Data Privacy Insights
PIPC in South Korea updates the DPIA handbookDate: 22 April 2024
The standards for performing data privacy impact assessments under the Personal Information privacy Act have been modified by the Personal Information Protection Committee of South Korea. New sections on automated decision-making technologies, pseudonymous information processing, and adjustments to the evaluation system are included in the updated notice.
The standards for performing data privacy impact assessments under the Personal Information privacy Act have been modified by the Personal Information Protection Committee of South Korea. New sections on automated decision-making technologies, pseudonymous information processing, and adjustments to the evaluation system are included in the updated notice.
Financial and medical details are sold by a ransomware organization after a data breachDate: 22 April 2024
Following a breach on Change Healthcare, the ransomware group Ransom Hub declared that it is selling the financial and medical details of American citizens, according to Wired. It's probably an attempt to get more ransom payments from the healthcare businesses affected by the breach, according to Brett Callow, Emsisoft Threat Analyst, and "less about actually selling the data." Editor's note: Ransomware trends were covered in a recent edition of The Privacy Advisor Podcast.
Following a breach on Change Healthcare, the ransomware group Ransom Hub declared that it is selling the financial and medical details of American citizens, according to Wired. It's probably an attempt to get more ransom payments from the healthcare businesses affected by the breach, according to Brett Callow, Emsisoft Threat Analyst, and "less about actually selling the data." Editor's note: Ransomware trends were covered in a recent edition of The Privacy Advisor Podcast.
US House passes bill restricting sales of personal information to law enforcement and intelligence organizationsDate: 22 April 2024
According to CyberScoop, the Fourth Amendment is Not for Sale Act was enacted by the US House of Representatives and forbids law enforcement and intelligence services from purchasing personal data from data brokers without first getting a search warrant. Section 702 of the Foreign Intelligence Surveillance Act was to be reauthorized. In the meanwhile, the Office of Management and Budget released a statement supporting the House bill and one opposing the measure on behalf of the White House.
According to CyberScoop, the Fourth Amendment is Not for Sale Act was enacted by the US House of Representatives and forbids law enforcement and intelligence services from purchasing personal data from data brokers without first getting a search warrant. Section 702 of the Foreign Intelligence Surveillance Act was to be reauthorized. In the meanwhile, the Office of Management and Budget released a statement supporting the House bill and one opposing the measure on behalf of the White House.
Colorado enacts legislation to safeguard brain dataDate: 22 April 2024
The Colorado Privacy Act was amended by the Colorado General Assembly to protect sensitive biometric and "neural data," according to The New York Times. The goal of the law is to shield users from gadgets that record information about brain function. Cathy Kipp, a Democratic state representative from Colorado, stated that although technology has its advantages, "there should be some guardrails in place for people who aren't intending to have their thoughts read and their biological data used."
The Colorado Privacy Act was amended by the Colorado General Assembly to protect sensitive biometric and "neural data," according to The New York Times. The goal of the law is to shield users from gadgets that record information about brain function. Cathy Kipp, a Democratic state representative from Colorado, stated that although technology has its advantages, "there should be some guardrails in place for people who aren't intending to have their thoughts read and their biological data used."
Resistance exists to US state attempts to enact legislation protecting minors onlineDate: 22 April 2024
The Guardian details how internet companies are opposing state-level initiatives to enact rules protecting children's safety online. While opponents claim the proposals are burdensome and would violate free speech rights, supporters of the legislation argue that they are essential for safeguarding children's data and preventing harm to them on social networking sites.
The Guardian details how internet companies are opposing state-level initiatives to enact rules protecting children's safety online. While opponents claim the proposals are burdensome and would violate free speech rights, supporters of the legislation argue that they are essential for safeguarding children's data and preventing harm to them on social networking sites.
Ahead of the Olympics, French officials get ready for cyberattacksDate: 22 April 2024
According to The New York Times, Parisian officials are being ready for any cyberattacks that might affect this year's Summer Olympics. Cybersecurity tactics have been employed by the organizers of the Olympics, whereby "ethical hackers are hired to attack systems in place for the Games, and 'bug bounties' are offered to those who discover vulnerabilities."
According to The New York Times, Parisian officials are being ready for any cyberattacks that might affect this year's Summer Olympics. Cybersecurity tactics have been employed by the organizers of the Olympics, whereby "ethical hackers are hired to attack systems in place for the Games, and 'bug bounties' are offered to those who discover vulnerabilities."
Retailer allegedly violated Illinois' BIPA, according to a class-action lawsuitDate: 22 April 2024
According to NBC Chicago, retailer Target is being sued as a class action for allegedly using the store's surveillance systems to violate Illinois' Biometric Information Privacy Act. According to the lawsuit, the business uses its antitheft facial recognition technologies to harvest biometric data without getting customers' permission.
According to NBC Chicago, retailer Target is being sued as a class action for allegedly using the store's surveillance systems to violate Illinois' Biometric Information Privacy Act. According to the lawsuit, the business uses its antitheft facial recognition technologies to harvest biometric data without getting customers' permission.
Telehealth company fined $7 million by the FTC for violating privacy notificationDate: 22 April 2024
A federal judge must approve a proposed order filed by the U.S. Federal Trade Commission accusing a mental health telehealth company of deceiving customers about its cancelation rules and breaching their privacy notice. For requesting personally identifiable information from clients, Cerebral and its CEO, Kyle Robertson, were fined USD7 million by the FTC. The FTC claims that the business thereafter sold that information to unidentified parties.
A federal judge must approve a proposed order filed by the U.S. Federal Trade Commission accusing a mental health telehealth company of deceiving customers about its cancelation rules and breaching their privacy notice. For requesting personally identifiable information from clients, Cerebral and its CEO, Kyle Robertson, were fined USD7 million by the FTC. The FTC claims that the business thereafter sold that information to unidentified parties.
Greece penalizes data controller for violation under DPADate: 22 April 2024
Following a data breach that exposed the Hellenic Post's files and malware installations, the organization was fined 2.99 million euros by the Hellenic Data Protection Authority. According to the EU General Data Protection Regulation, the authorities concluded that the company did not provide adequate protections.
Following a data breach that exposed the Hellenic Post's files and malware installations, the organization was fined 2.99 million euros by the Hellenic Data Protection Authority. According to the EU General Data Protection Regulation, the authorities concluded that the company did not provide adequate protections.
US House holds hearing on discussion draft of the American Privacy Rights ActDate: 15 April 2024
On April 17, the Innovation, Data, and Commerce Subcommittee of the U.S. House Committee on Energy and Commerce will hold a hearing centered on the several online safety and data privacy proposals that are being considered by the house, including the American Privacy Rights Act. The Children's Online Privacy Protection Act revisions, the proposed Kids Online Safety Act, and other topics will be discussed by the committee.
On April 17, the Innovation, Data, and Commerce Subcommittee of the U.S. House Committee on Energy and Commerce will hold a hearing centered on the several online safety and data privacy proposals that are being considered by the house, including the American Privacy Rights Act. The Children's Online Privacy Protection Act revisions, the proposed Kids Online Safety Act, and other topics will be discussed by the committee.
Mastercard publishes a technology guide that enhances privacyDate: 15 April 2024
In addition to sharing information about privacy-enhancing technologies, Mastercard emphasized the significance of utilizing PETs to reduce security threats in the banking sector. According to Mastercard, in order to sustain the advancement of inventive data and privacy, authorities and institutions must work together to enhance the utilization of PETs.
In addition to sharing information about privacy-enhancing technologies, Mastercard emphasized the significance of utilizing PETs to reduce security threats in the banking sector. According to Mastercard, in order to sustain the advancement of inventive data and privacy, authorities and institutions must work together to enhance the utilization of PETs.
PCPD talks about safeguarding personal information of workersDate: 15 April 2024
The Office of the Privacy Commissioner for Personal Data in Hong Kong provided advice on using messaging apps to share information with human resources. Organizations must to establish guidelines that clarify "relevant legislative requirements, describe the data protection measures and procedures adopted by organisations, outline employees’ responsibilities in protecting personal data, and provide clear guidance on the secure usage of personal data."
The Office of the Privacy Commissioner for Personal Data in Hong Kong provided advice on using messaging apps to share information with human resources. Organizations must to establish guidelines that clarify "relevant legislative requirements, describe the data protection measures and procedures adopted by organisations, outline employees’ responsibilities in protecting personal data, and provide clear guidance on the secure usage of personal data."
Canada releases a package of investments in AIDate: 15 April 2024
Canada's Justin Trudeau, the prime minister, revealed a CAD 2.4 billion investment in the nation's artificial intelligence infrastructure, which includes supporting AI startups and providing processing capacity. A research division devoted to the responsible advancement of AI and support for individuals whose jobs may be affected by the technology is also included in the package.
Canada's Justin Trudeau, the prime minister, revealed a CAD 2.4 billion investment in the nation's artificial intelligence infrastructure, which includes supporting AI startups and providing processing capacity. A research division devoted to the responsible advancement of AI and support for individuals whose jobs may be affected by the technology is also included in the package.
Health data disclosures of alcohol addiction treatment services are prohibited by an FTC injunctionDate: 15 April 2024
Under a proposed settlement, the U.S. Federal Trade Commission prohibited alcohol addiction treatment provider Monument from providing advertisers with health information. Claims that Monument had given that information to outside marketers without permission are resolved by the order. Additionally, the FTC mandated revised privacy policies, customer openness, and data erasure as corrective actions.
Under a proposed settlement, the U.S. Federal Trade Commission prohibited alcohol addiction treatment provider Monument from providing advertisers with health information. Claims that Monument had given that information to outside marketers without permission are resolved by the order. Additionally, the FTC mandated revised privacy policies, customer openness, and data erasure as corrective actions.
Report on Cyberport cyberattack released by PCPDDate: 15 April 2024
The investigative report of Hong Kong's Office of the Privacy Commissioner for Personal Data regarding the cyberattack on Cyberport, which impacted 13,000 individuals, was published. The PCPD stated that Cyberport "failed to implement sufficient and effective measures to ensure the security of its information systems prior to the incident."
The investigative report of Hong Kong's Office of the Privacy Commissioner for Personal Data regarding the cyberattack on Cyberport, which impacted 13,000 individuals, was published. The PCPD stated that Cyberport "failed to implement sufficient and effective measures to ensure the security of its information systems prior to the incident."
New GDPR procedural rules are approved by the European ParliamentDate: 15 April 2024
New procedural guidelines pertaining to the enforcement of the EU General Data Protection Regulation were adopted by the European Parliament. The proposed regulations seek to strengthen dispute resolution procedures, align procedural rights and laws, and increase the level of collaboration between the various data protection authorities of EU member states in order to unify data flows among them. After the June EU-wide elections, the newly elected European Parliament will probably take additional action on the legislation.
New procedural guidelines pertaining to the enforcement of the EU General Data Protection Regulation were adopted by the European Parliament. The proposed regulations seek to strengthen dispute resolution procedures, align procedural rights and laws, and increase the level of collaboration between the various data protection authorities of EU member states in order to unify data flows among them. After the June EU-wide elections, the newly elected European Parliament will probably take additional action on the legislation.
Kids Code' passed by MarylandDate: 15 April 2024
In regards to consumer protection, internet services, and the use of children's personal data, the Maryland General Assembly passed Senate Bill 571, also referred to as the "Maryland Kids Code." The measure mandates that, before April 1, 2026, businesses that provide goods or services online complete a data protection impact assessment outlining specific hazards such goods may cause to children's online safety. The bill is awaiting the governor's signature and will go into effect on October 1.
In regards to consumer protection, internet services, and the use of children's personal data, the Maryland General Assembly passed Senate Bill 571, also referred to as the "Maryland Kids Code." The measure mandates that, before April 1, 2026, businesses that provide goods or services online complete a data protection impact assessment outlining specific hazards such goods may cause to children's online safety. The bill is awaiting the governor's signature and will go into effect on October 1.
Third-party cookies that have been stolen could let hackers validate dataDate: 15 April 2024
According to MediaPost, hackers may be able to confirm stolen data by looking through third-party cookies and accessing online accounts without a password. Adrianus Warmenhoven, a member of the NordVPN Security Advisory Board, stated that "an attacker can potentially login into your account without having your password or needing (multifactor authentication)" if an active cookie is stolen.
According to MediaPost, hackers may be able to confirm stolen data by looking through third-party cookies and accessing online accounts without a password. Adrianus Warmenhoven, a member of the NordVPN Security Advisory Board, stated that "an attacker can potentially login into your account without having your password or needing (multifactor authentication)" if an active cookie is stolen.
The CFPB says that buying video games online raises financial privacy concernsDate: 15 April 2024
Because of the volume of data gathered within gaming marketplaces, the U.S. Consumer Financial Protection Bureau published a report outlining financial privacy problems associated with online video game transactions. The Consumer Financial Protection Bureau (CFPB) stated that video games can "track players' location data, which can generate an accurate portrait of a player's daily routines, such as their home address, places of employment or worship, and health and medical status."
Because of the volume of data gathered within gaming marketplaces, the U.S. Consumer Financial Protection Bureau published a report outlining financial privacy problems associated with online video game transactions. The Consumer Financial Protection Bureau (CFPB) stated that video games can "track players' location data, which can generate an accurate portrait of a player's daily routines, such as their home address, places of employment or worship, and health and medical status."
The PIPC of South Korea has released a compliance guide for foreign enterprisesDate: 15 April 2024
A handbook to assist foreign enterprises in adhering to the Personal Information Protection Act has been produced by the Personal Information Protection Commission of South Korea. The handbook concentrates on authorized legal amendments for 2023 that companies may have overlooked.
A handbook to assist foreign enterprises in adhering to the Personal Information Protection Act has been produced by the Personal Information Protection Commission of South Korea. The handbook concentrates on authorized legal amendments for 2023 that companies may have overlooked.
The US federal privacy law appears to be resurfacingDate: 08 April 2024
Unexpectedly, two influential members of the US Congress unveiled a bipartisan, bicameral federal privacy law draft on April 5. The draft legislation was published on Sunday by Sen. Maria Cantwell, D-Wash., the chair of the Senate Committee on Commerce, Science, and Transportation, and Rep. Cathy McMorris Rodgers, R-Wash., the chair of the U.S. House Committee on Energy and Commerce. Jedidiah Bracy, the editorial director of IAPP, provides commentary on the proposed discussion bill together with input from privacy and data protection stakeholders.
Unexpectedly, two influential members of the US Congress unveiled a bipartisan, bicameral federal privacy law draft on April 5. The draft legislation was published on Sunday by Sen. Maria Cantwell, D-Wash., the chair of the Senate Committee on Commerce, Science, and Transportation, and Rep. Cathy McMorris Rodgers, R-Wash., the chair of the U.S. House Committee on Energy and Commerce. Jedidiah Bracy, the editorial director of IAPP, provides commentary on the proposed discussion bill together with input from privacy and data protection stakeholders.
Dissecting the American Privacy Rights Act as it is proposedDate: 08 April 2024
Today, Monday, April 8, the IAPP will hold a LinkedIn Live event to start breaking down the elements of the recently released draft American Privacy Rights Act. IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP/US, along with Center for Democracy and Technology Vice President of Policy Samir Jain and Future of Privacy Forum Director for U.S. Legislation Keir Lamont, CIPP/US, will discuss the significance of the bill, its noteworthy provisions, and potential implications for privacy professionals and businesses.
Today, Monday, April 8, the IAPP will hold a LinkedIn Live event to start breaking down the elements of the recently released draft American Privacy Rights Act. IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP/US, along with Center for Democracy and Technology Vice President of Policy Samir Jain and Future of Privacy Forum Director for U.S. Legislation Keir Lamont, CIPP/US, will discuss the significance of the bill, its noteworthy provisions, and potential implications for privacy professionals and businesses.
Microsoft is going to create alert barriers for its AI chatbots.Date: 08 April 2024
According to Fortune, Microsoft is creating prompt shields for its AI chatbots to prevent users from posing "weird" questions to the chatbots. Potential hackers will also be discouraged by the shield, which promises to "spot suspicious inputs and block them in real time."
According to Fortune, Microsoft is creating prompt shields for its AI chatbots to prevent users from posing "weird" questions to the chatbots. Potential hackers will also be discouraged by the shield, which promises to "spot suspicious inputs and block them in real time."
In 2024, ICO will give children's online privacy top priorityDate: 08 April 2024
With a new Children's Code strategy, the U.K. Information Commissioner's Office will continue to place a high priority on protecting children's online privacy. The code "builds on progress to date" and will concentrate on ways to assure compliance, enforce the law, and limit the collecting of children's data online. John Edwards, the Information Commissioner for the United Kingdom, stated that he is "calling on social media and in 2024, ICO will give children's online privacy top priority.
With a new Children's Code strategy, the U.K. Information Commissioner's Office will continue to place a high priority on protecting children's online privacy. The code "builds on progress to date" and will concentrate on ways to assure compliance, enforce the law, and limit the collecting of children's data online. John Edwards, the Information Commissioner for the United Kingdom, stated that he is "calling on social media and in 2024, ICO will give children's online privacy top priority.
US and UK will collaborate on AI safetyDate: 08 April 2024
A memorandum of understanding was signed between the AI Safety Institutes of the United Kingdom and the United States to collaborate on research, evaluations, and guidelines related to AI safety. Tests for advanced AI models will be developed as part of the partnership, which comes after the U.K.'s AI Safety Summit in November. It also "will see both countries working to align their scientific approaches and working closely to accelerate and rapidly iterate robust suites of evaluations for AI models, systems, and agents."
A memorandum of understanding was signed between the AI Safety Institutes of the United Kingdom and the United States to collaborate on research, evaluations, and guidelines related to AI safety. Tests for advanced AI models will be developed as part of the partnership, which comes after the U.K.'s AI Safety Summit in November. It also "will see both countries working to align their scientific approaches and working closely to accelerate and rapidly iterate robust suites of evaluations for AI models, systems, and agents."
During a data breach, a ransomware organization demanded $30 million from a Las Vegas casinoDate: 08 April 2024
According to The Wall Street Journal, the ransomware gang Star Fraud demanded a USD30 million ransom payment for data that was acquired during a cyberattack on MGM Resorts International in September 2023. A $100 million loss in revenue was caused by the cyberattack that compromised the casino's systems and exposed personally identifying information of its patrons.
According to The Wall Street Journal, the ransomware gang Star Fraud demanded a USD30 million ransom payment for data that was acquired during a cyberattack on MGM Resorts International in September 2023. A $100 million loss in revenue was caused by the cyberattack that compromised the casino's systems and exposed personally identifying information of its patrons.
To resolve a privacy lawsuit pertaining to "incognito," Google will erase user dataDate: 08 April 2024
As part of its settlement in a U.S. lawsuit, Google will wipe data gathered via the incognito Chrome browsing option, according to The Wall Street Journal. Furthermore, Google needs to "maintain a change to Incognito mode that enables users to block third-party cookies by default" in addition to updating the user data it gathers during private surfing. It does not include damages in the settlement, but it does let users make separate claims.
As part of its settlement in a U.S. lawsuit, Google will wipe data gathered via the incognito Chrome browsing option, according to The Wall Street Journal. Furthermore, Google needs to "maintain a change to Incognito mode that enables users to block third-party cookies by default" in addition to updating the user data it gathers during private surfing. It does not include damages in the settlement, but it does let users make separate claims.
The FTC and CFPB want to make consumer reporting businesses answerable for fixing errorsDate: 08 April 2024
The Federal Trade Commission and the U.S. Consumer Financial Protection Bureau filed an amicus brief in the U.S. Court of Appeals for the 11th Circuit, addressing what they described as a "erroneous argument" regarding the Fair Credit Reporting Act's requirement that consumer reporting companies correct errors in consumer data. Responding to Experian Information Solutions' assertion in a lawsuit brought by consumers that the mandate does not extend to personally identifiable information, the CFPB stated its goal is "to help ensure people can hold consumer reporting companies accountable when they violate the law in this manner."
The Federal Trade Commission and the U.S. Consumer Financial Protection Bureau filed an amicus brief in the U.S. Court of Appeals for the 11th Circuit, addressing what they described as a "erroneous argument" regarding the Fair Credit Reporting Act's requirement that consumer reporting companies correct errors in consumer data. Responding to Experian Information Solutions' assertion in a lawsuit brought by consumers that the mandate does not extend to personally identifiable information, the CFPB stated its goal is "to help ensure people can hold consumer reporting companies accountable when they violate the law in this manner."
Garante penalizes trash management firms for violating the privacy of their workersDate: 08 April 2024
Five garbage disposal businesses were penalized by Italy's data protection body, the Garante, for allegedly using facial recognition technology to evaluate staff attendance. According to the DPA, it gave the companies instructions to remove the biometric information and replace it with "less intrusive methods to manage the presence of their workers and associates in the work environment."
Five garbage disposal businesses were penalized by Italy's data protection body, the Garante, for allegedly using facial recognition technology to evaluate staff attendance. According to the DPA, it gave the companies instructions to remove the biometric information and replace it with "less intrusive methods to manage the presence of their workers and associates in the work environment."
Following a data leak, AT&T resets 7.6 million customer passcodesDate: 08 April 2024
7.6 million users' passcodes were changed by AT&T, according to the New York Times, after it discovered that data had been "released on the dark web." The business also discovered that Social Security numbers were present in some of the datasets and that the breach impacted the data of 65.4 million previous account holders. "With the assistance of both internal and external cybersecurity specialists, AT&T has initiated a thorough investigation. The data set looks to be from 2019 or earlier, based on our initial investigation," AT&T said.
7.6 million users' passcodes were changed by AT&T, according to the New York Times, after it discovered that data had been "released on the dark web." The business also discovered that Social Security numbers were present in some of the datasets and that the breach impacted the data of 65.4 million previous account holders. "With the assistance of both internal and external cybersecurity specialists, AT&T has initiated a thorough investigation. The data set looks to be from 2019 or earlier, based on our initial investigation," AT&T said.
Guidelines for the positive credit information registry are released by Finland's DPADate: 08 April 2024
Guidelines on the collecting of personal data for the positive credit information registry were released by the Office of the Data Protection Ombudsman in Finland. Although residents do not have the ability to request that their data be destroyed or to object to its processing, the DPA will oversee the processing of residents' data through the positive credit information register. On April 1st, the positive credit information register became operative.
Guidelines on the collecting of personal data for the positive credit information registry were released by the Office of the Data Protection Ombudsman in Finland. Although residents do not have the ability to request that their data be destroyed or to object to its processing, the DPA will oversee the processing of residents' data through the positive credit information register. On April 1st, the positive credit information register became operative.
OCR and nursing home resolve HIPAA Right of Access Initiative conflictDate: 08 April 2024
The 47th settlement under the Health Insurance Portability and Accountability Act Right of Access Initiative was announced by the Office for Civil Rights of the U.S. Department of Health and Human Services. Phoenix Healthcare, a nursing home operator located in Oklahoma, agreed to pay USD 35,000 as part of the settlement and update its HIPAA policies and procedures to "address the Privacy Rule's requirements concerning an individual's right of access to Protected Health Information."
The 47th settlement under the Health Insurance Portability and Accountability Act Right of Access Initiative was announced by the Office for Civil Rights of the U.S. Department of Health and Human Services. Phoenix Healthcare, a nursing home operator located in Oklahoma, agreed to pay USD 35,000 as part of the settlement and update its HIPAA policies and procedures to "address the Privacy Rule's requirements concerning an individual's right of access to Protected Health Information."
Garante issues guidelines for protecting patient privacy when shopping onlineDate: 01 April 2024
Guidelines on the processing of personal data for online health care portals have been released by the Garante, Italy's data protection body. The goal of the guidelines is to guarantee that patient information shared on the internet with healthcare providers is processed as little as possible and is secure with the right measures in place.
Guidelines on the processing of personal data for online health care portals have been released by the Garante, Italy's data protection body. The goal of the guidelines is to guarantee that patient information shared on the internet with healthcare providers is processed as little as possible and is secure with the right measures in place.
Five-year GDPR compliance study released by CNILDate: 01 April 2024
The Commission nationale de l'informatique et des libertés, France's data protection body, published a report on the development of data protection following the adoption of the EU General Data Protection Regulation. 17,483 data breach notifications have been sent to the CNIL since 2018, with "half of the violations (were notified) in less than 10 hours."
The Commission nationale de l'informatique et des libertés, France's data protection body, published a report on the development of data protection following the adoption of the EU General Data Protection Regulation. 17,483 data breach notifications have been sent to the CNIL since 2018, with "half of the violations (were notified) in less than 10 hours."
The DPA of South Africa provides updates on current data protection inquiriesDate: 01 April 2024
The Promotion of Access to Information Act and the Protection of Personal Information Act were enforced, and the Information Regulator of South Africa provided details of its investigations. The DPA identified infractions when it "conducted (108) PAIA assessments on public and private bodies, including political parties, universities, national (and) provincial government departments and JSE-listed companies.
The Promotion of Access to Information Act and the Protection of Personal Information Act were enforced, and the Information Regulator of South Africa provided details of its investigations. The DPA identified infractions when it "conducted (108) PAIA assessments on public and private bodies, including political parties, universities, national (and) provincial government departments and JSE-listed companies.
OPC outlines the takeaways from the CRA and ESDC breachesDate: 01 April 2024
Key findings from the Office of the Privacy Commissioner of Canada's investigation into the 2020 data breach of Employment and Social Development Canada's "GCKey" authentication program and the Canada Revenue Agency sign-in portal were released. Regular security assessments and the implementation of programs and services to mitigate privacy threats are among the recommendations.
Key findings from the Office of the Privacy Commissioner of Canada's investigation into the 2020 data breach of Employment and Social Development Canada's "GCKey" authentication program and the Canada Revenue Agency sign-in portal were released. Regular security assessments and the implementation of programs and services to mitigate privacy threats are among the recommendations.
Microsoft promises privacy to customers of Copilot and the Azure OpenAI ServiceDate: 01 April 2024
Microsoft pledged to protect the privacy of its customers' data when they use its Copilot and Microsoft Azure OpenAI services in a blog post. The post was written for both commercial and public sectors. Among the commitments made by clients adopting artificial intelligence-powered platforms are the preservation of control over their organization's data and the guarantee that the platforms respect their organizational access policies.
Microsoft pledged to protect the privacy of its customers' data when they use its Copilot and Microsoft Azure OpenAI services in a blog post. The post was written for both commercial and public sectors. Among the commitments made by clients adopting artificial intelligence-powered platforms are the preservation of control over their organization's data and the guarantee that the platforms respect their organizational access policies.
The children's data protection guidance is updated by Singapore's PDPCDate: 01 April 2024
An advisory handbook on adhering to the children's privacy regulations in the Personal Data Protection Act of 2012 was published by Singapore's Personal Data Protection Commission. Stakeholders are advised by the guidance to review the act to see whether any queries are left unanswered by the papers.
An advisory handbook on adhering to the children's privacy regulations in the Personal Data Protection Act of 2012 was published by Singapore's Personal Data Protection Commission. Stakeholders are advised by the guidance to review the act to see whether any queries are left unanswered by the papers.
Cyberattack Reporting Regulations Released by CISADate: 01 April 2024
According to The Wall Street Journal, the U.S. Cybersecurity and Infrastructure Security Agency published cyberattack reporting guidelines for businesses that manage vital infrastructure. Companies are required under the legislation to "report ransom payments within 24 hours and report significant cyberattacks within 72 hours."
According to The Wall Street Journal, the U.S. Cybersecurity and Infrastructure Security Agency published cyberattack reporting guidelines for businesses that manage vital infrastructure. Companies are required under the legislation to "report ransom payments within 24 hours and report significant cyberattacks within 72 hours."
Edtech businesses are under investigation for student privacyDate: 27 March 2024
Government Technology reports on the rising privacy concerns surrounding education technology companies located in the United States. Recent edtech activities highlighted include a letter from U.S. Sen. Tom Cotton, R-Ark., to the U.S. Department of Defense against the usage of Tutor.com and a USD775,000 fine imposed by the New York attorney general's office on College Board.
Government Technology reports on the rising privacy concerns surrounding education technology companies located in the United States. Recent edtech activities highlighted include a letter from U.S. Sen. Tom Cotton, R-Ark., to the U.S. Department of Defense against the usage of Tutor.com and a USD775,000 fine imposed by the New York attorney general's office on College Board.
Hong Kong's PCPD initiates an inquiry into data breachesDate: 27 March 2024
The Office of the Privacy Commissioner for Personal Data in Hong Kong has initiated an inquiry into a cyberattack on the South China Athletic Association, which affected 70,000 members, according to the South China Morning Post. Members' personally identifiable information may have been compromised owing to a "unauthorised third-party intrusion," according to the SCAA.
The Office of the Privacy Commissioner for Personal Data in Hong Kong has initiated an inquiry into a cyberattack on the South China Athletic Association, which affected 70,000 members, according to the South China Morning Post. Members' personally identifiable information may have been compromised owing to a "unauthorised third-party intrusion," according to the SCAA.
Norway's DPA fines public entities NOK20 millionDate: 27 March 2024
Datatilsynet, Norway's data protection authority, penalized the Norwegian Labor and Welfare Office NOK20 million for large-scale personal data processing that lacked adequate safeguards and access restrictions. Datatilysnet began its inquiry in September 2023 and discovered "a number of breaches of the law."
Datatilsynet, Norway's data protection authority, penalized the Norwegian Labor and Welfare Office NOK20 million for large-scale personal data processing that lacked adequate safeguards and access restrictions. Datatilysnet began its inquiry in September 2023 and discovered "a number of breaches of the law."
Finland's DPA fines internet shop for data retention compliance concernsDate: 27 March 2024
Finland's Data Protection Ombudsman penalized online retailer Verkkokauppa.com 856,000 euros for claimed ambiguous data retention rules and asking consumers to create an account to purchase things, both of which violated the EU General Data Protection Regulation. Meanwhile, Finland's Supreme Administrative Court agreed with the DPA in a case involving the removal of Google search results connected to a person's detention in 2010.
Finland's Data Protection Ombudsman penalized online retailer Verkkokauppa.com 856,000 euros for claimed ambiguous data retention rules and asking consumers to create an account to purchase things, both of which violated the EU General Data Protection Regulation. Meanwhile, Finland's Supreme Administrative Court agreed with the DPA in a case involving the removal of Google search results connected to a person's detention in 2010.
US Senate measure would demand consent for AI training dataDate: 27 March 2024
A measure filed by U.S. Senators Ben Ray Luján, D-N.M., and Peter Welch, D-Vt., would compel internet platforms to obtain customers' consent before using their data to train AI systems. The Artificial Intelligence Consumer Opt-In, Notification Standards, and Ethical Norms for Training Act would require firms to warn customers when their data may be utilized and provide an opt-out choice.
A measure filed by U.S. Senators Ben Ray Luján, D-N.M., and Peter Welch, D-Vt., would compel internet platforms to obtain customers' consent before using their data to train AI systems. The Artificial Intelligence Consumer Opt-In, Notification Standards, and Ethical Norms for Training Act would require firms to warn customers when their data may be utilized and provide an opt-out choice.
DOT will probe major US airlines' privacy policiesDate: 27 March 2024
U.S. Secretary of Transportation Pete Buttigieg announced that his administration will investigate the privacy policies of the country's top ten airlines. The investigation will focus on how data is gathered, whether it is adequately safeguarded, and whether airlines illegally sell or share the information with third parties.
U.S. Secretary of Transportation Pete Buttigieg announced that his administration will investigate the privacy policies of the country's top ten airlines. The investigation will focus on how data is gathered, whether it is adequately safeguarded, and whether airlines illegally sell or share the information with third parties.
Iceland's DPA imposes ISK1.5 million employee monitoring penaltiesDate: 27 March 2024
Persónuvernd, Iceland's data protection authority, fined Stjörnuna ehf, the company that operates Iceland's Subway restaurants, ISK 1.5 million. After investigating an employee complaint claiming nonconsensual employer monitoring via surveillance cameras, the Persónuvernd determined that the enterprise "did not comply with the law on personal protection and processing of personal information."
Persónuvernd, Iceland's data protection authority, fined Stjörnuna ehf, the company that operates Iceland's Subway restaurants, ISK 1.5 million. After investigating an employee complaint claiming nonconsensual employer monitoring via surveillance cameras, the Persónuvernd determined that the enterprise "did not comply with the law on personal protection and processing of personal information."
Saudi Arabia's DPA creates restrictions for personal data transfersDate: 27 March 2024
The Saudi Authority for Data and Artificial Intelligence released draft guidelines for transferring personal data outside the country while maintaining acceptable privacy protections. The proposed regulation is available for public comment until April 18.
The Saudi Authority for Data and Artificial Intelligence released draft guidelines for transferring personal data outside the country while maintaining acceptable privacy protections. The proposed regulation is available for public comment until April 18.
CAC issues amended guidelines for cross-border data transfersDate: 27 March 2024
China's Cyberspace Administration has announced amended guidelines controlling cross-border data transfers, including reporting criteria for security evaluations of data exports, according to Reuters. Commerce-generated data, including information related to international trade and transportation that does not contain personal or "important data," is not subject to the new laws.
China's Cyberspace Administration has announced amended guidelines controlling cross-border data transfers, including reporting criteria for security evaluations of data exports, according to Reuters. Commerce-generated data, including information related to international trade and transportation that does not contain personal or "important data," is not subject to the new laws.
Denmark's DPA declined to reopen cookie casesDate: 27 March 2024
Denmark's data protection monitor, Datatilsynet, has decided not to revisit issues involving third-party cookie walls used by JFM and GulogGratis. Both firms challenged the agency's previous finding that neither had established that processing personal data gathered via cookie installation was required.
Denmark's data protection monitor, Datatilsynet, has decided not to revisit issues involving third-party cookie walls used by JFM and GulogGratis. Both firms challenged the agency's previous finding that neither had established that processing personal data gathered via cookie installation was required.
CNIL produces personal data security adviceDate: 27 March 2024
The Commission nationale de l'informatique et des libertés, France's data protection body, has produced a personal data security guide for 2024. It focuses on artificial intelligence, mobile apps, cloud computing, and application programming interfaces, as well as how personal information associated with those areas should be treated.
The Commission nationale de l'informatique et des libertés, France's data protection body, has produced a personal data security guide for 2024. It focuses on artificial intelligence, mobile apps, cloud computing, and application programming interfaces, as well as how personal information associated with those areas should be treated.
FTC's FY25 budget request includes the requirements for enforcementDate: 18 March 2024
In its 2025 budget proposal, the U.S. Federal Trade Commission stated that it would require an extra 55 employees to support its enforcement activities. Of these, 10 would be devoted to the growing complexity of privacy concerns and the advancement of artificial intelligence in the advertising sector. USD 535 million was the projected amount for the suggested request for total financial resources.
In its 2025 budget proposal, the U.S. Federal Trade Commission stated that it would require an extra 55 employees to support its enforcement activities. Of these, 10 would be devoted to the growing complexity of privacy concerns and the advancement of artificial intelligence in the advertising sector. USD 535 million was the projected amount for the suggested request for total financial resources.
EDPS determines that the European Commission's usage of Microsoft 365 breaches EU data protection rulesDate: 18 March 2024
The European Data Protection Supervisor determined that the European Commission's usage of Microsoft 365 infringes various aspects of EU Regulation 2018/1725, "the EU's data protection law for EU institutions, bodies, offices and agencies." Notably, the Commission is accused of failing to put in place necessary measures to ensure that personal data moved outside of the European Economic Area got the same degree of protection as it did within the EU. The EDPS directed the Commission to cease all data transfers via Microsoft 365 before December 9th.
The European Data Protection Supervisor determined that the European Commission's usage of Microsoft 365 infringes various aspects of EU Regulation 2018/1725, "the EU's data protection law for EU institutions, bodies, offices and agencies." Notably, the Commission is accused of failing to put in place necessary measures to ensure that personal data moved outside of the European Economic Area got the same degree of protection as it did within the EU. The EDPS directed the Commission to cease all data transfers via Microsoft 365 before December 9th.
Hearing scheduled for Grindr's fine appeal in NorwayDate: 18 March 2024
The dating app Grindr's appeal against a NOK65 million punishment levied by Datatilsynet, Norway's data protection agency, will be heard by the Oslo District Court. Before Grindr filed a lawsuit against the DPA in October 2023, the Personal Protection Board of Norway upheld the sentence in September 2023. According to Datatilsynet, Grindr improperly disclosed user information to advertisers.
The dating app Grindr's appeal against a NOK65 million punishment levied by Datatilsynet, Norway's data protection agency, will be heard by the Oslo District Court. Before Grindr filed a lawsuit against the DPA in October 2023, the Personal Protection Board of Norway upheld the sentence in September 2023. According to Datatilsynet, Grindr improperly disclosed user information to advertisers.
Organizational security measures are examined by AEPDDate: 18 March 2024
The Agencia Española de Protección de Datos, Spain's data protection body, wrote a blog post about the protection of personal data and the efficacy of security measures used by businesses. The distinction between companies that prioritize compliance over information system protection was brought to light by the AEPD.
The Agencia Española de Protección de Datos, Spain's data protection body, wrote a blog post about the protection of personal data and the efficacy of security measures used by businesses. The distinction between companies that prioritize compliance over information system protection was brought to light by the AEPD.
Turkey modifies the PDPLDate: 18 March 2024
The Kişisel Verileri Koruma Kurumu, Turkey's data protection body, has approved changes to the Personal Data Protection Law. Updates to the regulations on processing special categories of personal data and international data transfers are among the modifications. Changes become operative on June 1st.
The Kişisel Verileri Koruma Kurumu, Turkey's data protection body, has approved changes to the Personal Data Protection Law. Updates to the regulations on processing special categories of personal data and international data transfers are among the modifications. Changes become operative on June 1st.
CJEU regulations DPAs can delete data without raising an objectionDate: 18 March 2024
The EU General Data Protection Regulation permits a member state's data protection authority to lawfully order the deletion of an individual's personal information without the data subject having to file a formal complaint with the DPA. This decision was made by the Court of Justice of the European Union. Following a request for interpretation of Hungary's Budapest High Court's ruling, the decision was taken in response to a local government's request for resident personal data from the Hungarian State Treasury in order to issue COVID-19 relief payments.
The EU General Data Protection Regulation permits a member state's data protection authority to lawfully order the deletion of an individual's personal information without the data subject having to file a formal complaint with the DPA. This decision was made by the Court of Justice of the European Union. Following a request for interpretation of Hungary's Budapest High Court's ruling, the decision was taken in response to a local government's request for resident personal data from the Hungarian State Treasury in order to issue COVID-19 relief payments.
Facebook and Zoom face fines related to data gathering in BrazilDate: 18 March 2024
The Diffuse and Collective Interests Court of São Luís decided that Facebook and Zoom had gathered and exchanged personal information without users' agreement via an integration mechanism, and it ordered the businesses to pay BRL20 million and BRL500 to each Brazilian Apple iOS user. The platforms will need to explain how data is gathered and erased.
The Diffuse and Collective Interests Court of São Luís decided that Facebook and Zoom had gathered and exchanged personal information without users' agreement via an integration mechanism, and it ordered the businesses to pay BRL20 million and BRL500 to each Brazilian Apple iOS user. The platforms will need to explain how data is gathered and erased.
Swedish media licensing scheme introduces claimed GDPR gapDate: 18 March 2024
CyberNews claims that a regulation in Sweden pertaining to the granting of "media licenses" would potentially open a gap in the EU General Data Protection Regulation, citing a complaint from the Austrian privacy rights organization NOYB. The group asserts that regardless of whether they function as news organizations or not, businesses that receive a media license are able to gather and sell personal information about individuals.
CyberNews claims that a regulation in Sweden pertaining to the granting of "media licenses" would potentially open a gap in the EU General Data Protection Regulation, citing a complaint from the Austrian privacy rights organization NOYB. The group asserts that regardless of whether they function as news organizations or not, businesses that receive a media license are able to gather and sell personal information about individuals.
Large language models might be risky for privacyDate: 18 March 2024
According to Axios, the employment of huge language models creates data privacy risks since they tend to divulge personal information scraped from the internet without the data subject's consent. Artificial intelligence data breaches can take numerous forms, including inadvertent exposure or malevolent acts such as creating a model that circumvents privacy measures.
According to Axios, the employment of huge language models creates data privacy risks since they tend to divulge personal information scraped from the internet without the data subject's consent. Artificial intelligence data breaches can take numerous forms, including inadvertent exposure or malevolent acts such as creating a model that circumvents privacy measures.
Understanding EU governments' procedures for accessing private dataDate: 18 March 2024
The IAPP Research and Insights Team prepared an infographic with a non-exhaustive list of important tools used by EU law enforcement agencies and governments to get access to private data. In recent years, tight standards for granting government access to data have evolved, leaving businesses to navigate when contacted by a government agency requesting to evaluate various tranches of data.
The IAPP Research and Insights Team prepared an infographic with a non-exhaustive list of important tools used by EU law enforcement agencies and governments to get access to private data. In recent years, tight standards for granting government access to data have evolved, leaving businesses to navigate when contacted by a government agency requesting to evaluate various tranches of data.
Health insurance business allegedly spent $22 million to retrieve data following a ransomware assaultDate: 11 March 2024
A hacker site said UnitedHealth organization paid the "Blackcat" ransomware organization USD22 million to restore the company's stolen personal health data, according to Reuters. UnitedHealth declined to comment on the purported ransom payment, saying it was focused on its investigation and retrieving sensitive data.
A hacker site said UnitedHealth organization paid the "Blackcat" ransomware organization USD22 million to restore the company's stolen personal health data, according to Reuters. UnitedHealth declined to comment on the purported ransom payment, saying it was focused on its investigation and retrieving sensitive data.
Australia regulator fines telco AUD1.5 millionDate: 11 March 2024
According to Reuters, Optus, a telecommunications company, was fined AUD1.5 million by the Australian Communications and Media Authority for allegedly lacking privacy measures. A database utilized by emergency services was allegedly lacking the necessary customer information, putting almost 200,000 Optus customers—who were owned by Singapore Telecommunications—at risk, according to the ACMA.
According to Reuters, Optus, a telecommunications company, was fined AUD1.5 million by the Australian Communications and Media Authority for allegedly lacking privacy measures. A database utilized by emergency services was allegedly lacking the necessary customer information, putting almost 200,000 Optus customers—who were owned by Singapore Telecommunications—at risk, according to the ACMA.
CNIL urges care about genetic testingDate: 11 March 2024
France's data protection body, the Commission nationale de l'informatique and des libertés, has written about the country's ban on recreational genetic testing due to privacy concerns. The agency advised that such tests may only be conducted in certain situations; any purchases made outside of such circumstances may result in a fine and imprisonment.
France's data protection body, the Commission nationale de l'informatique and des libertés, has written about the country's ban on recreational genetic testing due to privacy concerns. The agency advised that such tests may only be conducted in certain situations; any purchases made outside of such circumstances may result in a fine and imprisonment.
European Court of Human Rights advocates robust encryptionDate: 11 March 2024
According to the Washington Post, the European Court of Human Rights found in Telegram's favor in its appeal against Russian authorities seeking to relax its end-to-end security encryption for messages. The court argued that robust encryption is vital for a private existence, which may reduce pressure on social media firms to grant law enforcement access to user data.
According to the Washington Post, the European Court of Human Rights found in Telegram's favor in its appeal against Russian authorities seeking to relax its end-to-end security encryption for messages. The court argued that robust encryption is vital for a private existence, which may reduce pressure on social media firms to grant law enforcement access to user data.
US House introduces a bill prohibiting data brokers from selling sensitive data to unfriendly countriesDate: 11 March 2024
U.S. Reps. Cathy McMorris Rodgers, R-Wash., and Frank Pallone Jr., D-N.J., sponsored the Protecting Americans' Data from Foreign foes Act, which would prohibit data brokers from selling individuals' sensitive data to foreign foes or businesses they control. The measure would allow the Federal Trade Commission to impose fines exceeding USD50,000 for any breach of the law by a data broker.
U.S. Reps. Cathy McMorris Rodgers, R-Wash., and Frank Pallone Jr., D-N.J., sponsored the Protecting Americans' Data from Foreign foes Act, which would prohibit data brokers from selling individuals' sensitive data to foreign foes or businesses they control. The measure would allow the Federal Trade Commission to impose fines exceeding USD50,000 for any breach of the law by a data broker.
American Express reveals data breachDate: 11 March 2024
American Express reported a data breach to the Massachusetts Office of Consumer Affairs and Business Regulation, according to The Washington Post. Following a data breach at a third-party organization, American Express stated that an unspecified number of customers' names, account numbers, and card information had been exposed.
American Express reported a data breach to the Massachusetts Office of Consumer Affairs and Business Regulation, according to The Washington Post. Following a data breach at a third-party organization, American Express stated that an unspecified number of customers' names, account numbers, and card information had been exposed.
New Zealand's privacy commissioner advocates for higher data privacy finesDate: 11 March 2024
Michael Webster, the New Zealand Privacy Commissioner, has stated that he seeks higher sanctions for data privacy crimes. The statements at the National Cyber Security Summit came after two surveys revealed that the public feels entities should face harsher punishments for transgressions.
Michael Webster, the New Zealand Privacy Commissioner, has stated that he seeks higher sanctions for data privacy crimes. The statements at the National Cyber Security Summit came after two surveys revealed that the public feels entities should face harsher punishments for transgressions.
South Korea's PIPC is probing data processing by international merchantsDate: 11 March 2024
South Korea's Personal Information Protection Committee has declared that it is examining overseas merchants' personal data processing operations. The purpose of the PIPC is to "check the adequacy of personal information processing policies, overseas transfers, and safety measure obligations under the Personal Information Protection Act."
South Korea's Personal Information Protection Committee has declared that it is examining overseas merchants' personal data processing operations. The purpose of the PIPC is to "check the adequacy of personal information processing policies, overseas transfers, and safety measure obligations under the Personal Information Protection Act."
Ransomware gang compromises crucial data from the Swiss governmentDate: 11 March 2024
Infosecurity Magazine says that a ransomware organization obtained and released critical material from the Swiss government, including around 65,000 secret papers. The incident also compromised citizens' personally identifying information.
Infosecurity Magazine says that a ransomware organization obtained and released critical material from the Swiss government, including around 65,000 secret papers. The incident also compromised citizens' personally identifying information.
Garante fines bank over data breachDate: 11 March 2024
The Garante, Italy's data protection regulator, fined UniCredit Bank 2.8 million euros for allegedly failing to implement necessary cybersecurity measures to avoid a data breach. The commission also penalized security company NTT Data Italia 800,000 euros for disclosing the intrusion beyond the deadline.
The Garante, Italy's data protection regulator, fined UniCredit Bank 2.8 million euros for allegedly failing to implement necessary cybersecurity measures to avoid a data breach. The commission also penalized security company NTT Data Italia 800,000 euros for disclosing the intrusion beyond the deadline.
OPC opens probe into Global Affairs Canada data breachDate: 04 March 2024
The Office of the Privacy Commissioner of Canada has declared that it will investigate Global Affairs Canada's data breach, which took personal information from workers and internet users. The Ombudsman's Office will "examine the adequacy of the safeguards that are in place to protect personal information and assess compliance with the Privacy Act.
The Office of the Privacy Commissioner of Canada has declared that it will investigate Global Affairs Canada's data breach, which took personal information from workers and internet users. The Ombudsman's Office will "examine the adequacy of the safeguards that are in place to protect personal information and assess compliance with the Privacy Act.
South Africa's DPA issued the first POPIA direct marketing orderDate: 04 March 2024
South Africa's Information Regulator has announced the first direct marketing enforcement under the Protection of Personal Information Act. The regulator ordered IT firm FR Ram Consulting to change its direct marketing procedures to gain sufficient consent before engaging with customers through different marketing messages. The corporation has 90 days to comply with the ruling or risk a punishment of up to ZAR 10 million.
South Africa's Information Regulator has announced the first direct marketing enforcement under the Protection of Personal Information Act. The regulator ordered IT firm FR Ram Consulting to change its direct marketing procedures to gain sufficient consent before engaging with customers through different marketing messages. The corporation has 90 days to comply with the ruling or risk a punishment of up to ZAR 10 million.
Railway corporation to pay $75 million to settle biometrics lawsuitDate: 04 March 2024
A class-action lawsuit alleging that BNSF Railway's use of biometrics violated the Illinois Biometric Information Privacy Act was settled for USD 75 million, according to Reuters. According to the lawsuit, the business used automatic gate systems to gather fingerprints. Liability was denied by BNSF.
A class-action lawsuit alleging that BNSF Railway's use of biometrics violated the Illinois Biometric Information Privacy Act was settled for USD 75 million, according to Reuters. According to the lawsuit, the business used automatic gate systems to gather fingerprints. Liability was denied by BNSF.
EDPB launches a coordinated enforcement operation for the right of accessDate: 04 March 2024
The European Data Protection Board has begun an investigation into whether organizations are complying with data access requirements outlined in the EU General Data Protection Regulation. The board's third coordinated enforcement action will include thirty-one data protection agencies as well as the European Data Protection Supervisor.
The European Data Protection Board has begun an investigation into whether organizations are complying with data access requirements outlined in the EU General Data Protection Regulation. The board's third coordinated enforcement action will include thirty-one data protection agencies as well as the European Data Protection Supervisor.
BEUC members register concerns over Meta's 'pay or OK' modelDate: 04 March 2024
According to Euractiv, eight members of the European Consumer Organisation submitted objections with their national data protection authorities, protesting to Meta's so-called "pay or OK" strategy. Each data protection authority will combine the complaints and report them to Ireland's Data Protection Commission. The objections often contend that the "pay or OK" approach violates the EU General Data Protection Regulation's principles of fair processing, data minimization, and purpose limitation.
According to Euractiv, eight members of the European Consumer Organisation submitted objections with their national data protection authorities, protesting to Meta's so-called "pay or OK" strategy. Each data protection authority will combine the complaints and report them to Ireland's Data Protection Commission. The objections often contend that the "pay or OK" approach violates the EU General Data Protection Regulation's principles of fair processing, data minimization, and purpose limitation.
Open Rights Group files complaints against data brokers with CNIL and ICODate: 04 March 2024
Open Rights Group, a digital rights group, filed complaints with France's data protection regulator, the Commission Nationale de l'informatique et des libertés, and the United Kingdom's Information Commissioner's Office, accusing data broker LiveRamp of breaking privacy regulations. According to the lawsuit, LiveRamp's profiling technology ties their browser activity to their personal identification, and the corporation collects personal data without a legal basis.
