The Brazilian data protection authority (ANPD) announced, on 29 August 2022, that it was seeking opinions on high-risk processing and issued a questionnaire for this purpose. In particular, the ANPD noted that Article 4 of Law No. 13.709 of 14 August 2018, the General Personal Data Protection Law, sets out factors whereby the processing of personal data will be considered high risk. The ANPD is creating guidance that will elaborate on this provision and assist personal data processing agents. The questionnaire covers factors such as the volume of personal data processed, emerging technologies, and the frequency and duration of processing. Comments may be submitted via the questionnaire until 28 September 2022. Read here → (in Portuguese)
The UK’s Information Commissioner’s Office (ICO) announced in January 2022 that the international data transfer agreement (the IDTA), which is often referred to as the UK standard contractual clauses, needs to be used for contracts entered into on or after 21 September 2022. Organizations transferring UK-originated personal data will be required to use the IDTA, or the New EU SCCs together with the IDTA, starting from that date. Access the guidance here →
2) Notable Case Law
The U.S. Federal Trade Commission sued the company Kochava for allegedly selling geolocation data that may be used to track users to sensitive locations. The commission says that the information provides evidence of “visits to reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction recovery facilities.” Read about the decision here →
3) New and Upcoming Legislation
California has passed new legislation, the California Age-Appropriate Design Code Act, which will require businesses like TikTok, Instagram, and YouTube to put safeguards in place for users under the age of 18, including setting their privacy settings to a higher level by default and not collecting location data from young users. Additionally, it requires businesses to examine their algorithms and products to evaluate how young users might be impacted, determining whether they are intended to be addictive or potentially endanger children. The Authority’s summary can be found here →
Following the Bill’s passage out of the Energy and Commerce Committee, Speaker Nancy Pelosi released a statement on the American Data Privacy and Protection Act (the ADPPA). Pelosi praised the Committee for its work on the ADPPA and the inclusion of consumer rights for personal data protection. Read the statement here →
The second reading of the UK Data Protection and Digital Information Bill [Bill 143 2022-23], which was introduced in the House of Commons on 18 July 2022, is scheduled for 5 September 2022. The Bill is intended to update and simplify the UK’s data protection framework to reduce burdens on organizations while maintaining high data protection standards. Access the Bill here →
The updated Federal Act on Data Protection of 1992 (the Revised FADP), along with two new ordinances on data protection and on data protection certificates, will go into effect on September 1, 2023. The Federal Council provided that organizations should have a year to comply with the new regulations during the transition period. See our guide here for more information on the new FADP →
4) Strong Impact Tech
According to TechCrunch, a “massive” data leak affected the face recognition and license plate database of the Chinese technology business Xinai Electronics. The Xinai database included more than 800 million records. Human error was said to have “likely” caused the incident. Read more on our blog →
On Monday, September 5, 2022, a number of cybersecurity experts tweeted about the alleged discovery of a server breach that gave access to TikTok’s storage that they believe contained personal user information. A few days ago, Microsoft Corp. announced that it had discovered a “high-severity vulnerability” in TikTok’s Android app that “would have allowed attackers to compromise users’ accounts with a single click.” TikTok denied the allegations of a breach that was found over the weekend. As reported here on our blog →
Other key information from the past weeks
NOYB filed a complaint with the French Data Protection Authority (CNIL) against Google. NOYB claims that the tech giant has consistently disregarded the Court of Justice of the European Union’s (CJEU) decision regarding direct marketing emails and used Gmail to send spam.
LastPass, a password management provider, suffered a security breach two weeks ago, giving hackers access to the company’s source code and confidential technical data.
Small businesses can now follow a six-step guide from the UK DPA (Information Commissioner’s Office or ICO) on handling their data protection complaints.