Issue 104

Enforcement updates

Belgian Data Protection Watchdog proposes to fine IAB Europe over consent pop-ups

The Belgian data protection authority notified a draft ruling against the Interactive Advertising Bureau (‘IAB’) Europe, in which it held that IAB’s operations have resulted in infringement of the GDPR. Specifically, the authority noted that IAB’s Transparency & Consent Framework, under which ‘TC Strings’ are sent to online users in order to record their choices and consent for processing data for advertising purposes, violates the GDPR. The authority noted that choices recorded by pop-ups or TC Strings are personal data under the GDPR and that IAB is the data controller in this regard. Following the notification of the draft ruling, IAB faces the prospect of a large fine for GDPR violations.

Health Service Provider found in violation of Israel’s Privacy Law

Israel’s data protection authority announced that it has finalized its investigation against a health service provider, Maccabi Health Services, and found it to be in violation of Israel’s Protection of Privacy Law. The authority noted that Maccabi Health had sent an SMS-based questionnaire on diabetes to individuals, in which personal and health information of these subjects was revealed to incorrect recipients. The authority’s findings also revealed several other compliance lapses in Maccabi Health Services’ privacy program, and it ordered the company to cure all the privacy defects at the earliest.

Norwegian municipality and auto parts company face enforcement action by Danish Data Protection Authority

The Danish data protection authority (‘Datatilsynet’) recently published an order criticizing the data privacy and protection practices of an auto parts company, T.Hansen Gruppen A/S, and ordered it to cure defects in its GDPR compliance at the earliest. The inquiry was initiated on the basis of a complaint alleging that a customer’s personal data was accessed without authorization and processed erroneously. The inquiry by the authority further revealed that the company’s data protection and processing activities were not in compliance with the GDPR. Consequently, the authority ordered the company to make rectifications in its data protection and privacy compliance.

Datatilsynet also fined Østre Toten municipality NOK 4 million for failing to maintain appropriate technological and organizational security measures as required under the GDPR. It was reported that the IT servers of the municipality suffered a ransomware attack in which the threat actor gained access to personal data of municipality residents and put it on the dark web. Consequently, the authority noted that the municipality failed to take appropriate steps to secure its IT servers. In addition to the fine, the authority also asked the municipality to record and document its measures and carry out risk assessment exercises.

Guidance updates

  • The Ibero-American Data Protection Network releases guidance on adopting model contractual clauses.
  • Philippines National Privacy Commission releases mark of certification for data protection compliance.
  • Portuguese Data Protection Authority publishes opinion on draft law on the use of surveillance by security forces. Highlights issues with data privacy.

Regulatory updates around the globe 

  • Notice regarding extensive territorial applicability and scope of Personal Information Protection Law published by Macau’s data protection authority.
  • Discussions on the draft personal data protection bill resume in Indonesia. Law likely to be passed in the next session of parliament.
  • New York bill requiring employers to notify employees regarding electronic monitoring activities signed into law.

French updates

  • Guidance on role of Data Protection Officer released by CNIL.
  • CNIL adopts new standard on the processing of data within health data warehouses.
  • Recommendation on data logging tools adopted by CNIL.

China updates

  • Cyberspace Administration of China released Network Data Security Management Regulations for Public Comments.
  • National Information Security Standardization Technical Committee requests comments on guidelines for the identification of personal information on instant messaging platforms.

US updates

  • Federal Trade Commission to strengthen enforcement action on ‘dark patterns’ as part of new policy.
  • National Institute of Standards and Technology released a report on Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management.
  • Federal Trade Commission publishes a guide on steps to be taken by small businesses to protect themselves against ransomware risks.

EU updates

  • Advocate General of European Court of Justice argues that bulk data retention of personal data by European authorities is illegal.
  • EDPB issues clarification detailing interplay between Article 3 and Chapter 5 of the GDPR.

India updates

  • Government proposes a unified database to record births and deaths and link it with Aadhaar. Sparks privacy concerns.
  • UIDAI chief summoned by standing committee on IT over privacy and data security concerns, reports Business Standard.
  • Draft report on Personal Data Protection Bill, 2019 adopted by the Joint Parliamentary Committee, reports India Today. Few members file dissent notes.

News around the globe

  • Mozilla adopts Global Privacy Control mechanism for its browser.
  • UK Government proposes to remove requirement of appointing data protection officers as part of privacy reforms.
  • US Court denies access to personal data of consumers to automotive companies. Upholds ruling under Arizona privacy law.

Big tech updates

  • US Consumer Financial Protection Bureau orders inquiry into payment data handled by big tech companies.
  • Apple’s privacy changes have forced companies to overhaul their data collection and handling practices.
  • Facebook continues to misuse and harvest children’s data, claims research.