Open Rights Group, a digital rights group, filed complaints with France's data protection regulator, the Commission Nationale de l'informatique et des libertés, and the United Kingdom's Information Commissioner's Office, accusing data broker LiveRamp of breaking privacy regulations. According to the lawsuit, LiveRamp's profiling technology ties their browser activity to their personal identification, and the corporation collects personal data without a legal basis.
Singapore's PDPC provides rules for AI-powered automated decision-makingDate: 04 March 2024
Singapore's Personal Data Protection Commission has released rules for the use of personal data in AI-powered automated decision systems. The guideline clarifies the use of personal data to train and build AI systems, includes information for consumers seeking lawful consent, information for third-party developers using AI models, and best practices for compliance with the Personal Data Protection Act.
Singapore's Personal Data Protection Commission has released rules for the use of personal data in AI-powered automated decision systems. The guideline clarifies the use of personal data to train and build AI systems, includes information for consumers seeking lawful consent, information for third-party developers using AI models, and best practices for compliance with the Personal Data Protection Act.
US Commerce Secretary would explore a restriction on Chinese corporations accessing US residents' dataDate: 04 March 2024
U.S. Secretary of Commerce Gina Raimondo said in an interview with Politico she would consider banning Chinese companies that access U.S. citizens' data from operating within the U.S. Although Raimondo said she would not proceed to do so without bipartisan legislation that would place restrictions on Chinese businesses that collect U.S. citizens' personal data.
U.S. Secretary of Commerce Gina Raimondo said in an interview with Politico she would consider banning Chinese companies that access U.S. citizens' data from operating within the U.S. Although Raimondo said she would not proceed to do so without bipartisan legislation that would place restrictions on Chinese businesses that collect U.S. citizens' personal data.
Garante claims OpenAI's ChatGPT breached the GDPRDate: 04 March 2024
After a fact-finding investigation, Italy's data protection body, the Garante, determined that OpenAI's artificial intelligence chatbot ChatGPT violated multiple rules of the EU General Data Protection Regulation. OpenAI has 30 days to respond with counterclaims. Meanwhile, the Garante fined energy provider Enel Energia 79 million euros for allegedly illegally processing personal data for telemarketing purposes in breach of the GDPR.
After a fact-finding investigation, Italy's data protection body, the Garante, determined that OpenAI's artificial intelligence chatbot ChatGPT violated multiple rules of the EU General Data Protection Regulation. OpenAI has 30 days to respond with counterclaims. Meanwhile, the Garante fined energy provider Enel Energia 79 million euros for allegedly illegally processing personal data for telemarketing purposes in breach of the GDPR.
CalChamber petitions state Supreme Court against the execution of CPRA regulationsDate: 26 February 2024
The California Chamber of Commerce asked the state Supreme Court to reconsider an appellate court ruling that allowed the California Privacy Protection Agency to start implementing California Privacy Rights Act restrictions. CalChamber contended that because the CPPA failed to create final rules as needed by the ballot question that approved the CPRA, enforcement cannot commence until after a year-long grace period for businesses to comply with the statute has expired.
The California Chamber of Commerce asked the state Supreme Court to reconsider an appellate court ruling that allowed the California Privacy Protection Agency to start implementing California Privacy Rights Act restrictions. CalChamber contended that because the CPPA failed to create final rules as needed by the ballot question that approved the CPRA, enforcement cannot commence until after a year-long grace period for businesses to comply with the statute has expired.
South Korea's PIPC initiates evaluation of information processing systemsDate: 26 February 2024
South Korea's Personal Information Protection Committee began analyzing personal information processing practices in accordance with the country's updated privacy protection statute. The PIPC will investigate how much and what types of personal information are handled, whether a corporation has the authority to process such data, and what sanctions, if any, will be imposed.
South Korea's Personal Information Protection Committee began analyzing personal information processing practices in accordance with the country's updated privacy protection statute. The PIPC will investigate how much and what types of personal information are handled, whether a corporation has the authority to process such data, and what sanctions, if any, will be imposed.
Signal offers phone number privacy settingsDate: 26 February 2024
Signal Messenger included a phone number privacy mode, allowing users to message other users using a secret username rather than their phone numbers. Signal's new usernames are not searchable in a directory, but rather serve as a "quick way to connect without sharing a phone number."
Signal Messenger included a phone number privacy mode, allowing users to message other users using a secret username rather than their phone numbers. Signal's new usernames are not searchable in a directory, but rather serve as a "quick way to connect without sharing a phone number."
Nigeria DPC provides guidelines for data controller and processor registration requirementsDate: 26 February 2024
The Nigeria Data Protection Commission published recommendations regarding the registration requirements for data controllers and processors having "particular value or significance to the economy, society, or security of Nigeria" under the Data Protection Act. The criteria apply to every controller or processor who handles the personal data of more than 200 data subjects every six months or processes personal data in critical areas such as finance, health care, education, and energy.
The Nigeria Data Protection Commission published recommendations regarding the registration requirements for data controllers and processors having "particular value or significance to the economy, society, or security of Nigeria" under the Data Protection Act. The criteria apply to every controller or processor who handles the personal data of more than 200 data subjects every six months or processes personal data in critical areas such as finance, health care, education, and energy.
OAIC issues a report on data breachesDate: 26 February 2024
The Office of the Australian Information Commissioner published a study on data breaches, stating that personal information acquired by many parties increases the likelihood of a data breach. From July to December 2023, the OAIC received 483 data breach notifications, with health and financial companies being the most targeted.
The Office of the Australian Information Commissioner published a study on data breaches, stating that personal information acquired by many parties increases the likelihood of a data breach. From July to December 2023, the OAIC received 483 data breach notifications, with health and financial companies being the most targeted.
Hong Kong's PCPD performs AI privacy compliance auditsDate: 26 February 2024
The Hong Kong Office of the Privacy Commissioner for Personal Data examined 28 organizations to ensure that their acquisition and use of personal data using artificial intelligence complied with the law. The exercise revealed that 21 organizations employed AI in their regular operations, but only half of them gathered data using the technology.
The Hong Kong Office of the Privacy Commissioner for Personal Data examined 28 organizations to ensure that their acquisition and use of personal data using artificial intelligence complied with the law. The exercise revealed that 21 organizations employed AI in their regular operations, but only half of them gathered data using the technology.
FTC determines that X, previously Twitter, did not violate data security agreementDate: 26 February 2024
According to The Washington Post, the US Federal Trade Commission determined that X CEO Elon Musk did not break a settlement imposing strict limits on user access data by attempting to provide an outside group of writers access to information. The investigation discovered that staff at the site formerly known as Twitter upheld user data protection measures.
According to The Washington Post, the US Federal Trade Commission determined that X CEO Elon Musk did not break a settlement imposing strict limits on user access data by attempting to provide an outside group of writers access to information. The investigation discovered that staff at the site formerly known as Twitter upheld user data protection measures.
California Attorney General Reached Second CCPA SettlementDate: 26 February 2024
California Attorney General Rob Bonta stated that DoorDash, an app-based meal delivery service, has reached a settlement over breaches of the California Consumer Privacy Act and the California Online Privacy Protection Act. DoorDash will pay a USD375,000 punishment for selling its customers' personal information without prior warning or a chance to opt out of the transaction. In addition to the penalty, DoorDash must evaluate contracts with marketing and analytics providers to see whether their technology sells personal information.
California Attorney General Rob Bonta stated that DoorDash, an app-based meal delivery service, has reached a settlement over breaches of the California Consumer Privacy Act and the California Online Privacy Protection Act. DoorDash will pay a USD375,000 punishment for selling its customers' personal information without prior warning or a chance to opt out of the transaction. In addition to the penalty, DoorDash must evaluate contracts with marketing and analytics providers to see whether their technology sells personal information.
CJEU Advocate General offers an opinion on selling databases including personal informationDate: 26 February 2024
Advocate General Priit Pikamäe of the Court of Justice of the European Union ruled that a court enforcement officer can legitimately sell a database containing personal information in order to estimate its worth in a civil law procedure without the data subjects' consent. Pikamäe believed that the court enforcement officer should be identified as the data controller in such a case, and that the processing of personal data was legal under the EU General Data Protection Regulation.
Advocate General Priit Pikamäe of the Court of Justice of the European Union ruled that a court enforcement officer can legitimately sell a database containing personal information in order to estimate its worth in a civil law procedure without the data subjects' consent. Pikamäe believed that the court enforcement officer should be identified as the data controller in such a case, and that the processing of personal data was legal under the EU General Data Protection Regulation.
FTC imposes $16.5 million penalties for suspected data sales and fraudulent privacy claimsDate: 26 February 2024
The US Federal Trade Commission imposed a USD16.5 million punishment and remedial actions on software company Avast for claimed unmet privacy assurances that resulted in the nonconsensual selling of user browser data. Avast reportedly said that their solutions would prevent third-party monitoring while gathering, storing, and selling data without adequate notification or authorization. Additional safeguards include a prohibition on "selling or licensing any web browsing data for advertising purposes."
The US Federal Trade Commission imposed a USD16.5 million punishment and remedial actions on software company Avast for claimed unmet privacy assurances that resulted in the nonconsensual selling of user browser data. Avast reportedly said that their solutions would prevent third-party monitoring while gathering, storing, and selling data without adequate notification or authorization. Additional safeguards include a prohibition on "selling or licensing any web browsing data for advertising purposes."
A white paper provides recommendations for protecting data privacy as AI technology advancesDate: 26 February 2024
The Institute for Human Centered Artificial Intelligence at Stanford University examined the effects that international data privacy and security laws are having on AI advancements in a white paper that was released. The study offers three recommendations for protecting personal data privacy as artificial intelligence (AI) technologies advance. These include supporting new governance frameworks that give people more control over how their data is used, deformalizing data collection from opt-out to opt-in by leveraging privacy by design, and encouraging transparency across the AI data supply chain.
The Institute for Human Centered Artificial Intelligence at Stanford University examined the effects that international data privacy and security laws are having on AI advancements in a white paper that was released. The study offers three recommendations for protecting personal data privacy as artificial intelligence (AI) technologies advance. These include supporting new governance frameworks that give people more control over how their data is used, deformalizing data collection from opt-out to opt-in by leveraging privacy by design, and encouraging transparency across the AI data supply chain.
Google discontinues publisher notifications of 'right to be forgotten' material removalDate: 19 February 2024
The Guardian says that Google has ceased informing publishers about material removal from search results under the EU General Data Protection Regulation's "right to be forgotten" guidelines. Last year, the Stockholm Administrative Court held that "informing webmasters that the search engine had removed links to their content was itself a breach of privacy of the person making the right to be forgotten request."
The Guardian says that Google has ceased informing publishers about material removal from search results under the EU General Data Protection Regulation's "right to be forgotten" guidelines. Last year, the Stockholm Administrative Court held that "informing webmasters that the search engine had removed links to their content was itself a breach of privacy of the person making the right to be forgotten request."
Bavaria DPA identifies cookie compliance concernsDate: 19 February 2024
About one-third of the 1,000 websites examined by the Bavarian State Office for Data Protection Supervision had cookie banners that did not adhere to legal requirements, according to Netzpolitik. Operators are given an opportunity to correct the mistakes before facing enforcement action.
About one-third of the 1,000 websites examined by the Bavarian State Office for Data Protection Supervision had cookie banners that did not adhere to legal requirements, according to Netzpolitik. Operators are given an opportunity to correct the mistakes before facing enforcement action.
Czech DPA releases technique for camera systemsDate: 19 February 2024
The Czech Republic's data protection body, Úřad pro ochranu osobních údajů, has developed methods for camera systems to guarantee personal data is secure. The technique aligns with the EU General Data Protection Regulation and aims to "facilitate the position of small personal data managers, especially in cases of common camera systems."
The Czech Republic's data protection body, Úřad pro ochranu osobních údajů, has developed methods for camera systems to guarantee personal data is secure. The technique aligns with the EU General Data Protection Regulation and aims to "facilitate the position of small personal data managers, especially in cases of common camera systems."
FTC privacy director discusses AI and employee spyingDate: 19 February 2024
Employers are violating workers' privacy rights by deploying surveillance technologies and artificial intelligence, according to U.S. Federal Trade Commission Division of Privacy and Identity Protection Associate Director Benjamin Wiseman, speaking at Harvard Law School. He stated that the use of these technologies also entails the collecting of personal data, which is not always adequately protected.
Employers are violating workers' privacy rights by deploying surveillance technologies and artificial intelligence, according to U.S. Federal Trade Commission Division of Privacy and Identity Protection Associate Director Benjamin Wiseman, speaking at Harvard Law School. He stated that the use of these technologies also entails the collecting of personal data, which is not always adequately protected.
New York Attorney General reached a privacy settlement with the College BoardDate: 19 February 2024
College Board agreed to pay the New York Attorney General's Office USD750,000 to resolve charges that it illegally marketed students' personal information to schools and other businesses. According to The Record, New Jersey law enforcement officials have sued 118 data brokers for failing to remove their personal information from the internet, which is illegal.
College Board agreed to pay the New York Attorney General's Office USD750,000 to resolve charges that it illegally marketed students' personal information to schools and other businesses. According to The Record, New Jersey law enforcement officials have sued 118 data brokers for failing to remove their personal information from the internet, which is illegal.
AEPD punishes a power firm 6.1 million euros for GDPR breachesDate: 19 February 2024
The Agencia Española de Protección de Datos penalized Endesa Energía 6.1 million euros for allegedly violating the EU General Data Protection Regulation. The AEPD said that the corporation lacked adequate data security procedures and did not inform customers of a data breach.
The Agencia Española de Protección de Datos penalized Endesa Energía 6.1 million euros for allegedly violating the EU General Data Protection Regulation. The AEPD said that the corporation lacked adequate data security procedures and did not inform customers of a data breach.
White House has added data privacy and security to the essential and emerging tech listDate: 19 February 2024
The White House Office of Science and Technology Policy has enlarged its list of vital and emerging technologies to include data privacy, security, and other forms of artificial intelligence. The list might serve as an indicator of which policy topics the government intends to focus on in the future year.
The White House Office of Science and Technology Policy has enlarged its list of vital and emerging technologies to include data privacy, security, and other forms of artificial intelligence. The list might serve as an indicator of which policy topics the government intends to focus on in the future year.
ICO: Right to information may be safeguarded by data securityDate: 19 February 2024
The Information Commissioner's Office in the United Kingdom issued recommendations on how to meet data protection duties while guaranteeing people's access to information. The notification aims to prevent a user's material from being wrongly labeled as unlawful information or being removed from a platform without cause.
The Information Commissioner's Office in the United Kingdom issued recommendations on how to meet data protection duties while guaranteeing people's access to information. The notification aims to prevent a user's material from being wrongly labeled as unlawful information or being removed from a platform without cause.
Ireland's High Court will accept Schrems into the Meta data transfer caseDate: 19 February 2024
Max Schrems of the privacy rights organization NOYB will be able to take part in two lawsuits pertaining to Meta's ban from sending EU user data to the United States in Ireland's High Court, according to The Irish Times. These are two cases: Meta's appeal against Ireland's Data Protection Commission's ban on Meta's transfer of user data, and Meta's subsequent payment of a 1.2 billion euro DPC fine for those transfers. In the meanwhile, Reuters notes that 27 advocacy organizations for data privacy signed a NOYB letter urging EU data protection regulators to declare Meta's payment or agree to targeted advertising model illegal.
Max Schrems of the privacy rights organization NOYB will be able to take part in two lawsuits pertaining to Meta's ban from sending EU user data to the United States in Ireland's High Court, according to The Irish Times. These are two cases: Meta's appeal against Ireland's Data Protection Commission's ban on Meta's transfer of user data, and Meta's subsequent payment of a 1.2 billion euro DPC fine for those transfers. In the meanwhile, Reuters notes that 27 advocacy organizations for data privacy signed a NOYB letter urging EU data protection regulators to declare Meta's payment or agree to targeted advertising model illegal.
PDPA Center launches to provide personal information protection servicesDate: 12 February 2024
Thailand's Personal Data Protection Act Center created an office to provide personal information protection services in collaboration with the Personal Data Protection Committee. The PDPA Center attempts to expand "contact channels for citizens and various agencies," encourage compliance with personal data protection laws, and handle objections about noncompliance.
Thailand's Personal Data Protection Act Center created an office to provide personal information protection services in collaboration with the Personal Data Protection Committee. The PDPA Center attempts to expand "contact channels for citizens and various agencies," encourage compliance with personal data protection laws, and handle objections about noncompliance.
PIPC revises pseudonymised information processing proceduresDate: 12 February 2024
South Korea's Personal Information Protection Committee changed the pseudonymized information processing standards to encourage enterprises and researchers to practice safe data processing while using artificial intelligence. Personal identification through AI research must enhance "the level of pseudonymization of other information, controlling access rights, restricting the introduction of software (SW) that can be misused for identification, and requiring a security pledge are implemented."
South Korea's Personal Information Protection Committee changed the pseudonymized information processing standards to encourage enterprises and researchers to practice safe data processing while using artificial intelligence. Personal identification through AI research must enhance "the level of pseudonymization of other information, controlling access rights, restricting the introduction of software (SW) that can be misused for identification, and requiring a security pledge are implemented."
Netherlands' AP takes on deceptive cookie adsDate: 12 February 2024
The Autoriteit Persoonsgegevens, the Netherlands' data protection body, has stated that it would focus more on how websites request permission to track internet activity using cookie advertisements. The AP will ensure that websites do not employ deceptive cookie notices or make it difficult for consumers to comprehend when they provide consent for tracking.
The Autoriteit Persoonsgegevens, the Netherlands' data protection body, has stated that it would focus more on how websites request permission to track internet activity using cookie advertisements. The AP will ensure that websites do not employ deceptive cookie notices or make it difficult for consumers to comprehend when they provide consent for tracking.
Op-ed: US senator calls on government agency to protect individuals' data privacyDate: 12 February 2024
U.S. Sen. Kirsten Gillibrand, D-N.Y., wrote an op-ed in The Hill advocating for the creation of a government regulatory body charged with implementing a national consumer data privacy legislation. The agency would be established by her proposed Data Protection Act and "would be able to set and enforce data protection rules to mitigate data breaches, minimize their effects, and fight against phishing and other scams, including those utilizing artificial intelligence."
U.S. Sen. Kirsten Gillibrand, D-N.Y., wrote an op-ed in The Hill advocating for the creation of a government regulatory body charged with implementing a national consumer data privacy legislation. The agency would be established by her proposed Data Protection Act and "would be able to set and enforce data protection rules to mitigate data breaches, minimize their effects, and fight against phishing and other scams, including those utilizing artificial intelligence."
Garante sanctioned many municipalitiesDate: 12 February 2024
The Garante, Italy's data protection body, fined four towns for failing to give the agency with the contact information for their local data protection office. The punishments are part of the Garante's continuous drive to ensure that municipalities publish contact information. The Garante also asked staff to check to see whether their email management IT services allow them to change settings to shorten the duration of metadata retention on various platforms.
The Garante, Italy's data protection body, fined four towns for failing to give the agency with the contact information for their local data protection office. The punishments are part of the Garante's continuous drive to ensure that municipalities publish contact information. The Garante also asked staff to check to see whether their email management IT services allow them to change settings to shorten the duration of metadata retention on various platforms.
Clearview AI is supposedly still gathering Australians' infoDate: 12 February 2024
Clearview AI is supposedly still gathering data from Australians, despite being barred from doing so since 2021, according to Crikey. The face recognition software business stated it cannot distinguish whether photographs are of Australian people if the data is accessed from a non-Australian server.
Clearview AI is supposedly still gathering data from Australians, despite being barred from doing so since 2021, according to Crikey. The face recognition software business stated it cannot distinguish whether photographs are of Australian people if the data is accessed from a non-Australian server.
ICO cautions app creators about privacy requirementsDate: 12 February 2024
Following an assessment of the data processing features of fertility apps, the United Kingdom Information Commissioner's Office reminded app producers of their responsibility to protect users' privacy. According to the ICO, app developers should be clear about how they use personal information, get valid consent, create a legitimate basis for processing personal data, and hold themselves accountable to their users.
Following an assessment of the data processing features of fertility apps, the United Kingdom Information Commissioner's Office reminded app producers of their responsibility to protect users' privacy. According to the ICO, app developers should be clear about how they use personal information, get valid consent, create a legitimate basis for processing personal data, and hold themselves accountable to their users.
Poland's DPA fined an e-commerce platform for GDPR infringementDate: 12 February 2024
The e-commerce portal Morele.net was fined PLN3.8 million by Poland's data protection authorities, Urząd Ochrony Danych Osobowych, for allegedly violating the EU General Data Protection Regulation. The company's purportedly inadequate cybersecurity procedures resulted in a data breach that impacted 2.2 million customers.
The e-commerce portal Morele.net was fined PLN3.8 million by Poland's data protection authorities, Urząd Ochrony Danych Osobowych, for allegedly violating the EU General Data Protection Regulation. The company's purportedly inadequate cybersecurity procedures resulted in a data breach that impacted 2.2 million customers.
Iceland's DPA will emphasize monitoring personal data processingDate: 12 February 2024
Iceland's data protection authority, will actively oversee the processing of personal data in 2024. Personal data processed by health technology, insurance businesses, and financial software will be monitored to guarantee that companies protect personal information.
Iceland's data protection authority, will actively oversee the processing of personal data in 2024. Personal data processed by health technology, insurance businesses, and financial software will be monitored to guarantee that companies protect personal information.
Data Security Council of India releases FAQ about DPDPADate: 12 February 2024
The Data Security Council of India has issued a FAQ to help people comprehend the Digital Personal Data Protection Act. It discusses data fiduciary responsibilities, cross-border data transfer regulations, and enforcement measures.
The Data Security Council of India has issued a FAQ to help people comprehend the Digital Personal Data Protection Act. It discusses data fiduciary responsibilities, cross-border data transfer regulations, and enforcement measures.
A tech organization contends that the California Age-Appropriate Design Code Act "censors the internet"Date: 12 February 2024
In an appeals court petition contesting the state's capacity to implement the rule, technology industry organization NetChoice restated its position that California's Age-Appropriate Design Code Act is unconstitutional, according to MediaPost. The bill mandates web corporations to gather minimal data from kids and prioritize their well-being, which businesses argue would limit their First Amendment free speech rights by limiting what they may broadcast.
In an appeals court petition contesting the state's capacity to implement the rule, technology industry organization NetChoice restated its position that California's Age-Appropriate Design Code Act is unconstitutional, according to MediaPost. The bill mandates web corporations to gather minimal data from kids and prioritize their well-being, which businesses argue would limit their First Amendment free speech rights by limiting what they may broadcast.
Breach took raw genetic data from 6.9 million peopleDate: 5 February 2024
A data breach at 23andMe acquired raw genetic data and health reports from 6.9 million consumers, according to SC Magazine. The business stated that hackers were able to obtain access to 14,000 accounts and about 6.9 million consumers' data for five months before being noticed.
A data breach at 23andMe acquired raw genetic data and health reports from 6.9 million consumers, according to SC Magazine. The business stated that hackers were able to obtain access to 14,000 accounts and about 6.9 million consumers' data for five months before being noticed.
TikTok staffers allege the firm is still sharing Americans' dataDate: 5 February 2024
TikTok employees alleged that the firm's American division still exchanges certain data with its Chinese parent company, ByteDance, according to The Wall Street Journal. Employees alleged the corporation continued to communicate certain users' personally identifying information with ByteDance despite claims that American data was "walled off" from China.
TikTok employees alleged that the firm's American division still exchanges certain data with its Chinese parent company, ByteDance, according to The Wall Street Journal. Employees alleged the corporation continued to communicate certain users' personally identifying information with ByteDance despite claims that American data was "walled off" from China.
The ICO campaign encourages appropriate data sharing to keep youngsters safeDate: 5 February 2024
The UK Information Commissioner's Office has launched a campaign called "Think. Check. Share." to raise awareness about responsible data sharing in order to safeguard children. The ICO is working with educational institutions, law enforcement, and social care agencies to raise awareness about how data protection rules may assist organizations safely disclose personal information. As part of the campaign, the ICO created a toolbox of free resources, including posters, films, and infographics.
The UK Information Commissioner's Office has launched a campaign called "Think. Check. Share." to raise awareness about responsible data sharing in order to safeguard children. The ICO is working with educational institutions, law enforcement, and social care agencies to raise awareness about how data protection rules may assist organizations safely disclose personal information. As part of the campaign, the ICO created a toolbox of free resources, including posters, films, and infographics.
Alberta pledges stronger privacy safeguards over the next 18 monthsDate: 5 February 2024
The Alberta Ministry of Technology and Innovation has said that it will introduce legislation to enhance penalties for abusing information or violating a person's privacy, according to DiscoverAirdrie. The agency will also set up a webpage where Albertans may view how their data is being used and raise complaints if they believe it is being misused.
The Alberta Ministry of Technology and Innovation has said that it will introduce legislation to enhance penalties for abusing information or violating a person's privacy, according to DiscoverAirdrie. The agency will also set up a webpage where Albertans may view how their data is being used and raise complaints if they believe it is being misused.
Op-Ed: US state privacy legislation must include data reductionDate: 5 February 2024
In an op-ed published by the Center for Democracy and Technology, CDT co-Director of the Privacy and Data Project Eric Null stated that U.S. state privacy laws that do not include data minimization are missing a crucial component of data security. "Data minimization requirements place the privacy-protecting burden primarily on companies that collect and exploit the data, rather than on the already overburdened consumer," he stated.
In an op-ed published by the Center for Democracy and Technology, CDT co-Director of the Privacy and Data Project Eric Null stated that U.S. state privacy laws that do not include data minimization are missing a crucial component of data security. "Data minimization requirements place the privacy-protecting burden primarily on companies that collect and exploit the data, rather than on the already overburdened consumer," he stated.
Netherlands' AP fines ride-sharing business 10 million eurosDate: 5 February 2024
The Netherlands' data protection authority, the Autoriteit Persoonsgegevens, in collaboration with France's DPA, the Commission Nationale de l'Informatique et des Libertes, fined Uber 10 million euros for allegedly failing to disclose its data retention period for European drivers' data, as well as failing to report the non-EU countries with which it shares data. Reuters "acknowledged that Uber fixed the small number of 'low impact' issues raised by the drivers, while dismissing the vast majority of their claims as unfounded."
The Netherlands' data protection authority, the Autoriteit Persoonsgegevens, in collaboration with France's DPA, the Commission Nationale de l'Informatique et des Libertes, fined Uber 10 million euros for allegedly failing to disclose its data retention period for European drivers' data, as well as failing to report the non-EU countries with which it shares data. Reuters "acknowledged that Uber fixed the small number of 'low impact' issues raised by the drivers, while dismissing the vast majority of their claims as unfounded."
ICO receives encouraging replies to its surfing cookie compliance warningDate: 5 February 2024
The U.K. Information Commissioner's Office Executive Director for Regulatory Risk Stephen Almond claimed the agency had a "overwhelmingly positive response" to its November 2023 warning to 53 of the U.K.'s top 100 websites to update their cookie systems. Of the websites that got official warnings, the ICO stated that 38 had modified their cookie banners, with four more promising to comply by the end of February. Almond stated that the ICO will continue to send warnings to the next 200 most popular websites.
The U.K. Information Commissioner's Office Executive Director for Regulatory Risk Stephen Almond claimed the agency had a "overwhelmingly positive response" to its November 2023 warning to 53 of the U.K.'s top 100 websites to update their cookie systems. Of the websites that got official warnings, the ICO stated that 38 had modified their cookie banners, with four more promising to comply by the end of February. Almond stated that the ICO will continue to send warnings to the next 200 most popular websites.
New Zealand offers a toolbox for privacy impact assessmentsDate: 5 February 2024
The New Zealand Office of the Privacy Commissioner has produced a toolbox for creating and evaluating privacy impact assessments. It contains instructions on how to conduct an assessment, a blueprint for creating one, and a risk and mitigation preventive template.
The New Zealand Office of the Privacy Commissioner has produced a toolbox for creating and evaluating privacy impact assessments. It contains instructions on how to conduct an assessment, a blueprint for creating one, and a risk and mitigation preventive template.
A survey found that some customers are prepared to share data with marketers "on their own terms"Date: 5 February 2024
Being upfront with clients and vowing not to sell their data to third parties is one method to develop trust, according to MediaPost, citing a poll performed by consumer research firm Attest. According to the report, nearly one-third of US customers would refuse nonessential cookies if asked, while 58% would opt out of mailing lists. However, 47% of customers are comfortable providing their data with a corporation on their own terms.
Being upfront with clients and vowing not to sell their data to third parties is one method to develop trust, according to MediaPost, citing a poll performed by consumer research firm Attest. According to the report, nearly one-third of US customers would refuse nonessential cookies if asked, while 58% would opt out of mailing lists. However, 47% of customers are comfortable providing their data with a corporation on their own terms.
FTC compels data servicers to erase superfluous personal informationDate: 5 February 2024
As part of a data breach settlement, the US Federal Trade Commission will order software company Blackbaud to erase unnecessary personal information. The corporation reportedly failed to implement robust enough security measures to safeguard consumer information from attack. Meanwhile, the Federal Trade Commission published on how to uphold your privacy pledges.
As part of a data breach settlement, the US Federal Trade Commission will order software company Blackbaud to erase unnecessary personal information. The corporation reportedly failed to implement robust enough security measures to safeguard consumer information from attack. Meanwhile, the Federal Trade Commission published on how to uphold your privacy pledges.
CNIL publishes cloud computing practical sheetsDate: 29 January 2024
The Commission nationale de l'informatique et des libertés, France's data protection body, has produced two practical papers on data encryption and cloud computing security. The practical sheets analyze data encryption technologies, such as end-to-end encryption, as well as the necessity of cloud data security.
The Commission nationale de l'informatique et des libertés, France's data protection body, has produced two practical papers on data encryption and cloud computing security. The practical sheets analyze data encryption technologies, such as end-to-end encryption, as well as the necessity of cloud data security.
CNIL punishes Amazon for employee surveillance violationsDate: 29 January 2024
The Commission Nationale de l'Informatique et des Libertés, France's data protection regulator, penalized Amazon France Logistique 32 million euros for allegedly over-surveilling its warehouse employees and retaining data on their actions for longer than was required. In a response to the BBC, the corporation said CNIL's conclusions were "factually incorrect" and that its methods adhere to a "industry standard."
The Commission Nationale de l'Informatique et des Libertés, France's data protection regulator, penalized Amazon France Logistique 32 million euros for allegedly over-surveilling its warehouse employees and retaining data on their actions for longer than was required. In a response to the BBC, the corporation said CNIL's conclusions were "factually incorrect" and that its methods adhere to a "industry standard."
OPC describes its strategy plan until 2027Date: 29 January 2024
The Office of the Privacy Commissioner of Canada has produced a strategy plan outlining three important targets for the next three years. The approach focuses on safeguarding privacy, campaigning for privacy in technology, and pushing for more children's privacy rights.
The Office of the Privacy Commissioner of Canada has produced a strategy plan outlining three important targets for the next three years. The approach focuses on safeguarding privacy, campaigning for privacy in technology, and pushing for more children's privacy rights.
White House is planning an executive order banning foreign access to sensitive US dataDate: 29 January 2024
According to a document acquired by Bloomberg, US President Joe Biden will soon issue an executive order targeting foreign enemies' attempts to access sensitive personal data of US residents as well as the personal data of government employees. According to reports, the order would require the United States Attorney General and the Department of Homeland Security to create limitations on data transfers that "could threaten national security."
According to a document acquired by Bloomberg, US President Joe Biden will soon issue an executive order targeting foreign enemies' attempts to access sensitive personal data of US residents as well as the personal data of government employees. According to reports, the order would require the United States Attorney General and the Department of Homeland Security to create limitations on data transfers that "could threaten national security."
Andorra DPA modifies cookie usage and privacy notification guidelinesDate: 29 January 2024
Andorra's Data Protection Agency has amended its cookie usage, privacy notice, and legal notice guidelines. Changes include cookie storage, consumer permission, and increased consumer openness. The APDA is trying to improve compliance with the ePrivacy Directive.
Andorra's Data Protection Agency has amended its cookie usage, privacy notice, and legal notice guidelines. Changes include cookie storage, consumer permission, and increased consumer openness. The APDA is trying to improve compliance with the ePrivacy Directive.
The Netherlands' DPA asks for privacy norms and AI usage in educationDate: 29 January 2024
The Autoriteit Persoonsgegevens, the Netherlands' data protection body, stated that tighter privacy rules are required in the education sector, particularly since artificial intelligence technology are increasingly used. A study of procedures revealed that instructors have made measures to comply with privacy laws, but there is no oversight around the usage of AI software.
The Autoriteit Persoonsgegevens, the Netherlands' data protection body, stated that tighter privacy rules are required in the education sector, particularly since artificial intelligence technology are increasingly used. A study of procedures revealed that instructors have made measures to comply with privacy laws, but there is no oversight around the usage of AI software.
A perspective from DC: How privacy translates across languagesDate: 29 January 2024
Cobun Zweifel-Keegan, IAPP Managing Director in Washington, D.C., discusses the most recent advancements in privacy and artificial intelligence governance in the nation's capital and across the United States. This week, he imagines a future without the name "privacy" and how its meaning may still exist and spread over the world.
Cobun Zweifel-Keegan, IAPP Managing Director in Washington, D.C., discusses the most recent advancements in privacy and artificial intelligence governance in the nation's capital and across the United States. This week, he imagines a future without the name "privacy" and how its meaning may still exist and spread over the world.
ICO punishes two home improvement businesses for making unauthorized marketing callsDate: 22 January 2024
The UK Information Commissioner's Office has fined two corporations a total of 250,000 GBP for selling phone calls to persons on the UK's "do not call" list. Poxell was fined £150,000 GBP for allegedly conducting over 2.6 million marketing phone calls without customer authorization. Skean Homes was fined 100,000 GBP for "instigating over 600,000 unsolicited marketing calls between March and May 2022."
The UK Information Commissioner's Office has fined two corporations a total of 250,000 GBP for selling phone calls to persons on the UK's "do not call" list. Poxell was fined £150,000 GBP for allegedly conducting over 2.6 million marketing phone calls without customer authorization. Skean Homes was fined 100,000 GBP for "instigating over 600,000 unsolicited marketing calls between March and May 2022."
Malaysian prime minister establishes data protection guidelinesDate: 22 January 2024
Malaymail claims that the Malaysian Department of Personal Data Protection would shortly issue seven rules for managing personal data. The guidelines, which will be drafted under the Personal Data Protection Act of 2010, will include data protection officers, data breach notices, portability, cross-border data transfers, and other issues. A personal data protection site will also be established.
Malaymail claims that the Malaysian Department of Personal Data Protection would shortly issue seven rules for managing personal data. The guidelines, which will be drafted under the Personal Data Protection Act of 2010, will include data protection officers, data breach notices, portability, cross-border data transfers, and other issues. A personal data protection site will also be established.
FTC signs worldwide data privacy and security legislation enforcement agreementDate: 22 January 2024
The US Federal Trade Commission will sign a new multinational pact, the Global Cooperation Arrangement for Privacy. Participation in the Global CAPE will enable the FTC to collaborate with other agencies on data privacy and security law enforcement concerns without engaging into individual memoranda of understanding with each institution.
The US Federal Trade Commission will sign a new multinational pact, the Global Cooperation Arrangement for Privacy. Participation in the Global CAPE will enable the FTC to collaborate with other agencies on data privacy and security law enforcement concerns without engaging into individual memoranda of understanding with each institution.
CNIL fines Yahoo 10 million euros for suspected cookie consent breachesDate: 22 January 2024
The Commission nationale de l'informatique et des libertés, France's data protection regulator, penalized Yahoo EMEA ten million euros for allegedly violating the ePrivacy Directive. The CNIL discovered that visitors to the Yahoo website had cookies planted on their computers without their knowledge, and it was difficult for users to revoke their involvement in cookie gathering.
The Commission nationale de l'informatique et des libertés, France's data protection regulator, penalized Yahoo EMEA ten million euros for allegedly violating the ePrivacy Directive. The CNIL discovered that visitors to the Yahoo website had cookies planted on their computers without their knowledge, and it was difficult for users to revoke their involvement in cookie gathering.
How changes to Ireland's DPC might affect GDPR enforcement throughout the EUDate: 22 January 2024
In an interview with Politico, Ireland's Data privacy Commissioner Helen Dixon covered a variety of data privacy issues prior to her resignation from the DPC in February. Dixon discussed the efficiency and enforcement of the EU General Data Protection Regulation, the controversy surrounding the "pay or OK" consent model, EU data transfer issues, and the role of data protection agencies in monitoring artificial intelligence.
In an interview with Politico, Ireland's Data privacy Commissioner Helen Dixon covered a variety of data privacy issues prior to her resignation from the DPC in February. Dixon discussed the efficiency and enforcement of the EU General Data Protection Regulation, the controversy surrounding the "pay or OK" consent model, EU data transfer issues, and the role of data protection agencies in monitoring artificial intelligence.
South Korea's PIPC intends to review public entities' data protectionsDate: 22 January 2024
South Korea's Personal Information Protection Commission stated that it will begin assessing the personal data safeguards of 1,600 public entities this year. The action follows the revision of the Personal Information Protection Act to provide greater protection for personal data.
South Korea's Personal Information Protection Commission stated that it will begin assessing the personal data safeguards of 1,600 public entities this year. The action follows the revision of the Personal Information Protection Act to provide greater protection for personal data.
FTC prohibits data aggregators from selling location dataDate: 22 January 2024
The Federal Trade Commission prohibited data aggregator InMarket Media from selling exact location data for marketing purposes, alleging that the business did not get customer consent. Meanwhile, the Electronic Privacy Information Center encouraged the FTC to examine Google's collection of comparable data for sites such as abortion clinics, despite assurances to erase the information.
The Federal Trade Commission prohibited data aggregator InMarket Media from selling exact location data for marketing purposes, alleging that the business did not get customer consent. Meanwhile, the Electronic Privacy Information Center encouraged the FTC to examine Google's collection of comparable data for sites such as abortion clinics, despite assurances to erase the information.
A comprehensive privacy measure passes the New Hampshire legislatureDate: 22 January 2024
The New Hampshire Senate agreed by voice vote to House revisions to Senate law 255, clearing the road for the comprehensive privacy law to pass the state. The bill applies to firms who process data on more than 35,000 state residents or generate more than 25% of their revenue from data sales. It contains support for universal opt-out procedures, a 60-day cure period that expires in 2026, and a limited regulatory authority under the Secretary of State. Following enrollment and governor approval, the measure will go into effect on January 1, 2025.
The New Hampshire Senate agreed by voice vote to House revisions to Senate law 255, clearing the road for the comprehensive privacy law to pass the state. The bill applies to firms who process data on more than 35,000 state residents or generate more than 25% of their revenue from data sales. It contains support for universal opt-out procedures, a 60-day cure period that expires in 2026, and a limited regulatory authority under the Secretary of State. Following enrollment and governor approval, the measure will go into effect on January 1, 2025.
ANPD presents a strategy for data protection educationDate: 22 January 2024
Brazil's data protection body, the Autoridade Nacional de Proteção de Dados, has revised its strategy to educate individuals on the importance of personal data security and the regulations that regulate it. The strategy calls for the development of instructional materials, the publication of new rules, and collaboration with institutions to achieve these objectives.
Brazil's data protection body, the Autoridade Nacional de Proteção de Dados, has revised its strategy to educate individuals on the importance of personal data security and the regulations that regulate it. The strategy calls for the development of instructional materials, the publication of new rules, and collaboration with institutions to achieve these objectives.
Companies collaborate to release suggested data provenance standardsDate: 22 January 2024
As artificial intelligence technologies pervade all aspects of business, the use of reliable data becomes increasingly important. The Data and Trust Alliance established new data provenance guidelines to provide a baseline quality standard for the data that will eventually fuel widely deployed AI systems across several sectors. IAPP Staff Writer Alex LaCasse met with officials from two alliance members to see how businesses might incorporate these guidelines into their operations.
As artificial intelligence technologies pervade all aspects of business, the use of reliable data becomes increasingly important. The Data and Trust Alliance established new data provenance guidelines to provide a baseline quality standard for the data that will eventually fuel widely deployed AI systems across several sectors. IAPP Staff Writer Alex LaCasse met with officials from two alliance members to see how businesses might incorporate these guidelines into their operations.
Microsoft permits cloud users in the EU to store data locallyDate: 16 January 2024
As part of the company's strategy to adhere to privacy and security regulations, customers in the EU will be permitted to store and process their Microsoft cloud data locally, according to Reuters. This action makes it easier for other multinational companies to comply with EU data storage regulations.
As part of the company's strategy to adhere to privacy and security regulations, customers in the EU will be permitted to store and process their Microsoft cloud data locally, according to Reuters. This action makes it easier for other multinational companies to comply with EU data storage regulations.
Nothing wrong with credit firms' security compliance, according to the Hong Kong DPADate: 16 January 2024
Following an examination into permitted access to credit data last year, the Hong Kong Office of the Privacy Commissioner for Personal Data announced that a review of the security and data preservation policies of credit reference firms revealed no problems. To guarantee compliance, periodically assess access to credit databases, and take other preventative steps, the PCPD advised agencies to designate data protection officers.
Following an examination into permitted access to credit data last year, the Hong Kong Office of the Privacy Commissioner for Personal Data announced that a review of the security and data preservation policies of credit reference firms revealed no problems. To guarantee compliance, periodically assess access to credit databases, and take other preventative steps, the PCPD advised agencies to designate data protection officers.
Pay or OK' claims are added by NOYB to the ongoing Meta complaintDate: 16 January 2024
According to Reuters, the Austrian Data Protection Authority was tasked by the privacy advocacy group NOYB with looking into Meta's free product alternative, citing the difficulty of withdrawing consent unless one desires the paid membership service. The group's first case, which opposed charging Meta customers for privacy protection while using the software, is expanded upon in this new filing.
According to Reuters, the Austrian Data Protection Authority was tasked by the privacy advocacy group NOYB with looking into Meta's free product alternative, citing the difficulty of withdrawing consent unless one desires the paid membership service. The group's first case, which opposed charging Meta customers for privacy protection while using the software, is expanded upon in this new filing.
Personal records of Brazilian residents are made available to the publicDate: 16 January 2024
According to Cybernews investigation, a cloud server provided unrestricted access to a "staggering amount of private data belonging to Brazilian individuals." reports on security affairs. More than 223 million records containing personally identifiable information of people together with their 11-digit taxpayer identification numbers were included in the data.
According to Cybernews investigation, a cloud server provided unrestricted access to a "staggering amount of private data belonging to Brazilian individuals." reports on security affairs. More than 223 million records containing personally identifiable information of people together with their 11-digit taxpayer identification numbers were included in the data.
Amazon challenges the Luxembourg fine and charges CNPD of unethical behaviorDate: 16 January 2024
Amazon contested a 746 million euro fine from Luxembourg's National Commission for Data Protection after it was found in 2021 to be processing user data for adverts without requesting permission, Bloomberg reports. The business claimed that the CNPD had taken punitive action against it by not providing it with an opportunity to modify its operations in order to comply with the EU General Data Protection Regulation.
Amazon contested a 746 million euro fine from Luxembourg's National Commission for Data Protection after it was found in 2021 to be processing user data for adverts without requesting permission, Bloomberg reports. The business claimed that the CNPD had taken punitive action against it by not providing it with an opportunity to modify its operations in order to comply with the EU General Data Protection Regulation.
An alleged T-Mobile hacker might be charged in the USDate: 16 January 2024
According to 404 Media, the hacker involved in the T-Mobile data breach of 2021, who took 40 million customers' personal information, may be charged in the United States. John Erin Binns came clean about breaking into T-Mobile's database and selling the information to an outsider. Allegations against Binns include hacking, identity theft, money laundering, and wire fraud.
According to 404 Media, the hacker involved in the T-Mobile data breach of 2021, who took 40 million customers' personal information, may be charged in the United States. John Erin Binns came clean about breaking into T-Mobile's database and selling the information to an outsider. Allegations against Binns include hacking, identity theft, money laundering, and wire fraud.
Australia is the most recent country to examine TikTok's data harvesting methodsDate: 16 January 2024
According to the Guardian, the Office of the Australian Information Commissioner initiated a preliminary investigation to determine if TikTok is collecting users' personal information without authorization. The use of marketing pixels, which track users' internet activities and can gather data even when they aren't using the app, will be investigated. According to a representative for TikTok, pixels are legal.
According to the Guardian, the Office of the Australian Information Commissioner initiated a preliminary investigation to determine if TikTok is collecting users' personal information without authorization. The use of marketing pixels, which track users' internet activities and can gather data even when they aren't using the app, will be investigated. According to a representative for TikTok, pixels are legal.
A comprehensive privacy bill is passed by New Jersey on the last day of the legislatureDate: 16 January 2024
On the last day of the 2023 legislative session, Senate Bill 332—a comprehensive privacy bill—was finally passed by the New Jersey Legislature. The entire measure was revised in December 2023, and on January 8, 2024, the Senate and Assembly approved it on the same day. Notably, SB 332 includes special child privacy provisions, universal opt-out methods, and attorney general rulemaking authority. The plan will go into effect a year after it is enacted, pending final action from Gov. Phil Murphy, D-N.J., who has 45 days to sign it.
On the last day of the 2023 legislative session, Senate Bill 332—a comprehensive privacy bill—was finally passed by the New Jersey Legislature. The entire measure was revised in December 2023, and on January 8, 2024, the Senate and Assembly approved it on the same day. Notably, SB 332 includes special child privacy provisions, universal opt-out methods, and attorney general rulemaking authority. The plan will go into effect a year after it is enacted, pending final action from Gov. Phil Murphy, D-N.J., who has 45 days to sign it.
Explanation of the complainant's ChatGPT privacy allegation to the Polish DPADate: 16 January 2024
Security and privacy researcher Lukasz Olejnik gave Poland's data protection authority an explanation of his complaint under the EU General Data Protection Regulation concerning OpenAI's ChatGPT data processing standards in a blog post. The artificial intelligence program, according to Olejnik, "systemically ignores the provisions of the GDPR regarding the processing of data for the purposes of training models within Chat-GPT."
Security and privacy researcher Lukasz Olejnik gave Poland's data protection authority an explanation of his complaint under the EU General Data Protection Regulation concerning OpenAI's ChatGPT data processing standards in a blog post. The artificial intelligence program, according to Olejnik, "systemically ignores the provisions of the GDPR regarding the processing of data for the purposes of training models within Chat-GPT."
Estee Lauder's BIPA lawsuit is dismissed by a US courtDate: 16 January 2024
Estee Lauder's biometric privacy lawsuit was dismissed by the U.S. District Court for the Northern District of Illinois, according to Reuters. The lawsuit accused the company of violating the Illinois Biometric Information Privacy Act with its virtual "try on" tool. The case was dismissed after the judge said there was no evidence to suggest the tool could identify consumers. Reuters reports that the company Estee Lauder is being sued for violating the Illinois Biometric Information Privacy Act by its virtual "try on" tool. According to the judge, there was no evidence the tool could identify consumers.
Estee Lauder's biometric privacy lawsuit was dismissed by the U.S. District Court for the Northern District of Illinois, according to Reuters. The lawsuit accused the company of violating the Illinois Biometric Information Privacy Act with its virtual "try on" tool. The case was dismissed after the judge said there was no evidence to suggest the tool could identify consumers. Reuters reports that the company Estee Lauder is being sued for violating the Illinois Biometric Information Privacy Act by its virtual "try on" tool. According to the judge, there was no evidence the tool could identify consumers.
Children's online privacy law to be discussed by the FTCDate: 16 January 2024
In its meeting on 18 January, the Federal Trade Commission will discuss possible changes to the Children's Online Privacy Protection Act Rule. Other measures include limiting "nudging" children without consent and requiring a separate opt-in for targeted advertising. 11 March is the deadline for comments.
In its meeting on 18 January, the Federal Trade Commission will discuss possible changes to the Children's Online Privacy Protection Act Rule. Other measures include limiting "nudging" children without consent and requiring a separate opt-in for targeted advertising. 11 March is the deadline for comments.
The European strategy for data is taking shape from BrusselsDate: 16 January 2024
The European Health Data Space is slowly, but surely, taking shape according to Isabelle Roccia, Managing Director, Europe, CIPP/E. In the proposed regulation, trilogue negotiations have begun to ensure health data are more accessible within Europe for health care, research, and innovation, and improved policymaking, while at the same time ensuring individual control.
The European Health Data Space is slowly, but surely, taking shape according to Isabelle Roccia, Managing Director, Europe, CIPP/E. In the proposed regulation, trilogue negotiations have begun to ensure health data are more accessible within Europe for health care, research, and innovation, and improved policymaking, while at the same time ensuring individual control.
Credit Protection Association is accused of collecting fees for copies of its dataDate: 08 January 2024
The credit protection association KSV 1870 is allegedly charging foreign customers for a copy of their data, according to a complaint lodged by privacy rights group NOYB with Austria's Data Protection Authority, derStandard details. When a user requests a free copy of the data gathered by the organization, the EU General Data Protection Regulation mandates that they comply.
The credit protection association KSV 1870 is allegedly charging foreign customers for a copy of their data, according to a complaint lodged by privacy rights group NOYB with Austria's Data Protection Authority, derStandard details. When a user requests a free copy of the data gathered by the organization, the EU General Data Protection Regulation mandates that they comply.
In a privacy complaint, TikTok defends third-party trackingDate: 08 January 2024
Rejecting customer permission, TikTok maintains its user tracking policies via other websites, as reported by MediaPost. TikTok stated that users who visited websites with the TikTok pixel tool installed, such as Hulu and Etsy, gave their agreement to being tracked for advertisements in response to a privacy complaint that was filed with the U.S. District Court for the Central District of California.
Rejecting customer permission, TikTok maintains its user tracking policies via other websites, as reported by MediaPost. TikTok stated that users who visited websites with the TikTok pixel tool installed, such as Hulu and Etsy, gave their agreement to being tracked for advertisements in response to a privacy complaint that was filed with the U.S. District Court for the Central District of California.
DNA testing business attributes the hack to users who reuse passwordsDate: 08 January 2024
Customers using the same passwords across many websites led to a data breach that affected 6.9 million people, according to information provided by DNA testing business 23andMe, as reported by The Messenger. Due to the leak, the corporation is facing several lawsuits from people who claim 23andMe failed to secure their data.
Customers using the same passwords across many websites led to a data breach that affected 6.9 million people, according to information provided by DNA testing business 23andMe, as reported by The Messenger. Due to the leak, the corporation is facing several lawsuits from people who claim 23andMe failed to secure their data.
