Issue 129

Enforcement updates

A class-action lawsuit has been brought against Snapchat’s parent company, alleging violation of Illinois’ Biometric Information Privacy Act (BIPA) by illegally collecting users’ biometric information without their consent. Snapchat collected, stored and shared users unique facial features and voices without the required disclosures about how the information will be used and for how long. They also failed to obtain a written release from users authorizing the company’s collection of their private information as required by the BIPA.

The Spanish Data Protection Agency (AEPD) has fined Google LLC for transferring data to third parties without legal base and hindering citizens’ right to erasure constituting a violation under GDPR. The AEPD found that Google LLC sent information of requests made to it by citizens, including their identification, e-mail address, the reasons given, and the URL claimed to the Lumen Project. The AEPD has ordered Google to inline policies and procedures with data protection rules and delete all personal data that have been the subject of a request for the right of erasure. 

The Italian data protection authority (Garante) has imposed two penalties of EUR 2 million and 120 thousand each, on Uber B.V. with registered office in Amsterdam, and Uber Technologies Inc, with registered office in San Francisco, for processing unsuitable information, processing data without consent and failure to notify the Authority upon data breach. Garante thus sanctioned the Dutch company Uber BV and the US Uber Technologies, as joint data controllers, each responsible for violations committed against the over 1 and a half million aggrieved Italian users.

Statements issued

  • Germany’s Federal Commissioner for Data Protection and Freedom of Information released statement on possibility of a personal data breach in connection with the online questionnaire on the building and housing census of the 2022 census.
  • Albania’s Office of the Information and Data Protection Commissioner has issued the results of the questionnaire on assessing the knowledge of public authorities regarding the right to personal data protection.

Reports published

  • Ireland’s Data Protection Commission published 2021 Annual Report.
  • The Spanish National Cybersecurity Institute has released report summarising the statistics regarding cybersecurity incidents managed by its Security Incident Response Centre.
  • The Hamburg Commissioner for Data Protection and Freedom of Information has published a frequently asked questions page concerning the 2022 census on topics such as data disclosure, data collection, and data subject’s rights under the General Data Protection Regulation.

Regulatory updates around the world

  • New Swiss Data Protection Act to enter into force by September 2023.
  • The Presidency of the Council of Ministers of Peru have announced the creation of the National Centre for Digital Security to enhance cybersecurity and mitigate risks in the country.
  • Singapore’s Personal Data Protection Commission has issued warnings to Toll Holdings entities for breach of data transfer obligations.

EU updates

  • The European Data Protection Board (EDPB) adopts Guidelines on calculation of fines and released Guidelines on the use of facial recognition technology in the area of law enforcement.
  • EDPB has proposed new EU legislation to prevent and combat child sexual abuse online.
  • The European Parliament and EU Member States reach agreement on Directive for measures for a high common level of cybersecurity across the Union.

UK updates

  • The Government of the United Kingdom has announced the launch of the Government Cyber Security Strategy and has now opened application for membership of the Government Cyber Security Advisory Board.
  • UK data reform bill may jeopardise EU’s data adequacy ruling, by establishing new data flows with countries including the US, Australia, South Korea and Singapore. Reports Euractiv

US updates

  • The Centres for Disease Control and Prevention accessed location data from mobile phones, using COVID-19 as a reason to buy access to the data. Reports Vice
  • National Institute of Standards and Technology has released a white paper ‘A Data Structure for Integrity Protection with Erasure Capability’.

India updates

  • MeitY released Draft National Data Governance Framework Policy for public consultation.
  • The Information Technology Industry Council has raised concerns on India’s Proposed Cybersecurity Directive that could negatively impact and undermine cybersecurity.
  • MeitY released FAQ’s on the CERT-In directions.

News around the globe

  • Britain’s computerised army recruitment system closed since March after possible hack. Reports The Guardian
  • The Office of the Privacy Commissioner of Canada has announced a Memorandum of Understanding signed with the Information and Privacy Commissioner of Alberta, the Information and Privacy Commissioner for British Columbia, and the Quebec Commission on Access to Information to promote domestic and international enforcement collaboration in the privacy sector.
  • Guernsey Office of the Data Protection Authority has published a cybersecurity checklist.

Big Tech updates

  • Twitter has launched a mini game, Twitter Data Dashto draw the attention of its users to the news in the privacy policy and security measures. Reports Tech News Inc
  • The District of Columbia has sued Meta chief Mark Zuckerberg to hold him personally liable for the Cambridge Analytica scandal. Reports The Washington post

Read our digital newsletter here.