Issue 122 - Privacy Desk

Enforcement updates

The European Securities and Markets Authority (ESMA) has fined trade repository REGIS-TR S.A., EUR 186,000 for violations under the European Market Infrastructure Regulation (EMIR). The authority noted that the company failed to ensure the integrity of the data reported to it due to various data processing incidents. It was also noted that REGIS-TR committed three further breaches resulting in the provision of wrong and unreliable reports to regulators by failing to verify the correctness and completeness of the data received by the reporting parties.

Swedish Authority for Privacy Protection (IMY) issued a fine of SEK 7,500,000 on Klarna Bank AB. Upon conducting the investigation, IMY noted that the bank failed to provide information on the purpose and the legal basis of processing personal data. Further, the bank provided incomplete and misleading information about who were the recipients of different categories of personal data when data was shared with Swedish and foreign credit information companies.

The Danish Data Protection Agency warned FysioDanmark Hillerod ApS’ for their intended use of a facial recognition system for conducting access control with customers and employees. The agency issued a warning to the company that it would probably be contrary to the rules of the General Data Protection Regulation if the company used the system without the consent of the company’s customers.

Guidance updates

CNIL published a guide for providing useful knowledge and best practices to help organisations in appointing and supporting DPOs.
The Norwegian data protection authority published a guide on employee background checks.
Japan’s Ministry of Economy, Trade and Industry has released revised Personal Information Protection Guidelines on the use of Personal Genetic Information in the Economic and Industrial Fields.
Singapore’s Personal Data Protection Commission has released a guide on Basic Anonymisation to provide practical guidance on how to appropriately perform basic anonymisation and de-identification.

Regulatory updates

Bahrain’s Ministry of Justice, Islamic Affairs and Endowments has released ten executive decisions supplementing the Personal Data Protection Law No. (30) of 2018.
Brazil’s Chamber of Deputies of the National Congress has announced Bill to prohibit telemarketing companies from contacting users without prior consent.
Indiana Governor has signed a House Bill to amend the Indiana Code with respect to the timeframe for notifying breaches.

US updates

The Oklahoma House has voted to pass the Oklahoma Computer Data Privacy Act.
US Representative has introduced a House Resolution for the Electronic Currency and Secure Hardware Act, to promote consumer protection and data privacy in digital assets.
USA’s Network Advertising Initiative issued a statement titled ‘Getting to Know the Latest State Consumer Privacy Law: Key Takeaways for the Digital Advertising Industry’.
The Securities and Exchange Commission has proposed rules for enhancing and standardising disclosures regarding cybersecurity risk management, strategy, governance and reporting by public companies.

EU updates

The Council and the Parliament have reached a provisional agreement on the Digital Markets Act which aims to make the digital sector fairer and more competitive.
The Court of Justice of the European Union has issued a judgement regarding the interpretation of the supervisory authorities’ power to supervise the courts in relation to the disclosure of documents to journalists.

India updates

Proposed changes to the 2019 Personal Data Protection Bill draft may impact the gaming platforms since they will need to offer parents precise information to which they offer their consent. Reports Medianama
The 2022 National Trade Estimate Report on Foreign Trade Barriers cites India’s proposed and promulgated restrictive data policies as ‘Digital Trade Barriers’.

News around the globe

The Philippine National Privacy Commission has extended the validity of all existing Certificates of Registration of Data Protection Officers issued in 2021 till 8 March 2023.
As contact tracing becomes less relevant, it may legitimately question the storage of data. Reports Financial Times
The proposed protections to restrict US government monitoring in the US-EU Data Privacy Deal may face legal challenges. Reports The Wall Street Journal

Big tech updates

Apple and Meta have allegedly provided customer data to hackers who masqueraded as law enforcement official. Reports Bloomberg
Google shows support for the Trans-Atlantic Data Privacy Framework.
Microsoft identified and announced a data breach activity that exfiltrates and destroys personal data

Read our digital newsletter here.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
CONSENT	16 years 5 months 10 days 17 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.