How adtech DPOs can safeguard customers' privacy while still fostering innovationDate: 08 January 2024
Marketing companies should rely on their company's data protection officer (DPO) to help ensure that businesses can continue to access their customers in a way that complies with the law. DPOs are uniquely positioned to balance safeguarding a brand's customers from misuses of their personal data with promoting an environment that encourages innovation and complies with international privacy regulations.
Marketing companies should rely on their company's data protection officer (DPO) to help ensure that businesses can continue to access their customers in a way that complies with the law. DPOs are uniquely positioned to balance safeguarding a brand's customers from misuses of their personal data with promoting an environment that encourages innovation and complies with international privacy regulations.
Colorado Attorney General will compel data controllers to provide universal opt-out optionsDate: 08 January 2024
Under the Colorado Privacy Act, Colorado Attorney General Phil Weiser issued a notification to entities that satisfy specific qualifications as data controllers. Beginning July 1, 2024, these businesses must provide consumers with a uniform opt-out method for the selling and processing of their personal data for targeted advertising. Weiser's office will keep a list of universal opt-out procedures that "have been recognized to meet the (opt-out) standards" mandated by law.
Under the Colorado Privacy Act, Colorado Attorney General Phil Weiser issued a notification to entities that satisfy specific qualifications as data controllers. Beginning July 1, 2024, these businesses must provide consumers with a uniform opt-out method for the selling and processing of their personal data for targeted advertising. Weiser's office will keep a list of universal opt-out procedures that "have been recognized to meet the (opt-out) standards" mandated by law.
Brussels: The obstacles that lie ahead in 2024Date: 08 January 2024
The Spanish Presidency of the Council of the European Union passed to the Belgian Presidency on January 1. According to Roccia, 2024 will see more enforcement, action surrounding the EU General Data Protection Regulation cross-border enforcement and AI, and the implementation of several regulations completed last year, "further complexifying the data privacy and governance environment.
The Spanish Presidency of the Council of the European Union passed to the Belgian Presidency on January 1. According to Roccia, 2024 will see more enforcement, action surrounding the EU General Data Protection Regulation cross-border enforcement and AI, and the implementation of several regulations completed last year, "further complexifying the data privacy and governance environment.
FTC intends to update the COPPA RuleDate: 03 January 2024
US Federal Trade Commission issued a Notice of Proposed Rulemaking to amend its Children's Online Privacy Protection Act Rule at a time when there has never been a greater need to protect children's online privacy in the United States. The proposed revisions would include new criteria for the gathering and use of children's data, as well as an examination of how such data practices contribute to the perception of "screen addiction" among youngsters. Joe Duball, IAPP News Editor, reports on the proposed revisions and the FTC's possible reasons.
US Federal Trade Commission issued a Notice of Proposed Rulemaking to amend its Children's Online Privacy Protection Act Rule at a time when there has never been a greater need to protect children's online privacy in the United States. The proposed revisions would include new criteria for the gathering and use of children's data, as well as an examination of how such data practices contribute to the perception of "screen addiction" among youngsters. Joe Duball, IAPP News Editor, reports on the proposed revisions and the FTC's possible reasons.
Researchers claim to have discovered personal information using AIDate: 03 January 2024
According to The New York Times, an Indiana University Bloomington Ph.D. candidate said he obtained email addresses using OpenAI's ChatGPT. During an experiment utilizing ChatGPT's GPT-3.5 Turbo model, Rui Zhu claimed he collected the email addresses of more than 30 New York Times workers. The experiment demonstrated that users may "bypass the model's restrictions on responding to privacy-related queries," he explained.
According to The New York Times, an Indiana University Bloomington Ph.D. candidate said he obtained email addresses using OpenAI's ChatGPT. During an experiment utilizing ChatGPT's GPT-3.5 Turbo model, Rui Zhu claimed he collected the email addresses of more than 30 New York Times workers. The experiment demonstrated that users may "bypass the model's restrictions on responding to privacy-related queries," he explained.
Finland's DPA releases a notification seeking faster handling of data protection complaintsDate: 03 January 2024
The Office of the Data Protection Ombudsman in Finland issued a notice of modifications to the Data Protection Act and the Criminal Matters Data Protection Act. The modifications take into consideration changes to EU privacy legislation and now require the Office of the Data Protection Ombudsman to either address a citizen data protection complaint or notify the party of the expected time to complete a resolution within three months.
The Office of the Data Protection Ombudsman in Finland issued a notice of modifications to the Data Protection Act and the Criminal Matters Data Protection Act. The modifications take into consideration changes to EU privacy legislation and now require the Office of the Data Protection Ombudsman to either address a citizen data protection complaint or notify the party of the expected time to complete a resolution within three months.
South Korea's PIPC issues a handbook for the new PIPA revisionDate: 03 January 2024
South Korea's Personal Information Protection Committee issued a handbook and an enforcement directive for the latest modification to the Personal Information Protection Act. The PIPA has been revised to oblige commercial businesses to engage in dispute resolution, whereas previous to the new amendment, only governmental agencies were required to react to citizen data privacy concerns.
South Korea's Personal Information Protection Committee issued a handbook and an enforcement directive for the latest modification to the Personal Information Protection Act. The PIPA has been revised to oblige commercial businesses to engage in dispute resolution, whereas previous to the new amendment, only governmental agencies were required to react to citizen data privacy concerns.
Colorado Attorney General will demand that data controllers provide universal opt-out methodsDate: 03 January 2024
Under the Colorado Privacy Act, Colorado Attorney General Phil Weiser issued a notification to entities that satisfy specific qualifications as data controllers. Beginning July 1, 2024, these businesses must provide consumers with a uniform opt-out method for the selling and processing of their personal data for targeted advertising. Weiser's office will keep a list of universal opt-out procedures that "have been recognized to meet the (opt-out) standards" mandated by law.
Under the Colorado Privacy Act, Colorado Attorney General Phil Weiser issued a notification to entities that satisfy specific qualifications as data controllers. Beginning July 1, 2024, these businesses must provide consumers with a uniform opt-out method for the selling and processing of their personal data for targeted advertising. Weiser's office will keep a list of universal opt-out procedures that "have been recognized to meet the (opt-out) standards" mandated by law.
Utah is contemplating measures to handle student data sharingDate: 25 December 2023
The Salt Lake Tribune reports that the Utah State Board of Education is exploring a regulation that would require public schools to share student data with charter schools for advertising reasons. Existing federal and state rules permit the exchange of student data to enable targeted charter school advertising, with parents having the choice to opt out of data sharing.
The Salt Lake Tribune reports that the Utah State Board of Education is exploring a regulation that would require public schools to share student data with charter schools for advertising reasons. Existing federal and state rules permit the exchange of student data to enable targeted charter school advertising, with parents having the choice to opt out of data sharing.
DPA of Quebec publishes privacy notice guidelinesDate: 25 December 2023
The Commission d'acces an L'information du Quebec, Quebec's data protection body, has issued recommendations for creating privacy notifications under Law 25. The guideline suggests what should be included in a privacy notice as well as key data protection components for customers. The goal is to increase compliance and awareness of privacy standards in order to protect the personal information of consumers.
The Commission d'acces an L'information du Quebec, Quebec's data protection body, has issued recommendations for creating privacy notifications under Law 25. The guideline suggests what should be included in a privacy notice as well as key data protection components for customers. The goal is to increase compliance and awareness of privacy standards in order to protect the personal information of consumers.
How Microsoft is addressing AI trust and privacyDate: 25 December 2023
Microsoft Vice President, Global Privacy and Regulatory Affairs and Chief Privacy Officer Julie Brill discusses the company's attempts to create trust and preserve privacy while deploying artificial intelligence technologies in a blog post. The post outlined Microsoft's approach to data security and openness, as well as the options available to users to secure their data. Brill also alluded to ongoing regulatory work, assuring Microsoft is in compliance with all data protection rules in the countries where it operates.
Microsoft Vice President, Global Privacy and Regulatory Affairs and Chief Privacy Officer Julie Brill discusses the company's attempts to create trust and preserve privacy while deploying artificial intelligence technologies in a blog post. The post outlined Microsoft's approach to data security and openness, as well as the options available to users to secure their data. Brill also alluded to ongoing regulatory work, assuring Microsoft is in compliance with all data protection rules in the countries where it operates.
ICO sends a letter to major websites outlining cookie compliance flawsDate: 25 December 2023
The UK Information Commissioner's Office made public a letter sent in November to the top 100 most-visited websites informing some of them that their cookie banners may not be compliant with the UK General Data Protection Regulation and the Privacy and Electronic Communications Regulations. The letter highlighted how organizations might rectify the problems; the ICO stated that it distributed the letters to assist other sites in becoming compliant.
The UK Information Commissioner's Office made public a letter sent in November to the top 100 most-visited websites informing some of them that their cookie banners may not be compliant with the UK General Data Protection Regulation and the Privacy and Electronic Communications Regulations. The letter highlighted how organizations might rectify the problems; the ICO stated that it distributed the letters to assist other sites in becoming compliant.
FTC has proposed COPPA modificationsDate: 25 December 2023
The Federal Trade Commission of the United States issued a Notice of Proposed Rulemaking to improve the Children's Online Privacy Protection Act. The proposed modifications are the first since 2013, and include mandatory targeted advertising opt-ins, greater data retention restrictions, better data security measures, and more. Lina Khan, chair of the Federal Trade Commission, stated, "By requiring firms to better safeguard kids' data, our proposal places affirmative obligations on service providers and prohibits them from outsourcing their responsibilities to parents."
The Federal Trade Commission of the United States issued a Notice of Proposed Rulemaking to improve the Children's Online Privacy Protection Act. The proposed modifications are the first since 2013, and include mandatory targeted advertising opt-ins, greater data retention restrictions, better data security measures, and more. Lina Khan, chair of the Federal Trade Commission, stated, "By requiring firms to better safeguard kids' data, our proposal places affirmative obligations on service providers and prohibits them from outsourcing their responsibilities to parents."
EDPB reacts to the European Commission's proposal for a voluntary cookie commitmentDate: 25 December 2023
In its most recent plenary meeting, the European Data Protection Board issued a letter in response to the European Commission's voluntary cookie pledge initiative. The Commission had earlier requested that the EDPB investigate if any components of the proposed commitment were "contrary to the (General Data Protection Regulation) and the ePrivacy Directive." While the EDPB mainly authorized the commitment as written, it advised firms not to ask for approval to collect user personal data for a full year after consent was rejected in order to avoid "cookie fatigue."
In its most recent plenary meeting, the European Data Protection Board issued a letter in response to the European Commission's voluntary cookie pledge initiative. The Commission had earlier requested that the EDPB investigate if any components of the proposed commitment were "contrary to the (General Data Protection Regulation) and the ePrivacy Directive." While the EDPB mainly authorized the commitment as written, it advised firms not to ask for approval to collect user personal data for a full year after consent was rejected in order to avoid "cookie fatigue."
Joe Jones hosts a podcast about privacy in 2023Date: 25 December 2023
Each year appears to offer a flood of newsworthy information for those who follow data security and privacy advancements. This year was no exception. 2023 was as robust as ever, with a completed EU-US Data Privacy Framework, substantial enforcement efforts against Big Tech, a slew of new data protection regulations in India and at least seven U.S. states, and the spectacular rise of AI governance. IAPP Editorial Director Jedidiah Bracy spoke with IAPP Research and Insights Director Joe Jones, who joined the IAPP at the start of 2023, to help flesh out some of the year's key insights.
Each year appears to offer a flood of newsworthy information for those who follow data security and privacy advancements. This year was no exception. 2023 was as robust as ever, with a completed EU-US Data Privacy Framework, substantial enforcement efforts against Big Tech, a slew of new data protection regulations in India and at least seven U.S. states, and the spectacular rise of AI governance. IAPP Editorial Director Jedidiah Bracy spoke with IAPP Research and Insights Director Joe Jones, who joined the IAPP at the start of 2023, to help flesh out some of the year's key insights.
Utah consumer privacy legislation goes into effect on December 31Date: 18 December 2023
The Utah Attorney General's Office has issued revised guidance on what companies and consumers should anticipate when the state's Protection of Personal Information Act goes into effect on December 31. The legislation compels enterprises to employ data security policies to preserve users' confidentiality, and customers have the right to know what data is collected on them and to opt out of personal data collecting for advertising purposes.
The Utah Attorney General's Office has issued revised guidance on what companies and consumers should anticipate when the state's Protection of Personal Information Act goes into effect on December 31. The legislation compels enterprises to employ data security policies to preserve users' confidentiality, and customers have the right to know what data is collected on them and to opt out of personal data collecting for advertising purposes.
Proposal mandating internet browsers to provide opt-out signals is approved by the CPPA BoardDate: 18 December 2023
The California Privacy Protection Agency Board adopted a legislative proposal requiring internet browsers to advise users of their ability to opt out of the sharing and selling of their personal information. If passed, the regulation would require users to opt-out just once via a preference signal, something that major internet browsers such as Google Chrome, Microsoft Edge, and Apple Safari have refused to provide, according to the board.
The California Privacy Protection Agency Board adopted a legislative proposal requiring internet browsers to advise users of their ability to opt out of the sharing and selling of their personal information. If passed, the regulation would require users to opt-out just once via a preference signal, something that major internet browsers such as Google Chrome, Microsoft Edge, and Apple Safari have refused to provide, according to the board.
Meta's end-to-end encryption scheme, according to NCMEC, poses a kid safety dangerDate: 18 December 2023
The organization National Center for Missing & Exploited Children, according to The Guardian, believes that Meta's end-to-end encrypted communications might deal a "devastating blow" to privacy and safety measures for children. Meta states that while end-to-end encryption protects user privacy, users may report actions that go against the company's social network policies.
The organization National Center for Missing & Exploited Children, according to The Guardian, believes that Meta's end-to-end encrypted communications might deal a "devastating blow" to privacy and safety measures for children. Meta states that while end-to-end encryption protects user privacy, users may report actions that go against the company's social network policies.
Norwegian DPA fines a fitness chain NOK10 millionDate: 18 December 2023
Datatilsynet, Norway's data protection authority, announced a NOK10 million punishment against fitness club SATS for allegedly breaking the EU General Data Protection Regulation. As Datatilsynet received "several complaints" between 2018 and 2021, SATS reportedly violated GDPR regulations for data subject rights to access and deletion.
Datatilsynet, Norway's data protection authority, announced a NOK10 million punishment against fitness club SATS for allegedly breaking the EU General Data Protection Regulation. As Datatilsynet received "several complaints" between 2018 and 2021, SATS reportedly violated GDPR regulations for data subject rights to access and deletion.
ICO has released transfer risk assessment guidelines for US transactionsDate: 18 December 2023
The United Kingdom's Information Commissioner's Office issued guidelines for organizations wanting to transfer personal information to the United States under Article 46 of the United Kingdom's General Data Protection Regulation, which addresses how to conduct transactions safely. Details include how to conduct risk transfer evaluations and when Article 46 applies.
The United Kingdom's Information Commissioner's Office issued guidelines for organizations wanting to transfer personal information to the United States under Article 46 of the United Kingdom's General Data Protection Regulation, which addresses how to conduct transactions safely. Details include how to conduct risk transfer evaluations and when Article 46 applies.
Provincial privacy commissioners testify in opposition to Canada's planned PIDPTADate: 18 December 2023
According to IT World Canada, privacy commissioners from many Canadian provinces testified before the House of Commons that the proposed Personal Information and Data Protection Tribunal Act, which is part of the omnibus Bill C-27, is superfluous. Instead of establishing a tribunal to react to appeals from Office of the Privacy Commissioner rulings, the commissioners stated that appellees should continue to use the legal system.
According to IT World Canada, privacy commissioners from many Canadian provinces testified before the House of Commons that the proposed Personal Information and Data Protection Tribunal Act, which is part of the omnibus Bill C-27, is superfluous. Instead of establishing a tribunal to react to appeals from Office of the Privacy Commissioner rulings, the commissioners stated that appellees should continue to use the legal system.
Google takes precautions to safeguard location recordsDate: 18 December 2023
"As reported by TechCrunch Google said it will allow users to remove their location data from its devices at any moment, reduce the amount of time it is kept on the device, and keep their chronology of locations. The modification may significantly restrict the use of geofence warrants by governments, which force corporations to provide data about a device's position inside a specific area."
"As reported by TechCrunch Google said it will allow users to remove their location data from its devices at any moment, reduce the amount of time it is kept on the device, and keep their chronology of locations. The modification may significantly restrict the use of geofence warrants by governments, which force corporations to provide data about a device's position inside a specific area."
FCC votes to establish guidelines for data breach notificationDate: 18 December 2023
The Federal Communications Commission of the United States has decided to adopt new data breach notification regulations for telecommunications, interconnected voice over internet protocol, and telecommunications relay services. The criteria include broadening the scope of notification procedures for some categories of personally identifiable information collected by providers, as well as broadening the definition of "breach" to encompass "inadvertent access, use, or disclosure of customer information."
The Federal Communications Commission of the United States has decided to adopt new data breach notification regulations for telecommunications, interconnected voice over internet protocol, and telecommunications relay services. The criteria include broadening the scope of notification procedures for some categories of personally identifiable information collected by providers, as well as broadening the definition of "breach" to encompass "inadvertent access, use, or disclosure of customer information."
Jamaican Data Protection Act goes into effectDate: 11 December 2023
The Data Protection Act of Jamaica went into force on December 1st. The agency of the Information Commissioner issued a six-month extension for data controllers to register with the agency in order to prove compliance. Data controllers can utilize the grace period to select a data protection officer, according to the OIC, and are advised to "take advantage of the grace period by using the time to ensure their readiness for registration."
The Data Protection Act of Jamaica went into force on December 1st. The agency of the Information Commissioner issued a six-month extension for data controllers to register with the agency in order to prove compliance. Data controllers can utilize the grace period to select a data protection officer, according to the OIC, and are advised to "take advantage of the grace period by using the time to ensure their readiness for registration."
Israel's PPA to ensure database securityDate: 11 December 2023
Under the Privacy Protection Law, Israel's Privacy Protection Authority declared that information management and data storage service providers will be required to disclose information on data security procedures. To limit the danger of a data breach, the PPA said that data security procedures must ensure compliance. Furthermore, the agency mandated "immediate actions that companies must take" to rectify any security gaps.
Under the Privacy Protection Law, Israel's Privacy Protection Authority declared that information management and data storage service providers will be required to disclose information on data security procedures. To limit the danger of a data breach, the PPA said that data security procedures must ensure compliance. Furthermore, the agency mandated "immediate actions that companies must take" to rectify any security gaps.
UK Information Commissioner has warned that faith in AI may be lost by 2024Date: 11 December 2023
Speaking at techUK's Digital Ethics Summit, UK Information Commissioner John Edwards cautioned that the global population might lose faith in AI and urged developers to incorporate privacy into their models. "Privacy and AI go hand in hand — there is no either/or here," he remarked. You can't expect to use AI in your goods or services until you think about privacy, data protection, and how you'll preserve people's rights."
Speaking at techUK's Digital Ethics Summit, UK Information Commissioner John Edwards cautioned that the global population might lose faith in AI and urged developers to incorporate privacy into their models. "Privacy and AI go hand in hand — there is no either/or here," he remarked. You can't expect to use AI in your goods or services until you think about privacy, data protection, and how you'll preserve people's rights."
OPC reveals principles for trustworthy generative AI development and applications.Date: 11 December 2023
The Office of the Privacy Commissioner of Canada published principles for building trustworthy and privacy-protecting generative artificial intelligence. The OPC reminded developers that any generative AI models intended for use in diverse businesses must adhere to all applicable privacy regulations. Obtaining and recording legal authorization and agreement to use personal information for training a generative AI model is one of the principles, and personal data acquisition must be for a legitimate reason.
The Office of the Privacy Commissioner of Canada published principles for building trustworthy and privacy-protecting generative artificial intelligence. The OPC reminded developers that any generative AI models intended for use in diverse businesses must adhere to all applicable privacy regulations. Obtaining and recording legal authorization and agreement to use personal information for training a generative AI model is one of the principles, and personal data acquisition must be for a legitimate reason.
Meta face a 550 million euro lawsuit alleging'systematic' GDPR infringementDate: 11 December 2023
According to TechCrunch, Meta is being sued in Spain by a group of more than 80 newspapers for "systematic and massive non-compliance" with the EU General Data Protection Regulation. AMI claims 550 million euros in damages from Meta for allegedly failing to create a legal basis for processing customers' data for numerous years, resulting in a violation of competition regulations.
According to TechCrunch, Meta is being sued in Spain by a group of more than 80 newspapers for "systematic and massive non-compliance" with the EU General Data Protection Regulation. AMI claims 550 million euros in damages from Meta for allegedly failing to create a legal basis for processing customers' data for numerous years, resulting in a violation of competition regulations.
CPPA proposes new CCPA regulationsDate: 11 December 2023
The California Privacy Protection Agency has suggested amendments to existing California Consumer Privacy Act requirements, which will be reviewed at the agency's board meeting on December 8th. The suggested changes might raise the application criteria and potential fines while also amending regulations on dark patterns and data subject rights. Under the Delete Act, the board also released draft guidelines for its data broker register. A full meeting agenda contains proposed California Privacy Rights Act restrictions on automated decision-making technologies, risk assessments, and cybersecurity audits, in addition to the suggestions.
The California Privacy Protection Agency has suggested amendments to existing California Consumer Privacy Act requirements, which will be reviewed at the agency's board meeting on December 8th. The suggested changes might raise the application criteria and potential fines while also amending regulations on dark patterns and data subject rights. Under the Delete Act, the board also released draft guidelines for its data broker register. A full meeting agenda contains proposed California Privacy Rights Act restrictions on automated decision-making technologies, risk assessments, and cybersecurity audits, in addition to the suggestions.
Former Twitter security executive claims unjust firing and privacy issuesDate: 11 December 2023
Forbes reports Alan Rosa, the former worldwide head of information security at X, formerly known as Twitter, filed a complaint against the company, saying he was sacked for refusing to violate the US Federal Trade Commission's consent decree on privacy. Rosa said he was requested to downsize his department by half, in violation of an FTC regulation that the corporation maintain "a comprehensive privacy and information security program."
Forbes reports Alan Rosa, the former worldwide head of information security at X, formerly known as Twitter, filed a complaint against the company, saying he was sacked for refusing to violate the US Federal Trade Commission's consent decree on privacy. Rosa said he was requested to downsize his department by half, in violation of an FTC regulation that the corporation maintain "a comprehensive privacy and information security program."
Op-ed: Create a unified digital ad interface to simplify privacy law enforcementDate: 11 December 2023
AWO Senior Associate Nick Botton advises that a "single interface" for people to select their digital ad preferences be built to address challenges encountered by advertisers and publishers owing to their dependency on personal data. Botton claims that by "simplifying the enforcement of existing privacy laws," the digital advertising industry would rely less on personal data, and consumers will be able to pick the sorts of advertisements they get across all websites and applications.
AWO Senior Associate Nick Botton advises that a "single interface" for people to select their digital ad preferences be built to address challenges encountered by advertisers and publishers owing to their dependency on personal data. Botton claims that by "simplifying the enforcement of existing privacy laws," the digital advertising industry would rely less on personal data, and consumers will be able to pick the sorts of advertisements they get across all websites and applications.
OCR is at the first phishing settlementDate: 11 December 2023
The Office for Civil Rights of the United States Department of Health and Human Services announced its first phishing settlement, a USD480,000 punishment against Lafourche Medical Group. According to OCR, Lafourche Medical Group failed to undertake a risk assessment to detect possible vulnerabilities to its health information systems, resulting in a data breach affecting 34,862 individuals.
The Office for Civil Rights of the United States Department of Health and Human Services announced its first phishing settlement, a USD480,000 punishment against Lafourche Medical Group. According to OCR, Lafourche Medical Group failed to undertake a risk assessment to detect possible vulnerabilities to its health information systems, resulting in a data breach affecting 34,862 individuals.
Belgium announced its agenda for assuming the leadership of the European Union CouncilDate: 11 December 2023
The Belgian government issued a handbook outlining its strategy for the next Council of the European Union presidency. The statement adds that among data privacy, security, and technological problems, the EU must strive to lead in artificial intelligence research and pursue "more competitive data markets."
The Belgian government issued a handbook outlining its strategy for the next Council of the European Union presidency. The statement adds that among data privacy, security, and technological problems, the EU must strive to lead in artificial intelligence research and pursue "more competitive data markets."
Airline contemplates selling consumer data for targeted advertisingDate: 04 December 2023
As per The Wall Street Journal, United Airlines might leverage customer information to display customized advertisements on its mobile application or on the in-flight entertainment systems. Customers will have the choice to refuse data tracking, although passenger data—such as travel history or United MileagePlus points—may be utilized to target advertisements.
As per The Wall Street Journal, United Airlines might leverage customer information to display customized advertisements on its mobile application or on the in-flight entertainment systems. Customers will have the choice to refuse data tracking, although passenger data—such as travel history or United MileagePlus points—may be utilized to target advertisements.
Uruguay makes adequate judgmentsDate: 04 December 2023
Uruguay's Regulatory and Control Unit of Personal Data adopted a resolution recognizing data protection sufficiency in order to promote data transfers with South Korea and businesses participating in the EU-US Data Privacy Framework. The authority recognized the European Commission's acknowledgment of South Korea's sufficient data protection standards and, under the DPF, set the way for its own adequacy acknowledgements.
Uruguay's Regulatory and Control Unit of Personal Data adopted a resolution recognizing data protection sufficiency in order to promote data transfers with South Korea and businesses participating in the EU-US Data Privacy Framework. The authority recognized the European Commission's acknowledgment of South Korea's sufficient data protection standards and, under the DPF, set the way for its own adequacy acknowledgements.
US states' unveiled privacy claims against MetaDate: 04 December 2023
"According to The New York Times, an unsealed complaint filed by 33 U.S. state attorneys general reveals the breadth of claimed children's privacy abuses by Meta. The complaint, part of an October lawsuit filed by the attorneys general, said that Instagram accounts belonging to children under the age of 13 were not properly shut down and that the company ""routinely continued to collect"" their location data and email addresses without parental authorization."
"According to The New York Times, an unsealed complaint filed by 33 U.S. state attorneys general reveals the breadth of claimed children's privacy abuses by Meta. The complaint, part of an October lawsuit filed by the attorneys general, said that Instagram accounts belonging to children under the age of 13 were not properly shut down and that the company ""routinely continued to collect"" their location data and email addresses without parental authorization."
CNIL has issued API data-sharing guidelinesDate: 04 December 2023
The Commission nationale de l'informatique and des libertés, France's data protection body, has issued suggestions for application programming interface data sharing. According to the guidance, data holders must maintain the security of any data supplied via API while minimizing the risks associated with sharing sensitive data.
The Commission nationale de l'informatique and des libertés, France's data protection body, has issued suggestions for application programming interface data sharing. According to the guidance, data holders must maintain the security of any data supplied via API while minimizing the risks associated with sharing sensitive data.
Meta has received a NOYB privacy complaint over its ad-free planDate: 04 December 2023
According to Reuters, privacy rights group NYOB filed a complaint against Meta with Austria's Data Protection Authority, arguing that its ad-free membership model requires individuals to pay a charge for privacy. Meta supported the strategy for EU Facebook and Instagram customers, citing its conformity with EU standards and similar pricing to other network subscriptions.
According to Reuters, privacy rights group NYOB filed a complaint against Meta with Austria's Data Protection Authority, arguing that its ad-free membership model requires individuals to pay a charge for privacy. Meta supported the strategy for EU Facebook and Instagram customers, citing its conformity with EU standards and similar pricing to other network subscriptions.
Data breaches have impacted US IT service firmsDate: 04 December 2023
Okta, an IT service management provider, claimed that hackers took the data of all customer support users, according to Reuters. According to Okta, hackers received a report comprising the names and email addresses of all clients. According to Infosecurity Magazine, Zeroed-In Technologies suffered a huge data breach that compromised the data of about 2 million people, including Dollar Tree and Family Dollar employees. The compromise resulted in the theft of personally identifiable information, according to the Maine Attorney General's office.
Okta, an IT service management provider, claimed that hackers took the data of all customer support users, according to Reuters. According to Okta, hackers received a report comprising the names and email addresses of all clients. According to Infosecurity Magazine, Zeroed-In Technologies suffered a huge data breach that compromised the data of about 2 million people, including Dollar Tree and Family Dollar employees. The compromise resulted in the theft of personally identifiable information, according to the Maine Attorney General's office.
Queensland passes data privacy legislationDate: 04 December 2023
The Queensland Parliament in Australia enacted the Information Privacy and Other Legislation Amendment Act 2023 on November 29. A data breach must be reported to victims and the Office of the Information Commissioner under the privacy reform. The requirement to be notified "will prompt agencies to consider data security issues and will make them more proactive in preventing and managing data breaches." The privacy reform is scheduled to start in July 2025.
The Queensland Parliament in Australia enacted the Information Privacy and Other Legislation Amendment Act 2023 on November 29. A data breach must be reported to victims and the Office of the Information Commissioner under the privacy reform. The requirement to be notified "will prompt agencies to consider data security issues and will make them more proactive in preventing and managing data breaches." The privacy reform is scheduled to start in July 2025.
Businesses fear that India's DPDPA is overly stringentDate: 20 November 2023
The Digital Personal Data Protection Act of India has prompted several financial, healthcare, and telecoms corporations to think about filing a lawsuit, according to The Economic Times. The businesses claimed that the DPDPA's stringent guidelines about the use of personal data and the need to remove it upon request will negatively impact their business operations.
The Digital Personal Data Protection Act of India has prompted several financial, healthcare, and telecoms corporations to think about filing a lawsuit, according to The Economic Times. The businesses claimed that the DPDPA's stringent guidelines about the use of personal data and the need to remove it upon request will negatively impact their business operations.
Google is fined by a Russian court for allegedly improperly storing customer dataDate: 20 November 2023
Apparently refusing to retain Russian consumers' data on Russian servers, Google was fined RUB15 million by a Moscow court, according to The Associated Press. August 2021 and June 2022 saw Google penalized by the courts for the identical offenses.
Apparently refusing to retain Russian consumers' data on Russian servers, Google was fined RUB15 million by a Moscow court, according to The Associated Press. August 2021 and June 2022 saw Google penalized by the courts for the identical offenses.
PDPC in Singapore fines two corporations for alleged privacy and security infractionsDate: 20 November 2023
"The Personal Data Protection Commission of Singapore penalized two companies for allegedly failing to implement adequate personal data protections for users. Tokyo Century Leasing received an SGD82,000 fine, while Ascentis received an SGD10,000 fine. In addition, the PDPC approved Starbucks' plan to address a data breach."
"The Personal Data Protection Commission of Singapore penalized two companies for allegedly failing to implement adequate personal data protections for users. Tokyo Century Leasing received an SGD82,000 fine, while Ascentis received an SGD10,000 fine. In addition, the PDPC approved Starbucks' plan to address a data breach."
Privacy group complains to the EU about targeted advertisementsDate: 20 November 2023
According to TechCrunch, the privacy group NOYB has filed a complaint against the European Union Commission Directorate-General for Migration and Home Affairs for targeted marketing connected to an EU proposal to combat child sexual abuse. The EU, according to NOYB, employed targeted ads on X, formerly known as Twitter, in violation of the Digital Services Act, which prohibits "the use of sensitive personal data for ad targeting purposes."
According to TechCrunch, the privacy group NOYB has filed a complaint against the European Union Commission Directorate-General for Migration and Home Affairs for targeted marketing connected to an EU proposal to combat child sexual abuse. The EU, according to NOYB, employed targeted ads on X, formerly known as Twitter, in violation of the Digital Services Act, which prohibits "the use of sensitive personal data for ad targeting purposes."
Business advocacy group has urged China to clarify data termsDate: 20 November 2023
"China must provide definitions of ""important data"" and ""personal information"" in order to comply with data rules, according to the European Union Chamber of Commerce in China, as reported by Reuters. Additionally, the organization asked China to complete its planned regulations allowing certain operations to forego data export security evaluations."
"China must provide definitions of ""important data"" and ""personal information"" in order to comply with data rules, according to the European Union Chamber of Commerce in China, as reported by Reuters. Additionally, the organization asked China to complete its planned regulations allowing certain operations to forego data export security evaluations."
Senator from the United States reintroduces legislation to strengthen consumer data privacy and securityDate: 20 November 2023
"Senator Catherine Cortez Masto, D-Nev., reintroduced three bills to increase consumer data privacy rights. The proposed DATA Privacy Act will give customers the ability to request that corporations remove their data and opt out of data collecting. The Promoting Digital Privacy Technologies Act will encourage research into privacy-enhancing technologies by providing financial incentives. The Internet App ID Act would force app developers to reveal if their program was built in or stored data in China."
"Senator Catherine Cortez Masto, D-Nev., reintroduced three bills to increase consumer data privacy rights. The proposed DATA Privacy Act will give customers the ability to request that corporations remove their data and opt out of data collecting. The Promoting Digital Privacy Technologies Act will encourage research into privacy-enhancing technologies by providing financial incentives. The Internet App ID Act would force app developers to reveal if their program was built in or stored data in China."
Researcher finds that data may be exposed on a children's tabletDate: 20 November 2023
"According to TechCrunch, a researcher discovered malware on a children's tablet, putting children's data at risk. Alexis Hancock, a researcher, discovered that the Dragon Touch KidzPad contains malware software that may ""download and install new malware from the internet."" According to KIDOZ founder Eldad Ben Tora, the company adheres to proper data protection regulations. ""Our services fully comply with (U.S. Children's Online Privacy Protection Act) requirements, prioritizing the protection of children's privacy,"" he told reporters."
"According to TechCrunch, a researcher discovered malware on a children's tablet, putting children's data at risk. Alexis Hancock, a researcher, discovered that the Dragon Touch KidzPad contains malware software that may ""download and install new malware from the internet."" According to KIDOZ founder Eldad Ben Tora, the company adheres to proper data protection regulations. ""Our services fully comply with (U.S. Children's Online Privacy Protection Act) requirements, prioritizing the protection of children's privacy,"" he told reporters."
Clearview AI verdict is being appealed by the ICODate: 20 November 2023
The UK Information Commissioner's Office is requesting permission from the First-tier Tribunal to challenge its decision that Clearview AI's data processing activities violate UK data protection regulations since it provides services to international law enforcement organizations. The ICO objected to the decision.
The UK Information Commissioner's Office is requesting permission from the First-tier Tribunal to challenge its decision that Clearview AI's data processing activities violate UK data protection regulations since it provides services to international law enforcement organizations. The ICO objected to the decision.
Analyzing the EU GDPR after five yearsDate: 20 November 2023
Policymakers at the IAPP Europe Data Protection Congress 2023 in Brussels were thoughtful about how the EU General Data Protection Regulation has impacted that conversation five years after it went into effect, given that data privacy is receiving more attention than ever before.
Policymakers at the IAPP Europe Data Protection Congress 2023 in Brussels were thoughtful about how the EU General Data Protection Regulation has impacted that conversation five years after it went into effect, given that data privacy is receiving more attention than ever before.
Norway DPA is sued by Grindr for GDPR interpretationsDate: 06 November 2023
The dating app Grindr filed a lawsuit against Datatilsynet, the Norwegian data protection regulator, following a NOK65 million punishment for sharing advertiser and user location data with marketing partners, according to NRK. The EU General Data Protection Regulation was allegedly misconstrued by the authorities, which would have hindered the app's ability to function within the nation.
The dating app Grindr filed a lawsuit against Datatilsynet, the Norwegian data protection regulator, following a NOK65 million punishment for sharing advertiser and user location data with marketing partners, according to NRK. The EU General Data Protection Regulation was allegedly misconstrued by the authorities, which would have hindered the app's ability to function within the nation.
Berlin court rules LinkedIn must honor tracking opt-out requestsDate: 06 November 2023
The Federation of German Consumer Organizations declared that LinkedIn's purported policy of disobeying user monitoring opt-outs has been prohibited by the Berlin Regional Court, Landgericht Berlin. The platform could no longer configure a member's profile as default to be available on other websites, the court further ruled.
The Federation of German Consumer Organizations declared that LinkedIn's purported policy of disobeying user monitoring opt-outs has been prohibited by the Berlin Regional Court, Landgericht Berlin. The platform could no longer configure a member's profile as default to be available on other websites, the court further ruled.
Ad group opposes the CFPB's data broker crackdownDate: 06 November 2023
The proposed Personal Financial Data Rights by the US Consumer Financial Protection Bureau has been met with resistance by the advertising alliance Privacy for America, according to MediaPost. The plan would limit the capacity of data brokers to sell certain financial information about customers for ad targeting, such as payment history, income, or criminal history. The limits, according to Privacy for America, will "severely hinder small and start-up businesses' ability to find new customers."
The proposed Personal Financial Data Rights by the US Consumer Financial Protection Bureau has been met with resistance by the advertising alliance Privacy for America, according to MediaPost. The plan would limit the capacity of data brokers to sell certain financial information about customers for ad targeting, such as payment history, income, or criminal history. The limits, according to Privacy for America, will "severely hinder small and start-up businesses' ability to find new customers."
IAB Europe's recommendations for GDPR cross-border enforcementDate: 06 November 2023
IAB Europe published a document presenting its proposals for enforcing the EU General Data Protection Regulation in cross-border cases. The directive encourages early resolutions, including settlements to resolve disputes, as well as improved transparency in the actions of supervisory bodies. The IAB's recommendations are aimed at "fostering a digital ecosystem that not only respects privacy and fundamental rights but also ensures efficient enforcement of GDPR regulations across borders."
IAB Europe published a document presenting its proposals for enforcing the EU General Data Protection Regulation in cross-border cases. The directive encourages early resolutions, including settlements to resolve disputes, as well as improved transparency in the actions of supervisory bodies. The IAB's recommendations are aimed at "fostering a digital ecosystem that not only respects privacy and fundamental rights but also ensures efficient enforcement of GDPR regulations across borders."
Quebec DPA has released the final Law 25 rules for gaining valid consentDate: 06 November 2023
The Commission d'accès à l'information du Québec, Quebec's data protection body, has accepted the final version of its recommendations for organizations to get legal consent to process personal data under Law 25. The recommendations are the first set of instructions published by the CAI explaining specific Law 25 requirements, with future guidelines covering other parts of the law to follow.
The Commission d'accès à l'information du Québec, Quebec's data protection body, has accepted the final version of its recommendations for organizations to get legal consent to process personal data under Law 25. The recommendations are the first set of instructions published by the CAI explaining specific Law 25 requirements, with future guidelines covering other parts of the law to follow.
ICO sanctions three companies for illicit direct marketingDate: 06 November 2023
The Information Commissioner's Office in the United Kingdom imposed fines of 170,000 GBP against three organizations for alleged improper direct marketing. Argentum Data Solutions was fined the most, 65,000 GBP, for allegedly facilitating 2.3 million marketing text messages without authorization while not allowing recipients to opt out.
The Information Commissioner's Office in the United Kingdom imposed fines of 170,000 GBP against three organizations for alleged improper direct marketing. Argentum Data Solutions was fined the most, 65,000 GBP, for allegedly facilitating 2.3 million marketing text messages without authorization while not allowing recipients to opt out.
Why should FISA Section 702 reauthorization include safeguards for EU-US DPF foreign citizens?Date: 06 November 2023
One important aspect of the discussion around the renewal of Section 702 of the Foreign Intelligence Surveillance Act is the necessity of safeguarding non-citizens' personal information. The Brookings Institute Prestigious Scholar in Residence for Governance Studies Lawfare is written by Cameron Kerry. Kerry requested that any prospective Section 702 reauthorization include clauses that would provide enhanced legal safeguards to foreign nationals under President Joe Biden's executive order implementing the EU-U.S. Data Privacy Framework.
One important aspect of the discussion around the renewal of Section 702 of the Foreign Intelligence Surveillance Act is the necessity of safeguarding non-citizens' personal information. The Brookings Institute Prestigious Scholar in Residence for Governance Studies Lawfare is written by Cameron Kerry. Kerry requested that any prospective Section 702 reauthorization include clauses that would provide enhanced legal safeguards to foreign nationals under President Joe Biden's executive order implementing the EU-U.S. Data Privacy Framework.
OAIC filed for civil penalties for a sensitive data breach in 2022Date: 06 November 2023
The Australian Information Commissioner announced civil penalty proceedings against Australian Clinical Labs Limited for alleged Privacy Act violations originating from a data breach in 2022. An OAIC review uncovered claimed data security flaws and ineffective data breach notification methods. According to Commissioner Angelene Falk, the selling of personal information on the dark web exposed individuals to "potential emotional distress as well as the material risk of identity theft, extortion, and financial crime.
The Australian Information Commissioner announced civil penalty proceedings against Australian Clinical Labs Limited for alleged Privacy Act violations originating from a data breach in 2022. An OAIC review uncovered claimed data security flaws and ineffective data breach notification methods. According to Commissioner Angelene Falk, the selling of personal information on the dark web exposed individuals to "potential emotional distress as well as the material risk of identity theft, extortion, and financial crime.
Liechtenstein DPA provides AI chatbot guidanceDate: 06 November 2023
Datenschutzstelle, Liechtenstein's data protection office, has produced recommendations on data protection procedures including artificial intelligence-powered chatbots. The recommendations describe chatbots and their applications, as well as the legal foundation for data processing, transparency requirements, and existing legal issues for chatbots under the EU General Data Protection Regulation.
Datenschutzstelle, Liechtenstein's data protection office, has produced recommendations on data protection procedures including artificial intelligence-powered chatbots. The recommendations describe chatbots and their applications, as well as the legal foundation for data processing, transparency requirements, and existing legal issues for chatbots under the EU General Data Protection Regulation.
That was the year of state data privacyDate: 30 October 2023
With the end of California's legislative session in October, there may be no better moment to review state privacy legislation changes in 2023.
In summary, state legislative action was at times chaotic, with multiple states debating a wide range of consumer privacy laws. In the end, seven new states passed comprehensive consumer privacy legislation, three states passed consumer health privacy legislation, at least 14 states passed children's online laws, two states passed data broker bills (with California significantly amending its existing data broker law), and legislators began to address artificial intelligence regulation. Furthermore, under their existing privacy rules, California and Colorado engaged in considerable legislative and enforcement operations.
With the end of California's legislative session in October, there may be no better moment to review state privacy legislation changes in 2023.
In summary, state legislative action was at times chaotic, with multiple states debating a wide range of consumer privacy laws. In the end, seven new states passed comprehensive consumer privacy legislation, three states passed consumer health privacy legislation, at least 14 states passed children's online laws, two states passed data broker bills (with California significantly amending its existing data broker law), and legislators began to address artificial intelligence regulation. Furthermore, under their existing privacy rules, California and Colorado engaged in considerable legislative and enforcement operations.
As a privacy precaution, many businesses are looking to do away with passwordsDate: 30 October 2023
According to MediaPost, large technology businesses are increasingly seeking innovative user login methods that do not rely on passwords to safeguard consumers. Passkeys, such as facial scans, fingerprints, or numerical codes, are becoming more popular among corporations such as Apple, eBay, and Uber.
According to MediaPost, large technology businesses are increasingly seeking innovative user login methods that do not rely on passwords to safeguard consumers. Passkeys, such as facial scans, fingerprints, or numerical codes, are becoming more popular among corporations such as Apple, eBay, and Uber.
Pew Research, most Americans are distrustful about data privacyDate: 30 October 2023
A Pew Research Center poll found that most Americans are puzzled and worried about how their data is utilized. According to the report, the majority of participants believe that neither the government nor businesses utilize their data properly, but they are also unsure of their own influence over the matter.
A Pew Research Center poll found that most Americans are puzzled and worried about how their data is utilized. According to the report, the majority of participants believe that neither the government nor businesses utilize their data properly, but they are also unsure of their own influence over the matter.
Garante imposes a ten-million-euro penalties on an energy firm for improperly processing personal dataDate: 30 October 2023
"The Garante, Italy's data protection regulator, penalized an energy business after receiving customer complaints that it processed ""out-of-date personal information,"" which the firm used to activate ""unsolicited contracts."" Axpo Italia was fined 10 million euros for improperly processing the personal data of over 5,000 clients.
"The Garante, Italy's data protection regulator, penalized an energy business after receiving customer complaints that it processed ""out-of-date personal information,"" which the firm used to activate ""unsolicited contracts."" Axpo Italia was fined 10 million euros for improperly processing the personal data of over 5,000 clients.
EU data regulations are being met by Amazon's cloud serviceDate: 30 October 2023
In order to adhere to EU data protection and sovereignty regulations, Amazon Web Services has launched a stand-alone cloud service for its European clientele, according to Yahoo Finance. Though it will retain all information within the EU and offer more options for data residency, the service will function similarly to Amazon's cloud services in other areas.
In order to adhere to EU data protection and sovereignty regulations, Amazon Web Services has launched a stand-alone cloud service for its European clientele, according to Yahoo Finance. Though it will retain all information within the EU and offer more options for data residency, the service will function similarly to Amazon's cloud services in other areas.
Canadian Privacy Commissioner suggests updating privacy legislation to safeguard minorsDate: 30 October 2023
Philippe Dufresne, Canada's Privacy Commissioner, suggested updating privacy legislation during a meeting with Parliament so kids may access the internet securely without having their rights violated. The Standing Committee on Access to Information, Privacy, and Ethics of the House of Commons, which is drafting a report on the "Use of Social Media Platforms for Data Harvesting and Unethical or Illegal Sharing of Personal Information with Foreign Entities," requested Dufresne to speak.
Philippe Dufresne, Canada's Privacy Commissioner, suggested updating privacy legislation during a meeting with Parliament so kids may access the internet securely without having their rights violated. The Standing Committee on Access to Information, Privacy, and Ethics of the House of Commons, which is drafting a report on the "Use of Social Media Platforms for Data Harvesting and Unethical or Illegal Sharing of Personal Information with Foreign Entities," requested Dufresne to speak.
COPPA may play an important part in Meta children's casesDate: 30 October 2023
"The complaints filed against Meta by 41 states and the District of Columbia are expected to be heavily influenced by the U.S. Children's Online Privacy Protection Act, according to The Washington Post. Under COPPA, the lawsuit tries to argue, among other things, that digital businesses like Meta must ""obtain informed consent from parents prior to collecting the personal information of children online."
"The complaints filed against Meta by 41 states and the District of Columbia are expected to be heavily influenced by the U.S. Children's Online Privacy Protection Act, according to The Washington Post. Under COPPA, the lawsuit tries to argue, among other things, that digital businesses like Meta must ""obtain informed consent from parents prior to collecting the personal information of children online."
Australian e-safety commissioner fined X for failing to disclose CSAM safeguardsDate: 25 October 2023
As per Reuters, X, the old name of Twitter, was fined AUD610,500 by Australia's e-Safety Commissioner for allegedly failing to comply with a directive to reveal information about its measures to prevent child sexual abuse. Concerning X's reaction time for CSAM accusations and the manner in which the platform finds the material, the regulator issued specific inquiries.
As per Reuters, X, the old name of Twitter, was fined AUD610,500 by Australia's e-Safety Commissioner for allegedly failing to comply with a directive to reveal information about its measures to prevent child sexual abuse. Concerning X's reaction time for CSAM accusations and the manner in which the platform finds the material, the regulator issued specific inquiries.
EDPB has chosen a coordinated enforcement focus for 2024Date: 25 October 2023
"The European Data Protection Board declared that its 2024 coordinated enforcement action would focus on controllers' implementation of the EU General Data Protection Regulation's right of access. More information will be revealed in subsequent plenary sessions, but enforcement will be ""bundled and analysed, generating deeper insight into the topic and allowing for targeted follow-up on both the national and the EU level.""
"The European Data Protection Board declared that its 2024 coordinated enforcement action would focus on controllers' implementation of the EU General Data Protection Regulation's right of access. More information will be revealed in subsequent plenary sessions, but enforcement will be ""bundled and analysed, generating deeper insight into the topic and allowing for targeted follow-up on both the national and the EU level.""
Google wants the case against AI training data scraping dismissedDate: 25 October 2023
Reuters reports Google filed with the U.S. District Court for the Northern District of California to dismiss privacy claims regarding data scraping for artificial intelligence model training. Google told the court public data collection is required to power its generative AI offerings and the lawsuit threats to "take a sledgehammer" to "the very idea of generative AI".
Reuters reports Google filed with the U.S. District Court for the Northern District of California to dismiss privacy claims regarding data scraping for artificial intelligence model training. Google told the court public data collection is required to power its generative AI offerings and the lawsuit threats to "take a sledgehammer" to "the very idea of generative AI".
OPC issues additional advice on children's privacyDate: 25 October 2023
The Office of the Privacy Commissioner of Canada issued two advisory notes to accompany its recent joint resolution with provincial privacy authorities to strengthen children's privacy standards. The first guide focuses on considering the ""best interests of young people"" in data processing operations, while the second guide gives advice to organizations on best practices for protecting children.
The Office of the Privacy Commissioner of Canada issued two advisory notes to accompany its recent joint resolution with provincial privacy authorities to strengthen children's privacy standards. The first guide focuses on considering the ""best interests of young people"" in data processing operations, while the second guide gives advice to organizations on best practices for protecting children.
Google will launch tools for reviewing cookies; the phaseout is scheduled for Q1 2024Date: 25 October 2023
According to MediaPost, Google aims to develop a tool for evaluating third-party cookie use in November, ahead of its predicted cookie deprecation in Q1 2024. Rowan Merewood, a Google Staff Developer Relations Engineer, introduced the new tools in a blog post, saying they will "facilitate analysis of cookie usage during browsing sessions." He also talked about the "cookie countdown" and the aim to deactivate cookies for Chrome users gradually from Q1 2024 to Q3 2024.
According to MediaPost, Google aims to develop a tool for evaluating third-party cookie use in November, ahead of its predicted cookie deprecation in Q1 2024. Rowan Merewood, a Google Staff Developer Relations Engineer, introduced the new tools in a blog post, saying they will "facilitate analysis of cookie usage during browsing sessions." He also talked about the "cookie countdown" and the aim to deactivate cookies for Chrome users gradually from Q1 2024 to Q3 2024.
Clearview AI wins ICO fine appeal in 2021Date: 25 October 2023
Clearview AI won its appeal against a 7.5 million GBP fine imposed by the UK Information Commissioner's Office in 2021, according to BBC News. The First-tier Tribunal members who heard the appeal ruled that while the company did engage in ""data processing related to monitoring the behavior of people in the UK,"" the ICO ""did not have jurisdiction"" to impose the penalty on Clearview AI because its users were primarily law enforcement agencies outside the U.K.
