On 25 July 2022, the Information Commissioner’s Office (ICO) published new guidance on UK Binding Corporate Rules (BCRs), which replaced all previous guidance and documents. Read the guidelines here →
The Spanish data protection authority (AEPD) released a blog post on the processing and evaluation of the use of biometric data in accordance with the GDPR. A number of evaluation factors were noted by the AEPD, including “adequacy, proportionality, and necessity.” Access the blog post here →
A report on the implementation and functioning of the EU Data Protection Law Enforcement Directive has been released by the European Commission. See here for the report →
2) Notable Case Law
Due to data protection violations regarding research trips with cameras, the Lower Saxony Data Protection Authority fined Volkswagen €1 million. A Volkswagen test vehicle was equipped with outside cameras to document the traffic situation and perform error analysis. In violation of the GDPR, the vehicle lacked the camera icon and the appropriate signage alerting people to its collection of data and its intended use. Read about the decision here → (in German)
The Spanish Data Protection Authority (AEPD) has fined two companies for failing to comply with two national laws and the GDPR.
Vueling Airlines S.A. was fined €30,000, which was later reduced to €18,000, for violating Article 22 (2) of Law No. 34/2002, of July 11, 2002, on Information Society Services and Electronic Commerce (LSSI). The Authority’s summary can be found here → (in Spanish)
The Spanish DPA fined Esvetel Sociedad Limitada €40,000 for violating both Article 48 (1) of Law No. 9/2014, of May 9, on General Telecommunications (the “LGT”) and Article 28 of the GDPR (2016/679). Access the decision here →
The French DPA (CNIL) fined UBEEQO International, a company that engages in the short-term leasing of vehicles, €175,000.00. The investigations focused in particular on the data gathered, the defined retention periods, the information provided to individuals, and the security measures put in place in the context of the new geolocation data uses. Read the official report here → (in French)
3) New and Upcoming Legislation
The U.S. – Following its executive session, the U.S. Senate Committee on Commerce, Science, and Transportation declared on July 27, 2022, that it had adopted the Kids Online Safety Act and the Children and Teens’ Online Privacy Protection Act.
The Children and Teens’ Online Privacy Protection Act outlines standards for the collection of minors’ and children’s personal information, including information that must be given to a parent or minor, and data subject rights including rectification, erasure, and access.
The Kids Online Safety Act has set similar standards for covered platforms with regard to the duty of care and the protection of children. The Kids Online Safety Act specifically states that a covered platform must act in the best interest of a minor who uses its products or services and must prevent third parties from viewing a minor’s personal data.
This year saw a record-high increase in the average data breach cost, reaching $4.4 million, according to research from IBM Security issued on Wednesday. That was an increase of 2.6 percent from the previous year and a 13 percent increase since 2020. Read the report here →
Other key information from the past weeks
On July 25, 2022, the Italian Ministry of Economic Development announced that the new public register of oppositions would go into effect on July 27, 2022.
A consultation on the draft code of conduct for Italian Confindustria-promoted telemarketing activities has begun, and comments must be submitted by September 9 of this year.
The European Data Protection Board (EDPB) adopted Statement 02/2022 on Personal Data Transfers to the Russian Federation, which confirmed that data transfers to Russia require a data transfer impact assessment (DTIA).