DPO Newsletter: Data Protection & Privacy News (issue #8)

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• The UK’s Data Protection Authority (the ICO) has opened a public consultation on its draft guidance on anonymisation, pseudonymisation, and privacy-enhancing technologies. View the draft guidance here →
• The French Data Protection Authority (the CNIL) has opened a public consultation on the draft guidance on processing data with regards to the medical and social support of minors’. Read or reply to the consultation here → (available in French)
• Denmark’s Data Protection Authority (the Datatilsynet) has published a draft guidance on data processing in the context of direct marketing activities. Read the draft guidance here → (available in Danish)
• The European Data Protection Supervisor (EDPS) has issued an Audit Fact Sheet. Full details here →

2) Notable Case Law

• The UK’s ICO has fined a political party for sending direct marketing emails without proof of consent. The ICO also found that the party had not kept clear records of the legal bases of processing. Read the press release here →
• The US Supreme Court overturned a decision convicting a police officer under the Computer Fraud and Abuse Act, for misusing a government database, in the context of an investigation. The police officer was not considered to be guilty of fraud as the database had been made available to him – regardless of the motive. View the judgment here →

3) New and Upcoming Legislation

• European Union – the modernised standard contractual clauses (SCCs) for the transfer of personal data to third countries were published by the European Commission (EC), and will be issued in the Official Journal of the EC in the coming days. From then on, companies will have 18 months and 20 days to comply.
  The new SCCs take into account the Schrems II case and include four types of data transfers: controller-to-controller (C2C), controller-to-processor (C2P), processor-to-controller (P2C) and, processor-to-processor (P2P). See our detailed post on the Privacy Shield Invalidation here →
• United States (California) – the California Privacy Protection Agency Board will hold its inaugural meeting on June 14th, 2021. Link to the meeting →
• United States (Executive Order) – the US government has issued a ban on investments in a number of Chinese tech and military companies.
• The Organisation for Economic Co-operation and Development (OECD) – The OECD has adopted Recommendation for children in the Digital Environment, which notably discusses risks to children’s privacy.
• Canada – the Information and Privacy Commissioners adopted a resolution to reinforce privacy and access to information during and after the pandemic.

4) Strong Impact Tech

• Google Play is expected to further limit ad tracking by removing the advertising ID when a User opts out of personalization in their Android Settings. This is set to affect apps running on Android 12 devices from the end of the year (2021).
• Twitter has launched its Twitter Blue subscription, thus broadening its revenue model from online advertising.

Other Key information from the past weeks:

• The NGO noyb.eu has sent out over 500 draft complaints to website owners for their implementation of cookie banners.
• The US Federal Trade Commission (FTC) has published a Privacy and Data Security Update.
• The Brazilian Data Protection Authority has published a Guidance which specifies the role of the Data Controllers and of Data Protection Officers.