Clearview AI won its appeal against a 7.5 million GBP fine imposed by the UK Information Commissioner's Office in 2021, according to BBC News. The First-tier Tribunal members who heard the appeal ruled that while the company did engage in ""data processing related to monitoring the behavior of people in the UK,"" the ICO ""did not have jurisdiction"" to impose the penalty on Clearview AI because its users were primarily law enforcement agencies outside the U.K.
CNIL has published a FAQ for French entities implementing the EU-US DPFDate: 25 October 2023
The Commission nationale de l'informatique et des libertés, France's data protection body, has produced a FAQ page on the European Commission's adequacy judgment on the EU-US Data Privacy Framework. The FAQ highlights major DPF regulations and explains how French firms can send data to US organizations if the latter has not signed the DPF agreement.
The Commission nationale de l'informatique et des libertés, France's data protection body, has produced a FAQ page on the European Commission's adequacy judgment on the EU-US Data Privacy Framework. The FAQ highlights major DPF regulations and explains how French firms can send data to US organizations if the latter has not signed the DPF agreement.
Argentina's AAIP ensures SCCs up to date for international data transfersDate: 25 October 2023
Argentina's Agency for Access to Public Information revised standard contractual agreements for foreign data transfers. According to the AAIP, the provisions ""enable compliance with the principles of personal data protection, and provide companies or organizations with an economically viable alternative."" The Ibero-American Data Protection Network drafted the SCCs.
Argentina's Agency for Access to Public Information revised standard contractual agreements for foreign data transfers. According to the AAIP, the provisions ""enable compliance with the principles of personal data protection, and provide companies or organizations with an economically viable alternative."" The Ibero-American Data Protection Network drafted the SCCs.
Bermuda's privacy commissioner predicts expansion in the privacy and data governance industriesDate: 25 October 2023
Bermuda Privacy Commissioner Alexander White, stated that the privacy and information governance industry is growing on the island ahead of the Personal Information Protection Act's implementation in 2025, according to The Royal Gazette. He was speaking from the 45th Global Privacy Assembly, which was held in Bermuda this year and featured delegates from data protection agencies from around the world.
Bermuda Privacy Commissioner Alexander White, stated that the privacy and information governance industry is growing on the island ahead of the Personal Information Protection Act's implementation in 2025, according to The Royal Gazette. He was speaking from the 45th Global Privacy Assembly, which was held in Bermuda this year and featured delegates from data protection agencies from around the world.
Understanding Saudi Arabia's PDPL's fundamental provisionsDate: 25 October 2023
The Kingdom of Saudi Arabia Personal Data Protection law is the country's first privacy legislation, linking it with other international data protection standards. Osama El-Masry highlights what privacy experts must consider with the law before the 14 September 2024 compliance date.
The Kingdom of Saudi Arabia Personal Data Protection law is the country's first privacy legislation, linking it with other international data protection standards. Osama El-Masry highlights what privacy experts must consider with the law before the 14 September 2024 compliance date.
OAIC published their annual report for 2022-2023Date: 25 October 2023
The Office of the Australian Information Commissioner published its annual report on privacy and access to information for 2022-2023. The report's data breach numbers, according to Information Commissioner Angelene Falk, are a ""wake-up call for Australian organizations,"" demonstrating ""how collaboration by regulators and government can assist in identifying and reducing harms."" Falk also discussed OAIC financing and a restructured organization that would include a dedicated privacy commissioner.
The Office of the Australian Information Commissioner published its annual report on privacy and access to information for 2022-2023. The report's data breach numbers, according to Information Commissioner Angelene Falk, are a ""wake-up call for Australian organizations,"" demonstrating ""how collaboration by regulators and government can assist in identifying and reducing harms."" Falk also discussed OAIC financing and a restructured organization that would include a dedicated privacy commissioner.
Consumers favor worldwide privacy regulations, according to survey dataDate: 25 October 2023
Focusing on the company's 2023 Consumer Privacy Survey, Robert Waitman observes that younger generations are "more convinced that they can appropriately secure their personal data" by exercising current data subject access rights. An examination of 2,600 anonymous adult respondents from 12 countries found that 40% of consumers aged 18-34 exercised their right to data subject access, whereas just 15% of those aged 55-64 did so.
Focusing on the company's 2023 Consumer Privacy Survey, Robert Waitman observes that younger generations are "more convinced that they can appropriately secure their personal data" by exercising current data subject access rights. An examination of 2,600 anonymous adult respondents from 12 countries found that 40% of consumers aged 18-34 exercised their right to data subject access, whereas just 15% of those aged 55-64 did so.
Analyzing state-level privacy activities in the US in 2023Date: 25 October 2023
The rush of 2023 state legislative activity on privacy was chaotic at times due to all of the broad and targeted bills. Husch Blackwell Partner David Stauss and Future of Privacy Forum Senior Counsel Keir Lamont examined each form of privacy legislation that has been enacted and anticipated that, in the absence of a federal comprehensive privacy law, more state-level action will occur in the future years.
The rush of 2023 state legislative activity on privacy was chaotic at times due to all of the broad and targeted bills. Husch Blackwell Partner David Stauss and Future of Privacy Forum Senior Counsel Keir Lamont examined each form of privacy legislation that has been enacted and anticipated that, in the absence of a federal comprehensive privacy law, more state-level action will occur in the future years.
Canadian privacy regulators advocate for stronger child and employee privacy rulesDate: 16 October 2023
The Privacy Commissioner of Canada released joint resolutions with provincial data protection authorities "calling on governments to do more to protect the privacy rights of young people and workers." The resolution on youth privacy advocates for regulations that emphasize "the responsibility of organizations across all sectors to actively safeguard young people's data through responsible measures." According to the employee privacy resolution, "laws protecting workplace privacy are either out-of-date or non-existent."
The Privacy Commissioner of Canada released joint resolutions with provincial data protection authorities "calling on governments to do more to protect the privacy rights of young people and workers." The resolution on youth privacy advocates for regulations that emphasize "the responsibility of organizations across all sectors to actively safeguard young people's data through responsible measures." According to the employee privacy resolution, "laws protecting workplace privacy are either out-of-date or non-existent."
Croatia's DPA sanctions a debt collecting business for GDPR infringementDate: 16 October 2023
Croatia's Personal Data Protection Agency penalized debt collecting firm EOS Matrix 5.47 million euros for alleged violations of the EU General Data Protection Regulation. According to a March complaint filed with the AZOP, the agency processed the data of a large number of individuals without consent, including 294 children. Among its conclusions, the AZOP ruled that the agency processed nondebtors' personal data, processed data in a nontransparent manner, and recorded phone calls without a legal basis.
Croatia's Personal Data Protection Agency penalized debt collecting firm EOS Matrix 5.47 million euros for alleged violations of the EU General Data Protection Regulation. According to a March complaint filed with the AZOP, the agency processed the data of a large number of individuals without consent, including 294 children. Among its conclusions, the AZOP ruled that the agency processed nondebtors' personal data, processed data in a nontransparent manner, and recorded phone calls without a legal basis.
SEC is looking into the 2018 Twitter data hackDate: 16 October 2023
"According to Bloomberg, the US Securities and Exchange Commission is investigating X, previously Twitter, for inadequate disclosures on its 2018 data breach. The SEC's probe is centered on the platform's claimed privacy flaws, which resulted in the breach, and why the issues were not previously revealed to shareholders. In Europe, the Data Protection Commission of Ireland penalized X 450,000 euros for the infringement in December 2020.
"According to Bloomberg, the US Securities and Exchange Commission is investigating X, previously Twitter, for inadequate disclosures on its 2018 data breach. The SEC's probe is centered on the platform's claimed privacy flaws, which resulted in the breach, and why the issues were not previously revealed to shareholders. In Europe, the Data Protection Commission of Ireland penalized X 450,000 euros for the infringement in December 2020.
South Korea's PIPC will begin AI oversightDate: 16 October 2023
Personal Information Protection Commission of South Korea will launch its artificial intelligence regulatory program on October 13. The pilot for the PIPC's "Prior Appropriateness Review System" would encourage "safe use of data" and "trust in personal information by preemptively and preventatively checking" the data collection methods of technologies for compliance with the Personal Information Protection Act.
Personal Information Protection Commission of South Korea will launch its artificial intelligence regulatory program on October 13. The pilot for the PIPC's "Prior Appropriateness Review System" would encourage "safe use of data" and "trust in personal information by preemptively and preventatively checking" the data collection methods of technologies for compliance with the Personal Information Protection Act.
Australia updates its consumer data rights policiesDate: 16 October 2023
The Australian Competition and Consumer Commission and the Australian Information Commissioner issued a joint policy outlining how the agencies will enforce the Consumer Data Right framework. The law allows users to choose what data they share with service providers and how that information is shared.
The Australian Competition and Consumer Commission and the Australian Information Commissioner issued a joint policy outlining how the agencies will enforce the Consumer Data Right framework. The law allows users to choose what data they share with service providers and how that information is shared.
FTC and CFPB have reached a $23 million settlement for FCRA violationsDate: 16 October 2023
The Federal Trade Commission and Consumer Financial Protection Bureau of the United States announced a USD23 million settlement with credit reporting provider Trans Union over alleged Fair Credit Reporting Act violations linked to incorrect data and report filings. The claims settled include erroneous or incomplete eviction data from consumer reports, which resulted in housing denials. In addition to a USD 15 million settlement, the CFPB imposed an extra USD 8 million penalty for unlawful credit report holding.
The Federal Trade Commission and Consumer Financial Protection Bureau of the United States announced a USD23 million settlement with credit reporting provider Trans Union over alleged Fair Credit Reporting Act violations linked to incorrect data and report filings. The claims settled include erroneous or incomplete eviction data from consumer reports, which resulted in housing denials. In addition to a USD 15 million settlement, the CFPB imposed an extra USD 8 million penalty for unlawful credit report holding.
EU General Court has denied an interim stay to the EU-US Data Privacy FrameworkDate: 16 October 2023
The European Union General Court rejected interim measures to halt the implementation of the EU-US Data Privacy Framework. The ruling came in response to a complaint filed by French Member of the European Parliament Philippe Latombe against the transfer agreement and subsequent adequacy finding. According to the court, Latombe cannot demonstrate the agreement's individual or group harm.
The European Union General Court rejected interim measures to halt the implementation of the EU-US Data Privacy Framework. The ruling came in response to a complaint filed by French Member of the European Parliament Philippe Latombe against the transfer agreement and subsequent adequacy finding. According to the court, Latombe cannot demonstrate the agreement's individual or group harm.
Governor of California signs the Delete Act into lawDate: 16 October 2023
"Gov. Gavin Newsom, D-Calif., signed Senate Bill 362, commonly known as the Delete Act, into law on Tuesday, adding another legal arrow to the state's quiver of privacy rules. The move comes just days before Newsom's deadline to sign the bill on October 14th. The California Consumer Privacy Act and modifications to the groundbreaking legislation established by the California Privacy Rights Act preceded the Delete Act. According to the new law, data brokers must register with the California Privacy Protection Agency, which will enforce the rule.
"Gov. Gavin Newsom, D-Calif., signed Senate Bill 362, commonly known as the Delete Act, into law on Tuesday, adding another legal arrow to the state's quiver of privacy rules. The move comes just days before Newsom's deadline to sign the bill on October 14th. The California Consumer Privacy Act and modifications to the groundbreaking legislation established by the California Privacy Rights Act preceded the Delete Act. According to the new law, data brokers must register with the California Privacy Protection Agency, which will enforce the rule.
Data breach in 2017, the UK Financial Conduct Authority fined EquifaxDate: 16 October 2023
According to Reuters, the United Kingdom's Financial Conduct Authority fined consumer credit rating service Equifax 11 million GBP for its role in a large-scale data breach in 2017. Hackers gained access to the personal information of 13.8 million UK individuals, which was housed on US computers, for six weeks in 2017, in addition to the approximately 148 million US citizens who were affected by the breach.
According to Reuters, the United Kingdom's Financial Conduct Authority fined consumer credit rating service Equifax 11 million GBP for its role in a large-scale data breach in 2017. Hackers gained access to the personal information of 13.8 million UK individuals, which was housed on US computers, for six weeks in 2017, in addition to the approximately 148 million US citizens who were affected by the breach.
India makes attempts to reconcile AI and data privacyDate: 16 October 2023
AI-based technologies are set to change sectors, boost operational efficiencies, and improve general quality of life. Rishi Wadhwa, CIPP/E, EY Senior Cyber Security Consultant, looks at attempts in India to reconcile the benefits of AI with the security of personal data and privacy.
AI-based technologies are set to change sectors, boost operational efficiencies, and improve general quality of life. Rishi Wadhwa, CIPP/E, EY Senior Cyber Security Consultant, looks at attempts in India to reconcile the benefits of AI with the security of personal data and privacy.
Meta formally offers ad-free services to EU regulatorsDate: 10 October 2023
According to the Wall Street Journal, Meta recommended charging EU customers for ad-free services in order to solve alleged EU General Data Protection Regulation violations with tailored advertising. Meta made the argument to EU privacy and competition regulators, proposing individual and bundle prices for ad-free versions of Facebook and Instagram. Before the presentation, Meta contemplated offering EU users an opt-in consent method for getting tailored adverts.
According to the Wall Street Journal, Meta recommended charging EU customers for ad-free services in order to solve alleged EU General Data Protection Regulation violations with tailored advertising. Meta made the argument to EU privacy and competition regulators, proposing individual and bundle prices for ad-free versions of Facebook and Instagram. Before the presentation, Meta contemplated offering EU users an opt-in consent method for getting tailored adverts.
Consumer Reports app allows users to manage their personal dataDate: 10 October 2023
Consumer Reports has created a free app, "Permission Slip by CR," to assist customers in managing personal information and requesting that corporations delete or stop selling their data. The app presently includes restaurant companies, entertainment businesses, and merchants such as McDonald's, Amazon, and Netflix. Following the implementation of various state privacy laws, the Consumer Reports Innovation Lab created the app.
Consumer Reports has created a free app, "Permission Slip by CR," to assist customers in managing personal information and requesting that corporations delete or stop selling their data. The app presently includes restaurant companies, entertainment businesses, and merchants such as McDonald's, Amazon, and Netflix. Following the implementation of various state privacy laws, the Consumer Reports Innovation Lab created the app.
AEPD has issued PET adviceDate: 10 October 2023
The Agencia Espaola de Protección de Datos, Spain's data protection body, provided recommendations on the use of privacy-enhancing technologies in data systems, stating that they can be used to enforce governance policies, boost trust, and data sovereignty. "PETs can be, and should be, 'dual-use' technologies to be efficient and effective, integrated in the core of the Data Spaces, fulfilling different purposes in the data-access sharing economy," it stated.
The Agencia Espaola de Protección de Datos, Spain's data protection body, provided recommendations on the use of privacy-enhancing technologies in data systems, stating that they can be used to enforce governance policies, boost trust, and data sovereignty. "PETs can be, and should be, 'dual-use' technologies to be efficient and effective, integrated in the core of the Data Spaces, fulfilling different purposes in the data-access sharing economy," it stated.
ANPD announced a consultation on AI and a data protection sandboxDate: 10 October 2023
The Autoridade Nacional de Proteço de Dados, Brazil's data protection organization, has issued a public consultation on their sandbox program to investigate the relationship between artificial intelligence and data protection. The sandbox's goal is to test artificial intelligence technology and develop best practices "to ensure compliance with personal data protection standards."
The Autoridade Nacional de Proteço de Dados, Brazil's data protection organization, has issued a public consultation on their sandbox program to investigate the relationship between artificial intelligence and data protection. The sandbox's goal is to test artificial intelligence technology and develop best practices "to ensure compliance with personal data protection standards."
ICO is seeking feedback on fining guidelinesDate: 10 October 2023
The UK Information Commissioner's Office has launched a public consultation on its amended General Data Protection Regulation and Data Protection Act fining recommendations. The rules define the ICO's fining powers, the reasons for filing penalty notices, and the methodology used to determine fines. The consultation is open until November 27th.
The UK Information Commissioner's Office has launched a public consultation on its amended General Data Protection Regulation and Data Protection Act fining recommendations. The rules define the ICO's fining powers, the reasons for filing penalty notices, and the methodology used to determine fines. The consultation is open until November 27th.
GDPR harmonization may provide a solution for the usage of health dataDate: 10 October 2023
According to Euractiv, harmonization of the EU General Data Protection Regulation could resolve issues surrounding secondary usage of health data under the proposed European Health Data Space. Markus Kalliola, the coordinator of the Joint Action Towards the European Health Data Space, stated that the EHDS provides an opportunity to "harmonise" procedures under the GDPR and will "help the member states going forward nationally and then in the whole union."
According to Euractiv, harmonization of the EU General Data Protection Regulation could resolve issues surrounding secondary usage of health data under the proposed European Health Data Space. Markus Kalliola, the coordinator of the Joint Action Towards the European Health Data Space, stated that the EHDS provides an opportunity to "harmonise" procedures under the GDPR and will "help the member states going forward nationally and then in the whole union."
Impact of the MOVEit breach on US universities continuesDate: 02 October 2023
According to the National Student Clearinghouse, data from 890 U.S. higher education institutions was stolen as part of the MOVEit ransomware hack. The hack compromised troves of personally identifiable information, affecting schools in nearly every state throughout the United States. The US Department of Education requires all universities in the country to use MOVEit to communicate information with the NSC.
According to the National Student Clearinghouse, data from 890 U.S. higher education institutions was stolen as part of the MOVEit ransomware hack. The hack compromised troves of personally identifiable information, affecting schools in nearly every state throughout the United States. The US Department of Education requires all universities in the country to use MOVEit to communicate information with the NSC.
PCPD of Hong Kong has issued data security guidelinesDate: 02 October 2023
Following a series of hacks and related personal data leaks, Hong Kong's Office of the Privacy Commissioner for Personal Data provided data security advice. The PCPD provided seven suggested steps that might be taken to meet security goals while reminding firms to "regularly conduct data security risk assessments, and put in place adequate and effective security measures."
Following a series of hacks and related personal data leaks, Hong Kong's Office of the Privacy Commissioner for Personal Data provided data security advice. The PCPD provided seven suggested steps that might be taken to meet security goals while reminding firms to "regularly conduct data security risk assessments, and put in place adequate and effective security measures."
Kenya's ODPC imposes fines of KES9.375M for data protectionDate: 02 October 2023
Kenya's Office of the Data Privacy Commissioner announced three penalties totaling KES9,375,000 for alleged violations of the Data Protection Act. Each penalty is for charges of nonconsensual use of personal data. Roma School received the highest penalties of KES4,550,000 for uploading photos of kids without parental approval.
Kenya's Office of the Data Privacy Commissioner announced three penalties totaling KES9,375,000 for alleged violations of the Data Protection Act. Each penalty is for charges of nonconsensual use of personal data. Roma School received the highest penalties of KES4,550,000 for uploading photos of kids without parental approval.
App used by ICE prompts concerns about data practicesDate: 02 October 2023
Reported by CyberScoop "An app used by U.S. Immigration and Customs Enforcement to track migrants captures a lot of sensitive data, including personally identifiable information and geolocation data, according to public records obtained by the Just Futures Law legal initiative. The documents reveal that BI's SmartLINK app also gathers health and biometric information, though nothing is known about how the information is put to use or kept. They suggest that data collection may continue for longer than ICE has revealed in the public."
Reported by CyberScoop "An app used by U.S. Immigration and Customs Enforcement to track migrants captures a lot of sensitive data, including personally identifiable information and geolocation data, according to public records obtained by the Just Futures Law legal initiative. The documents reveal that BI's SmartLINK app also gathers health and biometric information, though nothing is known about how the information is put to use or kept. They suggest that data collection may continue for longer than ICE has revealed in the public."
Las Vegas casinos are being sued collectively for data breachesDate: 02 October 2023
According to 8NewsNow, MGM Resorts International and Caesars Entertainment are being sued in five class-action lawsuits for data breaches. The complaints contend that the casinos did not adequately disclose security breaches and failed to secure consumers' personally identifying information. According to one lawsuit, Caesars had to take "reasonable care in safeguarding and protecting the PII in Caesars's possession, custody, or control."
According to 8NewsNow, MGM Resorts International and Caesars Entertainment are being sued in five class-action lawsuits for data breaches. The complaints contend that the casinos did not adequately disclose security breaches and failed to secure consumers' personally identifying information. According to one lawsuit, Caesars had to take "reasonable care in safeguarding and protecting the PII in Caesars's possession, custody, or control."
Finland's DPA has lifted the ban on data transfers to RussiaDate: 02 October 2023
According to Reuters The Office of the Data Protection Ombudsman of Finland has lifted a temporary ban on data transfers to and from Russia using the ride-hailing app Yango. An ongoing ombudsman investigation revealed that Russian legislation purportedly granting government access to data did not apply to taxi businesses.
According to Reuters The Office of the Data Protection Ombudsman of Finland has lifted a temporary ban on data transfers to and from Russia using the ride-hailing app Yango. An ongoing ombudsman investigation revealed that Russian legislation purportedly granting government access to data did not apply to taxi businesses.
ICO advocates for improved data protection for victims of abuseDate: 02 October 2023
The Information Commissioner's Office in the UK has issued a warning to organizations about the importance of increasing data privacy and security for sensitive information belonging to victims of domestic abuse. The warning comes after the ICO issued seven reprimands in 14 months for data breaches affecting domestic abuse victims. "This is a pattern that must be broken." Organizations should do all possible to safeguard the personal information under their control." According to John Edwards, the Information Commissioner.
The Information Commissioner's Office in the UK has issued a warning to organizations about the importance of increasing data privacy and security for sensitive information belonging to victims of domestic abuse. The warning comes after the ICO issued seven reprimands in 14 months for data breaches affecting domestic abuse victims. "This is a pattern that must be broken." Organizations should do all possible to safeguard the personal information under their control." According to John Edwards, the Information Commissioner.
EDPB has adopted rules on law enforcement data transfer safeguardsDate: 02 October 2023
The European Data Protection Board issued guidance on how to apply Article 37 of the Law Enforcement Directive. The guidelines, in addition to "practical guidance," "provide clarity on the legal standard for appropriate safeguards" when transferring personal data from EU countries to third-country authorities or law enforcement groups. They additionally "reiterate that any transfer of personal data requires an essentially equivalent level of protection in the recipient third country or international organisation," according to the EDPB.
The European Data Protection Board issued guidance on how to apply Article 37 of the Law Enforcement Directive. The guidelines, in addition to "practical guidance," "provide clarity on the legal standard for appropriate safeguards" when transferring personal data from EU countries to third-country authorities or law enforcement groups. They additionally "reiterate that any transfer of personal data requires an essentially equivalent level of protection in the recipient third country or international organisation," according to the EDPB.
High Court of Denmark imposes fines on hotel chain for data storingDate: 02 October 2023
Datatilsynet, Denmark's data protection body, reported that the Eastern High Court ruled in a case against hotel operator Arp-Hansen, resulting in a DKK1 million punishment. Director Cristina Angela Gulisano stated that the court "broadly" agreed with Datatilsynet's 2020 assessment of the company's alleged failure to meet data deletion dates concerning around 500,000 user profiles.
Datatilsynet, Denmark's data protection body, reported that the Eastern High Court ruled in a case against hotel operator Arp-Hansen, resulting in a DKK1 million punishment. Director Cristina Angela Gulisano stated that the court "broadly" agreed with Datatilsynet's 2020 assessment of the company's alleged failure to meet data deletion dates concerning around 500,000 user profiles.
EDPS: Cybersecurity and data protection are inseparableDate: 02 October 2023
Cybersecurity and data protection, according to European Data Protection Supervisor Wojciech Wiewiórowski, are "inseparable." Wiewiórowski stated that the EDPS supports "a legal, strategic, and operational approach to cybersecurity that integrates by design fundamental rights, including the right to privacy and the protection of personal data, which are key to protecting the EU's citizens and the EU's data from cyberattacks."
Cybersecurity and data protection, according to European Data Protection Supervisor Wojciech Wiewiórowski, are "inseparable." Wiewiórowski stated that the EDPS supports "a legal, strategic, and operational approach to cybersecurity that integrates by design fundamental rights, including the right to privacy and the protection of personal data, which are key to protecting the EU's citizens and the EU's data from cyberattacks."
FTC issues a warning to tax preparation firms over possible misuse of customer dataDate: 25 September 2023
The Federal Trade Commission of the United States has cautioned five tax preparation organizations that they face civil penalties if they use consumers' sensitive data for reasons unrelated to tax preparation without their agreement. According to the FTC's "Notice of Penalty Offenses," businesses might incur civil penalties of up to USD50,120 per infringement. "Companies that violate Americans' privacy by attempting to monetize personal data without their consent face significant financial penalties," warned FTC Bureau of Consumer Protection Director Samuel Levine.
The Federal Trade Commission of the United States has cautioned five tax preparation organizations that they face civil penalties if they use consumers' sensitive data for reasons unrelated to tax preparation without their agreement. According to the FTC's "Notice of Penalty Offenses," businesses might incur civil penalties of up to USD50,120 per infringement. "Companies that violate Americans' privacy by attempting to monetize personal data without their consent face significant financial penalties," warned FTC Bureau of Consumer Protection Director Samuel Levine.
EU-US DPF Data Protection Review Court process, the DOJ has created a websiteDate: 25 September 2023
The United Kingdom has been added as a qualifying jurisdiction by the United States Department of Justice Office of Privacy and Civil Liberties, and its people can seek legal remedy through the EU-US Data Privacy Framework's Data Protection Review Court. Once the planned UK-US data transfer agreement goes into effect, UK people will be able to petition the redress procedures.
The United Kingdom has been added as a qualifying jurisdiction by the United States Department of Justice Office of Privacy and Civil Liberties, and its people can seek legal remedy through the EU-US Data Privacy Framework's Data Protection Review Court. Once the planned UK-US data transfer agreement goes into effect, UK people will be able to petition the redress procedures.
California's Delete Act's potential effectsDate: 25 September 2023
The California Delete Act will establish a mechanism for customers to make a once-off deletion request of all of their information aggregated by registered data brokers operating in the state, should Gov. Gavin Newsom, a Democrat from California, sign it into law. Join IAPP for a LinkedIn Live conversation on privacy consequences, obligations for data brokers, and general enforcement on September 21. Author's note The Delete Act was approved by the California Legislature, according to Alex LaCasse.
The California Delete Act will establish a mechanism for customers to make a once-off deletion request of all of their information aggregated by registered data brokers operating in the state, should Gov. Gavin Newsom, a Democrat from California, sign it into law. Join IAPP for a LinkedIn Live conversation on privacy consequences, obligations for data brokers, and general enforcement on September 21. Author's note The Delete Act was approved by the California Legislature, according to Alex LaCasse.
Customers of Pizza Hut Australia affected by data breachDate: 25 September 2023
A cyberattack may have exposed the personal information of about 193,000 Pizza Hut Australia customers, according to the Guardian. Email addresses, phone numbers, names, addresses, and directions for home delivery were among the data that might have been accessed. The incident has been reported to the Office of the Australian Information Commissioner, according to Phil Reed, CEO of Pizza Hut Australia.
A cyberattack may have exposed the personal information of about 193,000 Pizza Hut Australia customers, according to the Guardian. Email addresses, phone numbers, names, addresses, and directions for home delivery were among the data that might have been accessed. The incident has been reported to the Office of the Australian Information Commissioner, according to Phil Reed, CEO of Pizza Hut Australia.
Denmark's DPA issues recommendations on employee access to personal dataDate: 25 September 2023
Datatilsynet, Denmark's data protection body, has issued recommendations on avoiding illegal access to personal data by workers. The guidance recommends that companies conduct a risk assessment to ensure appropriate frameworks are in place, that employees only access information when there is a work-related need, that employees' use of personal data be logged, and that control measures such as continuous monitoring of employees' use of systems using personal data be implemented.
Datatilsynet, Denmark's data protection body, has issued recommendations on avoiding illegal access to personal data by workers. The guidance recommends that companies conduct a risk assessment to ensure appropriate frameworks are in place, that employees only access information when there is a work-related need, that employees' use of personal data be logged, and that control measures such as continuous monitoring of employees' use of systems using personal data be implemented.
India DPDPA regulations, impending appointments to the Data Protection BoardDate: 25 September 2023
India Rajeev Chandrasekhar, Minister of State for Electronics and Information Technology, has stated that the government will finalize Data Protection Board nominations and Digital Personal Data Protection Act rules within 30 days, according to MoneyControl. Now in effect, the measure will most likely have a one-year grace period. However, Chandrasekhar stated that breaches that occur during the interim period will "accumulate" and will be dealt by the DPB once its members are in place.
India Rajeev Chandrasekhar, Minister of State for Electronics and Information Technology, has stated that the government will finalize Data Protection Board nominations and Digital Personal Data Protection Act rules within 30 days, according to MoneyControl. Now in effect, the measure will most likely have a one-year grace period. However, Chandrasekhar stated that breaches that occur during the interim period will "accumulate" and will be dealt by the DPB once its members are in place.
OPC claims that Canada Post broke the Privacy ActDate: 25 September 2023
According to CTV News, the Office of the Privacy Commissioner of Canada asserted that Canada Post is improperly compiling a marketing database using data about letter recipients. The postal service was accused of violating Section 5 of the Privacy Act by collecting personal information without consent, according to an OPC investigation and proceeding report.
According to CTV News, the Office of the Privacy Commissioner of Canada asserted that Canada Post is improperly compiling a marketing database using data about letter recipients. The postal service was accused of violating Section 5 of the Privacy Act by collecting personal information without consent, according to an OPC investigation and proceeding report.
The EDPB and the EDPS have issued a joint opinion on rules for expediting cross-border GDPR remediesDate: 25 September 2023
The European Data Protection Board and European Data Protection Supervisor issued a joint opinion on a European Commission proposal for procedural procedures to speed EU General Data Protection Regulation enforcement. The initiative seeks to streamline cross-border collaboration in resolving individual privacy issues. The EDPB and EDPS also adopted combined responses to the commission's public consultation for the description template of consumer profiling techniques under the Digital Markets Act.
The European Data Protection Board and European Data Protection Supervisor issued a joint opinion on a European Commission proposal for procedural procedures to speed EU General Data Protection Regulation enforcement. The initiative seeks to streamline cross-border collaboration in resolving individual privacy issues. The EDPB and EDPS also adopted combined responses to the commission's public consultation for the description template of consumer profiling techniques under the Digital Markets Act.
CBP will no longer purchase bulk location dataDate: 18 September 2023
According to 404 Media, US Customs and Border Protection informed US Senator Ron Wyden, D-Ore., that it will cease purchasing mobile device location data at the end of September. While no justification was provided for the suspension, Wyden stated that CBP's action is "good news," but he wants to know why CBP was given "authority to engage in such warrantless surveillance in the first place."
According to 404 Media, US Customs and Border Protection informed US Senator Ron Wyden, D-Ore., that it will cease purchasing mobile device location data at the end of September. While no justification was provided for the suspension, Wyden stated that CBP's action is "good news," but he wants to know why CBP was given "authority to engage in such warrantless surveillance in the first place."
ECHR decides against the UK's monitoring policyDate: 18 September 2023
The European Court of Human Rights decided that a U.K. overseas monitoring operation violated the privacy of two people, according to The Financial Times. The ECHR backed the complainants' claims that the U.K. Government Communications Headquarters had infringed their privacy by collecting vast amounts of communications data. The court cited a larger 2021 decision condemning UK spying activities.
The European Court of Human Rights decided that a U.K. overseas monitoring operation violated the privacy of two people, according to The Financial Times. The ECHR backed the complainants' claims that the U.K. Government Communications Headquarters had infringed their privacy by collecting vast amounts of communications data. The court cited a larger 2021 decision condemning UK spying activities.
Fundamental rights and freedoms' sections of the data protection legislation will be changed in the UKDate: 18 September 2023
The Department for Science, Innovation, and Technology of the United Kingdom produced a legislative instrument amending terminology for "fundamental rights and freedoms" under data protection regulations in the United Kingdom. The document replaces references kept under the EU General Data Protection Regulation with recognitions incorporated in UK law. The amendment will go into effect in January 2024.
The Department for Science, Innovation, and Technology of the United Kingdom produced a legislative instrument amending terminology for "fundamental rights and freedoms" under data protection regulations in the United Kingdom. The document replaces references kept under the EU General Data Protection Regulation with recognitions incorporated in UK law. The amendment will go into effect in January 2024.
The Delaware governor has signed the Personal Data Privacy ActDate: 18 September 2023
The Delaware Personal Data Privacy Act was signed by Gov. John Carney, D-Del., and will take effect on January 1, 2025, according to Delaware Public Media. A consumer and corporate outreach phase will begin no later than July 1, 2024. The measure, according to Owen Lefkon, Director of the Department of Justice's Fraud and Consumer Protection Division, "gives consumers choice" and "puts control back in the hands of the consumer."
The Delaware Personal Data Privacy Act was signed by Gov. John Carney, D-Del., and will take effect on January 1, 2025, according to Delaware Public Media. A consumer and corporate outreach phase will begin no later than July 1, 2024. The measure, according to Owen Lefkon, Director of the Department of Justice's Fraud and Consumer Protection Division, "gives consumers choice" and "puts control back in the hands of the consumer."
Consumer advocates from the Netherlands accuse Google of violating their privacyDate: 18 September 2023
According to Reuters, two consumer protection organizations have launched a class action lawsuit against Google's real-time bidding and data privacy policies. The Privacy Protection Foundation and the Consumentenbond consumer associations from the Netherlands asserted that Google engages in "constant surveillance and sharing of personal data through online advertising auctions." According to the organisations, 82,000 people have so far joined the lawsuit.
According to Reuters, two consumer protection organizations have launched a class action lawsuit against Google's real-time bidding and data privacy policies. The Privacy Protection Foundation and the Consumentenbond consumer associations from the Netherlands asserted that Google engages in "constant surveillance and sharing of personal data through online advertising auctions." According to the organisations, 82,000 people have so far joined the lawsuit.
NZ OPC launches a privacy consultation for kidsDate: 18 September 2023
As part of a study on children's privacy, the New Zealand Office of the Privacy Commissioner launched a consultation seeking input from children, their families, and the wider community. According to Privacy Commissioner Michael Webster, New Zealand's Privacy Act stipulates rules for collecting personal information from children and young people. "We want to know if these requirements are effective, or if we need to do more to guide organizations that collect and use children's personal information," he added.
As part of a study on children's privacy, the New Zealand Office of the Privacy Commissioner launched a consultation seeking input from children, their families, and the wider community. According to Privacy Commissioner Michael Webster, New Zealand's Privacy Act stipulates rules for collecting personal information from children and young people. "We want to know if these requirements are effective, or if we need to do more to guide organizations that collect and use children's personal information," he added.
Privacy is "what the internet eats to live."Date: 18 September 2023
Charlie Warzel of The Atlantic writes about digital privacy in an age of massive data collecting and harvesting. "Once we collect our data, it ricochets around a labyrinthine ad-tech ecosystem made up of thousands of companies that offer to make sense of it and serve hyper-targeted ads based on it," he explained. "Our privacy is what the internet eats in order to live."
Charlie Warzel of The Atlantic writes about digital privacy in an age of massive data collecting and harvesting. "Once we collect our data, it ricochets around a labyrinthine ad-tech ecosystem made up of thousands of companies that offer to make sense of it and serve hyper-targeted ads based on it," he explained. "Our privacy is what the internet eats in order to live."
ICO promotes data sharing, To ensure the safety of minorsDate: 18 September 2023
John Edwards, the United Kingdom's Information Commissioner, urged all companies to exchange data in the sake of protecting children online. According to Edwards, businesses and frontline workers in child-facing sectors should not be concerned about legal ramifications for sharing data that saves children from abuse or neglect.
John Edwards, the United Kingdom's Information Commissioner, urged all companies to exchange data in the sake of protecting children online. According to Edwards, businesses and frontline workers in child-facing sectors should not be concerned about legal ramifications for sharing data that saves children from abuse or neglect.
NOYB files complaints over data sharing in French applicationsDate: 18 September 2023
According to complaints made in France by the privacy advocacy group NOYB, the wellness app MyFitnessPal, the real estate app SeLoger, and the electronics retailer Fnac all improperly accessed and exchanged user data. Once the applications were opened on Android devices, according to NOYB, the corporations began collecting and sharing user data with other parties for analytics. NOYB asked the Commission nationale de l'informatique et des libertés, France's data protection regulator, to punish the corporations and order them to destroy the processed data.
According to complaints made in France by the privacy advocacy group NOYB, the wellness app MyFitnessPal, the real estate app SeLoger, and the electronics retailer Fnac all improperly accessed and exchanged user data. Once the applications were opened on Android devices, according to NOYB, the corporations began collecting and sharing user data with other parties for analytics. NOYB asked the Commission nationale de l'informatique et des libertés, France's data protection regulator, to punish the corporations and order them to destroy the processed data.
CNIL handles data protection in the context of the environmentDate: 18 September 2023
The Commission nationale de l'informatique et des libertés, France's data protection body, presented a study on data reduction as a measure of environmental conservation. The "Data, Footprints, and Freedoms" paper investigates whether data protection as a whole may contribute to environmental preservation. The report's goal is to give "answers and recommendations for bringing the two objectives closer together."
The Commission nationale de l'informatique et des libertés, France's data protection body, presented a study on data reduction as a measure of environmental conservation. The "Data, Footprints, and Freedoms" paper investigates whether data protection as a whole may contribute to environmental preservation. The report's goal is to give "answers and recommendations for bringing the two objectives closer together."
ANPD extends public consultation deadline for draft international data transfers regulationDate: 18 September 2023
Brazil's data protection regulator, the Autoridade Nacional de Proteço de Dados, has extended the deadline for public comment on the proposed Regulation on International Transfers of Personal Data. The time for submitting public comments has been extended until October 14th.
Brazil's data protection regulator, the Autoridade Nacional de Proteço de Dados, has extended the deadline for public comment on the proposed Regulation on International Transfers of Personal Data. The time for submitting public comments has been extended until October 14th.
G20 leaders issue privacy and AI announcementsDate: 18 September 2023
During their recent summit in New Delhi, India, G20 leaders reaffirmed their commitment to work on artificial intelligence and privacy issues in their leaders' declaration. The subjects were highlighted as part of the leaders' promises to "technological transformation and digital public infrastructure." The declaration included a section on "harnessing AI responsibly for the good and for all," as well as "the importance of data free flow with trust and cross-border data flows while respecting applicable legal frameworks."
During their recent summit in New Delhi, India, G20 leaders reaffirmed their commitment to work on artificial intelligence and privacy issues in their leaders' declaration. The subjects were highlighted as part of the leaders' promises to "technological transformation and digital public infrastructure." The declaration included a section on "harnessing AI responsibly for the good and for all," as well as "the importance of data free flow with trust and cross-border data flows while respecting applicable legal frameworks."
X Corp and MoPub are facing a Dutch class action lawsuit over data abusesDate: 18 September 2023
According to TechCrunch, X Corp, formerly known as Twitter, and its former mobile advertising platform MoPub are facing a class-action lawsuit in the Netherlands claiming illegal user tracking, data harvesting, and sharing. According to the case, from October 2013 to December 2021, X Corp and MoPub, which is now owned by AppLovin, "unlawfully collected and exchanged user data from over 30,000 free mobile applications in the Netherlands" in breach of the EU General Data Protection Regulation.
According to TechCrunch, X Corp, formerly known as Twitter, and its former mobile advertising platform MoPub are facing a class-action lawsuit in the Netherlands claiming illegal user tracking, data harvesting, and sharing. According to the case, from October 2013 to December 2021, X Corp and MoPub, which is now owned by AppLovin, "unlawfully collected and exchanged user data from over 30,000 free mobile applications in the Netherlands" in breach of the EU General Data Protection Regulation.
A 'tipping point' for Kenyan data privacyDate: 18 September 2023
Thousands of Kenyans waited in line in front of the Kenyatta International Conference Centre on August 1 to exchange their iris scans for around USD50 from cryptocurrency exchange Worldcoin. Following objections from the Kenyan government and the Office of the Data Protection Commissioner of Kenya, the offer was withdrawn less than 48 hours later. Amitkumar Gadhia, CIPP/E, explains the case and why he considers it a "watershed moment for Kenya data protection."
Thousands of Kenyans waited in line in front of the Kenyatta International Conference Centre on August 1 to exchange their iris scans for around USD50 from cryptocurrency exchange Worldcoin. Following objections from the Kenyan government and the Office of the Data Protection Commissioner of Kenya, the offer was withdrawn less than 48 hours later. Amitkumar Gadhia, CIPP/E, explains the case and why he considers it a "watershed moment for Kenya data protection."
Google and the California Attorney General have reached a $93 million settlementDate: 18 September 2023
California Attorney General Rob Bonta announced a USD93 million settlement in connection with accusations over Google's location privacy violations. Google tricked consumers, according to the California Department of Justice, by "collecting, storing, and using their location data for consumer profiling and advertising purposes without informed consent." Google also agreed to take further steps, such as giving users with more information when activating location-related settings, boosting openness around location monitoring and data collection, and informing users that their location information may be used for ad customization.
California Attorney General Rob Bonta announced a USD93 million settlement in connection with accusations over Google's location privacy violations. Google tricked consumers, according to the California Department of Justice, by "collecting, storing, and using their location data for consumer profiling and advertising purposes without informed consent." Google also agreed to take further steps, such as giving users with more information when activating location-related settings, boosting openness around location monitoring and data collection, and informing users that their location information may be used for ad customization.
California Legislature has approved a data broker lawDate: 18 September 2023
The California State Legislature enacted SB 362, the California erase Act, which would authorize the California Privacy Protection Agency to develop a mechanism that would allow California residents to use a single request to erase personal information stored by licensed data brokers in the state. The law now awaits the signature of California Gov. Gavin Newsom, a Democrat. Alex LaCasse, an IAPP Staff Writer, reported on the bill's passing and spoke with stakeholders about its anticipated impact.
The California State Legislature enacted SB 362, the California erase Act, which would authorize the California Privacy Protection Agency to develop a mechanism that would allow California residents to use a single request to erase personal information stored by licensed data brokers in the state. The law now awaits the signature of California Gov. Gavin Newsom, a Democrat. Alex LaCasse, an IAPP Staff Writer, reported on the bill's passing and spoke with stakeholders about its anticipated impact.
Ireland's DPC imposes a 345 million euro TikTok penaltyDate: 18 September 2023
Ireland's Data Protection Commission imposed a 345 million euro punishment and remedial measures on TikTok for suspected EU General Data Protection Regulation infringement involving children's data protection. The enforcement action encompasses 2020 accusations against platform settings impacting adolescents aged 13 to 17. The DPC's judgment follows a binding decision by the European Data Protection Board. Joe Duball, IAPP News Editor, has the scoop.
Ireland's Data Protection Commission imposed a 345 million euro punishment and remedial measures on TikTok for suspected EU General Data Protection Regulation infringement involving children's data protection. The enforcement action encompasses 2020 accusations against platform settings impacting adolescents aged 13 to 17. The DPC's judgment follows a binding decision by the European Data Protection Board. Joe Duball, IAPP News Editor, has the scoop.
The OAIC has released the most recent Notifiable Data Breaches ReportDate: 11 September 2023
The Australian Information Commissioner's Office published its Notifiable Data Breaches Report for the first half of 2023. The biennial research identified the industries most vulnerable to breaches, the causes of breaches, and opportunities for improvement in practice. businesses, according to Commissioner Angelene Falk, "must have the security measures required to minimize the risk of a data breach," and "the longer organizations delay (breach) notification, the greater the chance of harm increases."
The Australian Information Commissioner's Office published its Notifiable Data Breaches Report for the first half of 2023. The biennial research identified the industries most vulnerable to breaches, the causes of breaches, and opportunities for improvement in practice. businesses, according to Commissioner Angelene Falk, "must have the security measures required to minimize the risk of a data breach," and "the longer organizations delay (breach) notification, the greater the chance of harm increases."
PIPC punishes a cellphone provider KRW8 billion for a data breachDate: 11 September 2023
South Korea's Personal Information Protection Commission fined telecoms operator LG Uplus KRW8 billion for a data breach involving approximately 300,000 records including personal information. Furthermore, LG Uplus was fined KRW27 million administratively after its Customer Authentication System was penetrated by a hacker in June 2018, which was not detected until the 23rd of January.
South Korea's Personal Information Protection Commission fined telecoms operator LG Uplus KRW8 billion for a data breach involving approximately 300,000 records including personal information. Furthermore, LG Uplus was fined KRW27 million administratively after its Customer Authentication System was penetrated by a hacker in June 2018, which was not detected until the 23rd of January.
In India, DPDPA compliance deadlines are set at six monthsDate: 11 September 2023
According to The Economic Times of India, India's Minister of State for Electronics and Information Technology, Rajeev Chandrasekhar, the government may allow the IT industry six months to comply with the Digital Personal Data Protection Act. The exact transition duration would be established through stakeholder participation, according to Chandrasekhar, who added that he "will not give them (two) years" while guaranteeing time "so the transition is orderly."
According to The Economic Times of India, India's Minister of State for Electronics and Information Technology, Rajeev Chandrasekhar, the government may allow the IT industry six months to comply with the Digital Personal Data Protection Act. The exact transition duration would be established through stakeholder participation, according to Chandrasekhar, who added that he "will not give them (two) years" while guaranteeing time "so the transition is orderly."
Despite potential for data collection, car manufacturers lack sales dataDate: 11 September 2023
The Mozilla Foundation investigation shined light on possible problems with automakers' data methods, according to The Associated Press. 25 significant manufacturers were polled, and the results revealed that most of them may be selling customer data and would comply with warrantless demands for data from law enforcement.
The Mozilla Foundation investigation shined light on possible problems with automakers' data methods, according to The Associated Press. 25 significant manufacturers were polled, and the results revealed that most of them may be selling customer data and would comply with warrantless demands for data from law enforcement.
US states will give children's internet safety laws top priority in 2024Date: 11 September 2023
Bloomberg Law reports When the 2024 legislative sessions begin, state legislatures in the United States plan to initiate or reintroduce laws addressing children's internet safety. Maryland and Minnesota are among the states preparing to reintroduce measures focusing on children's privacy, while other states may attempt to emulate the California Age-Appropriate Design Code Act. Meanwhile, The Washington Post examines the impact of student advocacy organizations on debates around children's internet safety in the United States Congress.
Bloomberg Law reports When the 2024 legislative sessions begin, state legislatures in the United States plan to initiate or reintroduce laws addressing children's internet safety. Maryland and Minnesota are among the states preparing to reintroduce measures focusing on children's privacy, while other states may attempt to emulate the California Age-Appropriate Design Code Act. Meanwhile, The Washington Post examines the impact of student advocacy organizations on debates around children's internet safety in the United States Congress.
Academic database provider fined by CAC under PIPLDate: 11 September 2023
According to Reuters, China's Cyberspace Administration fined the China National Knowledge Infrastructure CNY50 million for allegedly illegally gathering and processing personal information. The probe of the CNKI is said to have begun in mid-2022. According to a CNKI spokesperson, the academic database "humbly accepts" the decision.
According to Reuters, China's Cyberspace Administration fined the China National Knowledge Infrastructure CNY50 million for allegedly illegally gathering and processing personal information. The probe of the CNKI is said to have begun in mid-2022. According to a CNKI spokesperson, the academic database "humbly accepts" the decision.
South Korea has approved improvements to PIPA enforcementDate: 11 September 2023
On September 5, the Republic of Korea's State Council adopted an update to the Personal Information Protection Act through an Enforcement Decree. Personal Information Protection Committee Chairman Ko Hak-soo revealed that the new enforcement ordinances would go into effect on September 15. The updated PIPA contains "unifying the standards for processing personal information" across several industries.
On September 5, the Republic of Korea's State Council adopted an update to the Personal Information Protection Act through an Enforcement Decree. Personal Information Protection Committee Chairman Ko Hak-soo revealed that the new enforcement ordinances would go into effect on September 15. The updated PIPA contains "unifying the standards for processing personal information" across several industries.
A lawsuit accuses AI tech companies of criminal data scrapingDate: 11 September 2023
In a class-action complaint filed in the United States District Court for the Northern District of California, OpenAI and Microsoft are accused of training their artificial intelligence system with unlawfully obtained personal data belonging to millions of internet users. The action is identical to one filed by Clarkson Law Firm in June.
In a class-action complaint filed in the United States District Court for the Northern District of California, OpenAI and Microsoft are accused of training their artificial intelligence system with unlawfully obtained personal data belonging to millions of internet users. The action is identical to one filed by Clarkson Law Firm in June.
The consultation time for LGPD's 'legitimate interest' provision has been extended by ANPDDate: 11 September 2023
The Autoridade Nacional de Proteço de Dados, Brazil's data protection body, has extended the public comment time for the General Data Protection Law's "legitimate interest" provision. The consultation session is currently open through September 30th.
The Autoridade Nacional de Proteço de Dados, Brazil's data protection body, has extended the public comment time for the General Data Protection Law's "legitimate interest" provision. The consultation session is currently open through September 30th.
MEP challenges the EU-US Data Privacy Framework in courtDate: 11 September 2023
According to Politico Philippe Latombe, a French Member of the European Parliament, has challenged the EU-US Data Privacy Framework at the European Union General Court. The first challenge aims to immediately stop the trans-Atlantic data transfer agreement, while the second questions the legitimacy of the DPF's text. In April, Parliament formally voted against the DPF.
According to Politico Philippe Latombe, a French Member of the European Parliament, has challenged the EU-US Data Privacy Framework at the European Union General Court. The first challenge aims to immediately stop the trans-Atlantic data transfer agreement, while the second questions the legitimacy of the DPF's text. In April, Parliament formally voted against the DPF.
CJEU rules against the use of certain law enforcement dataDate: 11 September 2023
The European Union's Court of Justice ruled against some law enforcement uses of personal data. In a Lithuanian case, the court held that the EU Law Enforcement Directive could not be used "in connection with investigations into corruption in the public service." According to the order, authorities can only utilize personal data from electronic communications for criminal prosecutions.
The European Union's Court of Justice ruled against some law enforcement uses of personal data. In a Lithuanian case, the court held that the EU Law Enforcement Directive could not be used "in connection with investigations into corruption in the public service." According to the order, authorities can only utilize personal data from electronic communications for criminal prosecutions.
