its guidelines on the concepts of controller, joint controller, processor, sub-processor, and data protection officer. Access here → (in Portuguese)
2) Notable Case Law
The Austrian Data Protection Authority issued a second ruling, finding that Google’s IP anonymization is insufficient for data transfers between the EU and the US. The two reasons for this are as follows:
Google’s IP anonymization only applies to IP addresses, while other data such as online IDs set for cookies or device data are transferred unencrypted. Also, IP anonymization occurs only after the data has been transferred to Google.
The Authority also rejected the “risk-based strategy” argument that Google made in the proceedings. The Authority emphasized that the GDPR does not recognize a risk-based approach for data transfers to unsafe third countries, such as the United States.
On the other hand, both the Spanish and Luxembourg DPAs closed their cases because the website provider uninstalled Google Analytics from the site following the NOYB complaint, without commenting on the improper usage of Google Analytics. Follow this link to our blog for more on this topic →
Following the German Consumer Associations’ complaint against Facebook, the European Union’s Court of Justice concluded that Consumer Associations can launch actions based on alleged GDPR infringement, provided that national legislation permits it. Read about the decision here →
The Norwegian Data Protection Authority (Datatilsynet) has issued a warning for infringing Article 14 of the GDPR in processing personal data belonging to shareholders. Click here to read the official notice →
3) New and Upcoming Legislation
The Connecticut legislature passed the Connecticut Data Privacy Act on April 28th. The measure is now on its way to the governor. Connecticut will become the fifth state to enact consumer data privacy laws if the governor signs it. The law is generally based on the Colorado Privacy Act.
Here are a few highlights:
opt-out regulations are very stringent;
consumer approval is required to handle sensitive data;
controllers must allow consumers to withdraw consent; and
children’s data privacy rights match California’s.
Google Play is now officially releasing its version of app privacy labels. The new Google Play data security section will be gradually rolled out to users ahead of the 20 July deadline. Developers will need to adequately disclose the data their apps collect, whether and how it is shared with third parties, the app’s security practices, and other details. Reported here →
The European Data Protection Supervisor (EDPS) launched the public test phase of two social media platforms: EU Voice and EU Video. The EDPS has also issued an official press release. The two platforms offer privacy-oriented environments based on Mastodon and PeerTube software. The EDPS hopes to contribute to the strategy to advance Europe’s independence in the digital world. Read more about this here →
Facebook is being pushed to adjust how it handles users’ personal data by what the company describes as a ‘tsunami’ of privacy regulations from around the world. According to a leaked internal document obtained by Motherboard, the “fundamental” problem is that Facebook has no idea where all its user data goes or what it’s doing with it. For more on this topic click here →
Other key information from the past weeks
The Spanish DPA fined a company €9,000.00 for using unnecessary cookies without consent, without a reject option and without a banner.
A provisional political agreement was reached between the Council and the European Parliament on the Digital Services Act (DSA).
Google is going to update its cookie consent banner in Europe following a hefty fine of €150 million. Google has released a screenshot of the new three-button banner: “I agree”, “Customize” and “Deny All”.