Issue 191


  • Spanish data protection authority imposed fines for a total of EUR 72,000, against Fourth Party Logistics S.L., for the violation of the General Data Protection Regulation.
  • Germany’s Federal Office for Information Security published technical guidelines on cyber resilience requirements for the software supply chain.
  • Spanish data protection authority imposed a fine of EUR 1,200 on Forkmerge S.L. for violation of the General Data Protection Regulation.
  • UK’s Information Commissioner’s Office launched a public consultation on the first phase of its guidance on biometric data and biometric technologies.


  • USA’s Future of Privacy Forum filed its written comments with the Federal Trade Commission regarding the use of the Privacy-Protective Facial Age Estimation technology as a mechanism for obtaining verifiable parental consent under the Children’s Online Privacy Protection Act Rule.
  • Massachusetts Gaming Commission approved a regulation on Sports Wagering Data Privacy which will enter into effect on September 1, 2023.
  • Senate Bill 7623 for an Act to amend the labor law, in relation to restricting the use of electronic monitoring and automated employment decision tools, was introduced to the New York State Senate and thereafter referred to the Senate Rules Committee.
  • USA’s National Credit Union Administration (NCUA) issued guidelines for Federally Insured Credit Unions on submitting cyber incident notifications to the NCUA under the Cyber Incident Notification Requirements Rule.


  • China’s National Information Security Standardization Technical Committee requested public comments on the draft National Standard Information Security Technology Data Security Risk Assessment Method.
  • Thailand’s Ministry of Digital Economy and Society published a Royal Decree determining organizations that are exempt from data controller’s obligations under the Personal Data Protection Act 2019.
  • South Korea’s Personal Information Protection Commission announced the publication for public comment of its Guidelines for Publication and Publication Order for Violation of the Personal Information Protection Act.
  • Australian Communications and Media Authority imposed a fine of AUD 2 million to DoorDash Technologies Australia Pty Ltd for violations of the Spam Act 2003.