Issue 86

Enforcement Updates

EDPB orders investigation against WhatsApp and Facebook

The European Data Protection Board (EDPB) ordered an urgent investigation upon Facebook and WhatsApp following launch of WhatsApp’s controversial privacy policy. EDPB while delivering its binding decision noted that that Facebook is already processing WhatsApp user data as joint controller for both applications. However, it is unclear at the moment to determine in detail exactly what processing operations are carried out on WhatsApp user data by Facebook and in what capacity. As a result, the Irish Supervisory Authority was ordered to launch statutory investigations against Facebook and its group companies to determine the processing operations being carried out and ascertain whether they are conducted in accordance with the GDPR.

Trade Repository fined for data privacy violations

UK based trade repository, DTCC Derivatives Repository PLC (DDRL) has been fined for infringing the European Market Infrastructure Regulation (EMIR) by the European Securities and Markets Authority. The authority issued the fine for violations in relation to data confidentiality and data integrity under the EMIR. Particularly, the violations include, granting unauthorized access, weak IT system and failure to provide information to the regulators, with a specific fine for every breach. As a result, a fine totaling to EUR 408,000 was issued against DDRL.

Use of biometrics banned at Port of Seattle

The Port of Seattle Commission voted to ban biometric technology which uses measures such as facial recognition for enforcement, surveillance, and security purposes. As a result, port authorities, or any other private entity is banned from using any form of biometric technology for traveler functions. Such vote puts a moratorium on all uses of the biometric technology until they can be reviewed and renewed. The port would extend the use of such technology only upon voluntary use and strict privacy compliance.

India Updates

  • Reserve Bank of India bans Mastercard from issuing new cards to domestic customers due to its failure to meet data localization requirements.
  • An accused can have his name redacted from Court orders upon acquittal to protect his privacy – Madras High Court.

Guidance Issued 

  • ICO, UK issues an opinion note on the use of live facial recognition technology in public places.
  • California AG suggests use of Global Privacy Control (GPC) for receiving opt of sale requests under CCPA to online business. Refer FAQ’s
  • Irish DPC released guidance on accidental receipt of personal data by third party and for data controllers who lose data to a third Party.

 Regulatory updates around the globe

  • Personal Privacy Act introduced in Ohio.
  • New bill for maintaining registry of Data Brokers introduced in US Senate.
  • Report on the Telecommunications Legislation Amendment (International Production Order) Bill 2020 placed in Parliament of Australia.

 News around the globe 

  • US, EU, UK and NATO jointly accuse China of malicious cyber activity. 
  • Investors seek action against Nielsen for misrepresenting effect of GDPR on the company.
  • Bytedance, TikTok’s parent defers IPO plans due to data security failures. Reports WSJ

Read our digital newsletter here.