Issue 121

Enforcement updates

The Irish Data Protection Authority has imposed a fine of EUR 17,000,000 on Meta Platforms Ireland Limited (formerly Facebook Ireland Limited). The authority had led an inquiry on Meta, after receiving twelve breach notifications and found that Meta did not have appropriate technical and organisational measures to demonstrate implemented security measures to protect EU users’ data.

The Federal Trade Commission ordered the former owner of CafePress, an online customized merchandise platform, to pay USD 500,000 and required the company to bolster its data security. The FTC alleges that CafePress failed to implement reasonable security measures to protect sensitive information stored on its network, including plain text Social Security numbers, inadequately encrypted passwords, and answers to password reset questions.

Information Commissioner’s Office has fined UK Platinum Home Care Services Limited for GBP 110,000 for making unsolicited calls for direct marketing purposes and thus contravening the provisions of the Privacy and Electronic Communications Regulations.

Guidance updates

  • National Cybersecurity Agency for France published certification framework for cloud service providers.
  • Danish Data Protection Authority published guide on use of cloud services.
  • Brazilian Centre for Prevention, Treatment, and Response to Government Cyber Incidents published alert on abuse on VPNs.

Regulatory updates

  • Sri Lankan Parliament passed the bill for Regulation of Processing of Personal Data.
  • Dubai International Financial Centre announced amendment to the data protection law.
  • Bill on cybersecurity and critical information infrastructure introduced to the Chilean Senate.

UK updates

  • Department for Digital, Culture, Media & Sport published Government response to the report on the draft Online Safety Bill.
  • ICO published International Data Transfer Addendum to the EU Commission Standard Contractual Clauses.

US updates

  • National Institute of Standards and Technology released a special publication on assessment procedures for enhanced security requirements.
  • California’s Attorney General issued an opinion on the applicability of California Consumer Privacy Act on internally generated inferences held by businesses.
  • Wyoming’s Governor enacted the Genetic Data Privacy Act. The act will be effective from 1 July 2022.

EU updates

  • European Commission (EC) launches public consultation on European Cyber Resilience Act. Consultation will be open until 25 May 2022.
  • European Data Protection Supervisor published a blog on targeting online advertising.

News around the globe

  • Australian Communications and Media Authority joined the Digital Platform Regulators Forum.
  • Natural gas producers in the United Stated faced cyber attacks. Reports Bloomberg 
  • US and EC agreed on new Trans-Atlantic Data Privacy Framework.

 Big tech updates

  • Tinder’s criminal background check feature reportedly problematic. Reports The Guardian
  • AI company Sandbox AQ announced a collaboration with Mount Sinai Health System for the protection of patient data. Reports PR Newswire
  • Google’s messages and dialer applications on Android phones found to be sending data to Google without notice and consent.

Read our digital newsletter here.