Issue 134 - Privacy Desk

Enforcement updates

Florida-based Carnival Cruise Line has agreed to a multistate settlement of USD 1.25 million for a 2019 data breach that involved the personal information of approximately 180,000 employees and customers nationwide. Breach notifications stated that Carnival first became aware of suspicious email activity in late May of 2019 and reported the breach, 10 months later. Along with the settlement Carnival has agreed to a series of provisions designed to strengthen its email security and breach response practices.

The local health authority Roma 1 had published names and health data of the individuals who, between 2017 and 2018, had requested access to medical documents such as medical records, disability assessments, tests, and technical reports on their website. They thus violated the provisions of GDPR and were fined EUR 46,000 by the data protection authority.

The Tagansky District Court of Moscow has decided to fine foreign internet companies- Twitch Interactive Inc., Pinterest Inc., Airbnb Inc., and United Parcel Service, Inc (UPS) for failing to store and process the personal data of Russian citizens within the Russian territory. The companies also failed to provide such data in a timely manner The Court thus decided to fine UPS, RUB 1 million and Twitch, Pinterest, and Airbnb, RUB 2 million each.

Guidance updates

US Department of Health and Human Services has released guidance to amp up protection of reproductive health data.
The German Data Protection Conference has released FAQs in relation to the use of Facebook fan pages.
The Office of the Privacy Commissioner of Canada has released guidance on credential stuffing attacks.

Regulatory updates

California Bill amending the Confidentiality of Medical Information Act and the Insurance Information and Privacy Protection Act, has entered into effect from 1 July 2022.
Bill to amend the Indiana Code with respect to the timeframe for notifying breaches, limiting it to 45 days, has entered into effect.
The Cyberspace Administration of China has requested public comments on its draft of the Standard Contract Provisions for the Exit of Personal Information, until 29 July 2022.

EU updates

CJEU has ruled upon compatibility of the German provisions requiring just cause for the termination of a DPO’s with the GDPR.
Hessian data watchdog has approved the use of a Zoom model which can be configured and operated by the universities without violating the data protection requirements.
CJEU provides clarity on passenger name record directive applicable to flights between the EU and third-party countries.

India updates

The Indian Computer Emergency Response Team has given Virtual Private Network providers and cloud service operators until 25 September 2022, to comply with the new cybersecurity rules.
RBI has issued master direction on outsourcing IT services which includes data privacy measures to be adopted to reduce risks.

News around the globe

OpenSea has reported major email security breach after their email delivery vendor misused their employee access to download and share email addresses.
Hackers have claimed to put on sale the personal information of up to a billion Chinese residents, after breaching and accessing a Shanghai police database. Reports Bloomberg
State’s Department of Justice has launched an investigation after suffering data breach of the Firearms Dashboard Portal.

Big tech updates

Republican commissioner from the Federal Communications Commission urges the CEO’s of Apple and Google to remove TikTok over privacy concerns. Reports Fortune
Google has announced the deletion of users location history when they visit abortion clinics, domestic violence shelters and such other places where privacy is expected.

Read our digital newsletter here.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
CONSENT	16 years 5 months 10 days 17 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.