Issue 94

Enforcement Updates

Whatsapp faces massive fines in Ireland and Turkey

The Irish Data Protection Authority, DPC concluded its GDPR investigations to fine WhatsApp over transparency breaches. The binding decision was adopted by the European Data Protection Board (EDPB) and instructed the DPC to reassess and increase its proposed fine based on several factors contained in the EDPB’s decision. Following such reassessment, a fine of EUR 225 million was imposed on WhatsApp along with an order of bringing its processing into compliance.

The Data protection Authority of Turkey, KVKK also announced a fine of TL 1,950,000 on WhatsApp over for breach of obligations under the Law on protection of personal data. Further, WhatsApp was also ordered to comply with corrections on its newly introduced privacy policy within 3 months.

Apple’s Siri accused of recording unconsented conversations

Apple’s voice recognition software and virtual assistant, Siri, has been accused of recording conversations which were not consented to. Siri is only supposed to record conversations upon activation, by using the phrase “Hey Siri”. However, Apple, through Siri, has been accused to record conversations without the wake-up phrase. Such unconsented recording is a violation of California’s privacy law and California’s civil codes. The United States District Court has thus recognised and certified the case as a class action proposed to cover everyone who has been recorded by Siri-enabled device without consent from at least as early as October 12 2011, through the present.

Class action against Flo Health in California

Flo Health Inc, a popular health and fitness mobile application, faces class action complaints of knowingly collecting, transmitting, and disclosing users’ intimate health data to third parties, including Google, Facebook, Appsflyer and Flurry. Flo Health contravened its assurances to users that their information would not be disclosed. Such information was used by the third parties to specifically target the users. A class action lawsuit is filed with United States District Court of California against Flo Health.

SpyFone banned from the Surveillance Business by FTC

The Federal Trade Commission (FTC) banned SpyFone over allegations of the app secretly collecting data on people’s physical movements, phone use, and online activities through a hidden device hack and selling its real-time access to their secret surveillance, allowing stalkers and domestic abusers to track the potential targets of their violence. By lack of employed security measures, the stalkerware app company not only illegally gathered and shared people’s private information, but also failed to keep such sensitive information secure. The FTC has thus required SpyFone has to delete all the illegally collected data and banned them from the surveillance business.

Guidance Updates

  • The Office of the Information and Data Protection Commissioner, Malta publishes guidance note on Cookies Consent Requirements.
  • The Swiss Federal Data Protection and Information Commissioner recognises the Standard Contractual Clauses as an adequate measure for transfer of data to third countries.
  • International Standards Organization published a new standard for maintaining cybersecurity in the electrical and electronic (E/E) systems of cars.
  • Office of the Australian Information Commissioner releases its latest data breach notification report highlighting ransomware and impersonation fraud.

Regulatory Updates

  • UAE proposes to introduce new Federal Data Protection Law.
  • China’s Law on Protection of Minors comes into effect after revision.
  • New Personal Data Protection Law approved by the Council of Ministers of Saudi Arabia.

US Updates

  • Minnesota adopts new Insurance data security law specifying new obligations in relation to the processing of personal information and in the case of breach.
  • Baltimore enacts ordinance to ban use of facial recognition technology.

News around the globe

  • The Take Back Your Privacy Foundation in cooperation with the Consumentenbond calls for support in suing TikTok over child privacy violations.
  • San Andreas Regional Centre notifies consumers of data breach. Reports Business Wire.
  • Facebook warns non-profit group, Algorithm Watch to stop collecting data of its users. Reports Politico.

India Updates

  • No legal opinion obtained by National Testing Agency for the introduction of facial recognition for entrance exams. Reports Medianama.
  • Data Security Council of India published guidance on hybrid workplaces and their cybersecurity risks.

UK Updates

  • The First UK GDPR certification scheme approved by ICO.
  • ICO to call on G7 countries data protection and privacy authorities to overhaul cookie consent pop-ups.

Read our digital newsletter here.