Issue 95

Enforcement updates

IT Data Processer fined for violating Data Processing Agreement in Spain

The Spanish data protection authority (‘AEPD’) recently published its decision levying a fine of EUR 100,000 on Signallia Marketing Distribution, S.A. for violating GDPR data processor obligations. The company was providing its services as an IT data processor, and owing to the GDPR requirements, the activity was governed by a data processing agreement between the company and the data controller. AEPD in its finding noted that the company acting as a data processer failed to return the personal data it received back to the data controller after the processing operations were finished, thereby violating GDPR provisions for data processors.

TikTok faces privacy challenges in Netherlands and Ireland

Ireland’s Data Protection Commission (‘DPC’) announced that it has initiated two inquires against TikTok Inc. for issues relating to Data Protection by Design and Default, and Cross border data transfers under the GDPR. The DPC stated that it will investigate TikTok’s compliance with GDPR requirements of data protection by design and default, in relation to consent management, age verification and other privacy by design features, as well as TikTok’s data transfers to China.

TikTok also faces a consumer action in Netherlands from privacy NGO, The Mass Damage & Consumer Foundation. The NGO announced that it has initiated collective legal action against TikTok Inc, for privacy violations under GDPR as well as other Dutch consumer legislations and demands EUR 6 billion in compensation. The NGO in its internal research discovered severe privacy lapses and has accused TikTok of falling to obtain proper consent and basis, illegal data transfers and lack of adequate data security measures.

Estate Agent fined for illegal telemarketing call in Hong Kong

An estate agent received a fine under Hong Kong’s privacy law, the Personal Data (Privacy) Ordinance (PDPO) for violating the privacy of a data subject. The local magistrate’s court noted that the estate agent had called to ask his potential clients if they wanted to sell their property. The data subject had exercised his right to not receive marketing calls from the estate agent and asked him to cease processing his personal data. Noting that the estate agent acted in violation of the PDPO, a fine of HKD15,000 was levied against him.

30 Companies comply as part of CNIL’s cookie enforcement campaign

CNIL, the French Data Protection Authority, issued press release regarding future course of action as part of its Cookie enforcement campaign which began in July. As part of the campaign, CNIL had sent notices to 40 national and international organizations asking them to make their cookie policy and practices compliant with GDPR, mandating that rejecting cookies should be as easy as accepting them. Organizations had until 6^th September to comply with the CNIL notice. CNIL announced that close to 30 organizations have fully complied with CNIL directions, while rest sought extension. Organizations failing to comply with CNIL cookie instructions may face a fine up to 2% of their turnover. CNIL plans to further advance on its cookie enforcement plan, and will send further cookie notices to government organizations, political parties etc.

Guidance updates

Datatilsynet the Norwegian data protection authority published its guidance note on cross border personal data transfers post the Schrems II judgement.
Guidelines on proper handling of specific personal information by businesses and government agencies released by Japan’s Personal Information Protection Commission.
The Office of the Information Commissioner of Ontario publishes its response on the Canada’s proposed private sector privacy law.

Regulatory updates around the globe

GDPR code of conduct for the National Chamber of Notaries published by The Belgian Data Protection Authority.
Oklahoma Computer Data Privacy Act 2022 introduced.
Public consultation for reforming the UK National Data Protection Regime launched by ICO UK.

EU updates

The European Union Agency for Cybersecurity releases ‘’Methodology for Sectoral Cybersecurity Assessments’’
Amnesty International, European Network Against Racism and other NGO’s express concern over parliamentarian’s plan to reform EURODAC regulation into mass surveillance tool for refugees.
Government Whistleblowing Authorities urge legislators to enforce EU Whistleblower Directive before December 2021 deadline.

US updates

Legislative recommendation to create a Federal Trade Commission Privacy Bureau introduced.
Food delivery services to share customer personal data with restaurant if requested, under the amended New York law.
The Electronic Privacy Information Center and other privacy organizations writes to Department of Homeland Security, urging them to stop some of their surveillance programs and ensure privacy

India updates

Tamil Nadu Government announces digital unique heath ID for all state residents. Move raises privacy concern. Report’s Times of India
Data Security Council of India (‘DSCI’) published its Privacy guide for Healthcare Sector.
NATGRID, the intelligence data sharing, and security network will be launched soon. Report’s The Hindu.

International updates

UK, US, and Australia form a new strategic security partnership. Will focus on areas of cybersecurity, AI and quantum technologies.
International privacy organizations submit their recommendations for the draft Second Additional Protocol to the Budapest Convention on Cybercrime.
The Office of the High Commissioner for Human Rights releases report highlighting privacy issues with use of AI technology.

News around the globe

Apple introduces consent notice for showing personalized ads on ios15. – Report’s The Verge.
Major privacy flaw noticed in El Salvador’s official crypto wallet. – Report’s Tech Story
Servers of South Africa’s Information Regulator and Department of Justice suffer ransomware attack. Raises data security concerns.

Read our digital newsletter here.