Issue 95 - Privacy Desk

Enforcement updates

IT Data Processer fined for violating Data Processing Agreement in Spain

The Spanish data protection authority (‘AEPD’) recently published its decision levying a fine of EUR 100,000 on Signallia Marketing Distribution, S.A. for violating GDPR data processor obligations. The company was providing its services as an IT data processor, and owing to the GDPR requirements, the activity was governed by a data processing agreement between the company and the data controller. AEPD in its finding noted that the company acting as a data processer failed to return the personal data it received back to the data controller after the processing operations were finished, thereby violating GDPR provisions for data processors.

TikTok faces privacy challenges in Netherlands and Ireland

Ireland’s Data Protection Commission (‘DPC’) announced that it has initiated two inquires against TikTok Inc. for issues relating to Data Protection by Design and Default, and Cross border data transfers under the GDPR. The DPC stated that it will investigate TikTok’s compliance with GDPR requirements of data protection by design and default, in relation to consent management, age verification and other privacy by design features, as well as TikTok’s data transfers to China.

TikTok also faces a consumer action in Netherlands from privacy NGO, The Mass Damage & Consumer Foundation. The NGO announced that it has initiated collective legal action against TikTok Inc, for privacy violations under GDPR as well as other Dutch consumer legislations and demands EUR 6 billion in compensation. The NGO in its internal research discovered severe privacy lapses and has accused TikTok of falling to obtain proper consent and basis, illegal data transfers and lack of adequate data security measures.

Estate Agent fined for illegal telemarketing call in Hong Kong

An estate agent received a fine under Hong Kong’s privacy law, the Personal Data (Privacy) Ordinance (PDPO) for violating the privacy of a data subject. The local magistrate’s court noted that the estate agent had called to ask his potential clients if they wanted to sell their property. The data subject had exercised his right to not receive marketing calls from the estate agent and asked him to cease processing his personal data. Noting that the estate agent acted in violation of the PDPO, a fine of HKD15,000 was levied against him.

30 Companies comply as part of CNIL’s cookie enforcement campaign

CNIL, the French Data Protection Authority, issued press release regarding future course of action as part of its Cookie enforcement campaign which began in July. As part of the campaign, CNIL had sent notices to 40 national and international organizations asking them to make their cookie policy and practices compliant with GDPR, mandating that rejecting cookies should be as easy as accepting them. Organizations had until 6^th September to comply with the CNIL notice. CNIL announced that close to 30 organizations have fully complied with CNIL directions, while rest sought extension. Organizations failing to comply with CNIL cookie instructions may face a fine up to 2% of their turnover. CNIL plans to further advance on its cookie enforcement plan, and will send further cookie notices to government organizations, political parties etc.

Guidance updates

Datatilsynet the Norwegian data protection authority published its guidance note on cross border personal data transfers post the Schrems II judgement.
Guidelines on proper handling of specific personal information by businesses and government agencies released by Japan’s Personal Information Protection Commission.
The Office of the Information Commissioner of Ontario publishes its response on the Canada’s proposed private sector privacy law.

Regulatory updates around the globe

GDPR code of conduct for the National Chamber of Notaries published by The Belgian Data Protection Authority.
Oklahoma Computer Data Privacy Act 2022 introduced.
Public consultation for reforming the UK National Data Protection Regime launched by ICO UK.

EU updates

The European Union Agency for Cybersecurity releases ‘’Methodology for Sectoral Cybersecurity Assessments’’
Amnesty International, European Network Against Racism and other NGO’s express concern over parliamentarian’s plan to reform EURODAC regulation into mass surveillance tool for refugees.
Government Whistleblowing Authorities urge legislators to enforce EU Whistleblower Directive before December 2021 deadline.

US updates

Legislative recommendation to create a Federal Trade Commission Privacy Bureau introduced.
Food delivery services to share customer personal data with restaurant if requested, under the amended New York law.
The Electronic Privacy Information Center and other privacy organizations writes to Department of Homeland Security, urging them to stop some of their surveillance programs and ensure privacy

India updates

Tamil Nadu Government announces digital unique heath ID for all state residents. Move raises privacy concern. Report’s Times of India
Data Security Council of India (‘DSCI’) published its Privacy guide for Healthcare Sector.
NATGRID, the intelligence data sharing, and security network will be launched soon. Report’s The Hindu.

International updates

UK, US, and Australia form a new strategic security partnership. Will focus on areas of cybersecurity, AI and quantum technologies.
International privacy organizations submit their recommendations for the draft Second Additional Protocol to the Budapest Convention on Cybercrime.
The Office of the High Commissioner for Human Rights releases report highlighting privacy issues with use of AI technology.

News around the globe

Apple introduces consent notice for showing personalized ads on ios15. – Report’s The Verge.
Major privacy flaw noticed in El Salvador’s official crypto wallet. – Report’s Tech Story
Servers of South Africa’s Information Regulator and Department of Justice suffer ransomware attack. Raises data security concerns.

Read our digital newsletter here.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
CONSENT	16 years 5 months 10 days 17 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.