Dutch Data Protection Authority issues fine on Minister of Finance for violating GDPR
The Dutch Data Protection Authority (DPA) imposed a fine of EUR 2,750,000 for illegal and discriminatory processing of dual nationality status of Dutch nationals by tax authorities and violation of the General Data Protection Regulation (GDPR). The tax authorities had been keeping and using the data on dual nationality for assessing applications for childcare allowance. The DPA noted that the tax authorities were in serious violation of the GDPR for processing the dual nationality of applicants for childcare allowance in a discriminatory, unlawful, and improper manner.
Canadian Privacy Commissioner announces orders against Clearview AI’s facial recognition technology
The Office of the Privacy Commissioner of Canada announced that the Information and Privacy Commissioners of British Columbia and Alberta and the Quebec Commission on Access to Information issued orders against Clearview AI Inc. after a joint investigation on the company’s facial recognition technology. The company was allegedly collecting images and making facial recognition technology available to law enforcement agencies for identifying individuals without obtaining their consent which violated private sector privacy laws of the provinces. The provincial orders ordered Clearview AI to stop its facial recognition services that were subject to this investigation in British Columbia, Alberta, and Quebec.
Clearview AI ordered to cease collecting data from French data subjects
The French Data Protection Authority (CNIL) ordered Clearview AI Inc. to stop collecting and using data collected from data subjects in France and comply with their requests for violating the GDPR. CNIL received complaints from individuals regarding the company’s facial recognition software and initiated an investigation into the same. CNIL found that Clearview AI did not have any legal basis for collecting photographs that support its software from the individuals and failed to facilitate the data subject’s right of access.
Dating App, Grindr fined by Norway’s Data Protection Authority
Norwegian Data Protection Authority imposed a fine of NOK 65,000,000 on Grindr LLC for violating the GDPR. The Norwegian Consumer Council complained that Grindr, a location-based dating app targeted towards individuals identifying as LGBTQ+, had disclosed the GPS locations, IP addresses, age, gender, and mobile phone advertising tags of users to third parties for marketing purposes. The Data Protection Authority found that the company did not specifically seek user consent for disclosure of personal data to third parties for marketing purposes and information on disclosure was not clear or accessible enough for its users.
- Ireland’s Data Protection Commissioner publishes final version of guidance on child-specific data protection principles.
- CNIL publishes the second version of the guide on best practices for web and app developers under GDPR.
- Turkey’s Personal Data Protection Authority publishes the ‘Communiqué on Procedures and Principles on Personnel Certification Mechanism’.
- Saudi Central Bank publishes information technology (IT) framework for financial institutions that address IT risks and controls.
Regulatory updates around the globe
- Moldova’s National Centre for Personal Data Protection announces amendment to law on personal data protection.
- British Columbia’s Special Committee to Review Personal Information Protection Act publishes report with recommendations on modernizing its private sector privacy legislation.
- Russia proposes amendments to Federal Law on “Information, Information Technologies and Information Protection” for the formation of a National Data Management System.
- Irish Council for Civil Liberties proposes amendments to EU Digital Markets Act to allow organizations to combine and use data collected from individuals from across businesses with a single consent.
- New York City Council passes bill prohibiting employers from using automated employment decision tools to screen candidates without a bias audit which will come into effect on 1st January 2023.
- Federal Trade Commission considers making a rule for digital platforms to limit privacy abuses and reduce lax security practices.
- European Commission announces adequacy decision for transfer of personal data from EU to the Republic of Korea under GDPR.
- EU Parliament and the Member States reach political agreement on the European Data Governance Act on personal data and consumer protection.
- European Data Protection Board responds on the use of Pegasus Spyware assuring that it pays attention to developments on the interference with fundamental rights to privacy and data protection.
- European Commission Joint Research Centre publishes report on assessment criteria including privacy and data governance for trustworthy AI in automated vehicles.
- AIMIM President writes to the Home Ministry opposing the linking of birth and death data with the National Population Register and Aadhaar.
- IT Minister shares thoughts on India leading the world in internet regulation and preparing for cyberattacks.
News around the globe
- Spotify Wrapped reminds users how sharing data on their preferences may be used to send them ads. Reports Northeastern University.
- Personal data including the name and banking formation of 80,000 South Australian government employees stolen in a cyber-attack. Reports The Guardian.
- Danish Data Protection Authority receives funds worth DKK 16,800,000 for advising and guiding companies and authorities.
- Malta publishes the Protection of the Whistleblower (Amendment) Act, 2021 requiring any processing of personal data under the act to be in accordance with GDPR.
Big tech updates
- Twitter conducts internal review of new private information policy after making errors in enforcement.
- Instagram introduces features like tagging restrictions and ‘take a break’ to make the platform safer for teen.
Read our digital newsletter here.