Issue 122

Enforcement updates

The European Securities and Markets Authority (ESMA) has fined trade repository REGIS-TR S.A., EUR 186,000 for violations under the European Market Infrastructure Regulation (EMIR). The authority noted that the company failed to ensure the integrity of the data reported to it due to various data processing incidents. It was also noted that REGIS-TR committed three further breaches resulting in the provision of wrong and unreliable reports to regulators by failing to verify the correctness and completeness of the data received by the reporting parties.

Swedish Authority for Privacy Protection (IMY) issued a fine of SEK 7,500,000 on Klarna Bank AB. Upon conducting the investigation, IMY noted that the bank failed to provide information on the purpose and the legal basis of processing personal data. Further, the bank provided incomplete and misleading information about who were the recipients of different categories of personal data when data was shared with Swedish and foreign credit information companies.

The Danish Data Protection Agency warned FysioDanmark Hillerod ApS’ for their intended use of a facial recognition system for conducting access control with customers and employees. The agency issued a warning to the company that it would probably be contrary to the rules of the General Data Protection Regulation if the company used the system without the consent of the company’s customers.

Guidance updates

  • CNIL published a guide for providing useful knowledge and best practices to help organisations in appointing and supporting DPOs.
  • The Norwegian data protection authority published a guide on employee background checks.
  • Japan’s Ministry of Economy, Trade and Industry has released revised Personal Information Protection Guidelines on the use of Personal Genetic Information in the Economic and Industrial Fields.
  • Singapore’s Personal Data Protection Commission has released a guide on Basic Anonymisation to provide practical guidance on how to appropriately perform basic anonymisation and de-identification.

Regulatory updates

  • Bahrain’s Ministry of Justice, Islamic Affairs and Endowments has released ten executive decisions supplementing the Personal Data Protection Law No. (30) of 2018.
  • Brazil’s Chamber of Deputies of the National Congress has announced Bill to prohibit telemarketing companies from contacting users without prior consent.
  • Indiana Governor has signed a House Bill to amend the Indiana Code with respect to the timeframe for notifying breaches.

US updates

  • The Oklahoma House has voted to pass the Oklahoma Computer Data Privacy Act.
  • US Representative has introduced a House Resolution for the Electronic Currency and Secure Hardware Act, to promote consumer protection and data privacy in digital assets.
  • USA’s Network Advertising Initiative issued a statement titled ‘Getting to Know the Latest State Consumer Privacy Law: Key Takeaways for the Digital Advertising Industry’.
  • The Securities and Exchange Commission has proposed rules for enhancing and standardising disclosures regarding cybersecurity risk management, strategy, governance and reporting by public companies.

EU updates

  • The Council and the Parliament have reached a provisional agreement on the Digital Markets Act which aims to make the digital sector fairer and more competitive.
  • The Court of Justice of the European Union has issued a judgement regarding the interpretation of the supervisory authorities’ power to supervise the courts in relation to the disclosure of documents to journalists.

India updates

  • Proposed changes to the 2019 Personal Data Protection Bill draft may impact the gaming platforms since they will need to offer parents precise information to which they offer their consent. Reports Medianama
  • The 2022 National Trade Estimate Report on Foreign Trade Barriers cites India’s proposed and promulgated restrictive data policies as ‘Digital Trade Barriers’.

News around the globe

  • The Philippine National Privacy Commission has extended the validity of all existing Certificates of Registration of Data Protection Officers issued in 2021 till 8 March 2023.
  • As contact tracing becomes less relevant, it may legitimately question the storage of data. Reports Financial Times
  • The proposed protections to restrict US government monitoring in the US-EU Data Privacy Deal may face legal challenges. Reports The Wall Street Journal

Big tech updates

  • Apple and Meta have allegedly provided customer data to hackers who masqueraded as law enforcement official. Reports Bloomberg
  • Google shows support for the Trans-Atlantic Data Privacy Framework.
  • Microsoft identified and announced a data breach activity that exfiltrates and destroys personal data

Read our digital newsletter here.