The Privacy Act Amendment Bill has been tabled in New Zealand ParliamentDate: 11 September 2023
The New Zealand Office of the Privacy Commissioner announced the introduction of the Privacy Act Amendment Bill to Parliament. The proposed regulation requires covered companies to explain the reasons for data collection as well as the first and third parties that will have access to the data. Michael Webster, the Privacy Commissioner, stated that he supports a "broader transparency requirement" and that the idea is aimed at "keeping up with international best practice."
The New Zealand Office of the Privacy Commissioner announced the introduction of the Privacy Act Amendment Bill to Parliament. The proposed regulation requires covered companies to explain the reasons for data collection as well as the first and third parties that will have access to the data. Michael Webster, the Privacy Commissioner, stated that he supports a "broader transparency requirement" and that the idea is aimed at "keeping up with international best practice."
Legal challenges to the EU-US Data Privacy Framework are being pursuedDate: 11 September 2023
The EU-US Data Privacy Framework has been the subject of the first of several legal challenges in the EU court system. Joe Jones, Director of IAPP Research and Insights, unpacks two potential legal pathways for these concerns, including the one explored by French Member of the European Parliament Philippe Latombe in his submission to the EU General Court.
The EU-US Data Privacy Framework has been the subject of the first of several legal challenges in the EU court system. Joe Jones, Director of IAPP Research and Insights, unpacks two potential legal pathways for these concerns, including the one explored by French Member of the European Parliament Philippe Latombe in his submission to the EU General Court.
1.2 million Americans affected by US food delivery service breachDate: 04 September 2023
According to The Record A data breach that may have compromised more than 1.2 million customers' personal, financial, and medical information was discovered by the American meal delivery service PurFoods. The Financial Times reports that Japan's National Center of Incident Readiness and Strategy for Cybersecurity revealed the identification of a system flaw that might have led to the disclosure of private information between October 2022 and June. A South American spyware campaign that recently infected more than 76,000 Android phones was stopped by pro-consumer hackers, according to TechCrunch.
According to The Record A data breach that may have compromised more than 1.2 million customers' personal, financial, and medical information was discovered by the American meal delivery service PurFoods. The Financial Times reports that Japan's National Center of Incident Readiness and Strategy for Cybersecurity revealed the identification of a system flaw that might have led to the disclosure of private information between October 2022 and June. A South American spyware campaign that recently infected more than 76,000 Android phones was stopped by pro-consumer hackers, according to TechCrunch.
Ireland's DPC takes on the security of back-to-school photosDate: 04 September 2023
The Data Protection Commission of Ireland welcomed the start of the new school year with a blog aimed at parents who share back-to-school images on the internet. The DPC raised the possibility of unintentional oversharing of children's personal data, advising that school details and the actual location of images be shared with children while notifying them of privacy hazards.
The Data Protection Commission of Ireland welcomed the start of the new school year with a blog aimed at parents who share back-to-school images on the internet. The DPC raised the possibility of unintentional oversharing of children's personal data, advising that school details and the actual location of images be shared with children while notifying them of privacy hazards.
Judge rules that the auto insurance will be sued for information regarding driver's licensesDate: 04 September 2023
According to Reuters, a New York-based judge in the U.S. District Court approved the filing of a nationwide class-action lawsuit accusing GEICO of selling driver's license information to identity thieves. According to the lawsuit, when consumers entered "basic" information to get insurance estimates, GEICO allegedly auto-populated driver's license numbers into its database. After a data breach, the information was utilized to file for phony unemployment benefits using the victims' names.
According to Reuters, a New York-based judge in the U.S. District Court approved the filing of a nationwide class-action lawsuit accusing GEICO of selling driver's license information to identity thieves. According to the lawsuit, when consumers entered "basic" information to get insurance estimates, GEICO allegedly auto-populated driver's license numbers into its database. After a data breach, the information was utilized to file for phony unemployment benefits using the victims' names.
Backdoor' for government surveillance in India, is created through intercept monitoring systemsDate: 04 September 2023
The Financial Times claims that India's interception monitoring equipment deployed at subsea cable landing sites may serve as a "backdoor" for government spying. The program looks for, copies, and gives private information to Indian security services. The Home Secretary of India, according to the government, approves all requests for surveillance. According to critics, India's newly approved Digital Personal Data Protection Act enables governmental agents to circumvent privacy safeguards for monitoring.
The Financial Times claims that India's interception monitoring equipment deployed at subsea cable landing sites may serve as a "backdoor" for government spying. The program looks for, copies, and gives private information to Indian security services. The Home Secretary of India, according to the government, approves all requests for surveillance. According to critics, India's newly approved Digital Personal Data Protection Act enables governmental agents to circumvent privacy safeguards for monitoring.
The ICO has issued proposals on email communicationsDate: 04 September 2023
The Information Commissioner's Office in the United Kingdom has cautioned companies not to use the blind carbon copy feature when sending emails containing sensitive personal information. The ICO also issued recommendations to businesses on how to secure personal information while sending mass emails. "Organisations that use and share large amounts of data, including sensitive personal information, should consider using other secure means of sending communications, such as bulk email services, to ensure that information is not shared with people by mistake," the ICO added.
The Information Commissioner's Office in the United Kingdom has cautioned companies not to use the blind carbon copy feature when sending emails containing sensitive personal information. The ICO also issued recommendations to businesses on how to secure personal information while sending mass emails. "Organisations that use and share large amounts of data, including sensitive personal information, should consider using other secure means of sending communications, such as bulk email services, to ensure that information is not shared with people by mistake," the ICO added.
The EU-US Data Privacy Framework underlines the importance of reciprocityDate: 04 September 2023
The US implementing the idea of reciprocity through the Data Protection Review Court is critical to the EU-US Data Privacy Framework, argues Atlantic Council Senior Fellow Kenneth Propp in Lawfare. To justify a court complaint, foreign authorities must protect the data of US persons within their borders and facilitate transfers of the data to the US. Such reciprocal adequacy, according to Propp, "shows growing convergence" and "coherent articulation" in balancing international data flows and foreign surveillance regulations.
The US implementing the idea of reciprocity through the Data Protection Review Court is critical to the EU-US Data Privacy Framework, argues Atlantic Council Senior Fellow Kenneth Propp in Lawfare. To justify a court complaint, foreign authorities must protect the data of US persons within their borders and facilitate transfers of the data to the US. Such reciprocal adequacy, according to Propp, "shows growing convergence" and "coherent articulation" in balancing international data flows and foreign surveillance regulations.
Jordan's House has approved a draft personal data protection billDate: 04 September 2023
Jordan's Parliament stated that the House of Representatives has passed an improved draft Personal Data Protection Law. The House-approved amendments "allow entities subject to the Central Bank's control and supervision to process personal data, including transferring and exchanging data within or outside the Kingdom, without informing the natural person whose data is being processed."
Jordan's Parliament stated that the House of Representatives has passed an improved draft Personal Data Protection Law. The House-approved amendments "allow entities subject to the Central Bank's control and supervision to process personal data, including transferring and exchanging data within or outside the Kingdom, without informing the natural person whose data is being processed."
Tech with zero-knowledge proof offers promise and challengesDate: 04 September 2023
Albus Protocol co-founder and CEO Alexander Ray explored the role of zero-knowledge proof technologies in data privacy and security compliance in an op-ed for Forbes. With its one-party knowledge validation, Ray claims the technology offers a "promising solution to the perennial problem" of data protection. He also mentioned that restrictions on sensitive data releases and random number generator assaults are obstacles to widespread adoption.
Albus Protocol co-founder and CEO Alexander Ray explored the role of zero-knowledge proof technologies in data privacy and security compliance in an op-ed for Forbes. With its one-party knowledge validation, Ray claims the technology offers a "promising solution to the perennial problem" of data protection. He also mentioned that restrictions on sensitive data releases and random number generator assaults are obstacles to widespread adoption.
NOYB charges to fitness tracker for GDPR infringementDate: 04 September 2023
According to Reuters, the privacy advocacy organization NOYB has accused Google-owned Fitbit of breaking the EU General Data Protection Regulation in Austria, Italy, and the Netherlands. In complaints filed against Fitbit, NOYB claimed that users are compelled to consent to data transfers beyond the EU and are not given the option to withdraw consent.
According to Reuters, the privacy advocacy organization NOYB has accused Google-owned Fitbit of breaking the EU General Data Protection Regulation in Austria, Italy, and the Netherlands. In complaints filed against Fitbit, NOYB claimed that users are compelled to consent to data transfers beyond the EU and are not given the option to withdraw consent.
Data Protection Impact Assessment Guide published by Switzerland DPADate: 04 September 2023
The Federal Data Protection and Information Commissioner of Switzerland has issued an information sheet on performing data protection impact assessments. Following the passing of the amended Data Protection Act, the document directs federal agencies and citizens to "prepare a data protection impact assessment if the planned data processing entails a high risk for the (personal data) or fundamental rights of the persons concerned."
The Federal Data Protection and Information Commissioner of Switzerland has issued an information sheet on performing data protection impact assessments. Following the passing of the amended Data Protection Act, the document directs federal agencies and citizens to "prepare a data protection impact assessment if the planned data processing entails a high risk for the (personal data) or fundamental rights of the persons concerned."
A privacy researcher complains to OpenAI for allegedly violating the GDPRDate: 04 September 2023
A Polish privacy and security researcher filed a complaint against OpenAI with Poland's data protection body, the Urzd Ochrony Danych Osobowych, stating the business breached multiple sections of the EU General Data Protection Regulation, according to TechCrunch. According to the lawsuit, the company's generative artificial intelligence system, ChatGPT, violates the GDPR in areas of "lawful basis, transparency, fairness, data access rights, and privacy by design."
A Polish privacy and security researcher filed a complaint against OpenAI with Poland's data protection body, the Urzd Ochrony Danych Osobowych, stating the business breached multiple sections of the EU General Data Protection Regulation, according to TechCrunch. According to the lawsuit, the company's generative artificial intelligence system, ChatGPT, violates the GDPR in areas of "lawful basis, transparency, fairness, data access rights, and privacy by design."
Online privacy and safety for children and teenagers: eight compliance issuesDate: 04 September 2023
Regulators have increased the enforcement of privacy regulations that safeguard kids online during the last several years. Recently, video game businesses, education platforms, social media networks, smart speaker makers, and other suppliers of digital services have been subject to penalties and injunctions for illegal acts involving the personal data of young people. Some countries, including the UK and California, have age-appropriate design guidelines. These set guiding principles that are applicable to almost any company providing online services that are likely to be used by children.
Regulators have increased the enforcement of privacy regulations that safeguard kids online during the last several years. Recently, video game businesses, education platforms, social media networks, smart speaker makers, and other suppliers of digital services have been subject to penalties and injunctions for illegal acts involving the personal data of young people. Some countries, including the UK and California, have age-appropriate design guidelines. These set guiding principles that are applicable to almost any company providing online services that are likely to be used by children.
CPPA Board announces first draft of the most recent CPRA regulationsDate: 04 September 2023
The California Privacy Protection Agency Board has set an open hearing for September 8 to discuss proposed California Privacy Rights Act regulations for cybersecurity audits and risk assessments. Among the areas addressed by the CPPA's second rulemaking package are the draft rules, which were released for preliminary comment prior to official rulemaking operations. The CPPA's second rulemaking is also considering regulations for automated decision-making, although no draft has been issued for the meeting.
The California Privacy Protection Agency Board has set an open hearing for September 8 to discuss proposed California Privacy Rights Act regulations for cybersecurity audits and risk assessments. Among the areas addressed by the CPPA's second rulemaking package are the draft rules, which were released for preliminary comment prior to official rulemaking operations. The CPPA's second rulemaking is also considering regulations for automated decision-making, although no draft has been issued for the meeting.
The Netherlands' DPA issues its first Algorithm Risk ReportDate: 04 September 2023
The Netherlands' data protection regulator, Autoriteit Persoonsgegevens, published its first Algorithm Risk Report. The paper outlined how "both (the) government and business sectors must make significant strides" to "gain better control over algorithms and artificial intelligence." The analysis also discovered that, due to the forthcoming EU AI Act, public and commercial organizations will soon need to begin "comprehending their usage of high-risk algorithms," and urged the government and business to begin such preparedness.
The Netherlands' data protection regulator, Autoriteit Persoonsgegevens, published its first Algorithm Risk Report. The paper outlined how "both (the) government and business sectors must make significant strides" to "gain better control over algorithms and artificial intelligence." The analysis also discovered that, due to the forthcoming EU AI Act, public and commercial organizations will soon need to begin "comprehending their usage of high-risk algorithms," and urged the government and business to begin such preparedness.
An ICO investigation aims to stop 'text pests' from misusing customer dataDate: 28 August 2023
The U.K. Information Commissioner's Office encourages young people to speak up and describe their encounters with "text pests." The act takes place when a person gives personal information to a company and they are then approached by a staff member who is making a romantic advance toward the consumer, for example. According to research conducted on behalf of the ICO, 29% of adults between the ages of 18 and 34 had been harassed via text message.
The U.K. Information Commissioner's Office encourages young people to speak up and describe their encounters with "text pests." The act takes place when a person gives personal information to a company and they are then approached by a staff member who is making a romantic advance toward the consumer, for example. According to research conducted on behalf of the ICO, 29% of adults between the ages of 18 and 34 had been harassed via text message.
Systems for biometric payments present privacy issuesDate: 28 August 2023
According to Bloomberg, privacy groups are worried that biometric payment systems might lead to the loss or misuse of biometric data. "I probably won't be able to distinguish who's who if I look at a photograph of a palm. But that doesn't mean it's not recognizable, since they wouldn't be using it if it weren't, said Jen King, a privacy and data policy fellow at the Stanford Institute for Human-Centered Artificial Intelligence.
According to Bloomberg, privacy groups are worried that biometric payment systems might lead to the loss or misuse of biometric data. "I probably won't be able to distinguish who's who if I look at a photograph of a palm. But that doesn't mean it's not recognizable, since they wouldn't be using it if it weren't, said Jen King, a privacy and data policy fellow at the Stanford Institute for Human-Centered Artificial Intelligence.
India is establishing a framework for parental permissionDate: 28 August 2023
The Economic Times says that Indian officials intend to use Digilocker, a government-supported data governance repository, to create a parental permission mechanism. Platforms might use the database of parent and kid identities created by the system to verify children's ages and obtain their consent.Children under 18 are required to verify their age and privacy as part of India's Digital Personal Data Protection Act.
The Economic Times says that Indian officials intend to use Digilocker, a government-supported data governance repository, to create a parental permission mechanism. Platforms might use the database of parent and kid identities created by the system to verify children's ages and obtain their consent.Children under 18 are required to verify their age and privacy as part of India's Digital Personal Data Protection Act.
Concerning YouTube children's privacy, advocacy organizations ask the FTC to look into the claimsDate: 28 August 2023
Nonprofit advocacy organizations requested an inquiry into YouTube's possible violation of a consent order relating to children's privacy in a letter to the U.S. Federal Trade Commission, according to Ars Technica. The worries are based on previous research that claims YouTube and parent firm Google were using advertising methods to follow minors. The request follows a similar request from U.S. lawmakers.
Nonprofit advocacy organizations requested an inquiry into YouTube's possible violation of a consent order relating to children's privacy in a letter to the U.S. Federal Trade Commission, according to Ars Technica. The worries are based on previous research that claims YouTube and parent firm Google were using advertising methods to follow minors. The request follows a similar request from U.S. lawmakers.
An escort service in Brazil had its 18million records stolen after a language learning app was hackedDate: 28 August 2023
"According to Bleeping Computer, 2.6 million users of the language-learning program DuoLingo had their personal information scraped and posted on a hacker site. A hacker could input any user's profile name and access that user's public information using the data, which was scraped using an exposed application programming interface.
A prominent Brazilian escort service, Fatal Model, had its data compromised, according to a cybersecurity expert, HackRead says. Two databases without password protection had 18 million records exposed."
"According to Bleeping Computer, 2.6 million users of the language-learning program DuoLingo had their personal information scraped and posted on a hacker site. A hacker could input any user's profile name and access that user's public information using the data, which was scraped using an exposed application programming interface.
A prominent Brazilian escort service, Fatal Model, had its data compromised, according to a cybersecurity expert, HackRead says. Two databases without password protection had 18 million records exposed."
The EDPS issues comments on the financial data access framework and the EU payment services directiveDate: 28 August 2023
The European Data Protection Supervisor released two opinions on banking and payment services rules. In its initial opinion, the EDPS approved the proposal for a Regulation on a Financial Data Access Framework and advocated strengthening the definition of "customer data." In the second opinion, the EDPS largely endorsed the Regulation and Directive on payment services throughout the EU, and advised explicitly specifying boundaries on what personal data is required for fraud protection.
The European Data Protection Supervisor released two opinions on banking and payment services rules. In its initial opinion, the EDPS approved the proposal for a Regulation on a Financial Data Access Framework and advocated strengthening the definition of "customer data." In the second opinion, the EDPS largely endorsed the Regulation and Directive on payment services throughout the EU, and advised explicitly specifying boundaries on what personal data is required for fraud protection.
The Indian data protection law takes shape in specificsDate: 28 August 2023
According to Inc42, Indian officials have begun creating secondary rules for the Digital Personal Data Protection Act, as well as forming the Data Protection Board. Clarifying laws on data breach reporting and company duties are being developed at the same time as the government considers DPB nominations and hiring standards. Meanwhile, according to Business Insider India, new companies are unlikely to be spared from the DPDPA and may request a two-year implementation delay.
According to Inc42, Indian officials have begun creating secondary rules for the Digital Personal Data Protection Act, as well as forming the Data Protection Board. Clarifying laws on data breach reporting and company duties are being developed at the same time as the government considers DPB nominations and hiring standards. Meanwhile, according to Business Insider India, new companies are unlikely to be spared from the DPDPA and may request a two-year implementation delay.
A global alert has been issued regarding the scraping of social media dataDate: 28 August 2023
Global data protection agencies published a united statement addressing the privacy threats posed by data scraping on social media and other public platforms. Personal information on the internet that is "publicly available," "publicly accessible," or "of a public nature" is nevertheless subject to worldwide data protection and privacy legislation, according to the DPAs, including the Office of the Privacy Commissioner of Canada. In addition, the joint declaration noted privacy dangers such as targeted cyberattacks, identity fraud, and profiling.
Global data protection agencies published a united statement addressing the privacy threats posed by data scraping on social media and other public platforms. Personal information on the internet that is "publicly available," "publicly accessible," or "of a public nature" is nevertheless subject to worldwide data protection and privacy legislation, according to the DPAs, including the Office of the Privacy Commissioner of Canada. In addition, the joint declaration noted privacy dangers such as targeted cyberattacks, identity fraud, and profiling.
The Senate committee is reviewing Jordan's data protection legislationDate: 28 August 2023
According to The Jordan Times, the Jordan Senate forwarded a draft personal data privacy law to the Public Services Committee for additional assessment and consideration. The initiative, which would create a special council to manage and protect personal data, has been debated in the lower House for the past two years. The administration, according to Prime Minister Bisher Khasawneh, has no objection to returning the law back to committee with the purpose of reconciling public interest with personal data protection.
According to The Jordan Times, the Jordan Senate forwarded a draft personal data privacy law to the Public Services Committee for additional assessment and consideration. The initiative, which would create a special council to manage and protect personal data, has been debated in the lower House for the past two years. The administration, according to Prime Minister Bisher Khasawneh, has no objection to returning the law back to committee with the purpose of reconciling public interest with personal data protection.
Norway's DPA forces guidelines for employee monitoringDate: 28 August 2023
Guidelines for monitoring employees using technology provided by the employer were provided by Datatilsynet, Norway's data protection authority. According to the DPA, "digital work tools can record large amounts of information about employees." Ylva Marrable, section manager, stated that the guidelines "will help employers assess what may be legal to introduce in the workplace, and (at) least give employees guidance on their rights."
Guidelines for monitoring employees using technology provided by the employer were provided by Datatilsynet, Norway's data protection authority. According to the DPA, "digital work tools can record large amounts of information about employees." Ylva Marrable, section manager, stated that the guidelines "will help employers assess what may be legal to introduce in the workplace, and (at) least give employees guidance on their rights."
From DC: Data scrapers are the focus of enforcementDate: 28 August 2023
Cobun Zweifel-Keegan, CIPP/US, CIPM, IAPP Managing Director in Washington, D.C., offers his perspective on the latest privacy developments in the nation's capital and across the country, including a look at the international warning from various data protection authorities to social media platforms about data scraping and ways to prevent it.
Cobun Zweifel-Keegan, CIPP/US, CIPM, IAPP Managing Director in Washington, D.C., offers his perspective on the latest privacy developments in the nation's capital and across the country, including a look at the international warning from various data protection authorities to social media platforms about data scraping and ways to prevent it.
Preparing to comply with Switzerland's new data protection lawDate: 21 August 2023
The updated Swiss Federal Act on Data Protection, which is more in line with the EU General Data Protection Regulation, goes into effect on September 1. Charlotte Mason and Andreas Mätzler, both of Prighter, offer their opinions on the amendments, including the addition of more onerous requirements for non-Swiss corporations and the reporting of data breaches.
The updated Swiss Federal Act on Data Protection, which is more in line with the EU General Data Protection Regulation, goes into effect on September 1. Charlotte Mason and Andreas Mätzler, both of Prighter, offer their opinions on the amendments, including the addition of more onerous requirements for non-Swiss corporations and the reporting of data breaches.
Making proactive compliance roadmaps for India's DPDPADate: 21 August 2023
Nandita Rao Narla, Head of Technical Privacy and Governance at DoorDash and CIPP/US, CIPM, CIPT, FIP, argues that as parts of India's Digital Personal Data Protection Act come into effect, "Organizations should start evaluating their exposure to get a head start on compliance strategy development." Determine applicability, create data inventories and maps, construct consent methods, enable data principle rights, and put technological controls into place are the essential steps Narla highlighted for privacy experts to follow in order to create proactive compliance roadmaps.
Nandita Rao Narla, Head of Technical Privacy and Governance at DoorDash and CIPP/US, CIPM, CIPT, FIP, argues that as parts of India's Digital Personal Data Protection Act come into effect, "Organizations should start evaluating their exposure to get a head start on compliance strategy development." Determine applicability, create data inventories and maps, construct consent methods, enable data principle rights, and put technological controls into place are the essential steps Narla highlighted for privacy experts to follow in order to create proactive compliance roadmaps.
Jordan gets closer to passing a data protection lawDate: 21 August 2023
The Jordan News says that the proposed Data Protection Law has been adopted by Jordan's lower house of parliament. The measure creates the Personal Data Protection Council as the ministry of digital economy and entrepreneurship's regulatory body and retrospectively applies it to covered companies. After being published in the Hashemite Kingdom of Jordan's Official Gazette for six months, the measure would go into force.
The Jordan News says that the proposed Data Protection Law has been adopted by Jordan's lower house of parliament. The measure creates the Personal Data Protection Council as the ministry of digital economy and entrepreneurship's regulatory body and retrospectively applies it to covered companies. After being published in the Hashemite Kingdom of Jordan's Official Gazette for six months, the measure would go into force.
A summon is issued by the US House to Citibank for allegedly sharing data with the FBIDate: 21 August 2023
According to Reuters, Jim Jordan, the Republican chairman of the House Judiciary Committee in the United States, served a subpoena on Citibank for a congressional probe into the alleged exchange of confidential financial information between banks and the FBI. According to Jordan, lawmakers are raising concerns about banks exchanging possibly unlawful data for transactions done in the Washington, D.C. region on or around January 6, 2021.
According to Reuters, Jim Jordan, the Republican chairman of the House Judiciary Committee in the United States, served a subpoena on Citibank for a congressional probe into the alleged exchange of confidential financial information between banks and the FBI. According to Jordan, lawmakers are raising concerns about banks exchanging possibly unlawful data for transactions done in the Washington, D.C. region on or around January 6, 2021.
Israel PPA issues guidelines for transferring data to the EEADate: 21 August 2023
The Privacy Protection Authority of Israel published guidelines for legal data transfers from the European Economic Area for the years 2023–2025. The guidelines have four basic criteria, including the need to be accurate, restrict the retention of unneeded information, and remove personal information.
The Privacy Protection Authority of Israel published guidelines for legal data transfers from the European Economic Area for the years 2023–2025. The guidelines have four basic criteria, including the need to be accurate, restrict the retention of unneeded information, and remove personal information.
FTC fines consumer credit provider $650k for failing to provide email opt-outDate: 21 August 2023
Consumer credit reporting business Experian Consumer Services will pay USD650,000 and guarantee that customers be given a method to opt-out of marketing messages under a proposed settlement with the U.S. Federal Trade Commission. Experian is accused of bombarding customers with unsolicited emails after they signed up for accounts to manage their credit information, according to a complaint made by the U.S. Department of Justice on behalf of the Federal Trade Commission. The proposed order needs to be approved by a federal court.
Consumer credit reporting business Experian Consumer Services will pay USD650,000 and guarantee that customers be given a method to opt-out of marketing messages under a proposed settlement with the U.S. Federal Trade Commission. Experian is accused of bombarding customers with unsolicited emails after they signed up for accounts to manage their credit information, according to a complaint made by the U.S. Department of Justice on behalf of the Federal Trade Commission. The proposed order needs to be approved by a federal court.
Various DPAs from across the world have praised India's data protection lawDate: 21 August 2023
Various nations expressed their appreciation for the passing of India's Digital Personal Data Protection Act. A representative from Norway's data protection agency Datatilsynet, said that it may "mirror" some of the DPDPA's rules while praising the DPDPA's protection of minors from behavioral advertising. Success of the law will "be tied to how the Data Protection Board functions," a representative of South Africa's Information Regulator stated.
Various nations expressed their appreciation for the passing of India's Digital Personal Data Protection Act. A representative from Norway's data protection agency Datatilsynet, said that it may "mirror" some of the DPDPA's rules while praising the DPDPA's protection of minors from behavioral advertising. Success of the law will "be tied to how the Data Protection Board functions," a representative of South Africa's Information Regulator stated.
According to new research, youngsters may have been monitored via YouTube advertsDate: 21 August 2023
According to The New York Times, research from the advertising performance platform Adalytics raises concerns about YouTube's advertising on kid-friendly material and whether such methods allowed for the surveillance of kids online. Adalytics discovered adult product advertisements from over 300 firms labeled "made for kids," and New York Times research revealed that some viewers were directed to brand websites that installed trackers on users' browsers. YouTube is owned by Google, and spokesman Michael Aciman called the research "deeply flawed and misleading."
According to The New York Times, research from the advertising performance platform Adalytics raises concerns about YouTube's advertising on kid-friendly material and whether such methods allowed for the surveillance of kids online. Adalytics discovered adult product advertisements from over 300 firms labeled "made for kids," and New York Times research revealed that some viewers were directed to brand websites that installed trackers on users' browsers. YouTube is owned by Google, and spokesman Michael Aciman called the research "deeply flawed and misleading."
South Korea implements a data portability planDate: 21 August 2023
The Personal Information Protection Commission of South Korea, together with other South Korean ministries, proclaimed a "paradigm shift" toward data portability throughout the digital economy. The initiative's "National My Data Innovation Promotion Strategy" would enable data subjects to "realize the right to self-determination of (their) personal information" through the updated Personal Information Protection Act.
The Personal Information Protection Commission of South Korea, together with other South Korean ministries, proclaimed a "paradigm shift" toward data portability throughout the digital economy. The initiative's "National My Data Innovation Promotion Strategy" would enable data subjects to "realize the right to self-determination of (their) personal information" through the updated Personal Information Protection Act.
Recognizing the legal basis for collecting and processing personal data under China's PIPLDate: 21 August 2023
Article 13 of China's Personal Information Protection Law, which outlines the legal justification for the collection and processing of personal data, is one uncharted area of the law, according to a paper by Bird & Bird Associate Hunter Dorwart, Partner James Gong, and Associate Harry Qu. The authors claimed that Chinese regulators, including the Cyberspace Administration, will issue regulations and guidelines to better define the PIPL's requirements, which take the form of "regulations, administrative measures, guidelines, and technical standards."
Article 13 of China's Personal Information Protection Law, which outlines the legal justification for the collection and processing of personal data, is one uncharted area of the law, according to a paper by Bird & Bird Associate Hunter Dorwart, Partner James Gong, and Associate Harry Qu. The authors claimed that Chinese regulators, including the Cyberspace Administration, will issue regulations and guidelines to better define the PIPL's requirements, which take the form of "regulations, administrative measures, guidelines, and technical standards."
Employers adopting generative AI should be aware of data protection concernsDate: 14 August 2023
"A analogous recent increase in privacy regulations, both in the United States and internationally, occurs with generative artificial intelligence systems. In less than three years, 13 states in the US approved comprehensive data protection laws. Over the past ten years, the majority of wealthy nations have approved new or stronger privacy regulations. Many of these regulations specifically prohibit the use of AI. Therefore, managing personal data in generative AI tools' outputs and feeding them personal data requires negotiating a maze of data protection regulations. With regard to the data from human resources, these problems are particularly complicated. Every organization maintains vast amounts of sensitive personal information about its employees, ranging from performance reviews to health records. The most sensitive data handled by the majority of businesses is HR data."
"A analogous recent increase in privacy regulations, both in the United States and internationally, occurs with generative artificial intelligence systems. In less than three years, 13 states in the US approved comprehensive data protection laws. Over the past ten years, the majority of wealthy nations have approved new or stronger privacy regulations. Many of these regulations specifically prohibit the use of AI. Therefore, managing personal data in generative AI tools' outputs and feeding them personal data requires negotiating a maze of data protection regulations. With regard to the data from human resources, these problems are particularly complicated. Every organization maintains vast amounts of sensitive personal information about its employees, ranging from performance reviews to health records. The most sensitive data handled by the majority of businesses is HR data."
Iraq ceases to utilize Telegram due to purported privacy concernsDate: 14 August 2023
"Since August 6, 2023, Iraqis have been unable to use Telegram without a VPN due to the government's blocking of the app due to worries about national security.
This action was taken in response to a directive from the Ministry of Communications to protect the integrity of user personal data against alleged abuses."
"Since August 6, 2023, Iraqis have been unable to use Telegram without a VPN due to the government's blocking of the app due to worries about national security.
This action was taken in response to a directive from the Ministry of Communications to protect the integrity of user personal data against alleged abuses."
Clearview AI was used by DHS to avoid child exploitationDate: 14 August 2023
According to Forbes, the U.S. Department of Homeland Security's Investigations Unit used facial recognition software from Clearview AI and other suppliers to find online child abuse. In collaboration with U.K. authorities, DHS analyzed 4.3 million images, videos, and other documents relating to child exploitation from its investigations division and Interpol's Child Sexual Exploitation database. Thanks to the scans, several children and the abusers from long-ago occurrences might be located.
According to Forbes, the U.S. Department of Homeland Security's Investigations Unit used facial recognition software from Clearview AI and other suppliers to find online child abuse. In collaboration with U.K. authorities, DHS analyzed 4.3 million images, videos, and other documents relating to child exploitation from its investigations division and Interpol's Child Sexual Exploitation database. Thanks to the scans, several children and the abusers from long-ago occurrences might be located.
Transmitting taxi client data to Russia is prohibited in Finland and NorwayDate: 14 August 2023
In reaction to a new Russian law that would let security agencies to collect passenger data, Finland's Office of the Data Protection Ombudsman ordered the parent firms of the Yango cab service to temporarily cease transfers of client data to Russia. The firms' capacity to send taxi client data to Russia has also been blocked by Norway's data protection agency, Datatilsynet.
In reaction to a new Russian law that would let security agencies to collect passenger data, Finland's Office of the Data Protection Ombudsman ordered the parent firms of the Yango cab service to temporarily cease transfers of client data to Russia. The firms' capacity to send taxi client data to Russia has also been blocked by Norway's data protection agency, Datatilsynet.
Applying the EU-US Data Privacy Framework into practice across countriesDate: 14 August 2023
Cobun Zweifel-Keegan, CIPP/US, CIPM, and Director of Research and Insights, IAPP Managing Director, Washington, D.C. Under the new EU-U.S. Data Privacy Framework, Joe Jones created an infographic illustrating the stages for data transfers from European countries to the U.S. The resource applies to organizations that have previously signed up for the EU-US Privacy Shield, those that are signing up for the DPF for the first time, and U.S. entities that have not yet self-certified.
Cobun Zweifel-Keegan, CIPP/US, CIPM, and Director of Research and Insights, IAPP Managing Director, Washington, D.C. Under the new EU-U.S. Data Privacy Framework, Joe Jones created an infographic illustrating the stages for data transfers from European countries to the U.S. The resource applies to organizations that have previously signed up for the EU-US Privacy Shield, those that are signing up for the DPF for the first time, and U.S. entities that have not yet self-certified.
ICO and CMA warn against creating websites that compel users to share their dataDate: 14 August 2023
Businesses should "stop using harmful website designs" that "trick consumers into giving up more of their personal data" than they would otherwise, according to a joint recommendation from the U.K. Information Commissioner's Office and Competition and Markets Authority. In a combined position paper, the agencies highlighted the potential legal violations of design techniques. The authorities also provided advice on how to give people more influence over their personal data.
Businesses should "stop using harmful website designs" that "trick consumers into giving up more of their personal data" than they would otherwise, according to a joint recommendation from the U.K. Information Commissioner's Office and Competition and Markets Authority. In a combined position paper, the agencies highlighted the potential legal violations of design techniques. The authorities also provided advice on how to give people more influence over their personal data.
California received clearance from the Dubai International Financial Center as adequateDate: 14 August 2023
The California Consumer Privacy Act and Dubai's Data Protection Law 2020 are fundamentally equivalent, according to a ruling made by the Dubai International Financial Centre. According to Jacques Visser, the commissioner of data protection for the DIFC, "it became clear in evaluating California's privacy law and regulations, together with implementation, enforcement, and other holistic factors, that California importers will treat personal data from DIFC in large part ethically and fairly."
The California Consumer Privacy Act and Dubai's Data Protection Law 2020 are fundamentally equivalent, according to a ruling made by the Dubai International Financial Centre. According to Jacques Visser, the commissioner of data protection for the DIFC, "it became clear in evaluating California's privacy law and regulations, together with implementation, enforcement, and other holistic factors, that California importers will treat personal data from DIFC in large part ethically and fairly."
Vendor of privacy management receives $25 million fundingDate: 14 August 2023
"A USD25 million Series B fundraising round headed by Baird Capital was announced by privacy management firm Osano on August 10.
Arlo Gilbert, the CEO and co-founder of Osano, stated that the business will use the financial injection to grow many divisions and, in part, engage in research and development.
Gilbert stated in a statement: ""This increase is a tribute to that approach. When Osano was founded, we had a simple purpose: reinventing data privacy and compliance while expanding responsibly. With this increase, we are ""doubling down in the space and ensuring that our vision and mission revolve around helping enterprises keep up with the constantly changing laws and regulations,"
"A USD25 million Series B fundraising round headed by Baird Capital was announced by privacy management firm Osano on August 10.
Arlo Gilbert, the CEO and co-founder of Osano, stated that the business will use the financial injection to grow many divisions and, in part, engage in research and development.
Gilbert stated in a statement: ""This increase is a tribute to that approach. When Osano was founded, we had a simple purpose: reinventing data privacy and compliance while expanding responsibly. With this increase, we are ""doubling down in the space and ensuring that our vision and mission revolve around helping enterprises keep up with the constantly changing laws and regulations,"
Minister pledges to disregard the data protection law in India's enforcementDate: 14 August 2023
Rajeev Chandrasekhar, India's Minister of State for Electronics and Information Technology, told Moneycontrol that companies that acquire user agreement to process their personal data would be held accountable for violations under the country's Digital Personal Data Protection Bill. In the words of Chandrasekhar, businesses "won't be allowed to pass the buck to third-party cloud service providers." The DPDPB's benefits and drawbacks, such as maintaining the government's exemption provision, were discussed in an op-ed that appeared in India Legal.
Rajeev Chandrasekhar, India's Minister of State for Electronics and Information Technology, told Moneycontrol that companies that acquire user agreement to process their personal data would be held accountable for violations under the country's Digital Personal Data Protection Bill. In the words of Chandrasekhar, businesses "won't be allowed to pass the buck to third-party cloud service providers." The DPDPB's benefits and drawbacks, such as maintaining the government's exemption provision, were discussed in an op-ed that appeared in India Legal.
REFILE-Austrian data privacy activist files case against Apple, Amazon, and othersDate: 07 August 2023
Reuters, January 18, Vienna - Eight major companies, including Apple and Amazon, were identified in a lawsuit made in Austria by the non-profit group noyb, which claimed they had violated the General Data Protection Regulation (GDPR) of the European Union.
In addition to Netflix, Spotify, and Youtube, the noyb action, led by data privacy campaigner Max Schrems, tested the firms by seeking whatever private information they may have on customers.
Reuters, January 18, Vienna - Eight major companies, including Apple and Amazon, were identified in a lawsuit made in Austria by the non-profit group noyb, which claimed they had violated the General Data Protection Regulation (GDPR) of the European Union.
In addition to Netflix, Spotify, and Youtube, the noyb action, led by data privacy campaigner Max Schrems, tested the firms by seeking whatever private information they may have on customers.
The FTC has filed a complaint against Chegg for lax security, which exposed the personal information of millions of customersDate: 07 August 2023
The Federal Trade Commission is pursuing action against Chegg Inc., a supplier of educational technology, for its deficient data security procedures that exposed personal information, including Social Security numbers, email addresses, and passwords, regarding millions of its customers and workers. Despite having had four security breaches since 2017, Chegg apparently did not address the issues with their data security. According to the FTC's proposed order, the business must improve its data security, set limits on the data it may gather and keep, provide customers with multifactor authentication to protect their accounts, and enable them access and erase their data.
The Federal Trade Commission is pursuing action against Chegg Inc., a supplier of educational technology, for its deficient data security procedures that exposed personal information, including Social Security numbers, email addresses, and passwords, regarding millions of its customers and workers. Despite having had four security breaches since 2017, Chegg apparently did not address the issues with their data security. According to the FTC's proposed order, the business must improve its data security, set limits on the data it may gather and keep, provide customers with multifactor authentication to protect their accounts, and enable them access and erase their data.
The FCC has proposed a $20 million data security penalties on linked carriersDate: 07 August 2023
The Federal Communications Commission of the United States requested a USD20 million penalties against Q Link Wireless and Hello Mobile Telecom, two linked telecommunications carriers, for suspected unlawful access and disclosure of consumer data. The FCC Privacy and Data Protection Task Force inquiry discovered that purported data security flaws allowed unauthenticated customer identities to get access to customer private network information.
The Federal Communications Commission of the United States requested a USD20 million penalties against Q Link Wireless and Hello Mobile Telecom, two linked telecommunications carriers, for suspected unlawful access and disclosure of consumer data. The FCC Privacy and Data Protection Task Force inquiry discovered that purported data security flaws allowed unauthenticated customer identities to get access to customer private network information.
Biometric class complaints brought against Pepsi and ByteDanceDate: 07 August 2023
According to Top Class Actions, an ex-employee of an Illinois Pepsi distribution warehouse filed a federal class-action complaint in New York, alleging that the corporation unlawfully gathered voice prints of its employees without their knowledge and in violation of the Illinois Biometric Information Privacy Act. According to Engadget, ByteDance was sued in an Illinois BIPA class-action complaint for allegedly collecting user location data, voice prints, and facial scans without permission through its CapCut video editing software.
According to Top Class Actions, an ex-employee of an Illinois Pepsi distribution warehouse filed a federal class-action complaint in New York, alleging that the corporation unlawfully gathered voice prints of its employees without their knowledge and in violation of the Illinois Biometric Information Privacy Act. According to Engadget, ByteDance was sued in an Illinois BIPA class-action complaint for allegedly collecting user location data, voice prints, and facial scans without permission through its CapCut video editing software.
Israel PPA publishes a draft of its employee biometric data gathering guidelinesDate: 07 August 2023
The capacity of businesses to gather the biometric information of their employees is governed by draft rules published by Israel's Privacy Protection Authority, according to FindBiometrics. The "Policy Paper: Collection and Use of Biometric Data at the Workplace" paper advises against employers collecting biometric information but permits limited cases of employee biometric monitoring during working hours. Up until August 18th, the PPA is accepting public comments on the document.
The capacity of businesses to gather the biometric information of their employees is governed by draft rules published by Israel's Privacy Protection Authority, according to FindBiometrics. The "Policy Paper: Collection and Use of Biometric Data at the Workplace" paper advises against employers collecting biometric information but permits limited cases of employee biometric monitoring during working hours. Up until August 18th, the PPA is accepting public comments on the document.
Parliament is presented with India's draft data protection lawDate: 07 August 2023
"The proposed Digital Personal Data Protection Bill can now be considered by the Indian Parliament after years of discussion and delays. Following agreement by the Union Cabinet of Ministers on July 5, the draft bill's 2023 version was tabled in the lower house of Parliament, the Lok Sabha, on August 3. The Lok Sabha is anticipated to begin debating the DPDPB on August 7, according ANI News. Data breaches and DPDPB violations will be subject to action by the proposed Data Protection Board. The Data Protection Board and the federal government are granted legal immunity under the proposed DPDPB for ""anything which is done or intended to be done in good faith under the provisions of this Act or the rules made thereunder."
"The proposed Digital Personal Data Protection Bill can now be considered by the Indian Parliament after years of discussion and delays. Following agreement by the Union Cabinet of Ministers on July 5, the draft bill's 2023 version was tabled in the lower house of Parliament, the Lok Sabha, on August 3. The Lok Sabha is anticipated to begin debating the DPDPB on August 7, according ANI News. Data breaches and DPDPB violations will be subject to action by the proposed Data Protection Board. The Data Protection Board and the federal government are granted legal immunity under the proposed DPDPB for ""anything which is done or intended to be done in good faith under the provisions of this Act or the rules made thereunder."
Children's privacy legislation is advanced by the US SenateDate: 07 August 2023
"Two bipartisan proposals to improve kid internet safety regulations were passed by the U.S. Senate Committee on Commerce, a step that senators termed ""critical"" in the face of a ""sobering"" situation. Both the Kids Online Safety Act and the Children and Teens' Online Privacy Protection Act were approved by the committee and are now up for consideration by the full Senate. The approvals come days after US President Joe Biden explicitly approved the laws and reaffirmed his two-year request for stronger protections for children's privacy.
""Kids data, their personal information is the raw material that Big Tech uses to power algorithms that push toxic content that harms children, that harms teenagers,"" said Sen. Edward Markey, a Democrat from Massachusetts. We're telling Big Tech loud and clear that enough is enough. Enough with putting the value of money before mental wellness. Enough of putting the bottom line before people."
"Two bipartisan proposals to improve kid internet safety regulations were passed by the U.S. Senate Committee on Commerce, a step that senators termed ""critical"" in the face of a ""sobering"" situation. Both the Kids Online Safety Act and the Children and Teens' Online Privacy Protection Act were approved by the committee and are now up for consideration by the full Senate. The approvals come days after US President Joe Biden explicitly approved the laws and reaffirmed his two-year request for stronger protections for children's privacy.
""Kids data, their personal information is the raw material that Big Tech uses to power algorithms that push toxic content that harms children, that harms teenagers,"" said Sen. Edward Markey, a Democrat from Massachusetts. We're telling Big Tech loud and clear that enough is enough. Enough with putting the value of money before mental wellness. Enough of putting the bottom line before people."
The DSAR Conundrum: To Charge or Not to Charge?Date: 31 July 2023
The chairmen of Australia's IAPP Knowledge Network didn't utilize anything like scientific to reach that decision. Our July Knowledge Network virtual meeting, on the other hand, drew a large crowd. Approximately 90 privacy professionals took part in our "to charge or not to charge" debate. Surprisingly, the majority of interviewees said their organizations or those they dealt with were thinking about charging fees. Some had even established fee schedules, but almost none of the attendees had put such processes into action.There are compelling reasons to impose DSAR processing fees. The most evident is that private sector businesses and Australian government agencies devote large resources, including personnel, information technology money, security control efforts, and a variety of other costs, to ensuring compliance with the Australian Privacy Principles.
The chairmen of Australia's IAPP Knowledge Network didn't utilize anything like scientific to reach that decision. Our July Knowledge Network virtual meeting, on the other hand, drew a large crowd. Approximately 90 privacy professionals took part in our "to charge or not to charge" debate. Surprisingly, the majority of interviewees said their organizations or those they dealt with were thinking about charging fees. Some had even established fee schedules, but almost none of the attendees had put such processes into action.There are compelling reasons to impose DSAR processing fees. The most evident is that private sector businesses and Australian government agencies devote large resources, including personnel, information technology money, security control efforts, and a variety of other costs, to ensuring compliance with the Australian Privacy Principles.
Datatilsynet, Norway's data privacy regulator, punished Meta for data privacy violationsDate: 31 July 2023
"Meta Platforms, which owns Facebook and Instagram, will be fined one million crowns ($100,000) per day for privacy violations until it takes corrective action, Norway's data protection authorities announced on Monday, in a move that might have broader European ramifications.
The fee will be charged every day from August 4 to November 3 unless Meta takes action, according to Datatilsynet."
"Meta Platforms, which owns Facebook and Instagram, will be fined one million crowns ($100,000) per day for privacy violations until it takes corrective action, Norway's data protection authorities announced on Monday, in a move that might have broader European ramifications.
The fee will be charged every day from August 4 to November 3 unless Meta takes action, according to Datatilsynet."
The ICO issues a warning to banks on data sharing practicesDate: 31 July 2023
The Information Commissioner's Office in the United Kingdom has issued a warning to members of the banking and financial services organisation U.K. Finance for illegal financial data sharing. The warning was issued in response to reports that NatWest Bank shared account information from a former lawmaker with the media. According to the United Kingdom's Information Commissioner, John Edwards, banks "should not use information in an unexpected way" and "should not hold any more information than is necessary."
The Information Commissioner's Office in the United Kingdom has issued a warning to members of the banking and financial services organisation U.K. Finance for illegal financial data sharing. The warning was issued in response to reports that NatWest Bank shared account information from a former lawmaker with the media. According to the United Kingdom's Information Commissioner, John Edwards, banks "should not use information in an unexpected way" and "should not hold any more information than is necessary."
Australia has fined Meta $20 million for using false dataDate: 31 July 2023
The Federal Court of Australia ordered Meta's Facebook Israel and the now-defunct Onavo to pay a total of AUD20 million for failing to fully disclose data gathering activities. According to the Australian Competition and Consumer Commission, which initiated the lawsuit, Meta exploited anonymised and aggregated data for market research purposes, including users' internet and app usage. Consumers, according to ACCC Chair Gina Cass-Gottlieb, "should be able to make an informed choice about what happens to their data based on clear information that is not misleading."
The Federal Court of Australia ordered Meta's Facebook Israel and the now-defunct Onavo to pay a total of AUD20 million for failing to fully disclose data gathering activities. According to the Australian Competition and Consumer Commission, which initiated the lawsuit, Meta exploited anonymised and aggregated data for market research purposes, including users' internet and app usage. Consumers, according to ACCC Chair Gina Cass-Gottlieb, "should be able to make an informed choice about what happens to their data based on clear information that is not misleading."
Ireland airline's face recognition system is the subject of a NOYB complaintDate: 31 July 2023
According to Reuters, the privacy rights organization NOYB complained to Spain's data protection agency, the Agencia Espaola for Protección de Datos, arguing that the use of face recognition by the Irish airline Ryanair violates the EU General Data Protection Regulation. The airline's biometric verification procedure for flight bookings, according to NOYB, lacks a valid legal justification.
According to Reuters, the privacy rights organization NOYB complained to Spain's data protection agency, the Agencia Espaola for Protección de Datos, arguing that the use of face recognition by the Irish airline Ryanair violates the EU General Data Protection Regulation. The airline's biometric verification procedure for flight bookings, according to NOYB, lacks a valid legal justification.
Bills protecting children's privacy move forward in a US Senate committeeDate: 31 July 2023
"The United States Senate Committee on Commerce passed two bipartisan legislation to strengthen internet safeguards for minors, a step senators termed ""critical"" in tackling a ""sobering"" situation.
The committee agreed to advance the Kids Online Safety Act and the Children and Teens' Online Privacy Protection Act, making both bills eligible for consideration by the full Senate. The legislation were approved just days after US President Joe Biden personally backed them and stated that he has been advocating for improved children's privacy rights for two years."
"The United States Senate Committee on Commerce passed two bipartisan legislation to strengthen internet safeguards for minors, a step senators termed ""critical"" in tackling a ""sobering"" situation.
The committee agreed to advance the Kids Online Safety Act and the Children and Teens' Online Privacy Protection Act, making both bills eligible for consideration by the full Senate. The legislation were approved just days after US President Joe Biden personally backed them and stated that he has been advocating for improved children's privacy rights for two years."
The PIPC of South Korea starts a public consultation on proposed data transfer lawsDate: 31 July 2023
A public consultation has been opened by South Korea's Personal Information Protection Commission on the proposed "Regulations on the Operation of Overseas Transfer of Personal Information." Till August 14th, opinions on the proposed regulations are welcome.
A public consultation has been opened by South Korea's Personal Information Protection Commission on the proposed "Regulations on the Operation of Overseas Transfer of Personal Information." Till August 14th, opinions on the proposed regulations are welcome.
An overview of the EU's'reciprocal' privacy laws, according to the attorney generalDate: 24 July 2023
The two remaining elements came together to implement the EU-U.S. Data Privacy Framework, which was announced last October, and provide a new legal foundation for the transfer of personal data from the EU to the U.S. Under President Joe Biden's Executive Order 14086, U.S. Attorney General Merrick Garland classified the European Union and the European Economic Area as "qualifying states".
The two remaining elements came together to implement the EU-U.S. Data Privacy Framework, which was announced last October, and provide a new legal foundation for the transfer of personal data from the EU to the U.S. Under President Joe Biden's Executive Order 14086, U.S. Attorney General Merrick Garland classified the European Union and the European Economic Area as "qualifying states".
The FTC has issued a $7.8 million order against BetterHelp for sensitive data sharingDate: 24 July 2023
A USD7.8 million judgment against BetterHelp for allegedly unlawful data sharing for advertising reasons was concluded by the US Federal Trade Commission. The order forbids the online counseling service from exchanging personal information for retargeting and health data about customers for advertising. Additionally, it mandates that BetterHelp "obtain affirmative express consent" before exposing personal information to specific third parties for any purpose, create a data retention schedule, and employ a "comprehensive privacy program that includes strong safeguards to protect consumer data."
