Issue 82

Enforcement Updates

Sweden’s watchdog fines controller and processors

The Swedish Authority for Privacy Protection (IMY) conducted investigations into a matter concerning calls made to the Swedish medical consultation service 1177 and noted that the organizations handling the calls engaged certain third-party service providers for technological and service support. The call recordings were stored on a storage server that was publicly accessible on the internet without any security.  
Concluding the investigation, IMY fined Medhelp, the service provider company, SEK 12 million. IMY also fined Voice Integrate, the data processor company, SEK 650000 for failing to incorporate adequate security measures. Administrative sanctions totalling SEK 750000 were also imposed on the regions of Stockholm, Sodermanland and Varmland for failing to ensure compliance under the GDPR.

Sales co. fined for multiple GDPR violations

The French data protection authority (CNIL) issued its decision to fine French sales company Brico Prive under the GDPR. In its investigations, CNIL noted that the company breached the data retention periods it had set, did not incorporate adequate security measures and failed to respect right to erasure requests. Other violations observed were the sending of marketing emails without consent and the placing of advertising cookies without consent. As a result, the company was fined EUR 500,000 for multiple GDPR violations.

Amazon set to face largest ever GDPR fine

It is reported that Luxembourg’s data protection authority, the National Commission for Data Protection (CNPD), acting as the lead privacy regulator, has circulated a draft decision among other EU member states’ data protection authorities, intending to fine Amazon Inc. for its data collection and processing practices. Based on the company’s annual revenue from last year, CNPD has proposed a USD 425 million fine under the GDPR. If the decision is finalized, it would be the largest fine ever imposed under the GDPR. Source: The Wall Street Journal

Guidance Issued 

  • US President passes Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries.
  • Opinion on the use of live facial recognition technology in public places published by ICO UK.
  • New system to notify personal data breach launched by AEPD, the Spanish Data Protection Authority.

US Updates

  • Nevada’s Act relating to Internet Privacy receives the Governor’s approval and will come into force from 1st October 2021.
  • Amendments proposed to Colorado’s Act for protection of personal data privacy.
  • US Federal Trade Commission adopts the TRACED Act and will establish a portal for reporting robocalls and spoofing.

EU Updates

  • EIOPA publishes report on AI governance principles for the European insurance sector.
  • European Union Member States vote in favor of the British standards for the protection of personal data. – Reports Reuters.
  • Irish Council for Civil Liberties to file suit against IAB Tech Lab for its unfair use of real-time bidding technology and violation of the GDPR. – Reports Reuters.

India Updates

  • Personal Data Protection Bill to offer a digitally enabled consent framework. – Reports Indian Express.
  • Parliamentary Standing Committee on Information Technology summons Facebook and Google to make representations on the subject of safeguarding citizens’ rights.
  • Government issuing Unique Health ID to citizens without consent, using personal data collected for CoWIN vaccination registration. – Reports National Herald.

News around the Globe

  • Google agrees to UK government’s oversight on its Privacy Sandbox.
  • Law passed in Mexico to create a data registry containing personal details of cellphone users sparks privacy concerns. – Reports Global Voices.
  • Experts urge the EU and US to strike a deal for sharing of personal data, in order to promote digital privacy and resolve the issues concerning sharing of passenger data.
