Luxembourg is the first country to implement a GDPR-compliant certification procedure. On May 13, 2022, the National Data Protection Commission (CNPD) adopted its GDPR-CARPA certification system. Read here →
The Swiss DPA, the Federal Data Protection and Information Commissioner (FDPIC), has released its annual report for 2021. Access here →
The UK DPA, the Information Commissioner’s Office (ICO), responded to the UK Government’s consultation on the Online Advertising Programme. Reported here →
2) Notable Case Law
The French DPA (CNIL) announced on 28 June 2022 that the Conseil d’Etat had confirmed, on 27 June 2022, the CNIL’s decision from December 2020, in which it imposed a fine of €35 million on Amazon Europe Core Sarl for violations of Article 82 of the Act No. 78-17 of 6 January 1978 on Data Processing, Data Files, and Individual Liberties. Read about the decision here →
Following the receipt of a complaint submitted by an individual, the Italian DPA (Garante Privacy) imposed a fine of €100,000 on Intesa Sanpaolo S.p.A., a bank, for violations of Articles 5(1)(a), 5(1)(f), and 6 of the General Data Protection Regulation. The Authority’s summary can be found here → (in Italian)
The Spanish DPA fined a company €1,800 for insufficient privacy and cookie policies and for a cookie disable function that did not operate properly. Furthermore, the website’s privacy and cookie policies lacked the necessary information. The original fine was set at €3,000; however, it was decreased to €1,800 due to voluntary payment and acknowledgment of responsibility. Reported here → (in Spanish)
The Danish DPA fined a company €134,415 (DKK 1 million) for retaining and failing to delete the data of 685,000 former book club members. Read here → (in Danish)
3) New and Upcoming Legislation
California – Assembly Bill 2273, the California Age-Appropriate Design Code Act, was approved by the California State Assembly by a vote of 72-0 and is now being submitted to the Senate for review. The measure includes:
safeguards for the protection of children’s data; as well as
limits on online exposure for minors under the age of 18.
According to California’s 2022 legislative schedule, measures must be passed in both legislative chambers by August 31, and the governor must sign or veto the legislation by September 30. Access the Act here →
4) Strong Impact Tech
Brendan Carr, a commissioner on the US Federal Communications Commission, shared a letter to Apple CEO Tim Cook and Alphabet CEO Sundar Pichai on Twitter. The letter highlighted reports and other developments that put TikTok in violation of the two organizations’ app store standards. Reported here →
A group of ten European consumer organizations is suing Google over the company’s account sign-up process. The organizations claim that the sign-up process leads users toward options that capture more data. Read the full story here →
To tackle a substantial and growing global cyber threat to personal information, the Office of the Privacy Commissioner of Canada and other foreign data protection and privacy regulators have collaborated to release recommendations on ‘credential stuffing attacks.’ Read the official announcement here →
Other key information from the past weeks
The latest decision of the Italian DPA (Garante Privacy) is the result of one of 101 complaints filed by NOYB regarding Google Analytics compliance. While the decision is close to previous rulings issued by the French and Austrian authorities, there are some differences.
EU Justice Commissioner Didier Reynders offered updates on the transatlantic data privacy framework after a visit to the US. He said that a legal text may surface “in the next weeks,” partially in the form of an executive order issued by the United States, which would then trigger a lengthy review process in Europe.