A USD7.8 million judgment against BetterHelp for allegedly unlawful data sharing for advertising reasons was concluded by the US Federal Trade Commission. The order forbids the online counseling service from exchanging personal information for retargeting and health data about customers for advertising. Additionally, it mandates that BetterHelp "obtain affirmative express consent" before exposing personal information to specific third parties for any purpose, create a data retention schedule, and employ a "comprehensive privacy program that includes strong safeguards to protect consumer data."
The California Attorney General sends major businesses formal CCPA compliance requestsDate: 24 July 2023
The California Attorney General Rob Bonta recently inquired about the compliance of large-sized employers throughout the state with the California Consumer Privacy Act. Specifically, Bonta's letters ask businesses to comply with personal information protection laws governing employees and job applicants. A letter asking employers to comply with their legal obligations is on its way, Bonta said.
The California Attorney General Rob Bonta recently inquired about the compliance of large-sized employers throughout the state with the California Consumer Privacy Act. Specifically, Bonta's letters ask businesses to comply with personal information protection laws governing employees and job applicants. A letter asking employers to comply with their legal obligations is on its way, Bonta said.
WhatsApp changes the EU's legal basis for collecting personal dataDate: 24 July 2023
The Data Protection Commission of Ireland fined WhatsApp 5.5 million euros in January for processing personal data without the required legal basis, according to Euractiv. The DPC found WhatsApp's previous "contract" legal basis to be insufficient and ordered the app to come up with a new one. The "legitimate interest" legal foundation will now be used by WhatsApp, which, according to a spokesman, "does not change our commitment to user privacy" or "the way we treat user data."
The Data Protection Commission of Ireland fined WhatsApp 5.5 million euros in January for processing personal data without the required legal basis, according to Euractiv. The DPC found WhatsApp's previous "contract" legal basis to be insufficient and ordered the app to come up with a new one. The "legitimate interest" legal foundation will now be used by WhatsApp, which, according to a spokesman, "does not change our commitment to user privacy" or "the way we treat user data."
US ITA builds webpage for data privacy frameworkDate: 24 July 2023
The European Union-U.S. Data Privacy Framework has been launched by the U.S. International Trade Administration. As well as information on self-certification, the website also offers information for American and European companies, individuals, and government agencies.
The European Union-U.S. Data Privacy Framework has been launched by the U.S. International Trade Administration. As well as information on self-certification, the website also offers information for American and European companies, individuals, and government agencies.
EU and US officials applaud the framework's completionDate: 24 July 2023
At a meeting at the U.S. Department of Justice, U.S. Attorney General Merrick Garland, Secretary of Commerce Gina Raimondo and European Commissioner for Justice Didier Reynders welcomed the finalized EU-U.S. Framework on Data Privacy. Reynders said the framework "guarantees the fundamental right of Europeans to protect their privacy while promoting economic opportunity," while Raimondo said it "guarantees the right to the protection of their personal data as well as legal certainty for companies on both sides of the Atlantic."
At a meeting at the U.S. Department of Justice, U.S. Attorney General Merrick Garland, Secretary of Commerce Gina Raimondo and European Commissioner for Justice Didier Reynders welcomed the finalized EU-U.S. Framework on Data Privacy. Reynders said the framework "guarantees the fundamental right of Europeans to protect their privacy while promoting economic opportunity," while Raimondo said it "guarantees the right to the protection of their personal data as well as legal certainty for companies on both sides of the Atlantic."
Children's privacy violated by Amazon settles for $25MDate: 24 July 2023
Amazon has agreed to a permanent injunction and a USD25 million civil penalty after the Department of Justice and the Federal Trade Commission announced alleged privacy violations related to its Alexa voice assistant. A complaint filed in the U.S. Western District of Washington alleges Amazon retains children's voice recordings indefinitely and engages in unfair privacy practices. The order requires Amazon to identify and delete inactive child profiles.
Amazon has agreed to a permanent injunction and a USD25 million civil penalty after the Department of Justice and the Federal Trade Commission announced alleged privacy violations related to its Alexa voice assistant. A complaint filed in the U.S. Western District of Washington alleges Amazon retains children's voice recordings indefinitely and engages in unfair privacy practices. The order requires Amazon to identify and delete inactive child profiles.
Hong Kong PCPD publishes data breach guidanceDate: 13 July 2023
Hong Kong's Office of the Privacy Commissioner for Personal Data published guidelines on data breach notification and reporting. Comparing the first half of 2023 with the second half of 2022, the PCPD observed a 20% increase in breaches. Data breach incident response plans should be developed by organizations so they can respond promptly and manage them effectively, said Commissioner Ada Chung.
Hong Kong's Office of the Privacy Commissioner for Personal Data published guidelines on data breach notification and reporting. Comparing the first half of 2023 with the second half of 2022, the PCPD observed a 20% increase in breaches. Data breach incident response plans should be developed by organizations so they can respond promptly and manage them effectively, said Commissioner Ada Chung.
Brazil's ANPD issues first sanction for LGPD violationDate: 13 July 2023
Telekall Infoservice was fined BRL14,400 by Brazil's data protection authority under the General Personal Data Protection Law. ANPD found the company violated Articles 5, 7 and 41. An appeal may be filed by Telecall Infoservice.
Telekall Infoservice was fined BRL14,400 by Brazil's data protection authority under the General Personal Data Protection Law. ANPD found the company violated Articles 5, 7 and 41. An appeal may be filed by Telecall Infoservice.
Data protection law initiative advances in GuatemalaDate: 13 July 2023
Initiative 6,105, which seeks approval of the "Data Protection Law," was recommended favorably by the Guatemala Transparency and Probity Commission. The bill now returns to Congress for three debates. It could be approved in a single debate if declared a national emergency, which requires two-thirds support. First debate has not yet been held on the project.
Initiative 6,105, which seeks approval of the "Data Protection Law," was recommended favorably by the Guatemala Transparency and Probity Commission. The bill now returns to Congress for three debates. It could be approved in a single debate if declared a national emergency, which requires two-thirds support. First debate has not yet been held on the project.
South Africa IR fines Department of Justice for PPIA violationsDate: 13 July 2023
An enforcement notice issued by South Africa's Information Regulator against the Department of Justice and Constitutional Development was allegedly circumvented after the agency issued the fine after the agency issued an enforcement notice. In order to renew the licenses for Trend Anti-Virus, SIEM, and Intrusion Detection System, the DoJ&CD had until 9 June to provide documentation.
An enforcement notice issued by South Africa's Information Regulator against the Department of Justice and Constitutional Development was allegedly circumvented after the agency issued the fine after the agency issued an enforcement notice. In order to renew the licenses for Trend Anti-Virus, SIEM, and Intrusion Detection System, the DoJ&CD had until 9 June to provide documentation.
India's Digital Personal Data Protection Bill gets Cabinet approvalDate: 13 July 2023
A proposed bill to protect personal data was approved by India's Union Cabinet of Ministers, CNBC reports. The bill has been cleared by the Union Council of Ministers for tabling during the monsoon session of the Indian Parliament, which begins 20 July.
A proposed bill to protect personal data was approved by India's Union Cabinet of Ministers, CNBC reports. The bill has been cleared by the Union Council of Ministers for tabling during the monsoon session of the Indian Parliament, which begins 20 July.
Additional fines under India's proposed DPDPB possibleDate: 13 July 2023
A recently published Hindustan Times report suggests that in the proposed Digital Personal Data Protection Bill, "penal provisions" may be added for violating agreements with the Data Protection Board. An official stated that voluntary undertakings can include undertakings to perform certain actions (such as reporting a data breach) within specified timeframes, refraining from taking specific actions, and publicizing them. Previously, there would have been no penalties for breaking a voluntary pledge under the bill.
A recently published Hindustan Times report suggests that in the proposed Digital Personal Data Protection Bill, "penal provisions" may be added for violating agreements with the Data Protection Board. An official stated that voluntary undertakings can include undertakings to perform certain actions (such as reporting a data breach) within specified timeframes, refraining from taking specific actions, and publicizing them. Previously, there would have been no penalties for breaking a voluntary pledge under the bill.
South Korea's PIPC fines 3 businesses for mishandling personal informationDate: 13 July 2023
According to the South Korean Personal Information Protection Commission, three businesses have been fined more than 1.23 billion won in violation of the Personal Information Protection Act. Each of the three businesses was fined for failing to enact safety measures that would have protected the personal information of its users.
According to the South Korean Personal Information Protection Commission, three businesses have been fined more than 1.23 billion won in violation of the Personal Information Protection Act. Each of the three businesses was fined for failing to enact safety measures that would have protected the personal information of its users.
Senators question Amazon Clinic's data collection practicesDate: 21 June 2023
The US senators Elizabeth Warren, D-Mass., and Peter Welch, D-Vt., wrote to Amazon CEO Andy Jassy about patient data protection. A portion of the letter stated that "Amazon Clinic does not provide any information on its website about why it collects medical data about customers or how that data is used.
The US senators Elizabeth Warren, D-Mass., and Peter Welch, D-Vt., wrote to Amazon CEO Andy Jassy about patient data protection. A portion of the letter stated that "Amazon Clinic does not provide any information on its website about why it collects medical data about customers or how that data is used.
Texans' comprehensive privacy bill is signed into lawDate: 21 June 2023
According to The Texan, Gov. Greg Abbott signed HB 4, the Texas Data and Privacy Security Act, into law on 18 June. A majority of the law goes into effect on 1 July 2024, while provisions recognising universal opt-out mechanisms go into effect on 1 January 2025. "Our goal from the onset was to maximize the utility of consumers' rights and minimize the compliance costs for businesses," said state Rep. Giovanni Capriglione, R-Texas.
According to The Texan, Gov. Greg Abbott signed HB 4, the Texas Data and Privacy Security Act, into law on 18 June. A majority of the law goes into effect on 1 July 2024, while provisions recognising universal opt-out mechanisms go into effect on 1 January 2025. "Our goal from the onset was to maximize the utility of consumers' rights and minimize the compliance costs for businesses," said state Rep. Giovanni Capriglione, R-Texas.
Irish DPC faces complaint from NOYB over Meta enforcementDate: 21 June 2023
NOYB, a group dedicated to privacy rights, sued the Irish High Court for failing to enforce alleged EU General Data Protection Regulation violations by Meta after consulting with members of the European Data Protection Board. According to the NOYB, Meta's violations were altered in the draft decision by the DPC.
NOYB, a group dedicated to privacy rights, sued the Irish High Court for failing to enforce alleged EU General Data Protection Regulation violations by Meta after consulting with members of the European Data Protection Board. According to the NOYB, Meta's violations were altered in the draft decision by the DPC.
President of Nigeria approves Data Protection BillDate: 21 June 2023
The Nigeria Data Protection Bill, 2023 was signed into law by President Bola Tinubu on 14 June. It creates the Nigeria Data Protection Commission under the direction of a national commissioner for the purpose of regulating the processing of personal information by entities.
The Nigeria Data Protection Bill, 2023 was signed into law by President Bola Tinubu on 14 June. It creates the Nigeria Data Protection Commission under the direction of a national commissioner for the purpose of regulating the processing of personal information by entities.
Spotify fined SEK58M under the GDPR by Sweden's DPADate: 21 June 2023
A fine of SEK58 million was issued against Spotify by Sweden's data protection authority, for alleged violations related to transparency under the EU General Data Protection Regulation. IMY found Spotify responds to data access requests, but fails to explain how the data is used by the company.
A fine of SEK58 million was issued against Spotify by Sweden's data protection authority, for alleged violations related to transparency under the EU General Data Protection Regulation. IMY found Spotify responds to data access requests, but fails to explain how the data is used by the company.
2M Japanese Toyota customers' vehicle data exposed to the public cloudDate: 16 May 2023
Reuters reports that Toyota blames "human error" for leaving Japanese customer data exposed for a decade. After Toyota switched its cloud service platform from a private to public mode, identification numbers and location data of vehicles belonging to more than two million customers were publicly accessible.
Reuters reports that Toyota blames "human error" for leaving Japanese customer data exposed for a decade. After Toyota switched its cloud service platform from a private to public mode, identification numbers and location data of vehicles belonging to more than two million customers were publicly accessible.
Google accused of storing potential job candidates' personal information for years, violating European privacy lawsDate: 16 May 2023
Google is being alleged of violated the EU General Data Protection Regulation by illegally maintaining job candidate data. Data protection complaints were filed by Mohamed Maslouh with the Information Commissioner's Office in the U.K. and the Data Protection Commission in Ireland. Despite Google's claim that it implemented a global automatic deletion tool last year, its rollout ended in the fall, and it was potentially noncompliant with GPDR for four years.
Google is being alleged of violated the EU General Data Protection Regulation by illegally maintaining job candidate data. Data protection complaints were filed by Mohamed Maslouh with the Information Commissioner's Office in the U.K. and the Data Protection Commission in Ireland. Despite Google's claim that it implemented a global automatic deletion tool last year, its rollout ended in the fall, and it was potentially noncompliant with GPDR for four years.
RIPD initiate a coordinated action in relation to the ChatGPT serviceDate: 16 May 2023
In a joint proposal, the 16 RIPD regional authorities proposed "to initiate supervision" over ChatGPT and coordinate its actions within the RIPD for the first time in history. RIPD said that the service may threaten users rights and freedoms regarding the processing of their personal data, citing concerns about legal grounds for data processing, the transfer of data to third parties without consent, and adequate data protection measures.
In a joint proposal, the 16 RIPD regional authorities proposed "to initiate supervision" over ChatGPT and coordinate its actions within the RIPD for the first time in history. RIPD said that the service may threaten users rights and freedoms regarding the processing of their personal data, citing concerns about legal grounds for data processing, the transfer of data to third parties without consent, and adequate data protection measures.
Clearview AI fined additional 5.2M euro by CNILDate: 16 May 2023
The CNIL fined Clearview 20 million euros in October 2022 for violating the EU General Data Protection Regulation. The CNIL said the company failed to submit proof of compliance. CNIL, France's data protection authority, announced the company must pay 5.2 million euros for delays in complying with its previous order.
The CNIL fined Clearview 20 million euros in October 2022 for violating the EU General Data Protection Regulation. The CNIL said the company failed to submit proof of compliance. CNIL, France's data protection authority, announced the company must pay 5.2 million euros for delays in complying with its previous order.
India's draft data protection bill confirms data transfer restrictionsDate: 28 March 2023
Rajeev Chandrasekhar, Indian Minister of State for Electronics and Information Technology confirmed "blacklist" for cross-border data transfers will be included in the proposed Digital Data Protection Bill. He said the proposal will allow transfers "by default" unless otherwise noted by the government, which contrasts a prior plan to designate trusted transfer partners.
Rajeev Chandrasekhar, Indian Minister of State for Electronics and Information Technology confirmed "blacklist" for cross-border data transfers will be included in the proposed Digital Data Protection Bill. He said the proposal will allow transfers "by default" unless otherwise noted by the government, which contrasts a prior plan to designate trusted transfer partners.
A Norwegian medical device company has been fined by the DPA for failing to notify of a breachDate: 28 March 2023
The Norwegian data protection agency, Datatilsynet, fined Argon Medical Devices 2.5 million kroner for not reporting a July 2021 breach within the 72-hour period required by EU GDPR.
The Norwegian data protection agency, Datatilsynet, fined Argon Medical Devices 2.5 million kroner for not reporting a July 2021 breach within the 72-hour period required by EU GDPR.
Bangladesh's draft data protection law is being implementedDate: 28 March 2023
As part of the latest draft, the government-backed Data Protection Agency will maintain a register of data controllers and processors and impose fines and bans on violators. In addition, the bill currently includes a provision that allows individuals to appeal the DPA's decisions, which was not included in previous versions.
As part of the latest draft, the government-backed Data Protection Agency will maintain a register of data controllers and processors and impose fines and bans on violators. In addition, the bill currently includes a provision that allows individuals to appeal the DPA's decisions, which was not included in previous versions.
Cookie fatigue' pledge to be presented by EU consumer departmentDate: 28 March 2023
A voluntary cookie pledge will be launched 28 March by the European Commission's consumer protection office to combat "cookie fatigue," reported Euractiv. While details of the cookie pledge are unknown, the pledge may allow users to specify their cookie preference within browser settings instead of being asked every time they visit a website.
A voluntary cookie pledge will be launched 28 March by the European Commission's consumer protection office to combat "cookie fatigue," reported Euractiv. While details of the cookie pledge are unknown, the pledge may allow users to specify their cookie preference within browser settings instead of being asked every time they visit a website.
Google's data processing terms are criticized by German regulatorsDate: 19 January 2023
German Federal Cartel Office, Bundeskartellamt, issued objections against Google's data processing terms. The competition regulator said that Google's services do not provide users with "sufficient choice" about the processing of their data, and the company must adhere to new competition rules for large digital companies.
German Federal Cartel Office, Bundeskartellamt, issued objections against Google's data processing terms. The competition regulator said that Google's services do not provide users with "sufficient choice" about the processing of their data, and the company must adhere to new competition rules for large digital companies.
Voodoo is fined 3M euros by CNILDate: 19 January 2023
Voodoo was fined 3 million euros by France's data protection authority, the Commission nationale de l'informatique et des libertés, for allegedly tracking users without their consent. An investigation by the CNIL found Voodoo uses a technical identifier to track browsing habits for advertising purposes when an Apple app is downloaded.
Voodoo was fined 3 million euros by France's data protection authority, the Commission nationale de l'informatique et des libertés, for allegedly tracking users without their consent. An investigation by the CNIL found Voodoo uses a technical identifier to track browsing habits for advertising purposes when an Apple app is downloaded.
CNIL fines TikTok 5 million euros for its cookie consent policiesDate: 19 January 2023
As a result of cookie consent violations, France's data protection authority, the Commission nationale de l'informatique et des libertés, fined TikTok 5 million euro. According to the CNIL, the platform's consent mechanism did not provide users with sufficient options to opt out of cookie settings or information about how cookies work.
As a result of cookie consent violations, France's data protection authority, the Commission nationale de l'informatique et des libertés, fined TikTok 5 million euro. According to the CNIL, the platform's consent mechanism did not provide users with sufficient options to opt out of cookie settings or information about how cookies work.
NOYB publishes the Irish DPC's decisions regarding Meta's personalized adsDate: 19 January 2023
NOYB, an advocacy group based in the EU, published the final decisions of the Irish Data Protection Commission invalidating Meta's contract basis for seeking user consent to collect data for Facebook and Instagram ads. According to NOYB, the decisions - which followed complaints made by the group on the day the GDPR took effect in May 2018 - show a "clear disagreement" between the DPC and the EDPB.
NOYB, an advocacy group based in the EU, published the final decisions of the Irish Data Protection Commission invalidating Meta's contract basis for seeking user consent to collect data for Facebook and Instagram ads. According to NOYB, the decisions - which followed complaints made by the group on the day the GDPR took effect in May 2018 - show a "clear disagreement" between the DPC and the EDPB.
The CNIL's report recommends a fine of 6 million euros for AppleDate: 21 December 2022
As reported by Reuters, France's data protection authority, the Commission nationale de l'informatique et des libertés, recommended a 6 million euro fine against Apple for allegedly violating privacy laws.
As reported by Reuters, France's data protection authority, the Commission nationale de l'informatique et des libertés, recommended a 6 million euro fine against Apple for allegedly violating privacy laws.
National Institute of Statistics fined 4 million euros by CNPDDate: 21 December 2022
According to the National Data Protection Commission of Portugal, five violations of the EU General Data Protection Regulation in connection with the 2021 census led to a fine of 4.3 million euros for the National Institute of Statistics. In addition to unlawfully processing personal health and religious data, INE failed to inform respondents about the 2021 census questionnaire, violated data transfer provisions, failed to conduct a data protection impact assessment, and failed to select a subcontractor with due diligence.
According to the National Data Protection Commission of Portugal, five violations of the EU General Data Protection Regulation in connection with the 2021 census led to a fine of 4.3 million euros for the National Institute of Statistics. In addition to unlawfully processing personal health and religious data, INE failed to inform respondents about the 2021 census questionnaire, violated data transfer provisions, failed to conduct a data protection impact assessment, and failed to select a subcontractor with due diligence.
Cryptocurrency exchange fined by ACMA for spam emailsDate: 21 December 2022
The Australian Communications and Media Authority fined Binance Australia AU$2 million for spamming customers. Between October 2021 and May 2022, the company sent more than 5.7 million spam emails advertising trading services without obtaining consent from the recipients.
The Australian Communications and Media Authority fined Binance Australia AU$2 million for spamming customers. Between October 2021 and May 2022, the company sent more than 5.7 million spam emails advertising trading services without obtaining consent from the recipients.
Study finds 96% of US schools use apps that shares student informationDate: 21 December 2022
A study published by CyberScoop found that 96% of applications used in US schools share student information with third parties. Data is often shared with advertisers without students' or schools' consent. After examining 663 schools in total with approx 500,000 students, it was found that the schools typically had more than 150 “approved technologies for classrooms. Around 25% of the recommended or required apps had advertisements, and 13% had retargeting ads.
A study published by CyberScoop found that 96% of applications used in US schools share student information with third parties. Data is often shared with advertisers without students' or schools' consent. After examining 663 schools in total with approx 500,000 students, it was found that the schools typically had more than 150 “approved technologies for classrooms. Around 25% of the recommended or required apps had advertisements, and 13% had retargeting ads.
Privacy Legislation Amendment Bill 2022 passed by AustraliaDate: 05 December 2022
The Privacy Legislation Amendment Bill 2022 has been finally passed by the Australian Parliament. In a new three-factor penalty scheme, the bill amends the Privacy Act of 1988 to increase data breach fines to AU$50 million or 30% of adjusted quarterly turnover. Australian Information Commissioner and Privacy Commissioner mentioned that "the changes facilitate interactions with domestic regulators and our international counterparts for us to fulfill our responsibilities as regulators in an efficient and effective manner."
The Privacy Legislation Amendment Bill 2022 has been finally passed by the Australian Parliament. In a new three-factor penalty scheme, the bill amends the Privacy Act of 1988 to increase data breach fines to AU$50 million or 30% of adjusted quarterly turnover. Australian Information Commissioner and Privacy Commissioner mentioned that "the changes facilitate interactions with domestic regulators and our international counterparts for us to fulfill our responsibilities as regulators in an efficient and effective manner."
Perfume chain fined 1.4M euros by Italy's DPA GaranteDate: 05 December 2022
The perfume chain Douglas Italia processed data on more than 3 million customers without requesting consent. Other than fine, being a data controller, the company must adopt compliance measures regarding data retention times as well as how it processes data for marketing and profiling purposes, and must remove all data from the past 10 years.
The perfume chain Douglas Italia processed data on more than 3 million customers without requesting consent. Other than fine, being a data controller, the company must adopt compliance measures regarding data retention times as well as how it processes data for marketing and profiling purposes, and must remove all data from the past 10 years.
Over 5 million Twitter accounts in Europe and the U.S. potentially compromisedDate: 05 December 2022
According to cybersecurity expert Chad Loder the users who enabled the "Let others find you by your phone" feature in the discoverability settings were affected by the breach. There was an exposure of all accounts with the country code +33 for France. According to reports, the data leak included Twitter IDs, names, login names, locations and verified statuses, along with private contact information like phone and email addresses.
According to cybersecurity expert Chad Loder the users who enabled the "Let others find you by your phone" feature in the discoverability settings were affected by the breach. There was an exposure of all accounts with the country code +33 for France. According to reports, the data leak included Twitter IDs, names, login names, locations and verified statuses, along with private contact information like phone and email addresses.
Snapchat offers a Privacy feature to comply with California Privacy Rights ActDate: 05 December 2022
A new feature will allow Snapchat users in California to request that their sensitive information not be used for advertising purposes. This feature will appear in the privacy controls section of the app's settings for all users, but it will only work for California users.
A new feature will allow Snapchat users in California to request that their sensitive information not be used for advertising purposes. This feature will appear in the privacy controls section of the app's settings for all users, but it will only work for California users.
Massachusetts Attorney General Maura Healey Secures $16 Million Credit reporting company and telecom provider Over Data BreachesDate: 15 November 2022
AG Healey secures multistate settlements with Experian, totalling over $13.67 million relating to the data breaches in 2012 and 2015 which compromised the personal information of millions of consumers. AG Healey also reached a $2.5 million multistate settlement with T-Mobile relating to the 2015 Experian breach, which impacted more than 15 million individuals.
AG Healey secures multistate settlements with Experian, totalling over $13.67 million relating to the data breaches in 2012 and 2015 which compromised the personal information of millions of consumers. AG Healey also reached a $2.5 million multistate settlement with T-Mobile relating to the 2015 Experian breach, which impacted more than 15 million individuals.
U.S. Federal Trade Commission's settlement could trouble Musk's big plansDate: 15 November 2022
After a may settlement resulting from poor privacy and data security protections, Twitter will be now operating under the microscope of the US FTC for the next 20 years. Elon Musk's plan of making money from twitter can be ruined due to heavy scrutiny which the company will face because of privacy practices.
After a may settlement resulting from poor privacy and data security protections, Twitter will be now operating under the microscope of the US FTC for the next 20 years. Elon Musk's plan of making money from twitter can be ruined due to heavy scrutiny which the company will face because of privacy practices.
After a 6-year legal battle, LinkedIn prevails in its lawsuit against data scrapersDate: 15 November 2022
As Judge Edward Chen noted in his ruling, HiQ relied on LinkedIn for the majority of its data since it scraped wholly public LinkedIn profiles. In order to avoid detection, it simulated human site-access behaviors to reverse engineer LinkedIn's systems.
As Judge Edward Chen noted in his ruling, HiQ relied on LinkedIn for the majority of its data since it scraped wholly public LinkedIn profiles. In order to avoid detection, it simulated human site-access behaviors to reverse engineer LinkedIn's systems.
A tentative settlement over a data breach has been reached with SolarWinds for $26MDate: 15 November 2022
In a Wells notice issued on Thursday, the Securities and Exchange Commission accused SolarWinds of violating securities laws "in connection with its cybersecurity disclosures, public statements, internal controls, and disclosure controls and procedures.
In a Wells notice issued on Thursday, the Securities and Exchange Commission accused SolarWinds of violating securities laws "in connection with its cybersecurity disclosures, public statements, internal controls, and disclosure controls and procedures.
Executives at Apple say privacy controls and advertising can coexistDate: 04 November 2022
Mr. Federighi said that if quality advertising and product privacy coexist, innovation would occur, some from us, some from others. But that journey hadn't begun. In our minds, people should have that level of control, and we wanted that for ourselves and our friends and family.” In recent years, Apple has come under fire for its sway over digital users, especially from third-party app developers unhappy with the money the company collects from its App Store.
Mr. Federighi said that if quality advertising and product privacy coexist, innovation would occur, some from us, some from others. But that journey hadn't begun. In our minds, people should have that level of control, and we wanted that for ourselves and our friends and family.” In recent years, Apple has come under fire for its sway over digital users, especially from third-party app developers unhappy with the money the company collects from its App Store.
Hacker accesses data of 4 million Medibank customers in AustraliaDate: 04 November 2022
As Australia's biggest health insurer, Medibank Private Ltd (MPL.AX) warned on Wednesday of a first-half earnings hit of up to A$35 million ($16 million to $22.3 million) after a cyber hack compromised data of nearly 4 million customers. According to the company, its IT systems have not yet been encrypted by ransomware, and it will continue to monitor for any further suspicious activities.
As Australia's biggest health insurer, Medibank Private Ltd (MPL.AX) warned on Wednesday of a first-half earnings hit of up to A$35 million ($16 million to $22.3 million) after a cyber hack compromised data of nearly 4 million customers. According to the company, its IT systems have not yet been encrypted by ransomware, and it will continue to monitor for any further suspicious activities.
At least 3TB of sensitive data were collected and leaked by Thomson ReutersDate: 04 November 2022
One of the world's largest media conglomerates, Thomson Reuters, left an open database with sensitive customer and corporate data, including passwords to third-party servers. The details could be used in a supply-chain attack by attackers. It is believed that the open database found by the team corresponds to the company's use of ElasticSearch, a data storage platform used by enterprises dealing with large volumes of data that are constantly updated.
One of the world's largest media conglomerates, Thomson Reuters, left an open database with sensitive customer and corporate data, including passwords to third-party servers. The details could be used in a supply-chain attack by attackers. It is believed that the open database found by the team corresponds to the company's use of ElasticSearch, a data storage platform used by enterprises dealing with large volumes of data that are constantly updated.
A FCC commissioner says that TikTok should be bannedDate: 04 November 2022
The popular app has more than 200 million downloads in the U.S. alone, making its ownership by a Chinese parent company a target of growing national security concerns. TikTok could be used covertly in the United States by a state actor to influence political processes, Carr warned. As a result of concerns about data flowing back to China, Carr wrote Apple and Google in June.
The popular app has more than 200 million downloads in the U.S. alone, making its ownership by a Chinese parent company a target of growing national security concerns. TikTok could be used covertly in the United States by a state actor to influence political processes, Carr warned. As a result of concerns about data flowing back to China, Carr wrote Apple and Google in June.
The IAB Tech Lab has finalised the Global Privacy Platform, designed to manage and communicate consent signals across jurisdictions.Date: 11 October 2022
In particular, the GPP enables the exchange of consent signals between various global privacy jurisdictions within the digital ad supply chain. GPP also supports Global Privacy Control. In the GPP specifications, details are provided about how existing privacy signals are integrated into one platform.
In particular, the GPP enables the exchange of consent signals between various global privacy jurisdictions within the digital ad supply chain. GPP also supports Global Privacy Control. In the GPP specifications, details are provided about how existing privacy signals are integrated into one platform.
A lawsuit filed by Meta against two companies that scraped Facebook and Instagram data was settled.Date: 11 October 2022
A permanent injunction was issued against Israeli-based BrandTotal Ltd and Delaware based Unimania Inc. prohibiting them from obtaining Facebook or instagram data going forward or monetizing it. Meta says they also agreed to pay a significant financial sum as part of their settlement.
A permanent injunction was issued against Israeli-based BrandTotal Ltd and Delaware based Unimania Inc. prohibiting them from obtaining Facebook or instagram data going forward or monetizing it. Meta says they also agreed to pay a significant financial sum as part of their settlement.
California Governor Gavin Newsom signs two bills which will protect the health data of those obtaining abortionsDate: 11 October 2022
Governor Gavin Newsom signed two Caifornia bills to protect abortion data privacy and prohibiting corporations from sharing abortion information with out-of-state companies. As, a part of the bill, anyone performing a lawful abortion in California was prohibited from being arrested.
Governor Gavin Newsom signed two Caifornia bills to protect abortion data privacy and prohibiting corporations from sharing abortion information with out-of-state companies. As, a part of the bill, anyone performing a lawful abortion in California was prohibited from being arrested.
Information Commissioner’s Office fined Catalog retailer Easylife for 1.48 million GBP for misusing customers' personal informationDate: 11 October 2022
Information Commissioner’s Office has fined Catalog retailer Easylife 1.48 million GBP for misusing the personal innformation of approx 145,400 customers for predicting their health condition according to the data and then targeting them with the health related products according to the data. This information was used by Easylife without the consent of the customers.
Information Commissioner’s Office has fined Catalog retailer Easylife 1.48 million GBP for misusing the personal innformation of approx 145,400 customers for predicting their health condition according to the data and then targeting them with the health related products according to the data. This information was used by Easylife without the consent of the customers.
US Military bought internet monitoring tool which covers 90% of global internet trafficDate: 26 September 2022
A cybersecurity firm Team Cymru developed a tool called Augury, it collects a massive amount of data together, which is then made it available to government and corporate customers as a paid service.Private industry uses it for following hackers’ activity or attributing cyberattack. While in the Government world analysts do the same uses, but some agencies that deals with criminal investigations have also purchased this service.
A cybersecurity firm Team Cymru developed a tool called Augury, it collects a massive amount of data together, which is then made it available to government and corporate customers as a paid service.Private industry uses it for following hackers’ activity or attributing cyberattack. While in the Government world analysts do the same uses, but some agencies that deals with criminal investigations have also purchased this service.
Digital privacy firm raises $4 Million in seed funding.Date: 26 September 2022
A premium digital privacy company named Hush raises $4 Million in seed funding from Greycroft, a leading venture capital firm which focuses on investments in the Internet and mobile markets. Other insvestors include Detroit Venture Partners, ID Ventures, and Annox Capital. This raise will allow Hush to invest further in artificial intelligence technology as well as expand its commercial activities.
A premium digital privacy company named Hush raises $4 Million in seed funding from Greycroft, a leading venture capital firm which focuses on investments in the Internet and mobile markets. Other insvestors include Detroit Venture Partners, ID Ventures, and Annox Capital. This raise will allow Hush to invest further in artificial intelligence technology as well as expand its commercial activities.
Class-action lawsuit has been filed against Meta for bypassing the privacy settings of Apple iOS usersDate: 26 September 2022
"A privacy researcher and former Google engineer, Felix Krause, pointed out that Meta was recovering its losses by directing any link which a user clicks in the app to open in-browser, where Krause reported that througn that Meta was able to inject a code, alter the external websites, and tracking anything that you do on the websites, including tracking passwords, without user consent."
"A privacy researcher and former Google engineer, Felix Krause, pointed out that Meta was recovering its losses by directing any link which a user clicks in the app to open in-browser, where Krause reported that througn that Meta was able to inject a code, alter the external websites, and tracking anything that you do on the websites, including tracking passwords, without user consent."
SEC fines Morgan Stanley for $35 Million for failures to protect personal informationDate: 26 September 2022
SEC fines Morgan Stanley for its failures to protect personal indentifying information of approximately 15 Million sutomers over a five year period of time. Morgan Stanley hired a moving and storage company with no experience or expertise in data destruction services . Over several years MSSB failed to properly monitor the moving company’s work. In the investigation it was found out that the moving company sold to a third party many MSSB devices which included servers and hard drives, some of which contained personal information, and which were then resold on an internet auction site without removal of such personal information.
SEC fines Morgan Stanley for its failures to protect personal indentifying information of approximately 15 Million sutomers over a five year period of time. Morgan Stanley hired a moving and storage company with no experience or expertise in data destruction services . Over several years MSSB failed to properly monitor the moving company’s work. In the investigation it was found out that the moving company sold to a third party many MSSB devices which included servers and hard drives, some of which contained personal information, and which were then resold on an internet auction site without removal of such personal information.
Lawsuit was filed against Walmart for illegally using Biometric dataDate: 14 September 2022
Potential class action lawsuit was filed against Wallmart for violating an Illinois privacy law by using cameras and video surveillance systems. Plaintiff James Luthe, a citizen of Illinois alleges that Walmart's Illinois stores have unlawfully collected, stored, and used biometric data without any informed written consent of him and other customer.
Potential class action lawsuit was filed against Wallmart for violating an Illinois privacy law by using cameras and video surveillance systems. Plaintiff James Luthe, a citizen of Illinois alleges that Walmart's Illinois stores have unlawfully collected, stored, and used biometric data without any informed written consent of him and other customer.
RBI Deputy Governor T Rabi Shankar insisted for a data privacy law to protect consumer's privacyDate: 14 September 2022
RBI Governor said in a seminar that India is extremely data rich as digitalisation across the country is growing at a expeditious pace. Shankar said "Data means money. Data can be monetised. Therefore, data is significant value to business but at the same time, we will have to have regulations in place, primarily have laws in place, followed by regulations in place, which ensures that customer data is not only safe, that customers privacy is not only protected but the monetisation of customer data is done in a responsible manner"
RBI Governor said in a seminar that India is extremely data rich as digitalisation across the country is growing at a expeditious pace. Shankar said "Data means money. Data can be monetised. Therefore, data is significant value to business but at the same time, we will have to have regulations in place, primarily have laws in place, followed by regulations in place, which ensures that customer data is not only safe, that customers privacy is not only protected but the monetisation of customer data is done in a responsible manner"
Californians rights will be hurt if the proposed ADPPA is implementedDate: 14 September 2022
Congress seems to be close to crafting a law to protect the data privacy of the Americans. Its something the Americans want and its overdue. But the bill under consideration has many flaws in it. Its weaker than the privacy law in California. It contains a provision in it which says that the federal policy will have a preemption over the state laws, which is tortally unacceptable.
Congress seems to be close to crafting a law to protect the data privacy of the Americans. Its something the Americans want and its overdue. But the bill under consideration has many flaws in it. Its weaker than the privacy law in California. It contains a provision in it which says that the federal policy will have a preemption over the state laws, which is tortally unacceptable.
CNIL fined legal service provider Infogreffe of 250,000 euros for infringing the EU GDPRDate: 14 September 2022
Due to a complaint filed, CNIL carried out an online investigation of infogreffe.fr's website. The investigation was particularly focused on the data retention periods and the secutiy measures implemented by infogreffe. During the investigations CNIL noted many violations of GDPR by INFOGREFFE, and so fined 250,000 euros for infringing the EU GDPR.
Due to a complaint filed, CNIL carried out an online investigation of infogreffe.fr's website. The investigation was particularly focused on the data retention periods and the secutiy measures implemented by infogreffe. During the investigations CNIL noted many violations of GDPR by INFOGREFFE, and so fined 250,000 euros for infringing the EU GDPR.
California Attorney General announced first ever enforcement action under the CCPADate: 26 August 2022
"In the first enforcement action under the CCPA, California Attorney General Rob Bonta announced a $1.2 million settlement with multinational retailer Sephora over violations of the law's ""Do Not Sell"" provisions.
Sephora has also commited to operational improvements, including proper consumer opt-out mechanisms, as well as two years of required reports to the attorney general about its sale of personal information, relationships with service provider and efforts to honor Global Privacy Control."
"In the first enforcement action under the CCPA, California Attorney General Rob Bonta announced a $1.2 million settlement with multinational retailer Sephora over violations of the law's ""Do Not Sell"" provisions.
Sephora has also commited to operational improvements, including proper consumer opt-out mechanisms, as well as two years of required reports to the attorney general about its sale of personal information, relationships with service provider and efforts to honor Global Privacy Control."
OCR fined $300,640 on New England Dermatology for violating the Health Insurance Portability and Accountability Act Privacy Rule.Date: 26 August 2022
Office for Civil Rights (OCR) at the Department of Health and Human Services fined New England Dermatology and Laser Center (“NDELC”), regarding the improper disposal of protected health information, which is a violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. NEDLC had to pay $300,640 to OCR and agreed to implement a corrective action plan.
Office for Civil Rights (OCR) at the Department of Health and Human Services fined New England Dermatology and Laser Center (“NDELC”), regarding the improper disposal of protected health information, which is a violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. NEDLC had to pay $300,640 to OCR and agreed to implement a corrective action plan.
Privacy flaw is threatening US DemocracyDate: 26 August 2022
"As per some experts, the American Data Privacy and Protection Act isn't strong enough to protects the privacy of Americans. Congress needs to pass a legislation under which no existing mass surveillance mechanisms can be misused."
"As per some experts, the American Data Privacy and Protection Act isn't strong enough to protects the privacy of Americans. Congress needs to pass a legislation under which no existing mass surveillance mechanisms can be misused."
NOYB alleges Google sent unsolicited advertising emails to its European usersDate: 26 August 2022
Austrian advocacy group NOYB, filed a complaint with France's data protection authority against Google, that is has breached a European Union court ruling by sending unsolicited advertising emails directly to its European users.
Austrian advocacy group NOYB, filed a complaint with France's data protection authority against Google, that is has breached a European Union court ruling by sending unsolicited advertising emails directly to its European users.
CFBP fines US Bank for $37.5 million for exploitation of personal dataDate: 10 August 2022
Action against US bank was taken over the allegation that it illegaly accessed ts customers’ credit reports and opening checking and savings accounts, credit cards, and lines of credit without customers’ permission. U.S. Bank must make harmed customers whole and pay a $37.5 million penalty.
Action against US bank was taken over the allegation that it illegaly accessed ts customers’ credit reports and opening checking and savings accounts, credit cards, and lines of credit without customers’ permission. U.S. Bank must make harmed customers whole and pay a $37.5 million penalty.
Moldova and Poland’s data protection regulators signs data protection agreementDate: 10 August 2022
The National Center for Personal Data Protection (CNPDCP) and the Office for Data Protection of the Republic of Poland signed the Personal Data Protection Cooperation Agreement. The agreement was signed by the Director of CNPDCP, Mrs. Victoria Muntean and the President of the Office for Data Protection of the Republic of Poland, Mr. Jan Nowak. The agreement will help in the development of cooperative relations between the two institutions, which will lead to obtating constant progress in the field of personal data protection.
The National Center for Personal Data Protection (CNPDCP) and the Office for Data Protection of the Republic of Poland signed the Personal Data Protection Cooperation Agreement. The agreement was signed by the Director of CNPDCP, Mrs. Victoria Muntean and the President of the Office for Data Protection of the Republic of Poland, Mr. Jan Nowak. The agreement will help in the development of cooperative relations between the two institutions, which will lead to obtating constant progress in the field of personal data protection.
Indian Government identifies four key clauses which are likely to be withdrawn in the new Personal Data Protection BillDate: 10 August 2022
Indian Government has indentified four key clauses which are likely to be withdrawn in the new Personal Data Protection Bill to facilitate ease of doing business and achieve regulatory simplicity.
Indian Government has indentified four key clauses which are likely to be withdrawn in the new Personal Data Protection Bill to facilitate ease of doing business and achieve regulatory simplicity.
CNIL levies a fine of 60 million euro on an adtech company named CriteoDate: 10 August 2022
A preliminary notice of 60 million euro was issued to advertising technology company Criteo, over the violations of EU General Data Protection Regulation. The complaint against Criteo was regarding data processing practices related to targeted advertising and user profiling.
A preliminary notice of 60 million euro was issued to advertising technology company Criteo, over the violations of EU General Data Protection Regulation. The complaint against Criteo was regarding data processing practices related to targeted advertising and user profiling.
Privacy panic flares up in India after police pull payment dataDate: 27 July 2022
PRASANTO K. ROY a nonprofit doner is worried because the information of nonprofit doners were given to law enforcement without consent, highlighting limited data protections in the world’s largest democracy. He sended regular donations to the Indian fact-checking organization Alt News . On July 5, the nonprofit said that the Indian payments gateway Razorpay, which it used to receive donations, had shared its donors’ data with New Delhi police following the arrest of Alt News cofounder Mohammed Zubair last month.
PRASANTO K. ROY a nonprofit doner is worried because the information of nonprofit doners were given to law enforcement without consent, highlighting limited data protections in the world’s largest democracy. He sended regular donations to the Indian fact-checking organization Alt News . On July 5, the nonprofit said that the Indian payments gateway Razorpay, which it used to receive donations, had shared its donors’ data with New Delhi police following the arrest of Alt News cofounder Mohammed Zubair last month.
Robinhoofd Financial settles class action lawsuit for negligence related to data breachDate: 27 July 2022
Robinhood Financial has agreed to settle a class-action lawsuit against it, which accused the company of negligence with regard to a 2020 data breach due to which data of thousands of customers’ was exposed to hackers consisting of sensitive personal and financial information. This settlement could cost Robinhood approximately $20 million.
Robinhood Financial has agreed to settle a class-action lawsuit against it, which accused the company of negligence with regard to a 2020 data breach due to which data of thousands of customers’ was exposed to hackers consisting of sensitive personal and financial information. This settlement could cost Robinhood approximately $20 million.
European Parliament publishes governing data and artificial intelligence for allDate: 27 July 2022
An assessment of the EU data governance strategy is presented, as well as specific policy options for the AI act, the data governance act and the data act. In line with the principles of justice, four benchmarks for good data governance are proposed, :infrastructure preservation and public goods, inclusiveness, contestability and accountability, and global responsibility.
An assessment of the EU data governance strategy is presented, as well as specific policy options for the AI act, the data governance act and the data act. In line with the principles of justice, four benchmarks for good data governance are proposed, :infrastructure preservation and public goods, inclusiveness, contestability and accountability, and global responsibility.
Lawsuit filed against Clearview AI that they did not obtain consent to use facial imagesDate: 27 July 2022
A half-dozen Illinois residents along with a Californian and a New Yorker, filed an amended complaint against Clearview AI Inc., its leaders, an affiliated company, and retailers who allegedly used its searchable biometric database. The filing says that the facial recognition software company and its founders they developed their technology to invade the privacy of the American public for their own profit.
A half-dozen Illinois residents along with a Californian and a New Yorker, filed an amended complaint against Clearview AI Inc., its leaders, an affiliated company, and retailers who allegedly used its searchable biometric database. The filing says that the facial recognition software company and its founders they developed their technology to invade the privacy of the American public for their own profit.
Iceland's DPA fines city of Reykjavík 5 million kronor for processing of children’s dataDate: 12 July 2022
City of Reykjavík was responsible for the processing in question and the decision words were such that the processing of personal information of school children in the Seesaw student system by the City of Reykjavík was not in accordance with Act.
City of Reykjavík was responsible for the processing in question and the decision words were such that the processing of personal information of school children in the Seesaw student system by the City of Reykjavík was not in accordance with Act.
EU Parliamnet adopts Digital Markets Act and Digital Services ActDate: 12 July 2022
Companies face fines of up to 10% of annual global turnover for DMA violations and 6% for DSA breaches. The DSA bans targeted advertising aimed at children or based on sensitive data. Dark patterns, which are tactics that mislead people into giving personal data to companies online, will also be prohibited.
Companies face fines of up to 10% of annual global turnover for DMA violations and 6% for DSA breaches. The DSA bans targeted advertising aimed at children or based on sensitive data. Dark patterns, which are tactics that mislead people into giving personal data to companies online, will also be prohibited.
Google announced that it will automatically start deleting location data of sensitive placesDate: 12 July 2022
Tech Companies are now in spotlight due to the ruling on abortion by US. US supreme court’s decision has ended women’s constitutional right to abortion so some tech companies are moving to close loopholes which allows personal data brokers to monitor and sell information, which could be used by US states to police abortion restrictions.
Tech Companies are now in spotlight due to the ruling on abortion by US. US supreme court’s decision has ended women’s constitutional right to abortion so some tech companies are moving to close loopholes which allows personal data brokers to monitor and sell information, which could be used by US states to police abortion restrictions.
1B citizens will be affected due to the Breach of Chinese police filesDate: 12 July 2022
Sensitive data of 1 billion Chinese citizens was allegedly siphoned from a police database, some of which checks out to be legitimate, is being offered for sale for approximately $200,000 on an online cybercrime forum by an anonymous hacker or hacking group. If confirmed then it would mark one of history’s largest leaks of personal data.
Sensitive data of 1 billion Chinese citizens was allegedly siphoned from a police database, some of which checks out to be legitimate, is being offered for sale for approximately $200,000 on an online cybercrime forum by an anonymous hacker or hacking group. If confirmed then it would mark one of history’s largest leaks of personal data.
Roe v. Wade decision knocks privacy's durabilityDate: 01 July 2022
Due to the United States Supreme Court’s overturning of Roe v. Wade the effect of its is no longer limited to the right to abortion and bodily autonomy. Now, its consequences are not constrained to the right to contraception, the legality of same-sex sexual activity, or the right of gay couples to marry. It is totally undermining the implied right to privacy.
Due to the United States Supreme Court’s overturning of Roe v. Wade the effect of its is no longer limited to the right to abortion and bodily autonomy. Now, its consequences are not constrained to the right to contraception, the legality of same-sex sexual activity, or the right of gay couples to marry. It is totally undermining the implied right to privacy.
A data breach at MCG Health exposed the personal data of more than 1M patientsDate: 01 July 2022
Multiple class action lawsuits have been filed against the Seattle-based Hearst Health subsidiary, MCG Health, over a data breach that has affected at least 10 healthcare organizations including Indiana University Health, Lenoir Health Care, Phelps Health, and Jefferson County Health Center.
Multiple class action lawsuits have been filed against the Seattle-based Hearst Health subsidiary, MCG Health, over a data breach that has affected at least 10 healthcare organizations including Indiana University Health, Lenoir Health Care, Phelps Health, and Jefferson County Health Center.
France's Council of State upholds Amazon's ePrivacy fine of 35M euroDate: 01 July 2022
On December 7, 2020, the CNIL imposed a fine of 35 million euros against the company AMAZON EUROPE CORE for having placed advertising cookies on the computers of users of the sales site "Amazon .fr” without prior consent of the Data Subject.
On December 7, 2020, the CNIL imposed a fine of 35 million euros against the company AMAZON EUROPE CORE for having placed advertising cookies on the computers of users of the sales site "Amazon .fr” without prior consent of the Data Subject.
Several Republican senators have written a letter to Treasury secretary over TikTok's data practicesDate: 01 July 2022
Warning of ongoing security risks, six Republican Senators are pressing the Biden Administration to address data practices of the Chinese-owned social network TikTok.
Warning of ongoing security risks, six Republican Senators are pressing the Biden Administration to address data practices of the Chinese-owned social network TikTok.
A revised Europol Regulation weakens data protection rights, accroding to EDPSDate: 01 July 2022
In specific cases Europol is now allowed, to process large datasets, leading to a substantial increase in the volume of individuals’ personal data processed and stored by the Agency. Due to that, data relating to individuals that have no established link to a criminal activity will be treated in the same way as the personal data of individuals with a link to a criminal activity.
In specific cases Europol is now allowed, to process large datasets, leading to a substantial increase in the volume of individuals’ personal data processed and stored by the Agency. Due to that, data relating to individuals that have no established link to a criminal activity will be treated in the same way as the personal data of individuals with a link to a criminal activity.
Class-action lawsuit alleges Amazon's Alexa uses voice commands to send targeted adsDate: 20 June 2022
Amazon’s Alexa is the target of a new lawsuit alleging that the company is using information gathered from users of its smart speaker devices to serve them targeted advertising without their consent. The plaintiffs are pursuing the case as a class action suit, which if approved could include millions of Amazon customers.
Amazon’s Alexa is the target of a new lawsuit alleging that the company is using information gathered from users of its smart speaker devices to serve them targeted advertising without their consent. The plaintiffs are pursuing the case as a class action suit, which if approved could include millions of Amazon customers.
Judge approves $6M settlement against plasma clinic for BIPA violationDate: 20 June 2022
A Cook County judge has cleared the way for thousands of BioLife plasma donors to get their share of a $6 million settlement resolving their litigation over fingerprint scans and alleged violations of a state biometrics privacy law. David Fish and Mara Baltabos, of the Naperville firm of Fish Potter Bolaños, representing the class, alleged BioLife violated the Illinois Biometric Information Privacy Act when it collected fingerprint scans from “tens of thousands” of plasma donors without providing required disclosures or collecting informed, written consent.
