Issue 111 - Privacy Desk

Message for our subscribers and readers

Dear Subscribers and Readers,

Wish you a very happy Data Protection Week, 2022! We thank you for your continuous patronage and support. We have published over 110 issues of our weekly newsletter on data protection and privacy covering enforcement, guidance, regulatory, big-tech, and region-specific updates from around the globe.

We hope you enjoy reading our newsletter just as much as we enjoy creating it. If you have any thoughts, feedback, and suggestions on our newsletter, please reach out to us on our contact form.

We will continue to bring you regular insights into the national and international developments in the field of data protection and privacy. Stay tuned for exciting updates coming soon this week! Follow us on LinkedIn and Twitter and ask your peers and colleagues to subscribe to our newsletter.

Enforcement updates

CNIL fines Google and Meta for violating cookie consent regulations

The French data protection authority (CNIL) has fined Facebook Ireland Limited for EUR 60 million, as a part of its ongoing enforcement campaign on guidelines and recommendations on cookies. The CNIL found that Facebook Ireland had inadequate measures in place failing to make it easy to reject consent to the use of cookies as it is to accept the same. In light of this, CNIL opined that this was a breach of Article 82 of the French Data Protection Act and issued the fine accordingly.

Illinois court denies Amazon’s defense in a lawsuit regarding illegal collection of biometric data

In a lawsuit filed in the US District Court of Northern District of Illinois, Eastern Division an Amazon warehouse employee accused the company of unlawfully collecting facial scans of its employees as a part of its COVID-19 wellness checks. The former employee alleged that the e-commerce giant collected his facial and other biometric data without proper consent under the Illinois Biometric Information Privacy Act. In response to this, Amazon filed a motion to dismiss the lawsuit which was declined by the court.

Morgan Stanley agrees to pay for settlement for data breach

Morgan Stanley agreed to pay USD 60 million to settle a class action lawsuit which accused them of exposing personal data of about 15 million customers. In 2016, customers had accused Morgan Stanley of negligently decommissioning two wealth management data centers which were unencrypted and contained personal data of its customers when they were sold to unauthorized third parties. According to the settlement papers, Morgan Stanley denied wrongdoings and has made substantial upgrades to its data security practices.

Guidance updates

Italian Data Protection Authority published new guidelines on cookies and similar technologies.
French Data Protection Authority published guidance on the right of employees to access their data and professional emails.
Croatia’s Personal Data Protection Authority issued its views on the processing of personal data of employees for the purpose of recording work hours.
Germany’s Minister of Justice announced transposition of the EU Directive on certain aspects concerning contracts for the supply of digital content services.

Regulatory updates around the globe

UK’s Department of Business, Energy and Industrial Strategy published Appropriate Policy Document for sensitive processing for law enforcement purposes.
Florida Privacy Protection Act was introduced to the Florida State Senate as a Senate Bill.
Brazil’s Official Gazette of the Union announced the enactment of a law for preserving the confidentiality of personal information related to HIV.

US updates

Federal Communications Commission published proposals for new data breach reporting requirements.
New York Attorney General announced results of its investigation into credential stuffing cyberattacks at 17 companies and released a business guide on the same.

EU updates

NOYB issued statement on European Data Protection Supervisor’s sanction on the EU parliament for illegal EU-US data transfers.
European Data Protection Supervisor published report emphasizing data protection in card-based payments.
European Data Protection Board published its opinion on whether powers of the supervisory authority under the GDPR can serve as a legal basis for orders of ex-officio erasure of personal data.

India updates

Telecommunication Engineering Center released Code of Practice for Securing Consumer Internet of Things.
Ministry of Electronics and Information Technology is preparing a formal note for the Union Cabinet on the proposed Data Protection Bill. Reports The Economic Times.

News around the globe

WhatsApp Ireland Limited appealed to the Court of Justice of the European Union against the decision of the European Data Protection Board to fine the company.
Meta published a report banning surveillance-for-hire companies from its platform following an investigation.
GDPR fines in 2021 added up to more than EUR 1 billion. Reports AtlasVPN.

Read our digital newsletter here

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
CONSENT	16 years 5 months 10 days 17 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.