Issue 133

Enforcement updates

The Norwegian Data Protection Authority (Datatilsynet) published its decision to ban data processing carried out through a browser extension called Shinigami Eyes that highlights transphobic and trans-friendly social network pages and identifies users with different colours. Datatilsynet had previously imposed a preliminary ban on Shinigami Eyes for the same violations and that it has maintained its previous assessment in this decision. Datatilsynet found that Shinigami Eyes’ processing of personal data creates various negative impacts for data subjects, the data subjects do not receive any information regarding the processing, and the processing is clearly beyond the data subjects’ reasonable expectation.

The Personal Information Protection Commission (PIPC) issued a fine of KRW 11 million on Lightning Market Co. Ltd. for violating provisions of the Act on Promotion of Information and Communications Network Utilization and Information Protection 2001. PIPC found that Lightning Market had failed to implement appropriate safeguards such as access control and encryption, and stored data for longer than required. Accordingly, the fine and a corrective order were imposed.

The Ministry of Communications and Multimedia announced that through the Department of Personal Data Protection (PDP), it had ordered the removal of a website following an investigation into its sale of data. Public concerns were first raised on Twitter by another opensource website. In the investigation it was noted that restrictions were introduced on the website to prevent data transactions, and actions were taken to remove the site. Moreover, PDP along with others will monitor and regulate the processing of personal data in commercial transactions to ensure compliance with the Personal Data Protection Act 2010.

Guidance updates

  • The office of the Data Protection Authority of Guernsey published three new guidance documents on data transfers.
  • Spanish Data Protection Authority published a blog titled ‘Personal Data Breaches: Development and Pre-Production Environments’.
  • Monetary Authority of Singapore issued its revised guidelines on business continuity management for financial institutions to strengthen against cyber security threats.

Regulatory updates

  • U.S. President signs State and Local Government Cybersecurity Act of 2021 into law.
  • U.S. Senator Wyden introduced a bill to protect the privacy of personal reproductive or sexual health information, and for other purposes, also known as My Body, My Data Act of 2022.

EU updates

  • French data protection authority published rules for the transmission of files and donors or contacts between associations and foundations.
  • European Court of Justice announced that it has limited member states’ ability to gather personal information of all air passengers to only collect information that is strictly required to combat terrorism.

US updates

  • The Network Advertising Initiative published a document titled ‘Precise Location Information Solution Provider Voluntary Enhanced Standards’.
  • The U.S. Office of Science and Technology Policy is seeking information on advancing privacy-enhancing technologies.

News around the globe

  • Children’s Hospital Network – Nemours was found to be sharing personal information of children and parents with Facebook. Reports The Markup
  • Ransomware attack disrupted municipal services in Palermo, Italy. Reports CPO

Big tech updates

  • Meta agrees to settle with U.S. Department of Justice to change its advertising delivery system following allegations of discriminatory advertising.
  • Microsoft published a guide on how it builds artificial intelligence systems.

Read our digital newsletter here.