A Cook County judge has cleared the way for thousands of BioLife plasma donors to get their share of a $6 million settlement resolving their litigation over fingerprint scans and alleged violations of a state biometrics privacy law. David Fish and Mara Baltabos, of the Naperville firm of Fish Potter Bolaños, representing the class, alleged BioLife violated the Illinois Biometric Information Privacy Act when it collected fingerprint scans from “tens of thousands” of plasma donors without providing required disclosures or collecting informed, written consent.
Luxembourg’s CNPD launches EU GDPR certification programDate: 20 June 2022
The CNPD adopted the GDPR-CARPA certification criteria on May 13, 2022. GDPR-CARPA is the first certification scheme under the GDPR (General Data Protection Regulation) at national and international level. Companies, administrations, associations and other bodies established in Luxembourg now have the possibility of demonstrating that their personal data processing operations comply with the GDPR. GDPR-CARPA thus offers data controllers and subcontractors a high level of GDPR compliance for their processing operations subject to certification.
The CNPD adopted the GDPR-CARPA certification criteria on May 13, 2022. GDPR-CARPA is the first certification scheme under the GDPR (General Data Protection Regulation) at national and international level. Companies, administrations, associations and other bodies established in Luxembourg now have the possibility of demonstrating that their personal data processing operations comply with the GDPR. GDPR-CARPA thus offers data controllers and subcontractors a high level of GDPR compliance for their processing operations subject to certification.
Minnesota passes student privacy billDate: 20 June 2022
Minnesota passed a student privacy bill governing educational data. The bill, effective for the 2022-23 school year and beyond, states technology providers do not own any educational data created, obtained or shared through a contract with an educational institution; cannot use the data for any commercial purpose, including marketing or advertising; and cannot access or monitor a device’s location-tracking feature, audio or visual recordings and web-browsing activity. The bill also states parents must be notified of any curriculum, testing or assessment affecting a student’s educational data.
Minnesota passed a student privacy bill governing educational data. The bill, effective for the 2022-23 school year and beyond, states technology providers do not own any educational data created, obtained or shared through a contract with an educational institution; cannot use the data for any commercial purpose, including marketing or advertising; and cannot access or monitor a device’s location-tracking feature, audio or visual recordings and web-browsing activity. The bill also states parents must be notified of any curriculum, testing or assessment affecting a student’s educational data.
FTC fines Twitter $150M for deceptive data collectionDate: 07 June 2022
The Federal Trade Commission is taking action against Twitter, Inc. for deceptively using account security data for targeted advertising. As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads. This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.
The Federal Trade Commission is taking action against Twitter, Inc. for deceptively using account security data for targeted advertising. As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads. This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.
Meta faces large fine from DPC over children’s privacy violations on InstagramDate: 07 June 2022
Facebook owner Meta Platforms is facing a potentially large fine for violating children’s privacy on its Instagram service. The Instagram inquiry is one of a several investigations by Ms Dixon’s office into Facebook and other sites it controls so it is not possible from such accounts to determine the company’s provision for that case.
Facebook owner Meta Platforms is facing a potentially large fine for violating children’s privacy on its Instagram service. The Instagram inquiry is one of a several investigations by Ms Dixon’s office into Facebook and other sites it controls so it is not possible from such accounts to determine the company’s provision for that case.
Groups cite GDPR ‘enforcement gap,’ regulators say law is working wellDate: 07 June 2022
Since the General Data Protection Regulation went into effect, data regulators tasked with enforcing the law have struggled to act quickly on complaints against Big Tech firms and the murky online advertising industry, with scores of cases still outstanding. Data regulators say enforcement is working well and improving.
Since the General Data Protection Regulation went into effect, data regulators tasked with enforcing the law have struggled to act quickly on complaints against Big Tech firms and the murky online advertising industry, with scores of cases still outstanding. Data regulators say enforcement is working well and improving.
ICO lowers Clearview AI fine to 7.55M GBPDate: 07 June 2022
The U.K. Information Commissioner's Office announced a 7.55 million GBP fine against Clearview AI over the use of U.K. citizens' facial images in its global database. The fine was lowered from the initial 17 million GBP penalty notice served in November 2021. Further, the ICO has also issued an enforcement notice, ordering the company to stop obtaining and using the personal data of UK residents that is publicly available on the internet, and to delete the data of UK residents from its systems.
The U.K. Information Commissioner's Office announced a 7.55 million GBP fine against Clearview AI over the use of U.K. citizens' facial images in its global database. The fine was lowered from the initial 17 million GBP penalty notice served in November 2021. Further, the ICO has also issued an enforcement notice, ordering the company to stop obtaining and using the personal data of UK residents that is publicly available on the internet, and to delete the data of UK residents from its systems.
Uber fined 4.2M euros for data processing violations by Italy's DPADate: 24 May 2022
Italy's DPA, the Granate, fined Uber with 4.2 million euros for alleged data processing violations. It was found that one of the Uber's subsidiary processed the user's personal data without consent. Approximately 57 million users worldwide were affected. the personal data includes contact information, Uber account data, location and relations with other users.
Italy's DPA, the Granate, fined Uber with 4.2 million euros for alleged data processing violations. It was found that one of the Uber's subsidiary processed the user's personal data without consent. Approximately 57 million users worldwide were affected. the personal data includes contact information, Uber account data, location and relations with other users.
Solara Medical Supplies’ reaches $9.76M settlement over 2019 data breachDate: 24 May 2022
Solara Medical Supplies’ proposed $9.76 million settlement to resolve a class action lawsuit related to a 2019 data breach which has affected nearly 114,000 individuals. Between April and June 2019, it became a victim of phishing attack which resulted in unauthorized individuals accessing employee email accounts containing sensitive employee and patient information belonging to the diabetes medical product and supply company.
Solara Medical Supplies’ proposed $9.76 million settlement to resolve a class action lawsuit related to a 2019 data breach which has affected nearly 114,000 individuals. Between April and June 2019, it became a victim of phishing attack which resulted in unauthorized individuals accessing employee email accounts containing sensitive employee and patient information belonging to the diabetes medical product and supply company.
Google fined 10 million euros by Spain AEPDDate: 24 May 2022
Spain's DPA, the Agencia Española de Protección de Datos, fined Google 10 million euros for violating EU GDPR. The AEPD found third-party data sharing by Google with legal database Lumen Project lacked an opt-out mechanism for data subjects. The shared data included personally identifiable data, email addresses and individuals' legal claims. The sanction asked Google to delete all the personal data shared with Lumen.
Spain's DPA, the Agencia Española de Protección de Datos, fined Google 10 million euros for violating EU GDPR. The AEPD found third-party data sharing by Google with legal database Lumen Project lacked an opt-out mechanism for data subjects. The shared data included personally identifiable data, email addresses and individuals' legal claims. The sanction asked Google to delete all the personal data shared with Lumen.
OPC issues interpretation of sensitive information under PIPEDADate: 24 May 2022
The OPC has issued an Interpretation Bulletin dealing with the issue of sensitive information under PIPEDA stating that "Health and financial data, ethnic and racial origins, political opinions, genetic and biometric data, an individual’s sex life or sexual orientation, and religious/philosophical beliefs are among the types of information that will generally be considered sensitive and require a higher degree of protection."
The OPC has issued an Interpretation Bulletin dealing with the issue of sensitive information under PIPEDA stating that "Health and financial data, ethnic and racial origins, political opinions, genetic and biometric data, an individual’s sex life or sexual orientation, and religious/philosophical beliefs are among the types of information that will generally be considered sensitive and require a higher degree of protection."
Hong Kong considers blocking Telegram for doxxed personal dataDate: 24 May 2022
Hong Kong's Office of the Privacy Commissioner for Personal Data is considering to limit the access to messenger service Telegram. The reason being that it was found to be rampant with doxxed personal data of government officials and citizens. If access is restricted, fears may return that the Chinese government will further erode civil liberties in Hong Kong after the passage of national security legislation in 2020.
Hong Kong's Office of the Privacy Commissioner for Personal Data is considering to limit the access to messenger service Telegram. The reason being that it was found to be rampant with doxxed personal data of government officials and citizens. If access is restricted, fears may return that the Chinese government will further erode civil liberties in Hong Kong after the passage of national security legislation in 2020.
Ministry of Foreign Affairs fined for 565K euros for GDPR violations by Dutch DPADate: 24 May 2022
The Netherlands' DPA, Autoriteit Persoonsgegevens, fined the Ministry of Foreign Affairs 565,000 euros for violation of EU GDPR by processing approximately 530,000 visa applications per year over the last three years without sufficient personal data protections. The risk being unauthorized individuals could access and change files within the ministry’s National Visa Information System was identified by DPA.
The Netherlands' DPA, Autoriteit Persoonsgegevens, fined the Ministry of Foreign Affairs 565,000 euros for violation of EU GDPR by processing approximately 530,000 visa applications per year over the last three years without sufficient personal data protections. The risk being unauthorized individuals could access and change files within the ministry’s National Visa Information System was identified by DPA.
UKHSA issues guidance for COVID-19 app privacyDate: 24 May 2022
"The U.K. Health and Security Agency released privacy guidance for the National Health Service’s COVID-19 mobile application. Using the app is voluntary for citizens and it cannot track the location of users, monitor users if they are self-isolating, be used by law enforcement or see personal messages on a user’s phone."
"The U.K. Health and Security Agency released privacy guidance for the National Health Service’s COVID-19 mobile application. Using the app is voluntary for citizens and it cannot track the location of users, monitor users if they are self-isolating, be used by law enforcement or see personal messages on a user’s phone."
Google announces new user privacy controlsDate: 24 May 2022
"Google at its I/O 2022 developer Conference announced that ""it will try to do more with less of it."" giving users more control over how their data is used in Google applications and search results. Google says that My Ad Center will help to give users control not just over how their data is used but also over how this affects their experience of the web."
"Google at its I/O 2022 developer Conference announced that ""it will try to do more with less of it."" giving users more control over how their data is used in Google applications and search results. Google says that My Ad Center will help to give users control not just over how their data is used but also over how this affects their experience of the web."
Costa Rica declared national emergency in the light of ransomware attacksDate: 10 May 2022
Costa Rican President Chaves declared a national emergency citing ongoing Conti ransomware attacks as the reason. The Conti ransomware group allegedly released 97% of the 672 GB of data it obtained from the agencies. Government agencies such as The Ministry of Finance, Ministry of Labor and Social Security, and Ministry of Science, Innovation, Technology and Telecommunications are among the agencies impacted.
Costa Rican President Chaves declared a national emergency citing ongoing Conti ransomware attacks as the reason. The Conti ransomware group allegedly released 97% of the 672 GB of data it obtained from the agencies. Government agencies such as The Ministry of Finance, Ministry of Labor and Social Security, and Ministry of Science, Innovation, Technology and Telecommunications are among the agencies impacted.
A new cookie popup appears after Google is fined by the CNILDate: 10 May 2022
Users will now be able to “deny all” to opt out of web tracking entirely with the click of one button. Google previously only offered users to “accept” or “customize” and users would have to opt out of tracking three separate times on a different webpage. The new feature would be rolled out on YouTube to start.
Users will now be able to “deny all” to opt out of web tracking entirely with the click of one button. Google previously only offered users to “accept” or “customize” and users would have to opt out of tracking three separate times on a different webpage. The new feature would be rolled out on YouTube to start.
$85M settlement approved in class-action lawsuit against ZoomDate: 10 May 2022
In a class-action lawsuit against Zoom, a US District Court judge has approved an $85 million settlement. Several million Zoom users have sued the company after it sold personal data to social media companies and hackers disrupted video conferences by "zoombombing" meetings.
In a class-action lawsuit against Zoom, a US District Court judge has approved an $85 million settlement. Several million Zoom users have sued the company after it sold personal data to social media companies and hackers disrupted video conferences by "zoombombing" meetings.
Google’s $100M BIPA settlement approvedDate: 10 May 2022
A judge granted preliminary approval of Google’s $100 million class-action settlement over allegations the company’s face grouping tool violates the Illinois Biometric Information Privacy Act. If a final order is approved, Illinois residents who appeared in an image on the Google Photos application within the last seven years may be eligible to receive between $200 and $400.
A judge granted preliminary approval of Google’s $100 million class-action settlement over allegations the company’s face grouping tool violates the Illinois Biometric Information Privacy Act. If a final order is approved, Illinois residents who appeared in an image on the Google Photos application within the last seven years may be eligible to receive between $200 and $400.
SafeGraph ends abortion clinic data sharingDate: 10 May 2022
SafeGraph was selling location data of people who have visited health clinics that provide abortion services. It halted the sales of location data and the fertility and menstrual cycle-tracking applications stand by the privacy notices. SafeGraph CEO Auren Hoffman said that, "he didn't even realize his company carried so-called 'patterns' data that traced the movements of patients."
SafeGraph was selling location data of people who have visited health clinics that provide abortion services. It halted the sales of location data and the fertility and menstrual cycle-tracking applications stand by the privacy notices. SafeGraph CEO Auren Hoffman said that, "he didn't even realize his company carried so-called 'patterns' data that traced the movements of patients."
Google, YouTube consent banners allegedly violate Hamburg data protection requirementsDate: 11 Apr 2022
The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) informed Google last week that the consent banners on the pages of the Google search engine and on YouTube currently do not meet the data protection requirements. Users reportedly have to click the “I agree” button to consent to all processing of personal data for Google. However, users who did not want to give such consent had to refuse the settings for each data processing setting individually through the “Customize” page
The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) informed Google last week that the consent banners on the pages of the Google search engine and on YouTube currently do not meet the data protection requirements. Users reportedly have to click the “I agree” button to consent to all processing of personal data for Google. However, users who did not want to give such consent had to refuse the settings for each data processing setting individually through the “Customize” page
Dozens of apps banned by the Google with data harvesting softwareDate: 11 Apr 2022
Google banned dozens of applications from its Google Play Store in which it identified hidden data-harvesting software. Measurement Systems, which wrote the code that ran on millions of Android devices, is tied to U.S. national security contractors, according to documents. The code was found within Muslim prayer apps, a highway speed-trap detection app, a QR-code reading app and others.
Google banned dozens of applications from its Google Play Store in which it identified hidden data-harvesting software. Measurement Systems, which wrote the code that ran on millions of Android devices, is tied to U.S. national security contractors, according to documents. The code was found within Muslim prayer apps, a highway speed-trap detection app, a QR-code reading app and others.
EDPB announced the statement on EU-US Trans-Atlantic Data Privacy FrameworkDate: 11 Apr 2022
The EDPB adopted a statement welcoming the agreement in principle on the Trans-Atlantic Data Privacy Framework between the EU and the U.S. on 25 March. The commitment of the U.S. highest authorities to establish ‘unprecedented’ measures to protect the privacy and personal data of individuals is a positive first step in the right direction. the EDPB will conduct a review of the agreement to ensure "legal certainty" and examine how the agreement "translates into concrete legal proposals to address the concerns raised by the Court of Justice of the European Union."
The EDPB adopted a statement welcoming the agreement in principle on the Trans-Atlantic Data Privacy Framework between the EU and the U.S. on 25 March. The commitment of the U.S. highest authorities to establish ‘unprecedented’ measures to protect the privacy and personal data of individuals is a positive first step in the right direction. the EDPB will conduct a review of the agreement to ensure "legal certainty" and examine how the agreement "translates into concrete legal proposals to address the concerns raised by the Court of Justice of the European Union."
Block confirms former employee stole CashApp user dataDate: 11 Apr 2022
In U.S. Securities and Exchange Commission filings, Block has confirmed a data breach involving a former employee who downloaded reports from Cash App that contained some U.S. customer information. The primary information in the reports included users’ full names and brokerage account numbers, and for some customers the accessed data also included brokerage portfolio value, brokerage portfolio holdings, and stock trading activity for one trading day. The company declined to state how many customers were affected, only that it was notifying approximately 8.2 million CashApp users about the incident.
In U.S. Securities and Exchange Commission filings, Block has confirmed a data breach involving a former employee who downloaded reports from Cash App that contained some U.S. customer information. The primary information in the reports included users’ full names and brokerage account numbers, and for some customers the accessed data also included brokerage portfolio value, brokerage portfolio holdings, and stock trading activity for one trading day. The company declined to state how many customers were affected, only that it was notifying approximately 8.2 million CashApp users about the incident.
EU, US agree 'in principle' to new trans-Atlantic data agreementDate: 31 Mar 2022
U.S. President Joe Biden and European Commission President Ursula von der Leyen announced on Friday that the U.S. and EU have reached a new trans-Atlantic data flow agreement. Importantly, the agreement is in principle only at this point, and details about the deal are not yet known. Reportedly this framework underscores the shared commitment to privacy, data protection, and the rule of law.
U.S. President Joe Biden and European Commission President Ursula von der Leyen announced on Friday that the U.S. and EU have reached a new trans-Atlantic data flow agreement. Importantly, the agreement is in principle only at this point, and details about the deal are not yet known. Reportedly this framework underscores the shared commitment to privacy, data protection, and the rule of law.
Background check company faces multiple lawsuitsDate: 31 Mar 2022
A Massachusetts background check company, Creative Services, is being sued in four parallel data breach lawsuits. The lawsuits alleged names, birth dates, financial accounts, Social Security numbers and driver’s license information of 164,673 clients were copied by an unauthorized user between 2018 and 2021. An investigation into the activity in January 2022 revealed that client PII belonging to CSI had been compromised.
A Massachusetts background check company, Creative Services, is being sued in four parallel data breach lawsuits. The lawsuits alleged names, birth dates, financial accounts, Social Security numbers and driver’s license information of 164,673 clients were copied by an unauthorized user between 2018 and 2021. An investigation into the activity in January 2022 revealed that client PII belonging to CSI had been compromised.
Okta breach in January may have exposed hundreds of customersDate: 31 Mar 2022
The CEO of two-factor authentication company Okta, Todd McKinnon, confirmed a breach that happened in January. It affected 2.5% of Okta's 15,000 customers, and customers were not required to take any corrective action.
The CEO of two-factor authentication company Okta, Todd McKinnon, confirmed a breach that happened in January. It affected 2.5% of Okta's 15,000 customers, and customers were not required to take any corrective action.
Utah becomes fourth US state to enact comprehensive consumer privacy legislationDate: 31 Mar 2022
Gov. Spencer Cox, R-Utah, signed the Utah Consumer Privacy Act into law on 24th of March making Utah the 4th state after California, Virginia and Colorado to enact a comprehensive consumer privacy act. The law will be in effect from 31.12.2023. UCPA is largely based on the Virginia Consumer Protection Act, but overall is much more “business-friendly” than California, Colorado and Virginia.
Gov. Spencer Cox, R-Utah, signed the Utah Consumer Privacy Act into law on 24th of March making Utah the 4th state after California, Virginia and Colorado to enact a comprehensive consumer privacy act. The law will be in effect from 31.12.2023. UCPA is largely based on the Virginia Consumer Protection Act, but overall is much more “business-friendly” than California, Colorado and Virginia.
The U.S. Federal Trade Commission is investigating Amazon over its use of "dark patterns," reports Gizmodo.Date: 21 Mar 2022
Amazon is being investigated for allegedly tricking people into signing up for Prime. As a result of its use of "dark patterns"-manipulative online interface tricks-Amazon faces scrutiny from the FTC for allegedly luring users into signing up for costly Prime memberships without their knowledge.
Amazon is being investigated for allegedly tricking people into signing up for Prime. As a result of its use of "dark patterns"-manipulative online interface tricks-Amazon faces scrutiny from the FTC for allegedly luring users into signing up for costly Prime memberships without their knowledge.
The CNIL publishes a guide for DPOsDate: 21 Mar 2022
France’s data protection authority, the Commission nationale de l'informatique et des libertés has published a guide for DPO's. This guide includes why and how to appoint a DPO, the role of DPO, FAQ on appointment of DPOs, etc.
France’s data protection authority, the Commission nationale de l'informatique et des libertés has published a guide for DPO's. This guide includes why and how to appoint a DPO, the role of DPO, FAQ on appointment of DPOs, etc.
Tesla Hit With Biometric Privacy Suit by Illinois resident over Alleged Facial ScansDate: 21 Mar 2022
Bloomberg Law reports that an Illinois resident is leading a class-action lawsuit against Tesla alleging that the company violated the Illinois Biometric Information Privacy Act. It is claimed that Tesla has been scanning drivers' faces while in autopilot or full self-driving modes during Model 3 and Model Y vehicles. It is alleged that the company failed to provide drivers with the ability to give informed consent for collection of biometric information.
Bloomberg Law reports that an Illinois resident is leading a class-action lawsuit against Tesla alleging that the company violated the Illinois Biometric Information Privacy Act. It is claimed that Tesla has been scanning drivers' faces while in autopilot or full self-driving modes during Model 3 and Model Y vehicles. It is alleged that the company failed to provide drivers with the ability to give informed consent for collection of biometric information.
Irish DPC fines Meta 17M euros over 2018 data breachesDate: 21 Mar 2022
Meta Platforms was fined 17 million euros by the Irish Data Protection Commission for a series of 12 data breaches that occurred between June and December 2018. According to the DPC investigation, Meta acted in violation of EU General Data Protection Regulation articles 5 and 24 related to the processing of data tied to breach notifications. In accordance with the GDPR's One-Stop-Shop mechanism, the DPC has published a statistical report on cross-border complaints.
Meta Platforms was fined 17 million euros by the Irish Data Protection Commission for a series of 12 data breaches that occurred between June and December 2018. According to the DPC investigation, Meta acted in violation of EU General Data Protection Regulation articles 5 and 24 related to the processing of data tied to breach notifications. In accordance with the GDPR's One-Stop-Shop mechanism, the DPC has published a statistical report on cross-border complaints.
NGO serves latest round of cookie complaintsDate: 07 Mar 2022
Advocacy group NOYB sent 270 complaints to a range of website operators in its latest round of filings regarding alleged cookie banner violations. Its first round was held in May, 2021 resulting which many websites changed their cookie display practices.
Advocacy group NOYB sent 270 complaints to a range of website operators in its latest round of filings regarding alleged cookie banner violations. Its first round was held in May, 2021 resulting which many websites changed their cookie display practices.
Greek DPA imposes highest ever fineDate: 07 Mar 2022
The HDPA fined Cosmote and OTE 9.25 million euros for multiple violations of the EU General Data Protection Regulation. This fine is the result of data breach occurred in 2020 after a successful cyberattack on the group's information systems. It affected more than 10 million OTE Group and non-OTE Group subscribers.
The HDPA fined Cosmote and OTE 9.25 million euros for multiple violations of the EU General Data Protection Regulation. This fine is the result of data breach occurred in 2020 after a successful cyberattack on the group's information systems. It affected more than 10 million OTE Group and non-OTE Group subscribers.
Facebook starts a Special Operations Center for Ukrainian users amid Russian invasionDate: 07 Mar 2022
Facebook has set up a Special Operations Center to monitor posts coming out of Ukraine amid the ongoing Russian invasion. It is staffed by native speakaer and could respond in "real time". The company will allow the users to lock their profiles for an additional security feature.
Facebook has set up a Special Operations Center to monitor posts coming out of Ukraine amid the ongoing Russian invasion. It is staffed by native speakaer and could respond in "real time". The company will allow the users to lock their profiles for an additional security feature.
Yahoo ceased providing email service in ChinaDate: 07 Mar 2022
Yahoo notified Chinese users on 26 February, 2022 about the move and advised them to download contacts and other work. The services were stopped from 28 February, 2022 for the reason being “the increasingly challenging business and legal environment in China, including new privacy regulations,”
Yahoo notified Chinese users on 26 February, 2022 about the move and advised them to download contacts and other work. The services were stopped from 28 February, 2022 for the reason being “the increasingly challenging business and legal environment in China, including new privacy regulations,”
Oman approves data protection lawDate: 22 Feb 2022
Oman's Information Ministry has issued the Personal Data Protection Law in Official Gazatte No. 1429. The Minister of Transport, Communications and Information Technology shall issue the implementing regulations for this law. The law will come into force with effect from 9 February, 2023.
Oman's Information Ministry has issued the Personal Data Protection Law in Official Gazatte No. 1429. The Minister of Transport, Communications and Information Technology shall issue the implementing regulations for this law. The law will come into force with effect from 9 February, 2023.
Swedish Authority IMY fines Uppsala Region for two security breachesDate: 22 Feb 2022
The Swedish Authority for Privacy Protection (IMY) has received two personal data breach notifications from Region Uppsala. The data breaches concern sensitive personal data sent without encryption to recipients in and outside Sweden in violation of the region's own guidelines. The region has not taken sufficient technical and organizational measures to ensure a security level that is appropriate in relation to the risks involved in the personal data processing. The Swedish DPA has issued an administrative fine of SEK 1.9 million against Region Uppsala for the identified shortcomings.
The Swedish Authority for Privacy Protection (IMY) has received two personal data breach notifications from Region Uppsala. The data breaches concern sensitive personal data sent without encryption to recipients in and outside Sweden in violation of the region's own guidelines. The region has not taken sufficient technical and organizational measures to ensure a security level that is appropriate in relation to the risks involved in the personal data processing. The Swedish DPA has issued an administrative fine of SEK 1.9 million against Region Uppsala for the identified shortcomings.
Irish Council ICCL and EPIC call on global brands to end consent spam, delete dataDate: 22 Feb 2022
Following the 2 February decision regarding the multiple voilations of GDPR offence by IAB TCF, Irish Council write to the CEOs of P&G, Unilever, AT&T, BoA, Ford, GM, IBM, and Mastercard demanding they stop consent spam and delete data.The decision requires that Companies take immediate steps to delete all personal data that their company collected or otherwise processed in the context thereof.
Following the 2 February decision regarding the multiple voilations of GDPR offence by IAB TCF, Irish Council write to the CEOs of P&G, Unilever, AT&T, BoA, Ford, GM, IBM, and Mastercard demanding they stop consent spam and delete data.The decision requires that Companies take immediate steps to delete all personal data that their company collected or otherwise processed in the context thereof.
Texas Attorney General filed a lawsuit against Meta over Facebook's facial recognitionDate: 22 Feb 2022
Texas Attorney General Ken Paxton alleged the Meta over Facebook's collection of facial images and videos for its own corporate profit. This collection was from 2010 to the end of its facial recognition program in November 2021, estimating "tens of millions of violations" during that time.
Texas Attorney General Ken Paxton alleged the Meta over Facebook's collection of facial images and videos for its own corporate profit. This collection was from 2010 to the end of its facial recognition program in November 2021, estimating "tens of millions of violations" during that time.
OPC investigating that Canadians’ cellphone location data used by the Public Health Agency of Canada was properly anonymizedDate: 15 Feb 2022
Canadian Privacy Commissioner Daniel Therrien is investigating the Public Health Agency of Canada using the third-party cellphone location data to track individuals’ movements during the COVID-19 pandemic, National Post reports. The investigator told that the government should have been more proactive in informing Canadians of the program.
Canadian Privacy Commissioner Daniel Therrien is investigating the Public Health Agency of Canada using the third-party cellphone location data to track individuals’ movements during the COVID-19 pandemic, National Post reports. The investigator told that the government should have been more proactive in informing Canadians of the program.
News Corp reported that the China-based hackers involved in cyberattack on journalistsDate: 15 Feb 2022
News Corp, the parent company of The Wall Street Journal and Fox News, announced a cyberattack, believed to be launched by China-based hackers, targeted journalists and other employees. News Corp notified the U.S. Federal Bureau of Investigation and hired cybersecurity firm Mandiant to investigate the attack. The hack is believed to be an effort to uncover intelligence to benefit China’s interests. A representative from the Chinese Embassy in Washington, D.C., denied China had involvement in the attack.
News Corp, the parent company of The Wall Street Journal and Fox News, announced a cyberattack, believed to be launched by China-based hackers, targeted journalists and other employees. News Corp notified the U.S. Federal Bureau of Investigation and hired cybersecurity firm Mandiant to investigate the attack. The hack is believed to be an effort to uncover intelligence to benefit China’s interests. A representative from the Chinese Embassy in Washington, D.C., denied China had involvement in the attack.
Illinois McDonald's restaurants to pay $50M settlement to their employees for lack of biometric disclosuresDate: 15 Feb 2022
McDonald's agreed to pay $50 million to its Illinois employees who entered biometric data to log into the restaurant’s system, reports op Class Actions reports. McDonald’s-branded restaurants in Illinois violated BIPA by requiring that certain employees submit their biometric information without first providing the required disclosures or obtaining the proper consent.
McDonald's agreed to pay $50 million to its Illinois employees who entered biometric data to log into the restaurant’s system, reports op Class Actions reports. McDonald’s-branded restaurants in Illinois violated BIPA by requiring that certain employees submit their biometric information without first providing the required disclosures or obtaining the proper consent.
Florida residents sue Marco Island's police for use of automated license plate recognition systemsDate: 15 Feb 2022
Several residents of Florida's Marco Island sued the city in U.S. federal court for their use of automated license plate recognition systems as it violates their privacy. The automated recognition systems photographed and logged the date and time of every driver who drove into Marco Island and this can easily draw a detailed profile of their day-to-day life. Police argued the recognition systems create a powerful disincentive against crime.
Several residents of Florida's Marco Island sued the city in U.S. federal court for their use of automated license plate recognition systems as it violates their privacy. The automated recognition systems photographed and logged the date and time of every driver who drove into Marco Island and this can easily draw a detailed profile of their day-to-day life. Police argued the recognition systems create a powerful disincentive against crime.
CCPA noncompliance notices issued over loyalty programsDate: 02 Feb 2022
On Data Privacy Day, Attorney General Bonta puts Businesses operating Loyalty Programs on notice for violations of California Consumer Privacy Act. Under the CCPA, businesses that offer financial incentives, such as discounts, free items, or other rewards, in exchange for personal information must provide consumers with a notice of financial incentive. Letters were sent to major corporations in the retail, home improvement, travel, and food services industries, who have 30 days to cure and come into compliance with the law.
On Data Privacy Day, Attorney General Bonta puts Businesses operating Loyalty Programs on notice for violations of California Consumer Privacy Act. Under the CCPA, businesses that offer financial incentives, such as discounts, free items, or other rewards, in exchange for personal information must provide consumers with a notice of financial incentive. Letters were sent to major corporations in the retail, home improvement, travel, and food services industries, who have 30 days to cure and come into compliance with the law.
Brazilian data protection authority improves LGPD to reduce burden on small businessesDate: 02 Feb 2022
Members of the Brazilian data protection authority, unanimously approved for a new regulation for application of the General Data Protection Law for small businesses, according to ANPD. The Regulation aims to guarantee the rights of data subjects, at the same time as it brings balance between the rules contained in the LGPD and the size of the data processing agent. The ANPD recognized the regulatory burden LGPD placed on small- and micro-sized companies needed to be improved for their growth.
Members of the Brazilian data protection authority, unanimously approved for a new regulation for application of the General Data Protection Law for small businesses, according to ANPD. The Regulation aims to guarantee the rights of data subjects, at the same time as it brings balance between the rules contained in the LGPD and the size of the data processing agent. The ANPD recognized the regulatory burden LGPD placed on small- and micro-sized companies needed to be improved for their growth.
French Council of State validates CNIL fines against Google for cookie violationsDate: 02 Feb 2022
The Council of State validated a 100 million euros fine issued in December 2020 by by French data protection authority CNIL against the Google and Google Ireland for placing cookies on users’ computers without their consent. The CNIL reported that the actions violated the France's DPA and the Council “confirmed the competence of the CNIL to take sanctions on cookies outside the one-stop-shop mechanism provided for by the (EU General Data Protection Regulation) and thus validated the sanction of the CNIL.”
The Council of State validated a 100 million euros fine issued in December 2020 by by French data protection authority CNIL against the Google and Google Ireland for placing cookies on users’ computers without their consent. The CNIL reported that the actions violated the France's DPA and the Council “confirmed the competence of the CNIL to take sanctions on cookies outside the one-stop-shop mechanism provided for by the (EU General Data Protection Regulation) and thus validated the sanction of the CNIL.”
80% of users' browser history is captured by online trackers within two hours of surfing the internetDate: 02 Feb 2022
As per Norton Labs’ quarterly Consumer Cyber Safety Pulse Report, an average of 177 different organizations per week monitors the consumers. Half of these trackers can obtain the 80% of browsing history within the first two hours of surfing the internet. Despite the users deleting browsing history everyday, they would re-encounter half the trackers within two hours. It also reported blocking approximately 3.6 billion cyberthreats last year.
As per Norton Labs’ quarterly Consumer Cyber Safety Pulse Report, an average of 177 different organizations per week monitors the consumers. Half of these trackers can obtain the 80% of browsing history within the first two hours of surfing the internet. Despite the users deleting browsing history everyday, they would re-encounter half the trackers within two hours. It also reported blocking approximately 3.6 billion cyberthreats last year.
Personal data of 515,000 'highly vulnerable' victims aided by Red Cross stolenDate: 25 Jan 2022
60 Red Cross and Red Crescent National Societies breached the personal data of more than 515,000 “highly vulnerable” victims. The data was stolen from a Swiss contractor that stored it for the global humanitarian organization based in Geneva, Switzerland. The breach affected some of the most vulnerable people in the world, including those separated from their families due to conflict, migration or disaster, missing persons, and those in detention in various countries.
60 Red Cross and Red Crescent National Societies breached the personal data of more than 515,000 “highly vulnerable” victims. The data was stolen from a Swiss contractor that stored it for the global humanitarian organization based in Geneva, Switzerland. The breach affected some of the most vulnerable people in the world, including those separated from their families due to conflict, migration or disaster, missing persons, and those in detention in various countries.
Garante issues 26.5M euro GDPR fine on Enel EnergiaDate: 25 Jan 2022
The Guarantor for the protection of personal data has imposed a fine of over 26 million and 500 thousand euros on Enel Energia for the unlawful processing of users' personal data for telemarketing purposes. The company was unlawfully processing personal data for telemarketing purposes while violating provisions around accountability and user consent.
The Guarantor for the protection of personal data has imposed a fine of over 26 million and 500 thousand euros on Enel Energia for the unlawful processing of users' personal data for telemarketing purposes. The company was unlawfully processing personal data for telemarketing purposes while violating provisions around accountability and user consent.
German publishers, advertisers seek EU intervention on Google’s cookie phaseoutDate: 25 Jan 2022
German publishers and advertisers are seeking the intervention by EU lawmakers on the Google’s plan to phase out third-party cookies by next year. Germany’s federal association of digital publishers said “Publishers must remain in a position where they are allowed to ask their users for consent to process data, without Google capturing this decision”.
German publishers and advertisers are seeking the intervention by EU lawmakers on the Google’s plan to phase out third-party cookies by next year. Germany’s federal association of digital publishers said “Publishers must remain in a position where they are allowed to ask their users for consent to process data, without Google capturing this decision”.
16 member Committee formed to implement Thailand's Personal Data Protection ActDate: 25 Jan 2022
Thailand's PDPA will come into effect from June, for which a committee has been formed. The Committee has wide scope of responsibilities in terms of the promotion and protection of personal data. Their core functions would be to draft a master plan for data protection, issuing rules for executing the law and advising the cabinet on how the PDPA or other laws may be revised to better protect personal data.
Thailand's PDPA will come into effect from June, for which a committee has been formed. The Committee has wide scope of responsibilities in terms of the promotion and protection of personal data. Their core functions would be to draft a master plan for data protection, issuing rules for executing the law and advising the cabinet on how the PDPA or other laws may be revised to better protect personal data.
Accellion fined $8.1 million in data breach class-action lawsuitDate: 18 Jan 2022
Accellion reached a $8.1 million agreement in a nationwide class-action lawsuit in U.S. District Court, reports Reuters. The lawsuit was initiated for a breach in its legacy file transfer product, after it failed to properly secure sensitive personal information belonging to millions after hackers exploited a vulnerability in Accellion's platform.
Accellion reached a $8.1 million agreement in a nationwide class-action lawsuit in U.S. District Court, reports Reuters. The lawsuit was initiated for a breach in its legacy file transfer product, after it failed to properly secure sensitive personal information belonging to millions after hackers exploited a vulnerability in Accellion's platform.
Third party scrapes TransUnion's TLO database disclosing personal informationDate: 18 Jan 2022
A third party has recently scraped the contents of TransUnion's TLO and posted it elsewhere on the internet disclosing the personal information, including peoples’ physical addresses, phone numbers, email addresses and the contact details of their relatives. The data was password protected on the website it was posted onto, however, the report cast doubt on how secure the password was.
A third party has recently scraped the contents of TransUnion's TLO and posted it elsewhere on the internet disclosing the personal information, including peoples’ physical addresses, phone numbers, email addresses and the contact details of their relatives. The data was password protected on the website it was posted onto, however, the report cast doubt on how secure the password was.
Google explains Google Analytics’ privacy, data sharing practicesDate: 18 Jan 2022
Austrian ruling declared that the use of Google Analytics voilates the EU GDPR. Google responded with the statement that it uses "Data transfer agreements like EU Standard Contractual Clauses for transferring data to the United States with additional safeguards." Also, the service is designed to protect and safeguard data from government access.
Austrian ruling declared that the use of Google Analytics voilates the EU GDPR. Google responded with the statement that it uses "Data transfer agreements like EU Standard Contractual Clauses for transferring data to the United States with additional safeguards." Also, the service is designed to protect and safeguard data from government access.
Facebook faces $3.2 bln UK class action over market dominanceDate: 18 Jan 2022
Social Media gaint Facebook's parent company, Meta Platforms is facing a $3.2 billion class-action lawsuit in the U.K., reported by Reuters. It abused its market dominance by exploiting the personal data of 44 million users. Facebook in defence said that the "people have meaningful control of what information they share on Meta's platforms and who with."
Social Media gaint Facebook's parent company, Meta Platforms is facing a $3.2 billion class-action lawsuit in the U.K., reported by Reuters. It abused its market dominance by exploiting the personal data of 44 million users. Facebook in defence said that the "people have meaningful control of what information they share on Meta's platforms and who with."
PCPD outlines PIPL's transfer requirementsDate: 27 Dec 2021
The Office of the Privacy Commissioner for Personal Data in Hong Kong released guidance on requirements for cross-border data transfers under China's Personal Information Protection Law. The guidance discusses processors' obligations to collect consent and perform data protection impact assessments.
The Office of the Privacy Commissioner for Personal Data in Hong Kong released guidance on requirements for cross-border data transfers under China's Personal Information Protection Law. The guidance discusses processors' obligations to collect consent and perform data protection impact assessments.
DuckDuckGo developing desktop browser with robust privacy protectionDate: 27 Dec 2021
DuckDuckGo is known for its privacy-focused search engine is now developing a robust privacy focused desktop browser. This will bring the same focus on avoiding being tracked to your entire web experience.
DuckDuckGo is known for its privacy-focused search engine is now developing a robust privacy focused desktop browser. This will bring the same focus on avoiding being tracked to your entire web experience.
Comparison of India's PDPB with EU GDPRDate: 27 Dec 2021
The JCP recommendations on the Personal Data Protection Bill are in some quite similar to global standards such as European Union’s General Data Protection Regulation, but differs in certain aspects. Similarities can be found in provisions for user consent, data breaches, anonymized data and enforcement.
The JCP recommendations on the Personal Data Protection Bill are in some quite similar to global standards such as European Union’s General Data Protection Regulation, but differs in certain aspects. Similarities can be found in provisions for user consent, data breaches, anonymized data and enforcement.
Breach of gaming company Ubisoft exposes data of video game playersDate: 27 Dec 2021
Ubisoft says data related to players of its Just Dance game may have been exposed in a breach of its IT systems. The company said impacted data was “limited to ‘technical identifiers’" and an investigation has not shown “that any Ubisoft account information has been compromised as a result of this incident.”
Ubisoft says data related to players of its Just Dance game may have been exposed in a breach of its IT systems. The company said impacted data was “limited to ‘technical identifiers’" and an investigation has not shown “that any Ubisoft account information has been compromised as a result of this incident.”
CNIL issues developer guidance and issues cookie compliance noticesDate: 20 Dec 2021
France's data protection authority, the Commission nationale de l'informatique et des libertés, published an updated guide to the EU GDPR for web and application developers highlighting the third-party cookies and other tracers. The CNIL also issued approximately 60 cookie compliance notices and 30 new orders to organizations for not offering users the ability to refuse cookies as easily as accepting them.
France's data protection authority, the Commission nationale de l'informatique et des libertés, published an updated guide to the EU GDPR for web and application developers highlighting the third-party cookies and other tracers. The CNIL also issued approximately 60 cookie compliance notices and 30 new orders to organizations for not offering users the ability to refuse cookies as easily as accepting them.
Irish DPC finalizes children's privacy guidelinesDate: 20 Dec 2021
Ireland's Data Protection Commission published its Fundamentals for a Child-Oriented Approach to Data Processing. The guidance introduce principles and recommended best practices for children's data protection during processing activities. The DPC said children "cannot be expected to manage this process themselves" and expects the guidelines to "create safer, more appropriate and more privacy-respecting online environments."
Ireland's Data Protection Commission published its Fundamentals for a Child-Oriented Approach to Data Processing. The guidance introduce principles and recommended best practices for children's data protection during processing activities. The DPC said children "cannot be expected to manage this process themselves" and expects the guidelines to "create safer, more appropriate and more privacy-respecting online environments."
Facebook notified nearly 50K users that may have been surveillance targetsDate: 20 Dec 2021
Nearly 50,000 Facebook users in more than 100 countries may have been targeted by surveillance companies. Facebook notified the users they may have been victims of hacking attempts by the companies working for government agencies or private clients. Facebook said it sent cease-and-desist letters to seven surveillance companies in four countries, removed 1,500 fake accounts and blocked malicious web addresses.
Nearly 50,000 Facebook users in more than 100 countries may have been targeted by surveillance companies. Facebook notified the users they may have been victims of hacking attempts by the companies working for government agencies or private clients. Facebook said it sent cease-and-desist letters to seven surveillance companies in four countries, removed 1,500 fake accounts and blocked malicious web addresses.
Canadian prime minister calls for enhanced consumer privacy protectionsDate: 20 Dec 2021
Canadian Prime Minister Justin Trudeau’s mandate letter to Minister of Innovation, Science and Industry François-Philippe Champagne includes a commitment to “enhance the privacy protections for consumers” and calls for “a clear set of rules that ensure fair competition in the online marketplace”. Trudeau also commits to ensuring that Canadians are protected from anti-consumer practices in critical sectors.
Canadian Prime Minister Justin Trudeau’s mandate letter to Minister of Innovation, Science and Industry François-Philippe Champagne includes a commitment to “enhance the privacy protections for consumers” and calls for “a clear set of rules that ensure fair competition in the online marketplace”. Trudeau also commits to ensuring that Canadians are protected from anti-consumer practices in critical sectors.
Patient sues Planned Parenthood Los Angeles over data breachDate: 20 Dec 2021
"A patient is suing Planned Parenthood Los Angeles over a ransomware attack that exposed records of more than 400,000 patients online. Filed in the U.S. District Court of Central California, the lawsuit claims the company violated data protection laws and the breach compromised sensitive medical information, exposing patients to identity and economic harms."
"A patient is suing Planned Parenthood Los Angeles over a ransomware attack that exposed records of more than 400,000 patients online. Filed in the U.S. District Court of Central California, the lawsuit claims the company violated data protection laws and the breach compromised sensitive medical information, exposing patients to identity and economic harms."
Indian Parliament likely to consider PDPB in December, 21Date: 13 Dec 2021
The Economic Times reports Indian Parliament is expected to table a Joint Parliamentary Committee's final report on the Personal Data Protection Bill and consider the proposed law Dec. 21 ahead of the end of its current legislative session Dec. 23. The bill that seeks to provide protection of personal data of individuals and establish a Data Protection Authority for the same, was brought in Parliament in 2019.
The Economic Times reports Indian Parliament is expected to table a Joint Parliamentary Committee's final report on the Personal Data Protection Bill and consider the proposed law Dec. 21 ahead of the end of its current legislative session Dec. 23. The bill that seeks to provide protection of personal data of individuals and establish a Data Protection Authority for the same, was brought in Parliament in 2019.
Irish DPC submits Article 60 draft decision on inquiry into InstagramDate: 13 Dec 2021
The Irish Data Protection Commission announced Tuesday it submitted an Article 60 draft decision inquiry into Instagram relating to the processing of personal data of children by Facebook Ireland. In addition to this Instagram inquiry, two other DPC inquiries into Facebook are currently at the Article 60 stage.”
The Irish Data Protection Commission announced Tuesday it submitted an Article 60 draft decision inquiry into Instagram relating to the processing of personal data of children by Facebook Ireland. In addition to this Instagram inquiry, two other DPC inquiries into Facebook are currently at the Article 60 stage.”
Phone mail-in repairs allegedly result in leaked dataDate: 13 Dec 2021
Two individuals in the last two weeks have claimed their private data and photographs were leaked from Google phones sent in for repair. Game designer and author Jane McGonigal said someone accessed her Gmail, Google Drive, photos and more. Google spokesperson Alex Moriconi said the company conducted a “thorough investigation” and said the issue was not related to its Return Merchandise Authorization process.
Two individuals in the last two weeks have claimed their private data and photographs were leaked from Google phones sent in for repair. Game designer and author Jane McGonigal said someone accessed her Gmail, Google Drive, photos and more. Google spokesperson Alex Moriconi said the company conducted a “thorough investigation” and said the issue was not related to its Return Merchandise Authorization process.
Microsoft seizes 42 US-based websites run by Chinese hacking groupDate: 13 Dec 2021
Microsoft’s request to seize 42 U.S.-based websites run by a Chinese hacking group was grnated by the Virginia federal court. Microsoft claims that it has been tracking the hacker group known as Nickel since 2016, is redirecting the websites’ traffic to secure Microsoft servers to “protect existing and future victims.”
Microsoft’s request to seize 42 U.S.-based websites run by a Chinese hacking group was grnated by the Virginia federal court. Microsoft claims that it has been tracking the hacker group known as Nickel since 2016, is redirecting the websites’ traffic to secure Microsoft servers to “protect existing and future victims.”
Dutch DPA fines tax authority 2.75M eurosDate: 13 Dec 2021
The Netherlands’ data protection authority fined the Tax and Customs Administration 2.75 million euros for data processing violations under the EU General Data Protection Regulation.
The Netherlands’ data protection authority fined the Tax and Customs Administration 2.75 million euros for data processing violations under the EU General Data Protection Regulation.
ICO hits Clearview AI Inc. with 17M GBP fine noticeDate: 07 Dec 2021
The U.K. Information Commissioner's Office announced intent to fine Clearview AI 17 million GBP for alleged misuse of scraped images and data, along with its use of facial recognition technology. In addition, the ICO has issued a provisional notice to stop further processing of the personal data of people in the UK and to delete it following alleged serious breaches of the UK’s data protection laws.
The U.K. Information Commissioner's Office announced intent to fine Clearview AI 17 million GBP for alleged misuse of scraped images and data, along with its use of facial recognition technology. In addition, the ICO has issued a provisional notice to stop further processing of the personal data of people in the UK and to delete it following alleged serious breaches of the UK’s data protection laws.
DNA testing company breach exposes personal data of 2M individualsDate: 07 Dec 2021
Ohio-based DNA Diagnostics Center reported the personal data of more than 2.1 million individuals was exposed in an “external hacking” incident, GovInfoSecurity reports. Exposed data includes Social Security numbers and payment information.
Ohio-based DNA Diagnostics Center reported the personal data of more than 2.1 million individuals was exposed in an “external hacking” incident, GovInfoSecurity reports. Exposed data includes Social Security numbers and payment information.
EU officials reach Data Governance Act agreementDate: 07 Dec 2021
The European Commission announced a provisional agreement with European Parliament and the Council of the European Union to move forward with the EU Data Governance Act. The proposed legislation creates a framework to help companies or individuals share data securely. European Commission Executive Vice President Margrethe Vestager called the DGA "a first building block for establishing a solid and fair data-driven economy." The draft Act was published by the European Commission on November 25, 2020.
The European Commission announced a provisional agreement with European Parliament and the Council of the European Union to move forward with the EU Data Governance Act. The proposed legislation creates a framework to help companies or individuals share data securely. European Commission Executive Vice President Margrethe Vestager called the DGA "a first building block for establishing a solid and fair data-driven economy." The draft Act was published by the European Commission on November 25, 2020.
Advocacy groups opposing the UK policing billDate: 07 Dec 2021
Human rights groups are pushing back against the proposed U.K. Police, Crime, Sentencing and Courts Bill. The measures will give police new powers to gather and share data on people allegedly involved in “serious violence”, but human rights champions and civil society groups claim this has the potential to undermine existing data rights and further entrench discriminatory policing practices.
Human rights groups are pushing back against the proposed U.K. Police, Crime, Sentencing and Courts Bill. The measures will give police new powers to gather and share data on people allegedly involved in “serious violence”, but human rights champions and civil society groups claim this has the potential to undermine existing data rights and further entrench discriminatory policing practices.
Tech manufacturer's file server accessed in cyberattackDate: 07 Dec 2021
Technology manufacturer Panasonic said data on a file server was accessed illegally during a cyberattack discovered on Nov. 11, ZDNet reports. The company said it immediately reported the incident to authorities, “implemented security countermeasures,” and is investigating the leak on its own and through a third-party organization to determine if it “involved customers" personal information and/or sensitive information related to social infrastructure.”
Technology manufacturer Panasonic said data on a file server was accessed illegally during a cyberattack discovered on Nov. 11, ZDNet reports. The company said it immediately reported the incident to authorities, “implemented security countermeasures,” and is investigating the leak on its own and through a third-party organization to determine if it “involved customers" personal information and/or sensitive information related to social infrastructure.”
Bank Millennium fined for failure to notify the breach and the data subjects about the incidentDate: 30 Nov 2021
The Personal Data Protection Office (UODO) learnt about the personal data breach from a complaint lodged against the bank. The complaint concerned the loss by a courier company of correspondence containing personal data, such as: name, surname, personal identification number (PESEL number), identification number assigned to the bank’s customers, etc. The complainants were informed about this fact by the bank, but the information was not sufficient as it did not meet the requirements set out in the GDPR.
The Personal Data Protection Office (UODO) learnt about the personal data breach from a complaint lodged against the bank. The complaint concerned the loss by a courier company of correspondence containing personal data, such as: name, surname, personal identification number (PESEL number), identification number assigned to the bank’s customers, etc. The complainants were informed about this fact by the bank, but the information was not sufficient as it did not meet the requirements set out in the GDPR.
GoDaddy breach exposes data of 1.2M WordPress usersDate: 30 Nov 2021
A security breach exposed email addresses and customer numbers of more than 1.2 million of web hosting company GoDaddy’s WordPress users. The company discovered unauthorized access by a third party to its Managed WordPress hosting environment Nov. 17. Some original WordPress Admin passwords were also exposed.
