Issue 91 - Privacy Desk

Enforcement updates

Cloud software company to face charges under California’s privacy law

Blackbaud Inc., a cloud computing company, admitted to paying off a ransomware attack in 2020. The company has since then faced a multiple class action which has been consolidated in multi-district litigation and now comprises of 29 cases. In the hearing, the US Federal judge ruled that all claims against Blackbaud fall under a violation of the California Consumer Privacy Act (CCPA). The company had defended the lawsuit by maintaining that it does not meet the definition of business under CCPA and was thus not liable to pay damages for data breach and security lapses under it. Rejecting the company’s claim, the judge ruled that it is a ‘for profit’ entity and would be liable for violations of the CCPA.

Pearson fined USD 1 million by SEC

Pearson plc, a public registered company has been fined by the US Securities and Exchange Commission for misleading investors about a cyber security incident, by deliberate omission and misleading statements. The incident occurred in 2018 where the records of millions of students, including dates of births and email addresses were stolen. It was noted that Pearson did not disclose and report the incident and were misleading the whole incident, until they were questioned. Without admitting or denying from the SEC’s charges, Pearson agreed to cease and desist from committing violations and has agreed to pay a USD 1 million civil penalty.

Soko Loans fined by NITDA for privacy violation

The National Information Technology Development Agency, Nigeria has raised a fine of NGN 10,000,000 on Soko Lending Company Limited. The company provides loans after downloading its mobile application to the customers and automatically activates a direct debit in its favor. The app gains unauthorized access in the mobile phone and sends unsolicited messages to the contacts of customer. Holding the company in violation of legal provisions of the Nigeria Data Protection Regulation, the authority in addition to levying fine, mandated the company to conduct a Data Protection Impact Assessment. The authority also imposed a mandatory Information Technology and Data Protection oversight on the company for 9 months.

Israel’s privacy watchdog reprimands Football association

Following a data security incident, Israel’s Privacy Protection Authority initiated an inspection against the Israel Football Association. The investigation revealed security vulnerabilities on website of the football association, and several lapses in compliance of the Privacy Protection Regulation. The security weakness on the website allowed any user to view personal information and passport photographs and IDs of players and referees. The association also failed to implement and practice data security and breach response measures. In this regard, the authority issued guidelines for rectification of compliance lapses and to prevent future data security incidents.

Guidance updates

South Korea’s Personal Information Protection Committee releases a summary report highlighting innovative solutions for data protection in technology companies.
Canada’s Office of the Privacy Commissioner updates several guidance documents to reaffirm inclusion of certain type of personal data as sensitive personal data.
CNIL releases guidance for preventing and responding to cyberattacks on email and courier services.
German State Hessian’s privacy authority guided, a telemedical solution technology project to comply with data protection regulations.
IAPP releases document to provide guidance in complying with the newly released Standard Contractual Clauses by the European Commission.

US updates

US Senators raise privacy concerns on Amazon’s biometric data collection practices.
US Congresswoman Lori Trahan seeks inputs on student data privacy bill.

News around the globe

Hamburg Data Protection Authority warns Senate Chancellery against use of Zoom over insufficient protection of data.
TikTok to introduce enhanced privacy protection features to ensure children and teen privacy. Reports Tech Crunch.
Facebook to provide end to end encryptions for conversations on the Messenger app. Reports Economic Times.
Ninety companies to form an association to protect cars from cyber-attacks. Reports Nikkei Asia.
UN human rights experts urge States to stop transfer and sale of surveillance technology till the guaranteed adoption of Human Rights Standards.

India updates

Government of India announces use of facial recognition technology for Biometric Boarding System at six airports in India. Raises privacy concerns.
Ransomware attack at Pine Labs, an Indian Merchant Company. 500,000 unique records exposed. Reports Cyble Research Lab.
Election Commission of India website hacked, 1000’s of fake voter IDs created. Reports TheWire.

China updates

Personal Information Protection Law of the People’s Republic of China adopted in China. Will enter into effect on 1^st November 2021.
China issues Regulations on the Security Protection of Critical Information Infrastructure.

Privacy tools issued

UK’s National Cyber Security Center (NCSC) releases a new tool to flag potential scam emails directly to the NCSC’s Suspicious Email Reporting Service with a single button.
Japan’s Ministry of Economy, Trade and Industry releases a cybersecurity tool which allows managers to visualize cyber security practice.

Read our digital newsletter here.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
CONSENT	16 years 5 months 10 days 17 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.