Issue 109 - Privacy Desk

Enforcement updates

French data protection watchdog fines Slimpay due to a data breach

The French Data Protection Authority (CNIL) imposed a fine of EUR 130,000 on Slimpay, a payment institution, for failing to implement appropriate security measures to protect its personal data which resulted in a data breach. CNIL found that Slimpay was conducting an internal research due to which they stored personal data on a server with inadequate security measures and this data was freely available on the internet. The incident affected around 12 million people and the fine was imposed accordingly.

Russian court imposed a fine on Google for repeatedly neglecting to delete illegal content

The Tagansky District Court of Moscow fined Google EUR 73 million over its failure to delete content banned by local Russian law. The court opined that Google repeatedly neglected to delete content that is deemed to be illegal as per Russian laws, which are aiming to exert tighter control over the internet. The court also imposed a fine of EUR 23 million on Facebook for the same reasons.

FTC announced a USD 2 million settlement with OpenX over alleged COPPA violations

Federal Trade Commission (FTC) announced a settlement amount of USD 2 million for alleged violations of Children Online Privacy Protection Act by an ad exchange company, OpenX Technologies. The complaint was filed by Department of justice on behalf of FTC alleging that OpenX knowingly collected information of children without parental consent. Additionally, FTC also alleged that OpenX violated FTC act by collecting geolocation data from its users who had opted out of it. In addition to the fine, OpenX is also ordered to delete ad request data for targeted ads and implement a comprehensive privacy policy.

Guidance updates

Data Protection Commission of Ireland published regulatory strategy for the next five years.
UK’s ICO published a response to the government’s consultation paper titled “Data: a new direction”.
Netherland’s Ombudsman released a report on how Dutch Data Protection Authority handles privacy complaints.

Regulatory updates around the globe

Ukraine government adopts regulations on organizational and technical model of cybersecurity.
Lithuania adopts Standard Contractual Clauses for data processing agreements as per GDPR.
Georgia’s Parliament adopts bill to restructure its State Inspector Service to establish a Data Protection Agency.

US updates

California Privacy Protection Agency published public comments they received for their preliminary rulemaking activities for California privacy Rights Act.
Federal Bank regulators finalized the regulation for cybersecurity incident notification requirement for banking organizations and their service providers.
US Seventh Circuit Court seeks clarification from Illinois Supreme Court on filing cases for violation of privacy rights under Biometric Information Privacy Act of 2008.

EU updates

European commission announces alliance to strengthen the position of EU industries in cloud and edge technologies and meet needs of EU businesses dealing with sensitive categories data.
European Parliament adopts amendments of the Digital Markets Act to ensure transparency in important digital services.
European Parliament Research Service published a study on privacy rights and ethics in biometrics through AI, along with recommendations for draft Artificial Intelligence Regulations.

India updates

Karnataka will release a consent management platform for sharing personal data with public and private companies. Reports The Hindu.
The Joint Parliament Committee re-introduced the penalty provisions as stated in the earlier drafts. Reports The Times of India.
NASSCOM suggests scope of non-personal data needs further analysis under the Data Protection Act of 2021. Reports News 18.

News around the globe

US Patent Office issues patent to OneTrust for privacy management systems and methods.
Germany’s Federal Minister of Justice suggests abolishing data retention for surveillance purposes in an interview.
Russian hackers threaten to leak UK police data on the dark web for refusal to pay ransom. Reports CPO.

Read the digital newsletter here.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
CONSENT	16 years 5 months 10 days 17 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.