Issue 108 - Privacy Desk

Enforcement updates

Dutch Data Protection Authority issues fine on Minister of Finance for violating GDPR

The Dutch Data Protection Authority (DPA) imposed a fine of EUR 2,750,000 for illegal and discriminatory processing of dual nationality status of Dutch nationals by tax authorities and violation of the General Data Protection Regulation (GDPR). The tax authorities had been keeping and using the data on dual nationality for assessing applications for childcare allowance. The DPA noted that the tax authorities were in serious violation of the GDPR for processing the dual nationality of applicants for childcare allowance in a discriminatory, unlawful, and improper manner.

Canadian Privacy Commissioner announces orders against Clearview AI’s facial recognition technology

The Office of the Privacy Commissioner of Canada announced that the Information and Privacy Commissioners of British Columbia and Alberta and the Quebec Commission on Access to Information issued orders against Clearview AI Inc. after a joint investigation on the company’s facial recognition technology. The company was allegedly collecting images and making facial recognition technology available to law enforcement agencies for identifying individuals without obtaining their consent which violated private sector privacy laws of the provinces. The provincial orders ordered Clearview AI to stop its facial recognition services that were subject to this investigation in British Columbia, Alberta, and Quebec.

Clearview AI ordered to cease collecting data from French data subjects

The French Data Protection Authority (CNIL) ordered Clearview AI Inc. to stop collecting and using data collected from data subjects in France and comply with their requests for violating the GDPR. CNIL received complaints from individuals regarding the company’s facial recognition software and initiated an investigation into the same. CNIL found that Clearview AI did not have any legal basis for collecting photographs that support its software from the individuals and failed to facilitate the data subject’s right of access.

Dating App, Grindr fined by Norway’s Data Protection Authority

Norwegian Data Protection Authority imposed a fine of NOK 65,000,000 on Grindr LLC for violating the GDPR. The Norwegian Consumer Council complained that Grindr, a location-based dating app targeted towards individuals identifying as LGBTQ+, had disclosed the GPS locations, IP addresses, age, gender, and mobile phone advertising tags of users to third parties for marketing purposes. The Data Protection Authority found that the company did not specifically seek user consent for disclosure of personal data to third parties for marketing purposes and information on disclosure was not clear or accessible enough for its users.

Guidance updates

Ireland’s Data Protection Commissioner publishes final version of guidance on child-specific data protection principles.
CNIL publishes the second version of the guide on best practices for web and app developers under GDPR.
Turkey’s Personal Data Protection Authority publishes the ‘Communiqué on Procedures and Principles on Personnel Certification Mechanism’.
Saudi Central Bank publishes information technology (IT) framework for financial institutions that address IT risks and controls.

Regulatory updates around the globe

Moldova’s National Centre for Personal Data Protection announces amendment to law on personal data protection.
British Columbia’s Special Committee to Review Personal Information Protection Act publishes report with recommendations on modernizing its private sector privacy legislation.
Russia proposes amendments to Federal Law on “Information, Information Technologies and Information Protection” for the formation of a National Data Management System.
Irish Council for Civil Liberties proposes amendments to EU Digital Markets Act to allow organizations to combine and use data collected from individuals from across businesses with a single consent.

US updates

New York City Council passes bill prohibiting employers from using automated employment decision tools to screen candidates without a bias audit which will come into effect on 1^st January 2023.
Federal Trade Commission considers making a rule for digital platforms to limit privacy abuses and reduce lax security practices.

EU updates

European Commission announces adequacy decision for transfer of personal data from EU to the Republic of Korea under GDPR.
EU Parliament and the Member States reach political agreement on the European Data Governance Act on personal data and consumer protection.
European Data Protection Board responds on the use of Pegasus Spyware assuring that it pays attention to developments on the interference with fundamental rights to privacy and data protection.
European Commission Joint Research Centre publishes report on assessment criteria including privacy and data governance for trustworthy AI in automated vehicles.

India updates

AIMIM President writes to the Home Ministry opposing the linking of birth and death data with the National Population Register and Aadhaar.
IT Minister shares thoughts on India leading the world in internet regulation and preparing for cyberattacks.

News around the globe

Spotify Wrapped reminds users how sharing data on their preferences may be used to send them ads. Reports Northeastern University.
Personal data including the name and banking formation of 80,000 South Australian government employees stolen in a cyber-attack. Reports The Guardian.
Danish Data Protection Authority receives funds worth DKK 16,800,000 for advising and guiding companies and authorities.
Malta publishes the Protection of the Whistleblower (Amendment) Act, 2021 requiring any processing of personal data under the act to be in accordance with GDPR.

Big tech updates

Twitter conducts internal review of new private information policy after making errors in enforcement.
Instagram introduces features like tagging restrictions and ‘take a break’ to make the platform safer for teen.

Read our digital newsletter here.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
CONSENT	16 years 5 months 10 days 17 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.