The European Data Protection Board (‘EDPB’) announced, on 31 May 2022, that it had published its response to the joint payments industry regarding Guidelines 06/2020 on the interplay of the Second Payment Services Directive (‘PSD2’) and the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), adopted on 17 July 2020 (‘the Guidelines’). Read the response here →
The French Data Protection Authority (CNIL) has issued guidance on identifying a “data controller” and any additional roles that clarify the nature and scope of data-related tasks so that each is identified “as soon as possible.” Access the guidance here → (in French)
The Congressional Research Service has updated its report on the Trans-Atlantic Data Privacy Framework (TADP) between the EU and the United States. The paper discusses data transfer and surveillance issues, as well as the TADP framework’s key points and areas where Congressional action could have an impact on the future data transfer landscape, such as the possibility of comprehensive federal privacy laws. Read our summary of the report here →
The National Institute for Transparency, Access to Information, and Personal Data Protection in Mexico has published “Recommendations for the Processing of Personal Data” on artificial intelligence. The guidance encourages the appropriate and ethical use of personal information and compliance with the obligations of the personal data security duty. AI in education, the public and private sectors, cloud computing, and privacy by design are among the subjects covered in the recommendations. Read about the decision here → (in Spanish)
2) Notable Case Law
The Italian DPA imposed a fine of €10,000 on the Ministry of Defense due to the disclosure of two emails containing personal data to unauthorized third parties. Read more about this on our blog here →
Following a telemarketing company’s failure to comply with the Ombudsman’s prior decision to provide data subjects with access to their data, the Finnish Office of the Data Protection Ombudsman (‘the Ombudsman’) fined it €8,300 for violating Article 15 of the GDPR. The Authority’s decision can be found here → (in Finnish)
New York – Senate Bill (‘SB’) 6701A for the New York Privacy Act was amended on 31 May 2022 and reprinted and renumbered to SB 6701B, before being sent back to the Senate Committee on Internet and Technology for consideration.
Thailand – The Personal Data Protection Act 2019 (‘PDPA’) entered into effect, on 1 June 2022, following two postponements. In particular, the PDPA establishes lawful grounds for data collection, use, and disclosure, including sensitive personal data, controller and processor obligations, as well as data subject rights.
4) Strong Impact Tech
On May 30, 2022, the Spanish data protection authority (‘AEPD’) released a blog post titled ‘Privacy by Design: Secure Multi-Party Computation: Additive Sharing of Secrets.’ According to the AEPD, Secure Multi-Party Computation (an enabling technology) is a cryptographic protocol that, through additive secret sharing, allows secret data to be segmented into different parts so that, when the data is shared, the original data cannot be revealed by any of the sources. Reported here → (in Spanish)
The UK’s Minister of State for Media, Data, and Digital Infrastructure said that an online advertising program will look into the regulatory frameworks for paid digital advertising. Read more here →
Other key information from the past weeks
HiQ’s scraping of public LinkedIn data is not a violation of the US Computer Fraud and Abuse Act, according to a US appeals court ruling in the case HiQ v LinkedIn.