On May 12, 2022, The European Data Protection Board (EDPB) released its Annual Report of 2021. The Annual Report discusses the EDPB’s activity in 2021, covering topics such as adopted guidance and opinions, as well as its involvement in various legislative consultations. Access the report here →
The French data protection authority (CNIL), published its 2021 Activity Report. The report highlighted the creation of a personal data “sandbox” for health-related data. The CNIL received 14,143 complaints, of which 12,522 were resolved. There were 135 official notifications issued and 18 penalties imposed, with fines totaling more than 214 million euros. In response to COVID-19, the CNIL responded to:
22 parliamentary hearings and issued 121 opinions on bills, 16 of which addressed data processing;
the DPA handled 576 health authorizations; and
54 research authorizations for COVID-19.
In Greece, the Hellenic Data Protection Authority issued compliance guidelines for informational websites that use trackers. Several websites that use cookie banner pop-ups were examined by the authority and did not comply with several points of the EU General Data Protection Regulation. Reported here →
2) Notable Case Law
The Icelandic DPA fined the municipality of Reykjavik 5.000.000 ISK for using the Seesaw educational system, an American cloud-based service. The Icelandic DPA ruled that the municipality had violated multiple GDPR provisions by utilizing Seesaw. Read about the decision here →
3) New and Upcoming Legislation
The UK’s legislative agenda for the next year includes a data reform bill that, according to experts, could bring into question the EU’s data adequacy ruling, which continued to permit data transfers over the Channel after the UK left the EU in January 2020. More information on this topic can be found here →
The provisional agreement for the Digital Markets Act was agreed upon and published by the Committee of Permanent Representatives of the Governments of the Member States to the European Union (COREPER). Reported here →
4) Strong Impact Tech
Costa Rica‘s newly appointed president, Rodrigo Chaves, announced a state of emergency in response to a severe ransomware assault launched by the Conti group.
Chaves addressed his first government council, during which he declared a national emergency and attributed it to the attack’s impact on the Ministry of Finance. For more on this topic, click here →
Other key information from the past weeks
According to Politico, the US Congress is stalled and will not adopt federal privacy laws in the near future. The US is instead working on establishing future global data protection laws to allow individuals’ personal information to easily move across borders. The director of global data policy at the US Commerce Department’s International Trade Administration added that the goal is to open up trade between participating countries while giving people assurances that their data will not be mishandled once it leaves their home countries.
The Office of the Privacy Commissioner of Canada (OPC), the Information and Privacy Commissioner of Alberta, the Information and Privacy Commissioner of British Columbia, and the Commission d’accès à l’information du Québec have signed a new Memorandum of Understanding (MOU) to promote greater collaboration