Issue 94 - Privacy Desk

Enforcement updates

Whatsapp faces massive fines in Ireland and Turkey

The Irish Data Protection Authority, DPC concluded its GDPR investigations to fine WhatsApp over transparency breaches. The binding decision was adopted by the European Data Protection Board (EDPB) and instructed the DPC to reassess and increase its proposed fine based on several factors contained in the EDPB’s decision. Following such reassessment, a fine of EUR 225 million was imposed on WhatsApp along with an order of bringing its processing into compliance.

The Data protection Authority of Turkey, KVKK also announced a fine of TL 1,950,000 on WhatsApp over for breach of obligations under the Law on protection of personal data. Further, WhatsApp was also ordered to comply with corrections on its newly introduced privacy policy within 3 months.

Apple’s Siri accused of recording unconsented conversations

Apple’s voice recognition software and virtual assistant, Siri, has been accused of recording conversations which were not consented to. Siri is only supposed to record conversations upon activation, by using the phrase “Hey Siri”. However, Apple, through Siri, has been accused to record conversations without the wake-up phrase. Such unconsented recording is a violation of California’s privacy law and California’s civil codes. The United States District Court has thus recognised and certified the case as a class action proposed to cover everyone who has been recorded by Siri-enabled device without consent from at least as early as October 12 2011, through the present.

Class action against Flo Health in California

Flo Health Inc, a popular health and fitness mobile application, faces class action complaints of knowingly collecting, transmitting, and disclosing users’ intimate health data to third parties, including Google, Facebook, Appsflyer and Flurry. Flo Health contravened its assurances to users that their information would not be disclosed. Such information was used by the third parties to specifically target the users. A class action lawsuit is filed with United States District Court of California against Flo Health.

SpyFone banned from the Surveillance Business by FTC

The Federal Trade Commission (FTC) banned SpyFone over allegations of the app secretly collecting data on people’s physical movements, phone use, and online activities through a hidden device hack and selling its real-time access to their secret surveillance, allowing stalkers and domestic abusers to track the potential targets of their violence. By lack of employed security measures, the stalkerware app company not only illegally gathered and shared people’s private information, but also failed to keep such sensitive information secure. The FTC has thus required SpyFone has to delete all the illegally collected data and banned them from the surveillance business.

Guidance updates

The Office of the Information and Data Protection Commissioner, Malta publishes guidance note on Cookies Consent Requirements.
The Swiss Federal Data Protection and Information Commissioner recognises the Standard Contractual Clauses as an adequate measure for transfer of data to third countries.
International Standards Organization published a new standard for maintaining cybersecurity in the electrical and electronic (E/E) systems of cars.
Office of the Australian Information Commissioner releases its latest data breach notification report highlighting ransomware and impersonation fraud.

Regulatory updates

UAE proposes to introduce new Federal Data Protection Law.
China’s Law on Protection of Minors comes into effect after revision.
New Personal Data Protection Law approved by the Council of Ministers of Saudi Arabia.

US updates

Minnesota adopts new Insurance data security law specifying new obligations in relation to the processing of personal information and in the case of breach.
Baltimore enacts ordinance to ban use of facial recognition technology.

News around the globe

The Take Back Your Privacy Foundation in cooperation with the Consumentenbond calls for support in suing TikTok over child privacy violations.
San Andreas Regional Centre notifies consumers of data breach. Reports Business Wire.
Facebook warns non-profit group, Algorithm Watch to stop collecting data of its users. Reports Politico.

India updates

No legal opinion obtained by National Testing Agency for the introduction of facial recognition for entrance exams. Reports Medianama.
Data Security Council of India published guidance on hybrid workplaces and their cybersecurity risks.

UK updates

The First UK GDPR certification scheme approved by ICO.
ICO to call on G7 countries data protection and privacy authorities to overhaul cookie consent pop-ups.

Read our digital newsletter here.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
CONSENT	16 years 5 months 10 days 17 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.