Issue 132 - Privacy Desk

Enforcement updates

The Personal Information Protection Commission has issued a fine on LG HelloVision Co., Ltd. for violations under the Act on Promotion of Information and Communications Network Utilization and Information Protection 2001. It was held that the company had failed to implement appropriate safeguards, such as access logs and controls, encryption and had processed resident registration numbers without a valid legal basis. The company was thus fined KRW 11 million along with a corrective order.

The authority has announced an investigation into Kry International AB regarding a data security breach relating to the transfer of personal data to Facebook. The complaint states that the company had a Facebook pixel on two of its websites, which has led to the company transferring personal data to Facebook. The company is now required to report to the authority on their privacy measures such as types of personal data transferred, how many people may have been affected by the incident, and what technical and organisational security measures the company has taken.

The Portuguese data protection authority has ordered all electronic communications providers to delete data stored after a ruling that declared some of the provisions to be unconstitutional. The Constitutional Court held that the limits of proportionality are crossed, in the restriction of fundamental rights to the reservation of privacy of private life and to informative self-determination and the aggression of those fundamental rights are not counterweighed by the positive effects on the fight against crime.

Guidance updates

Ireland’s Data Protection Commission has released guidances on data protection of children
CNIL has released a guidance note on the responsibilities of a controller, subcontractor or joint controller under GDPR in case of public procurement.
US Department of Health and Human Services has issued guidance on how health care providers and plans can use remote communication technologies in compliance with the HIPAA Rules.
The Privacy Commissioner for Personal Data has published updated guidance for the property management sector regarding the protection of personal data and two Investigation Reports.

Regulatory updates

Canada’s government has introduced the Bill C-27, ‘the Digital Charter Implementation Act, 2022’ which includes: the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act.
UK government has published their response to the ‘Data: a new direction’ consultation which sets out how the Data Reform Bill will strengthen the UK’s high data protection standards.
US House and Senate have released a Bipartisan US Federal Privacy Bill, ‘American Data Privacy and Protection Act’.
Minnesota’s Bill relating to data practices, modifying education data provisions, classifying education support service data, and amending the Minnesota Statutes, was signed into law.

Reports published

Hong Kong’s Privacy Commissioner for Personal Data has published investigation report regarding the improper collection, retention, and use of residents and visitors personal data by property management companies.
The Swedish Authority for Privacy Protection has published report of complaints received and the recommendations made to business.
Denmark’s Danish Business Authority has published its 2021 annual report on cookie supervision.

EU updates

Finland’s Office of the Data Protection Ombudsman has issued a statement on disclosure of vehicle maintenance history data to a new owner.
The Danish data protection authority has announced inspections to determine if notification letters to the data subjects in the event of data security breaches are GDPR compliant.
CNIL has launched a study on the geolocation data of people obtained by mobile applications to raise awareness about the issues of such collection.

India updates

Government denies data breach and assures of data security on the new income tax portal developed by Infosys. Reports The Mint
NordVPN pulls serves from India after CERT-In directives on maintaining basic information of customers, citing privacy concerns. Reports Economic Times
The Software Alliance has published letter concerning the cybersecurity direction issued and frequently asked questions by the Indian Computer Emergency Response Team.
Study shows India as the sixth-most data breached country in the world indicating steady rise in cybercrime.

News around the globe

Pegasus Air Transport Joint Stock Company has notified Turkey’s Personal Data Protection Authority of data breach.
Office of the Australian Information Commissioner has issued a statement regarding retailer compliance with privacy laws.
Spanish data protection authority released publication on Metaverse and privacy.

Read our digital newsletter here.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
CONSENT	16 years 5 months 10 days 17 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.