
DPO Newsletter: Data Protection & Privacy News (issue #72)

DPO Newsletter: Global Data Protection & Privacy News

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

  • NOYB filed a complaint with the French Data Protection Authority (CNIL) against Google. NOYB claims that the tech giant has consistently disregarded the Court of Justice of the European Union’s (CJEU) decision regarding direct marketing emails and used Gmail to send spam. Want to learn more about NOYB’s cookie complaints and what to do? See our new article here →
  • Small businesses can now follow a six-step guide from the UK DPA (Information Commissioner’s Office or ICO) on handling their data protection complaints. Read the six-step guide here on our blog →
  • On August 24, 2022, the Office of the Attorney General (OAG) updated its list of 13 enforcement case examples under the California Consumer Privacy Act (CCPA). The OAG stated that it typically does not disclose information about its investigations but that the cases represent instances in which the OAG allegedly provided notice of non-compliance, and each company responded by taking action. See here for the case example →
  • The Turkish DPA (KVKK) produced a proposed set of guidelines for processing genetic data. In the Law on the Protection of Personal Data, the KVKK classifies genetic information as “sensitive personal data.” Reported here → (In Turkish)

2) Notable Case Law

  • Sephora will have to pay $1.2 million in fines for violating the California Consumer Privacy Act by selling users’ personal information and failing to comply with opt-out requests. According to the California Attorney General, in exchange for benefits like targeted advertising and discounted analytics, Sephora made its users’ personal information available to third-party trackers without telling them it was doing so. Reported here on our blog →
  • Meta settled a claim that it unlawfully acquired location data from users even when those individuals had their devices’ location services switched off. To resolve allegations that Facebook broke California law and its privacy notice, Meta will pay $37.5 million. See here for more →
  • Snapchat has agreed to settle a lawsuit for $35 million, which claimed the business had broken the Illinois Biometric Information Privacy Act (BIPA). Snapchat’s filters failed BIPA by secretly gathering and storing users’ biometric data. Read more on our blog →
  • On August 23, 2022, the National Consumer Secretariat (Senacon) of the Brazilian Ministry of Justice and Public Security (MJSP) issued a decision fining Facebook BRL 6.6 million (about €1,290,000) for disclosing Brazilians’ personal data without their consent. Read more here → (in Portuguese)

3) New and Upcoming Legislation

  • The latest draft for the proposed Data Act was provided by the Czech Presidency of the Council of the European Union. The most recent text modifies the terms under which public agencies may request access to privately held data. The plan exempts most institutions from legal obligations and adds clauses that permit government agencies to utilize private firm data in exceptional circumstances. Reported here →
  • On its third reading, the California Senate revised Assembly Bill 2273, the California Age-Appropriate Design Code. The most recent modifications include extending the time to correct violations from 45 to 90 days and extending the deadline for submitting data protection impact assessments from two to three days. The bill is now back on the Senate’s schedule for second reading due to the revisions, and final approval from the Assembly is now necessary. Access the bill here →

4) Strong Impact Tech

  • LastPass, a password management provider, suffered a security breach two weeks ago, giving hackers access to the company’s source code and confidential technical data. We’ve reported this story on our blog →
  • Oracle is accused of operating a “worldwide surveillance machine” and violating the fundamental privacy rights of hundreds of millions of people in a class action lawsuit filed last week in the Northern District of California. In addition to five causes of action ranging from state data protection laws to the federal wiretap act, the lawsuit contends that Oracle’s collection and sale of personal data violated the state constitution of California. Read more here →
  • Apple has released an update to address security holes that it claims hackers may have “actively exploited” in its iPhone, iPad, and Mac devices. The new software “provides important security updates and is recommended for all users,” the tech company claimed. Industry experts have speculated that the hole could allow hackers to take total control of vulnerable devices. The update is available for iPhone 6s and later, iPad Pro, iPad Air 2 and later, and iPad 5th generation and later. Reported here →

Other key information from the past weeks

  • The Italian Data Protection Authority (Garante Privacy) imposed a fine of €70,000 on UniCredit S.p.A. for violating Articles 12 and 15 of the General Data Protection Regulation (GDPR) following the receipt of a complaint submitted by an individual.
  • The European Data Protection Board (EDPB) published a binding decision under Article 65(1)(a) of the General Data Protection Regulation (GDPR).
  • Twitch, a video game streaming platform owned by Amazon, has admitted to a significant data breach. According to Twitch, a hacker breached the service’s servers.
