Issue 129 - Privacy Desk

Enforcement updates

A class-action lawsuit has been brought against Snapchat’s parent company, alleging violation of Illinois’ Biometric Information Privacy Act (BIPA) by illegally collecting users’ biometric information without their consent. Snapchat collected, stored and shared users unique facial features and voices without the required disclosures about how the information will be used and for how long. They also failed to obtain a written release from users authorizing the company’s collection of their private information as required by the BIPA.

The Spanish Data Protection Agency (AEPD) has fined Google LLC for transferring data to third parties without legal base and hindering citizens’ right to erasure constituting a violation under GDPR. The AEPD found that Google LLC sent information of requests made to it by citizens, including their identification, e-mail address, the reasons given, and the URL claimed to the Lumen Project. The AEPD has ordered Google to inline policies and procedures with data protection rules and delete all personal data that have been the subject of a request for the right of erasure.

The Italian data protection authority (Garante) has imposed two penalties of EUR 2 million and 120 thousand each, on Uber B.V. with registered office in Amsterdam, and Uber Technologies Inc, with registered office in San Francisco, for processing unsuitable information, processing data without consent and failure to notify the Authority upon data breach. Garante thus sanctioned the Dutch company Uber BV and the US Uber Technologies, as joint data controllers, each responsible for violations committed against the over 1 and a half million aggrieved Italian users.

Statements issued

Germany’s Federal Commissioner for Data Protection and Freedom of Information released statement on possibility of a personal data breach in connection with the online questionnaire on the building and housing census of the 2022 census.
Albania’s Office of the Information and Data Protection Commissioner has issued the results of the questionnaire on assessing the knowledge of public authorities regarding the right to personal data protection.

Reports published

Ireland’s Data Protection Commission published 2021 Annual Report.
The Spanish National Cybersecurity Institute has released report summarising the statistics regarding cybersecurity incidents managed by its Security Incident Response Centre.
The Hamburg Commissioner for Data Protection and Freedom of Information has published a frequently asked questions page concerning the 2022 census on topics such as data disclosure, data collection, and data subject’s rights under the General Data Protection Regulation.

Regulatory updates around the world

New Swiss Data Protection Act to enter into force by September 2023.
The Presidency of the Council of Ministers of Peru have announced the creation of the National Centre for Digital Security to enhance cybersecurity and mitigate risks in the country.
Singapore’s Personal Data Protection Commission has issued warnings to Toll Holdings entities for breach of data transfer obligations.

EU updates

The European Data Protection Board (EDPB) adopts Guidelines on calculation of fines and released Guidelines on the use of facial recognition technology in the area of law enforcement.
EDPB has proposed new EU legislation to prevent and combat child sexual abuse online.
The European Parliament and EU Member States reach agreement on Directive for measures for a high common level of cybersecurity across the Union.

UK updates

The Government of the United Kingdom has announced the launch of the Government Cyber Security Strategy and has now opened application for membership of the Government Cyber Security Advisory Board.
UK data reform bill may jeopardise EU’s data adequacy ruling, by establishing new data flows with countries including the US, Australia, South Korea and Singapore. Reports Euractiv

US updates

The Centres for Disease Control and Prevention accessed location data from mobile phones, using COVID-19 as a reason to buy access to the data. Reports Vice
National Institute of Standards and Technology has released a white paper ‘A Data Structure for Integrity Protection with Erasure Capability’.

India updates

MeitY released Draft National Data Governance Framework Policy for public consultation.
The Information Technology Industry Council has raised concerns on India’s Proposed Cybersecurity Directive that could negatively impact and undermine cybersecurity.
MeitY released FAQ’s on the CERT-In directions.

News around the globe

Britain’s computerised army recruitment system closed since March after possible hack. Reports The Guardian
The Office of the Privacy Commissioner of Canada has announced a Memorandum of Understanding signed with the Information and Privacy Commissioner of Alberta, the Information and Privacy Commissioner for British Columbia, and the Quebec Commission on Access to Information to promote domestic and international enforcement collaboration in the privacy sector.
Guernsey Office of the Data Protection Authority has published a cybersecurity checklist.

Big Tech updates

Twitter has launched a mini game, Twitter Data Dashto draw the attention of its users to the news in the privacy policy and security measures. Reports Tech News Inc
The District of Columbia has sued Meta chief Mark Zuckerberg to hold him personally liable for the Cambridge Analytica scandal. Reports The Washington post

Read our digital newsletter here.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
CONSENT	16 years 5 months 10 days 17 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.