A security breach exposed email addresses and customer numbers of more than 1.2 million of web hosting company GoDaddy’s WordPress users. The company discovered unauthorized access by a third party to its Managed WordPress hosting environment Nov. 17. Some original WordPress Admin passwords were also exposed.
UAE president signs off on Personal Data Protection LawDate: 30 Nov 2021
Gulf News reports UAE President approved wide-ranging reforms to the country’s legal system, including passage of the Personal Data Protection Law. It constitutes an integrated framework to ensure the confidentiality of information and protect the privacy of community members by providing proper governance for optimal data management and protection, in addition to defining the rights and duties of all concerned parties.
Gulf News reports UAE President approved wide-ranging reforms to the country’s legal system, including passage of the Personal Data Protection Law. It constitutes an integrated framework to ensure the confidentiality of information and protect the privacy of community members by providing proper governance for optimal data management and protection, in addition to defining the rights and duties of all concerned parties.
Italy's antitrust regulator fines Google and Apple 10M euros for violation of Consumer CodeDate: 30 Nov 2021
Italy's Antitrust Authority, Autorita' Garante della Concorrenza e del Mercato, fined Google and Apple 10 million euros each for two violations of the Consumer Code, one for information deficiencies and another for aggressive practices regarding the acquisition and use of consumer data.
Italy's Antitrust Authority, Autorita' Garante della Concorrenza e del Mercato, fined Google and Apple 10 million euros each for two violations of the Consumer Code, one for information deficiencies and another for aggressive practices regarding the acquisition and use of consumer data.
PCPD Commissioner publishes details to better understand PIPLDate: 22 Nov 2021
Hong Kong’s Privacy Commissioner for Personal Data Ada Chung published a booklet on PIPL’s major requirements and a comparison to Hong Kong’s Personal Data (Privacy) Ordinance. This will help the public and businesses better understand China’s Personal Information Protection Law.
Hong Kong’s Privacy Commissioner for Personal Data Ada Chung published a booklet on PIPL’s major requirements and a comparison to Hong Kong’s Personal Data (Privacy) Ordinance. This will help the public and businesses better understand China’s Personal Information Protection Law.
CNIL recommends appropriate logging practicesDate: 22 Nov 2021
France's data protection authority, the Commission nationale de l’informatique et des libertés, published its recommendations for companies' data logging measures. For general logging practices, the CNIL recommends measures include traceability, data minimization and risk mitigation principles. The regulator also offered more targeted suggestions for specific companies.
France's data protection authority, the Commission nationale de l’informatique et des libertés, published its recommendations for companies' data logging measures. For general logging practices, the CNIL recommends measures include traceability, data minimization and risk mitigation principles. The regulator also offered more targeted suggestions for specific companies.
EDPB adopts guidance with data transfer clarificationsDate: 22 Nov 2021
The EDPB adopted Guidelines on the interplay between Art. 3 and Chapter V GDPR. By clarifying the interplay between the territorial scope of the GDPR (Art. 3) and the provisions on international transfers in Chapter V, the Guidelines aim to assist controllers and processors in the EU in identifying whether a processing operation constitutes an international transfer, and to provide a common understanding of the concept of international transfers.
The EDPB adopted Guidelines on the interplay between Art. 3 and Chapter V GDPR. By clarifying the interplay between the territorial scope of the GDPR (Art. 3) and the provisions on international transfers in Chapter V, the Guidelines aim to assist controllers and processors in the EU in identifying whether a processing operation constitutes an international transfer, and to provide a common understanding of the concept of international transfers.
US lawmakers reintroduce Online Privacy Act with improved provisionsDate: 22 Nov 2021
U.S. Reps. Anna G. Eshoo (CA-18) and Zoe Lofgren (CA-19) reintroduced the Online Privacy Act, legislation that creates user data rights, places limitations and obligations on companies collecting and using user data, and establishes the Digital Privacy Agency (DPA) to enforce privacy laws. The updated legislation includes several improved provisions and additional privacy protections, including adding an Office of Civil Rights in the DPA and authorizing state privacy regulators to enforce the legislation alongside state attorneys general.
U.S. Reps. Anna G. Eshoo (CA-18) and Zoe Lofgren (CA-19) reintroduced the Online Privacy Act, legislation that creates user data rights, places limitations and obligations on companies collecting and using user data, and establishes the Digital Privacy Agency (DPA) to enforce privacy laws. The updated legislation includes several improved provisions and additional privacy protections, including adding an Office of Civil Rights in the DPA and authorizing state privacy regulators to enforce the legislation alongside state attorneys general.
Yahoo ceases operations in ChinaDate: 16 Nov 2021
Yahoo is no longer offering its services in China, citing what a spokesman called “increasingly challenging business and legal environment". While Yahoo shut down certain services — including email and news — in China in 2013, its full exit coincides with the November 1 implementation of China’s Personal Information Protection Law.
Yahoo is no longer offering its services in China, citing what a spokesman called “increasingly challenging business and legal environment". While Yahoo shut down certain services — including email and news — in China in 2013, its full exit coincides with the November 1 implementation of China’s Personal Information Protection Law.
New Jersey companies agree to pay $130K for improper health care data disclosuresDate: 16 Nov 2021
The Office of the Attorney General of New Jersey announced two printing companies agreed to pay $130,000 after mishandling of personal health information exposed the personal and sensitive health data of 55,715 New Jerseyans in 2016. Command Marketing Innovations and Strategic Content Imaging failed to detect a printing error occurring between October and November 2016 that disclosed protected health data, including claim numbers, medical care dates and descriptions of service.
The Office of the Attorney General of New Jersey announced two printing companies agreed to pay $130,000 after mishandling of personal health information exposed the personal and sensitive health data of 55,715 New Jerseyans in 2016. Command Marketing Innovations and Strategic Content Imaging failed to detect a printing error occurring between October and November 2016 that disclosed protected health data, including claim numbers, medical care dates and descriptions of service.
Colorado construction company agrees to pay $63K after 2018 breachDate: 16 Nov 2021
The Colorado Office of the Attorney General announced SEMA Construction agreed to pay more than $63,000 after a data breach. In 2018, a phishing attack at the company exposed the personal information of nearly 2,000 individuals. The personal information, including Social Security numbers and financial information, was improperly stored in employee emails. While the company learned of the breach in 2019, it did not notify employees until 2020.
The Colorado Office of the Attorney General announced SEMA Construction agreed to pay more than $63,000 after a data breach. In 2018, a phishing attack at the company exposed the personal information of nearly 2,000 individuals. The personal information, including Social Security numbers and financial information, was improperly stored in employee emails. While the company learned of the breach in 2019, it did not notify employees until 2020.
Washington data breaches rose 500% in 2021Date: 16 Nov 2021
Washington state experienced a growth in data breaches across the board in 2021, according to the newly released 2021 Data Breach Report from the attorney general's office. Organizations sent out 6.3 million data breach notices to individuals across the state. There was a 500% increase in data breaches reported to the attorney general's office, going from 60 in 2020 to 280 in 2021.
Washington state experienced a growth in data breaches across the board in 2021, according to the newly released 2021 Data Breach Report from the attorney general's office. Organizations sent out 6.3 million data breach notices to individuals across the state. There was a 500% increase in data breaches reported to the attorney general's office, going from 60 in 2020 to 280 in 2021.
JPC reviewing India's PDPB expected to adopt final report on November 22Date: 16 Nov 2021
Several members of a JPC examining the data protection bill have opposed a proposal to reduce the penalty amount. The JPC was initially expected to adopt the report on November 12, but was unable to do so after additional amendments were proposed. It is now expected to be adopted on November 22.
Several members of a JPC examining the data protection bill have opposed a proposal to reduce the penalty amount. The JPC was initially expected to adopt the report on November 12, but was unable to do so after additional amendments were proposed. It is now expected to be adopted on November 22.
FTC updates Safeguards Rule to better protect consumers’ financial dataDate: 29 October 2021
The U.S. Federal Trade Commission announced updates to the Safeguards Rule, requiring financial institutions to develop, implement and maintain a comprehensive system to protect customers’ financial data. The updates "detail common-sense steps that these institutions must implement to protect consumer data from cyberattacks and other threats".
The U.S. Federal Trade Commission announced updates to the Safeguards Rule, requiring financial institutions to develop, implement and maintain a comprehensive system to protect customers’ financial data. The updates "detail common-sense steps that these institutions must implement to protect consumer data from cyberattacks and other threats".
Draft bill in Australia proposes higher privacy penalties, parental consent for minorsDate: 29 October 2021
The Australian government released a Privacy Act review discussion paper, along with a draft Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021. The bill would impose higher penalties for privacy violations, create a new Online Privacy Code and require social media companies to obtain parental consent for users under 16. The code would be developed by industry to regulate social media services, data brokers and large online platforms, including requirements for transparency on how they handle personal information.
The Australian government released a Privacy Act review discussion paper, along with a draft Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021. The bill would impose higher penalties for privacy violations, create a new Online Privacy Code and require social media companies to obtain parental consent for users under 16. The code would be developed by industry to regulate social media services, data brokers and large online platforms, including requirements for transparency on how they handle personal information.
Norway DPA fines municipality NOK 4MDate: 29 October 2021
Norway's data protection authority, Datatilsynet, announced a fine of NOK 4 million against municipality Ostre Toten due to security deficiencies that led to a ransom attack on its IT systems and data in January. The ransomware attack compromised all personal information of Ostre Toten residents and employees, some of which was later published online.
Norway's data protection authority, Datatilsynet, announced a fine of NOK 4 million against municipality Ostre Toten due to security deficiencies that led to a ransom attack on its IT systems and data in January. The ransomware attack compromised all personal information of Ostre Toten residents and employees, some of which was later published online.
Dental data breach impacts 125K patientsDate: 22 October 2021
A data breach of a dental administrative network potentially compromised the data and personal health information of 125,760 U.S. dental patients in 10 states. The system's data and email was accessed through a phishing scam by a bad actor at the end of March 2021, though the Professional Dental Alliance has yet to find any evidence of misuse of the data.
A data breach of a dental administrative network potentially compromised the data and personal health information of 125,760 U.S. dental patients in 10 states. The system's data and email was accessed through a phishing scam by a bad actor at the end of March 2021, though the Professional Dental Alliance has yet to find any evidence of misuse of the data.
EDPB adopts guidelines on restrictions of data subject rights under GDPR’s Article 23Date: 22 October 2021
The European Data Protection Board adopted a final version of its guidelines on restrictions of data subject rights under the EU General Data Protection Regulation’s Article 23. The guidelines aim to recall the conditions surrounding the use of such restrictions by Member States or the EU legislator in light of the Charter of Fundamental Rights and the GDPR.
The European Data Protection Board adopted a final version of its guidelines on restrictions of data subject rights under the EU General Data Protection Regulation’s Article 23. The guidelines aim to recall the conditions surrounding the use of such restrictions by Member States or the EU legislator in light of the Charter of Fundamental Rights and the GDPR.
Data scraped from 2.6 million Instagram and TikTok users exposed online by firmDate: 22 October 2021
Data scraped from 2.6 million Instagram and TikTok users was accidentally exposed online for more than a month by an analytics firm. Online safety review site Safety Detectives discovered the data on a server without any protections and found it belonged to marketing insight firm IGBlade.
Data scraped from 2.6 million Instagram and TikTok users was accidentally exposed online for more than a month by an analytics firm. Online safety review site Safety Detectives discovered the data on a server without any protections and found it belonged to marketing insight firm IGBlade.
CFPB orders six large tech companies to disclose payment system dataDate: 22 October 2021
The Consumer Financial Protection Bureau (CFPB) has ordered six technology platforms offering payment services to turn over information about their products, plans and practices when it comes to payments. The orders were issued to Google, Apple, Facebook, Amazon, Square, and PayPal.
The Consumer Financial Protection Bureau (CFPB) has ordered six technology platforms offering payment services to turn over information about their products, plans and practices when it comes to payments. The orders were issued to Google, Apple, Facebook, Amazon, Square, and PayPal.
Venice uses cellphone data, surveillance cameras to track touristsDate: 08 October 2021
City officials in Venice are collecting tourists' cellphone data and using surveillance cameras to monitor visitors to prevent crowding. Software can track individuals' speed and path of travel, as well as age, sex and country of origin. A data manager in Venice, Luca Corsato, said the city's "massive and constant" use of data is "dangerous."
City officials in Venice are collecting tourists' cellphone data and using surveillance cameras to monitor visitors to prevent crowding. Software can track individuals' speed and path of travel, as well as age, sex and country of origin. A data manager in Venice, Luca Corsato, said the city's "massive and constant" use of data is "dangerous."
Police reprimanded for illegal processing of personal data with facial recognition softwareDate: 08 October 2021
The Deputy Data Protection Ombudsman has issued a statutory reprimand to the National Police Board for illegal processing of special categories of personal data during a facial recognition technology trial. The National Bureau of Investigation unit specialising in the prevention of child sexual abuse had experimented with facial recognition technology in identifying potential victims.
The Deputy Data Protection Ombudsman has issued a statutory reprimand to the National Police Board for illegal processing of special categories of personal data during a facial recognition technology trial. The National Bureau of Investigation unit specialising in the prevention of child sexual abuse had experimented with facial recognition technology in identifying potential victims.
German DPA updates data transfer FAQDate: 08 October 2021
Baden-Württemberg Commissioner for Data Protection and Freedom of Information published a revised frequently-asked-questions document on international data transfers. The updates reflect the European Data Protection Board's guidance on the definitions of controller and processor under the EU General Data Protection Regulation while also reflecting consideration of the European Commission's new standard contractual clauses.
Baden-Württemberg Commissioner for Data Protection and Freedom of Information published a revised frequently-asked-questions document on international data transfers. The updates reflect the European Data Protection Board's guidance on the definitions of controller and processor under the EU General Data Protection Regulation while also reflecting consideration of the European Commission's new standard contractual clauses.
JPC to discuss India's draft PDPB changes during Oct. 20 meetingDate: 08 October 2021
The next meeting, likely to happen on October 20 under the Chairmanship of P P Chaudhary, will deliberate upon the proposal of including non-personal data as well. Other changes to the proposed Bill will also take place such as amendments to Section 91 (2), which so far says that the provisions of the PDP Bill would not apply to anonymised data.
The next meeting, likely to happen on October 20 under the Chairmanship of P P Chaudhary, will deliberate upon the proposal of including non-personal data as well. Other changes to the proposed Bill will also take place such as amendments to Section 91 (2), which so far says that the provisions of the PDP Bill would not apply to anonymised data.
IAB Europe suspends consent management firms as global privacy authorities signal tougher actionDate: 01 October 2021
Digiday reports the Interactive Advertising Bureau in Europe issued warnings to several companies that provide consent management services and suspended "one or two" consent management platforms for failing to comply with the Transparency and Consent Framework.
Digiday reports the Interactive Advertising Bureau in Europe issued warnings to several companies that provide consent management services and suspended "one or two" consent management platforms for failing to comply with the Transparency and Consent Framework.
Hong Kong passes anti-doxxing privacy billDate: 01 October 2021
Hong Kong passed an anti-doxxing privacy bill that empowers the Office of the Privacy Commissioner for Personal Data to investigate and prosecute doxxing incidents. The legislation is intended to "fight doxxing behavior that divides society, as early as possible."
Hong Kong passed an anti-doxxing privacy bill that empowers the Office of the Privacy Commissioner for Personal Data to investigate and prosecute doxxing incidents. The legislation is intended to "fight doxxing behavior that divides society, as early as possible."
JPC member: India’s PDPB needs state-level DPAsDate: 01 October 2021
Parliamentarian and member of the Joint Parliamentary Committee reviewing provisions of India’s draft Personal Data Protection Bill Amar Patnaik said state-level data protection authorities and a national watchdog are needed to ensure a robust law. The key amendments are under consideration of the House panel, which aims to table its report in the winter session of Parliament.
Parliamentarian and member of the Joint Parliamentary Committee reviewing provisions of India’s draft Personal Data Protection Bill Amar Patnaik said state-level data protection authorities and a national watchdog are needed to ensure a robust law. The key amendments are under consideration of the House panel, which aims to table its report in the winter session of Parliament.
California hospital hit with class action over data breachDate: 01 October 2021
A class-action lawsuit has been initiated against University of California San Diego Health for failing to protect the data following a phishing attack and data breach between Dec. 2020 and April 2021 that potentially exposed 495,949 individuals' data, including medical records, government identification numbers and financial account information.
A class-action lawsuit has been initiated against University of California San Diego Health for failing to protect the data following a phishing attack and data breach between Dec. 2020 and April 2021 that potentially exposed 495,949 individuals' data, including medical records, government identification numbers and financial account information.
UK investigates Afghan interpreter breachDate: 24 September 2021
The U.K.’s Ministry of Defense is investigating after the email addresses and pictures of more than 250 members of the Afghan Relocations Assistance Policy team were exposed in an email from the agency, Politico reports. “We apologize to everyone impacted by this breach and are working hard to ensure it does not happen again,” a spokesperson said.
The U.K.’s Ministry of Defense is investigating after the email addresses and pictures of more than 250 members of the Afghan Relocations Assistance Policy team were exposed in an email from the agency, Politico reports. “We apologize to everyone impacted by this breach and are working hard to ensure it does not happen again,” a spokesperson said.
CNIL released guidance on COVID-19 testing data breachDate: 24 September 2021
France’s data protection authority, the Commission nationale de l’informatique et des libertés, released guidance for the 1.4 million people impacted by a data breach of the Assistance Publique-Hôpitaux de Paris. The individuals affected tested positive for COVID-19 in mid-2020 and exposed data includes names, birthdates, Social Security numbers, addresses and test data.
France’s data protection authority, the Commission nationale de l’informatique et des libertés, released guidance for the 1.4 million people impacted by a data breach of the Assistance Publique-Hôpitaux de Paris. The individuals affected tested positive for COVID-19 in mid-2020 and exposed data includes names, birthdates, Social Security numbers, addresses and test data.
Hackers demand $5.9M to release data obtained in cyberattack; two health care orgs report data breachesDate: 24 September 2021
Iowa grain co-op New Cooperative was the victim of cyberattack. BlackMatter allegedly hacked into the co-op's system and encrypted more than 1,000 files containing invoices, research and other material. BlackMatter has demanded $5.9 million to release the data.
Iowa grain co-op New Cooperative was the victim of cyberattack. BlackMatter allegedly hacked into the co-op's system and encrypted more than 1,000 files containing invoices, research and other material. BlackMatter has demanded $5.9 million to release the data.
Brazilian government launches data protection campaignDate: 24 September 2021
Brazil's government launched a data protection guide to promote awareness with the general public. The report has been created in cooperation with the national data protection authority and details the rights of data users, including the right to opt out, how to protect personal information and what steps to take if they have been involved in a data breach.
Brazil's government launched a data protection guide to promote awareness with the general public. The report has been created in cooperation with the national data protection authority and details the rights of data users, including the right to opt out, how to protect personal information and what steps to take if they have been involved in a data breach.
NYC sued over food delivery data-sharing lawDate: 17 September 2021
DoorDash filed a suit against New York City in a Manhattan federal courts over a law that requires it to share personal data of customers with every restaurant that fulfills their order on DoorDash’s platform. DoorDash called it a ""shocking and invasive intrusion of consumers’ privacy.
DoorDash filed a suit against New York City in a Manhattan federal courts over a law that requires it to share personal data of customers with every restaurant that fulfills their order on DoorDash’s platform. DoorDash called it a ""shocking and invasive intrusion of consumers’ privacy.
Saudi Arabia approves Personal Data Protection LawDate: 17 September 2021
The Council of Ministers of Saudi Arabia approved the Personal Data Protection Law, which will take effect March 13, 2022. In a statement, Saudi Data & AI Authority President Abdullah bin Sharaf Alghamdi said the law will accelerate Saudi Arabia's digitization efforts while helping to create an information-based society.
The Council of Ministers of Saudi Arabia approved the Personal Data Protection Law, which will take effect March 13, 2022. In a statement, Saudi Data & AI Authority President Abdullah bin Sharaf Alghamdi said the law will accelerate Saudi Arabia's digitization efforts while helping to create an information-based society.
Reserve Bank receives Privacy Act compliance notice following data breachDate: 17 September 2021
The Reserve Bank of New Zealand received a compliance notice under the new Privacy Act. An independent review was conducted by KPMG after the December 2020 cyber attack which revealed ""multiple areas of non-compliance with Privacy Principle 5,” stating organizations must ensure reasonable safeguards to “prevent loss, misuse or disclosure of personal information.”
Reserve Bank Governor Adrian Orr said work is underway to address the issues.
The Reserve Bank of New Zealand received a compliance notice under the new Privacy Act. An independent review was conducted by KPMG after the December 2020 cyber attack which revealed ""multiple areas of non-compliance with Privacy Principle 5,” stating organizations must ensure reasonable safeguards to “prevent loss, misuse or disclosure of personal information.”
Reserve Bank Governor Adrian Orr said work is underway to address the issues.
SEC imposes fine of $10M on App Annie over data practicesDate: 17 September 2021
U.S. Securities and Exchange Commission imposed a $10 million settlement on App Annie, a mobile applications analytics company, in relation to allegations of insufficient disclosure of data practices, reported by The Wall Street Journal. Additionally, the firm's Co-Founder and former CEO Bertrand Schmitt was fined $300,000 for his role in the alleged malpractice.
U.S. Securities and Exchange Commission imposed a $10 million settlement on App Annie, a mobile applications analytics company, in relation to allegations of insufficient disclosure of data practices, reported by The Wall Street Journal. Additionally, the firm's Co-Founder and former CEO Bertrand Schmitt was fined $300,000 for his role in the alleged malpractice.
Hackers leaked 500,000 username and passwords of cybersecurity firm Fortinet VPN usersDate: 13 September 2021
Gizmodo reports a hacker group allegedly collected and leaked approximately 500,000 usernames and passwords of cybersecurity firm Fortinet VPN users on a dark web forum. The data is believed to have been accessed through a previously discovered security flaw, identified by federal agencies in April and subsequently patched by the company. The information reportedly belongs to 498,908 users and 12,856 devices from as many as 74 countries.
Gizmodo reports a hacker group allegedly collected and leaked approximately 500,000 usernames and passwords of cybersecurity firm Fortinet VPN users on a dark web forum. The data is believed to have been accessed through a previously discovered security flaw, identified by federal agencies in April and subsequently patched by the company. The information reportedly belongs to 498,908 users and 12,856 devices from as many as 74 countries.
French DPA imposed 1.75 million penalty against AG2R LA MONDIALEDate: 13 September 2021
CNIL carried out an inspection in 2019 at the AG2R LA MONDIALE group. CNIL considered that the company had failed to comply with Data retention period provided in articles 5-1-e and Information to be provided to data subjects based on article 13 and 14 of the GDPR. The company was storing the data of more than 2 million customers, including some of a health or bank details, beyond the legal retention periods allowed after the end of the contract.
CNIL carried out an inspection in 2019 at the AG2R LA MONDIALE group. CNIL considered that the company had failed to comply with Data retention period provided in articles 5-1-e and Information to be provided to data subjects based on article 13 and 14 of the GDPR. The company was storing the data of more than 2 million customers, including some of a health or bank details, beyond the legal retention periods allowed after the end of the contract.
Recent data breaches:Date: 13 September 2021
Howard University faced ransomware attack: The university’s network was shut down Tuesday and classes were canceled following a ransomware attack.
Data breach at US restaurant and gambling chain Dotty’s: It reported that malware was discovered on “certain computer systems” on January 16, 2021, allowing an unauthorized individual to gain access to, and copy, data.
Dallas Schools Data Breach Exposed Student, Parent, Teacher Personal Information: A data breach at the Dallas public school system earlier this month exposed the personal information of students, parents, teachers, and staff dating to 2010, revealed by system officials.
Howard University faced ransomware attack: The university’s network was shut down Tuesday and classes were canceled following a ransomware attack.
Data breach at US restaurant and gambling chain Dotty’s: It reported that malware was discovered on “certain computer systems” on January 16, 2021, allowing an unauthorized individual to gain access to, and copy, data.
Dallas Schools Data Breach Exposed Student, Parent, Teacher Personal Information: A data breach at the Dallas public school system earlier this month exposed the personal information of students, parents, teachers, and staff dating to 2010, revealed by system officials.
Irish DPC hits WhatsApp with 225M euro GDPR fineDate: 03 September 2021
The long-awaited EU General Protection Regulation enforcement from Ireland's Data Protection Commission against WhatsApp has arrived. A fine of 225 million euro was announced on September 2 by DPC against the messaging platform for violations of GDPR transparency principles.
The long-awaited EU General Protection Regulation enforcement from Ireland's Data Protection Commission against WhatsApp has arrived. A fine of 225 million euro was announced on September 2 by DPC against the messaging platform for violations of GDPR transparency principles.
ICO fines increased 1580% in 2020-2021Date: 03 September 2021
An analysis conducted by law firm RPC found the U.K. Information Commissioner's Office issued 42 million GBP in fines in the financial year 2020-2021. The 42 million GPB total represents a 1580% increase from the previous year. A large amount of the figure comes from penalties issued against British Airways and Marriott International for their respective data breaches.
An analysis conducted by law firm RPC found the U.K. Information Commissioner's Office issued 42 million GBP in fines in the financial year 2020-2021. The 42 million GPB total represents a 1580% increase from the previous year. A large amount of the figure comes from penalties issued against British Airways and Marriott International for their respective data breaches.
Israel DPA says collecting employee location is a privacy violationDate: 03 September 2021
Israel’s Privacy Protection Authority issued an opinion on employers collecting and monitoring employee location data, saying it violates employee privacy. The practice creates "a constant state of surveillance" and violates an employee's right to privacy "even when activities are monitored within the working day."
Israel’s Privacy Protection Authority issued an opinion on employers collecting and monitoring employee location data, saying it violates employee privacy. The practice creates "a constant state of surveillance" and violates an employee's right to privacy "even when activities are monitored within the working day."
Dutch advocacy groups file children's privacy claim against TikTokDate: 03 September 2021
Netherlands-based advocacy groups are leading a new lawsuit against ByteDance, the parent company to video platform TikTok, over alleged children's privacy allegations. The Take Back Your Privacy Foundation and the Consumentenbond are suing for 2 billion euros in damages for deemed "pure exploitation" of 1.5 million Dutch minors.
Netherlands-based advocacy groups are leading a new lawsuit against ByteDance, the parent company to video platform TikTok, over alleged children's privacy allegations. The Take Back Your Privacy Foundation and the Consumentenbond are suing for 2 billion euros in damages for deemed "pure exploitation" of 1.5 million Dutch minors.
Malta DPA publishes cookie consent guidanceDate: 27 August 2021
The Office of the Information and Data Protection Commissioner of Malta published guidance on cookie consent requirements based on the ePrivacy Directive and the EU General Data Protection Regulation and lists practices not compliant with data protection rules, such as cookie walls and pre-ticked boxes.
The Office of the Information and Data Protection Commissioner of Malta published guidance on cookie consent requirements based on the ePrivacy Directive and the EU General Data Protection Regulation and lists practices not compliant with data protection rules, such as cookie walls and pre-ticked boxes.
Danish DPA conducting security inspections with 30 organizationsDate: 27 August 2021
The Danish data protection authority, Datatilsynet, is conducting written security inspections for 30 organizations. The security inspections cover their maturity in the areas of data protection and security. The DPA also published guidance for data controllers regarding bodycams.
The Danish data protection authority, Datatilsynet, is conducting written security inspections for 30 organizations. The security inspections cover their maturity in the areas of data protection and security. The DPA also published guidance for data controllers regarding bodycams.
OAIC releases latest data breach reportDate: 27 August 2021
The Office of the Australian Information Commissioner published the newest iteration of its Notifiable Data Breaches Report, which covers activity from January to June. OAIC received 446 breach notifications during the period and saw a 24% rise in ransomware attacks from the prior reporting period.
The Office of the Australian Information Commissioner published the newest iteration of its Notifiable Data Breaches Report, which covers activity from January to June. OAIC received 446 breach notifications during the period and saw a 24% rise in ransomware attacks from the prior reporting period.
Irish DPC launches investigation into Public Services CardsDate: 27 August 2021
The Irish Data Protection Commission launched an investigation into the State's Public Services Card, The Irish Examiner reports. The DPC's probe comes after 670 complaints were made regarding alternate uses of the card, which are only meant to serve for welfare purposes.
The Irish Data Protection Commission launched an investigation into the State's Public Services Card, The Irish Examiner reports. The DPC's probe comes after 670 complaints were made regarding alternate uses of the card, which are only meant to serve for welfare purposes.
China adopts Personal Information Protection LawDate: 24 August 2021
The top legislative body in the People's Republic of China voted to adopt a new national privacy law. The Standing Committee of the National People's Congress passed the Personal Information Protection Law at a meeting in Beijing. PIPL will take effect from November 1, 2021. Though some of the commercial aspects of the law resemble the GDPR, PIPL will not prevent the PRC's central government from accessing data.
The top legislative body in the People's Republic of China voted to adopt a new national privacy law. The Standing Committee of the National People's Congress passed the Personal Information Protection Law at a meeting in Beijing. PIPL will take effect from November 1, 2021. Though some of the commercial aspects of the law resemble the GDPR, PIPL will not prevent the PRC's central government from accessing data.
US Department of State is potential cyberattack victim, and other data breach newsDate: 24 August 2021
The U.S. Department of State is the victim of a potentially serious data breach, but details have not been disclosed. “The Department takes seriously its responsibility to safeguard its information and continuously takes steps to ensure information is protected,” a spokesperson said, adding they could not discuss specifics. The Wall Street Journal reports the information companies collect may increase potential damages from data breach incidents.
The U.S. Department of State is the victim of a potentially serious data breach, but details have not been disclosed. “The Department takes seriously its responsibility to safeguard its information and continuously takes steps to ensure information is protected,” a spokesperson said, adding they could not discuss specifics. The Wall Street Journal reports the information companies collect may increase potential damages from data breach incidents.
US Census Bureau accused of mishandling 2020 breachDate: 24 August 2021
The U.S. Department of Commerce's Office of the Inspector General released a report revealing missteps by the U.S. Census Bureau in relation to a 2020 server breach. OIG found the bureau did not conduct sufficient scans of IT assets or notify government officials about the incident and continued to run the affected servers post-incident despite being outdated and unsupported.
The U.S. Department of Commerce's Office of the Inspector General released a report revealing missteps by the U.S. Census Bureau in relation to a 2020 server breach. OIG found the bureau did not conduct sufficient scans of IT assets or notify government officials about the incident and continued to run the affected servers post-incident despite being outdated and unsupported.
NITDA fines Soko Loans N10m for invasion of privacyDate: 24 August 2021
The National Information Technology Development Agency (NITDA) has slammed a N10 million sanction on an online lending platform, Soko Lending Company Limited (Soko Loans), for privacy invasion. This was after a series of complaints against the company for unauthorized disclosures, failure to protect customers’ personal data and defamation of character as well as not carrying out the necessary due diligence as enshrined in the Nigeria Data Protection Regulation (NDPR).
The National Information Technology Development Agency (NITDA) has slammed a N10 million sanction on an online lending platform, Soko Lending Company Limited (Soko Loans), for privacy invasion. This was after a series of complaints against the company for unauthorized disclosures, failure to protect customers’ personal data and defamation of character as well as not carrying out the necessary due diligence as enshrined in the Nigeria Data Protection Regulation (NDPR).
China rebukes 43 apps including Tencent's WeChat for breaking data transfer rulesDate: 24 August 2021
China's Ministry of Industry and Information Technology (MIIT) said that 43 apps, including Tencent Holdings Ltd.’s WeChat, were found to have illegally transferred user data, and ordered their parent companies to make rectifications. The move comes as Chinese authorities tighten regulatory oversight on a range of industry, with a particular emphasis on privacy and data.
China's Ministry of Industry and Information Technology (MIIT) said that 43 apps, including Tencent Holdings Ltd.’s WeChat, were found to have illegally transferred user data, and ordered their parent companies to make rectifications. The move comes as Chinese authorities tighten regulatory oversight on a range of industry, with a particular emphasis on privacy and data.
Social media platforms secure Afghans' privacyDate: 24 August 2021
Facebook, Twitter and LinkedIn moved to increase the privacy of accounts belonging to citizens of Afghanistan to combat potential targeting in the wake of the Taliban seizing control of the country. All three platforms are providing varying levels of increased security, ranging from limiting account searchability to accepting requests to delete archived communications.
Facebook, Twitter and LinkedIn moved to increase the privacy of accounts belonging to citizens of Afghanistan to combat potential targeting in the wake of the Taliban seizing control of the country. All three platforms are providing varying levels of increased security, ranging from limiting account searchability to accepting requests to delete archived communications.
Data brokers advertise US military personnel dataDate: 24 August 2021
A survey of 10 data brokers in a report for Duke University’s Sanford School of Public Policy’s Cyber Policy Program found they advertise sensitive data on U.S. individuals, including military personnel. The data included demographic information, political preferences and beliefs, and real-time GPS locations.
A survey of 10 data brokers in a report for Duke University’s Sanford School of Public Policy’s Cyber Policy Program found they advertise sensitive data on U.S. individuals, including military personnel. The data included demographic information, political preferences and beliefs, and real-time GPS locations.
Norwegian DPA: Moss Municipal Council finedDate: 16 August 2021
The Norwegian Data Protection Authority has imposed a EUR 50,000 (NOK 500,000) fine on Moss Municipal Council for failing to adequately protect personal data. In connection with the amalgamation of the municipalities of Rygge and Moss in January 2020, efforts were made to combine the use of IT systems for various municipal service areas. Moss Council itself reported that aspects of its data processing violated the requirements for confidentiality, integrity, and accessibility.
The Norwegian Data Protection Authority has imposed a EUR 50,000 (NOK 500,000) fine on Moss Municipal Council for failing to adequately protect personal data. In connection with the amalgamation of the municipalities of Rygge and Moss in January 2020, efforts were made to combine the use of IT systems for various municipal service areas. Moss Council itself reported that aspects of its data processing violated the requirements for confidentiality, integrity, and accessibility.
Fine for a company for carrying out direct marketing with robocalls without consentDate: 16 August 2021
The Data Protection Ombudsman’s sanctions board has imposed a fine on publisher of magazine due to data protection violations related to direct marketing. The Office of the Data Protection Ombudsman received four complaints from persons who stated that they received direct marketing for a magazine published by the controller in the form of robocalls. The complainants were not able to exercise their rights as data subjects in accordance with the GDPR, because the robot could not understand the question of where the data subjects’ personal data was obtained from, for instance.
The Data Protection Ombudsman’s sanctions board has imposed a fine on publisher of magazine due to data protection violations related to direct marketing. The Office of the Data Protection Ombudsman received four complaints from persons who stated that they received direct marketing for a magazine published by the controller in the form of robocalls. The complainants were not able to exercise their rights as data subjects in accordance with the GDPR, because the robot could not understand the question of where the data subjects’ personal data was obtained from, for instance.
Coordinated German investigation of international data transfersDate: 16 August 2021
Companies’ data transfers to countries outside the European Union or the European Economic Area (third countries) are reviewed as part of a nationwide investigation. The Court has made clear its expectation that authorities "suspend or prohibit" transfers which do not match the criteria of the Schrems-II-decision.
Companies’ data transfers to countries outside the European Union or the European Economic Area (third countries) are reviewed as part of a nationwide investigation. The Court has made clear its expectation that authorities "suspend or prohibit" transfers which do not match the criteria of the Schrems-II-decision.
Dutch DPA: TikTok fined for violating children’s privacyDate: 16 August 2021
TikTok was fined € 750,000 for violating the privacy of young children by Dutch Data Protection Authority (DPA). The information provided by TikTok to Dutch users while installing and using the app was in English and thus not readily understandable for all users, many of whom are young children.
TikTok was fined € 750,000 for violating the privacy of young children by Dutch Data Protection Authority (DPA). The information provided by TikTok to Dutch users while installing and using the app was in English and thus not readily understandable for all users, many of whom are young children.
Zimbabwe on the peak of finalizing data protection lawDate: 06 August 2021
Zimbabwe's Cybersecurity and Data Protection Bill is headed for presidential approval after passing the Senate of Zimbabwe reported by Techzim. The proposed law includes data processor and controller requirements, rules for data collection, codes of conduct provisions for international transfers and more.
Zimbabwe's Cybersecurity and Data Protection Bill is headed for presidential approval after passing the Senate of Zimbabwe reported by Techzim. The proposed law includes data processor and controller requirements, rules for data collection, codes of conduct provisions for international transfers and more.
Japan publishes data transfer guideDate: 06 August 2021
A draft guide on international data transfers has been published by Japan's data protection authority, the Personal Information Protection Commission. The guide covers the criteria countries must meet to match Japan's Act on the Protection of Personal Information and includes responses to comments made during previous consultation periods.
A draft guide on international data transfers has been published by Japan's data protection authority, the Personal Information Protection Commission. The guide covers the criteria countries must meet to match Japan's Act on the Protection of Personal Information and includes responses to comments made during previous consultation periods.
Garante serves up 2.5M euro fine over gig worker privacyDate: 06 August 2021
A 2.5 million euro fine has been laid on food delivery service Deliveroo for improperly processing workers' personal data by Italy's data protection authority Garante. Deliveroo's violations stemmed from "the lack of transparency of the algorithms used to manage" approximately 8,000 contract workers. It was found that the Deliveroo used geolocation data to track workers beyond purpose limitation principles under the EU General Data Protection Regulation.
A 2.5 million euro fine has been laid on food delivery service Deliveroo for improperly processing workers' personal data by Italy's data protection authority Garante. Deliveroo's violations stemmed from "the lack of transparency of the algorithms used to manage" approximately 8,000 contract workers. It was found that the Deliveroo used geolocation data to track workers beyond purpose limitation principles under the EU General Data Protection Regulation.
Zoom agrees to pay $85M to settle privacy lawsuitDate: 03 August 2021
Reuters reports Zoom will pay $85 million and upgrade its security practices as part of a preliminary class-action settlement over privacy claims filed to the U.S. District Court for the Northern District of California. The settlement still needs approval from U.S. District Judge Lucy Koh.
Reuters reports Zoom will pay $85 million and upgrade its security practices as part of a preliminary class-action settlement over privacy claims filed to the U.S. District Court for the Northern District of California. The settlement still needs approval from U.S. District Judge Lucy Koh.
Amazon faces $888M GDPR fineDate: 03 August 2021
Amazon is issued with the largest ever penalty of 746 million euros ($888 million) for violating the EU's strict data protection laws, known as the GDPR. Regulators are concerned that the company's data processing policies violate privacy protections for consumers. The investigation into Amazon was based on a 2018 complaint by French privacy group La Quadrature du Net Which claims to represent the interests of thousands of Europeans.
Amazon is issued with the largest ever penalty of 746 million euros ($888 million) for violating the EU's strict data protection laws, known as the GDPR. Regulators are concerned that the company's data processing policies violate privacy protections for consumers. The investigation into Amazon was based on a 2018 complaint by French privacy group La Quadrature du Net Which claims to represent the interests of thousands of Europeans.
VPN supplier caught without encryptionDate: 29 July 2021
Ars Technica reports Ukranian authorities confiscated unencrypted servers from Canadian virtual private network provider Windscribe. Windscribe acknowledged potential consequences of leaving the servers unsecured, including conditions that would allow a hacker to overtake systems and view web traffic and most messages. Windscribe Director Yegor Sak said no user data "was or is at risk" while noting "security measures that should have been in place were not."
Ars Technica reports Ukranian authorities confiscated unencrypted servers from Canadian virtual private network provider Windscribe. Windscribe acknowledged potential consequences of leaving the servers unsecured, including conditions that would allow a hacker to overtake systems and view web traffic and most messages. Windscribe Director Yegor Sak said no user data "was or is at risk" while noting "security measures that should have been in place were not."
A look at the California attorney general's cookie-related enforcement lettersDate: 29 July 2021
CCPA-related enforcement letters sent to companies recently by Rob Bonta, the state’s AG, make clear his position that data tracking for advertising and analytics purposes, including cookie-based tracking, fits within the CCPA’s definition of a data “sale.” It was revealed that letters companies have received, ask them to provide details about data sharing specifically in relation to their use of cookies and other tracking technologies for ads and analytics.
CCPA-related enforcement letters sent to companies recently by Rob Bonta, the state’s AG, make clear his position that data tracking for advertising and analytics purposes, including cookie-based tracking, fits within the CCPA’s definition of a data “sale.” It was revealed that letters companies have received, ask them to provide details about data sharing specifically in relation to their use of cookies and other tracking technologies for ads and analytics.
NPC to consider final passage of China's PIPLDate: 29 July 2021
National People's Congress of China's in its 30th meeting to be held on August 17 to 20 will read China's Personal Information Protection Law for the third and final time. If the law is read without further objection, the PIPL will be enacted following the reading.
National People's Congress of China's in its 30th meeting to be held on August 17 to 20 will read China's Personal Information Protection Law for the third and final time. If the law is read without further objection, the PIPL will be enacted following the reading.
OAIC released report on Uber’s 2016 data breach affecting 57 million individualsDate: 29 July 2021
The Office of the Australian Information Commissioner released a report on its investigation of Uber's 2016 data breach that affected 57 million individuals. OAIC will not issue a fine because the 1.2 million Australians affected did not file complaints. However, Uber will be required to create and maintain an information security program and appoint a coordinator to lead the initiative.
The Office of the Australian Information Commissioner released a report on its investigation of Uber's 2016 data breach that affected 57 million individuals. OAIC will not issue a fine because the 1.2 million Australians affected did not file complaints. However, Uber will be required to create and maintain an information security program and appoint a coordinator to lead the initiative.
US companies sued over ransomware harmsDate: 29 July 2021
The Washington Post reported that the workers and consumers affected by the recent wave of ransomware attacks in the U.S. have begun filing lawsuits seeking damages from the incidents. Some of the companies sued for insufficient cybersecurity measures that resulted in various forms of harm to individuals are Colonial Pipeline and California-based hospital system Scripps Health.
The Washington Post reported that the workers and consumers affected by the recent wave of ransomware attacks in the U.S. have begun filing lawsuits seeking damages from the incidents. Some of the companies sued for insufficient cybersecurity measures that resulted in various forms of harm to individuals are Colonial Pipeline and California-based hospital system Scripps Health.
EDPB adopts urgent binding decision on Facebook-WhatsApp data sharingDate: 16 July 2021
The EDPB decided that the conditions to demonstrate the existence of an infringement and an urgency are not met. Therefore, the EDPB decided that no final measures need to be adopted by the Irish SA against Facebook IE in this case.
The EDPB decided that the conditions to demonstrate the existence of an infringement and an urgency are not met. Therefore, the EDPB decided that no final measures need to be adopted by the Irish SA against Facebook IE in this case.
Colorado Privacy Act signed into lawDate: 16 July 2021
The Colorado General Assembly passed the Colorado Privacy Act (CPA), Senate Bill 21-109, on June 8, 2021. Colorado’s governor, Jared Polis signed the Colorado Privacy Act (“CPA”) into law on July 7th, 2021. It will be effective from July 1, 2023.
The Colorado General Assembly passed the Colorado Privacy Act (CPA), Senate Bill 21-109, on June 8, 2021. Colorado’s governor, Jared Polis signed the Colorado Privacy Act (“CPA”) into law on July 7th, 2021. It will be effective from July 1, 2023.
Lawmakers introduce Ohio Personal Privacy ActDate: 16 July 2021
House Bill 376, also known as the Ohio Personal Personal Privacy Act (OPPA), contains standard data subject rights and attorney general enforcement, HB 376 also carries a threshold for businesses generating more than $25 million gross revenue in Ohio and provides a safe harbor to companies complying with the U.S.
House Bill 376, also known as the Ohio Personal Personal Privacy Act (OPPA), contains standard data subject rights and attorney general enforcement, HB 376 also carries a threshold for businesses generating more than $25 million gross revenue in Ohio and provides a safe harbor to companies complying with the U.S.
No extension granted for Indian privacy bill joint committeeDate: 16 July 2021
There will not be an extension for the joint committee on the Personal Data Protection Bill, 2019 says Lok Sabha Speaker Om Birla. The Hindu Business Line reports. "Most of the work of the committee is over”
There will not be an extension for the joint committee on the Personal Data Protection Bill, 2019 says Lok Sabha Speaker Om Birla. The Hindu Business Line reports. "Most of the work of the committee is over”
No 'one-size-fits-all approach' to EU anonymization standardsDate: 16 July 2021
The EU GDPR being one of the most influential data privacy laws in the world, but one of its most important provisions is unclear. Some privacy experts said that “it’s unclear anyone really knows what ‘anonymization’ means in practice.” They explore conflicting regulatory guidance and how organizations can best comply with anonymization requirements, saying there is “no one-size-fits-all approach.”
The EU GDPR being one of the most influential data privacy laws in the world, but one of its most important provisions is unclear. Some privacy experts said that “it’s unclear anyone really knows what ‘anonymization’ means in practice.” They explore conflicting regulatory guidance and how organizations can best comply with anonymization requirements, saying there is “no one-size-fits-all approach.”
Coordinated German investigation of international data transfersDate: 16 July 2021
Companies’ data transfers to countries outside the EU or the EEA (third countries) are reviewed as part of a nationwide investigation. The Court ruled that data transfers to the U.S. can no longer be made based on the Privacy Shield adequacy decision. The German data protection authorities participating in the inspection have contacted companies individually with standardized questionnaires.
Companies’ data transfers to countries outside the EU or the EEA (third countries) are reviewed as part of a nationwide investigation. The Court ruled that data transfers to the U.S. can no longer be made based on the Privacy Shield adequacy decision. The German data protection authorities participating in the inspection have contacted companies individually with standardized questionnaires.
Italian DPA fines food delivery app 2.6M euros for GDPR violationsDate: 07 July 2021
Italy's data protection authority, the Garante, fined food delivery application Foodinho 2.6 million euros for violations of the EU General Data Protection Regulation. The DPA found the app violated GDPR principles around transparency and lawfulness of processing and cited illegal algorithmic discrimination against certain employees.
Italy's data protection authority, the Garante, fined food delivery application Foodinho 2.6 million euros for violations of the EU General Data Protection Regulation. The DPA found the app violated GDPR principles around transparency and lawfulness of processing and cited illegal algorithmic discrimination against certain employees.
Ransomware attack hits hundreds of businesses globallyDate: 07 July 2021
WASHINGTON, July 5 (Reuters) - Between 800 and 1,500 businesses around the world have been affected by a ransomware attack centred on U.S. information technology firm Kaseya, its chief executive said on Monday.
WASHINGTON, July 5 (Reuters) - Between 800 and 1,500 businesses around the world have been affected by a ransomware attack centred on U.S. information technology firm Kaseya, its chief executive said on Monday.
British Airways, US grocer reach breach settlements and more privacy litigation newsDate: 07 July 2021
Reuters reports British Airways settled a class suit, paying out an undisclosed sum to customers and staff involved in its 2018 data breach.
Reuters reports British Airways settled a class suit, paying out an undisclosed sum to customers and staff involved in its 2018 data breach.
The latest updates on recent data breachesDate: 07 July 2021
The personal information of more than 40,000 UofL Health patients was mistakenly emailed to an address outside of the Kentucky-based health care system’s network, Info Security Magazine reports.
Renown Health announced a data breach of its cloud-based storage provider may have exposed health data of patients in Nevada
Data of 700 million LinkedIn users was posted for sale by a user on RaidForums, Forbes reports.
The personal information of more than 40,000 UofL Health patients was mistakenly emailed to an address outside of the Kentucky-based health care system’s network, Info Security Magazine reports.
Renown Health announced a data breach of its cloud-based storage provider may have exposed health data of patients in Nevada
Data of 700 million LinkedIn users was posted for sale by a user on RaidForums, Forbes reports.
EDPB to address codes of conduct as transfer toolDate: 07 July 2021
The European Data Protection Board announced the agenda for its 51st plenary session, which includes discussion on guidelines for using codes of conduct as an international data transfer mechanism. The EDPB also plans to consider guidance on the concepts for controllers and processors.
The European Data Protection Board announced the agenda for its 51st plenary session, which includes discussion on guidelines for using codes of conduct as an international data transfer mechanism. The EDPB also plans to consider guidance on the concepts for controllers and processors.
FTC's FY25 budget request includes the requirements for enforcementDate: 18 March 2024
In its 2025 budget proposal, the U.S. Federal Trade Commission stated that it would require an extra 55 employees to support its enforcement activities. Of these, 10 would be devoted to the growing complexity of privacy concerns and the advancement of artificial intelligence in the advertising sector. USD 535 million was the projected amount for the suggested request for total financial resources.
In its 2025 budget proposal, the U.S. Federal Trade Commission stated that it would require an extra 55 employees to support its enforcement activities. Of these, 10 would be devoted to the growing complexity of privacy concerns and the advancement of artificial intelligence in the advertising sector. USD 535 million was the projected amount for the suggested request for total financial resources.
Related News
Related News
- A regulatory roadmap to AI and privacy April 26, 2024
- Unpacking FISA Section 702 reauthorization April 26, 2024
- A view from DC: Maryland's data minimization ups the ante April 26, 2024
- The aftermath of UnitedHealth Group's large-scale data breach April 26, 2024
- A view from Brussels: To be sovereign, or not to be April 26, 2024
- Advocacy group seeks investigation into pregnancy centers' privacy practices April 26, 2024
- ByteDance prefers US TikTok ban over divesture April 26, 2024
- The top 5 most-read articles for the week of 22 April 2024 April 26, 2024
- ANPD unveils efforts to streamline DSAR process April 26, 2024
- Ransomware most prevalent in firm's annual security incident report April 26, 2024
- European Commission releases Q&A on Health Data Space proposal April 26, 2024
- What the proposed APRA could mean for the AI policy landscape April 25, 2024
- Upper Tribunal dismisses ICO's appeal in Experian case April 25, 2024
- EU will not follow US on potential TikTok ban April 25, 2024
- Czech Republic DPA issues CZK351M GDPR fine April 25, 2024
- European Parliament approves Health Data Space April 25, 2024
- CJEU opinion addresses use of 'manifestly public' data for targeted ads April 25, 2024
- CPPA announces statewide consultations on latest rulemaking initiatives April 25, 2024
- MEPs weigh in on proposed UK data transfer changes April 25, 2024
- European Commission's proposed 'cookie pledge' lacks commitments April 25, 2024