Issue 90

Enforcement Updates

Garante fines Food delivery platform and Airport Co.

The Italian Privacy Authority, Garante announced fines for data privacy violations as part of its enforcement action. The authority fined the food delivery platform, Deliveroo Italy, EUR 2.5 million for unlawfully processing personal data of about 8000 of its riders. Particularly, the delivery company was found in violation of using non-transparent algorithms for delivery management of its riders.

The authority also announced fine on Guglielmo Marconi Airport of EUR 40,000 and its software provider of EUR 20,000 for using a software which failed to protect the personal data of whistleblowers. Garante noted that the Airport company, was not using secure protocols to process and handle personal data of whistleblower applications, thereby violating GDPR’s privacy by design principle.

Fintech settles privacy class action for USD 58 million.

Plaid, a fintech firm in US, was accused of using and distributing bank account credentials and financial information of around 98 million people to third parties without consent. The class action suit was filled accusing Plaid of selling user’s transaction histories and financial data to third party and also to Visa Inc. as part of its acquisition, without informing its users. Plaid agreed to pay settlement amount of USD 58 million to settle the class action.

Fine of NOK 100,000 for illegal surveillance.

Waxing Palace AS, a workshop run by a waxing salon has been fined by the Norwegian Data Protection Authority, after a complaint was issued against the surveillance camera of the workshop. The authority found the workshop to be in non-compliance of GDPR, because it had no legal basis for surveillance using a camera. Thus, holding them in breach of privacy, the Authority fined them NOK 100,000 after concluding an overall assessment.

Guidance updates 

  • Israel’s Privacy Protection Authority releases guide to help organizations assess and reduce privacy risks.
  • Hong Kong’s Office of the Privacy Commissioner for Personal Data issued clarification on the proposed amendments to the Personal Data Privacy Ordinance.
  • Philippines’s National Privacy Commission denies requests for excluding contact tracing from purview of Data Privacy Act.

UK updates 

  • ICO calls for opinions on data protection in employment practices.
  • ICO launches public consultation on the draft International Data Transfer Agreement (IDTA). The IDTA will replace E.U. Standard Contractual Clauses.

News around the globe

  • Privacy Organization, NOYB files 422 formal cookie complaints to data protection authorities in ten countries.
  • Apple plans to scan user personal data for child safety, raises privacy concerns.

EU updates

  • EDPB releases overview it’s on resources made avail to the Authorities and on enforcement actions by the Authorities.
  • EDPB issue’s opinion on the draft decisions regarding Controller, Processor Binding Corporate Rules.

India updates

  • Central Government asked to respond on Domino’s, Big Basket, Mobikwik and Air India data security incidents by Delhi High Court. Reports Bar and Bench.
  • 7 new members added to vacant positions in the Joint Parliamentary Committee on the Personal Data Protection Bill.
  • India completes 4 years to landmark Right to Privacy Judgement – refer this space to read more about data privacy developments in India.

Read our digital newsletter here.