Issue 96 - Privacy Desk

Enforcement updates

ICO and FTC announce decisions against companies for unsolicited messages and calls

UK’s Information Commissioner’s Office (ICO) recently published their decision announcing fines on four well-known companies, for sending up to 354 million nuisance messages. The companies ‘We Buy Any Car’ was fined for GBP 200,000 ; ‘Saga Services Ltd’ and ‘Saga Personal Finance’ were fined GBP 150,000 and GBP 75,000 and ‘Sports Direct’ has been fined GBP 70,000. These companies were not permitted to send any marketing messages to customers without their consent and were thus held in violation of the Privacy and Electronic Communications Regulations 2003.

The Federal Trade Commission (FTC) has released its proposed settlement order of the complaints against Grand Bahama Cruise Line LLC for making millions of illegal calls to consumers nationwide, pitching free cruise vacations between Florida and the Bahamas. The controllers of the operation have been ordered to pay USD 50,000 civil penalty to the U.S. Treasury each. The other defendants of the complaints have been banned from engaging in, or assisting others in engaging in, making robocalls to consumers.

Hamburg watchdog announces fine on energy company

The Hamburg Commissioner for Data Protection and Freedom of Information (‘HmbBfDI’) imposed a fine of EUR 901,389 on Vattenfall Europe Sales GmbH for violating the transparency obligations covered under GDPR. The company failed to inform its customers about them conducting an internal data comparison relating to contract inquiries for special contracts which were associated with special bonus payments. A total of 500,000 customers were affected due to such data comparison. Upon displaying extensive cooperation and stopping the non-transparent data comparison immediately, the HmbBfDI reduced their fine significantly, imposing a total fine of EUR 901,389.

Health system faces lawsuit over data breach

UC San Diego Health faced a data breach spanning from December 2020 to April 2021 which had exposed sensitive information of almost 500,000 individuals. The health system posted an announcement on its website in July informing patients that hackers had conducted a phishing attack on their system. Patients have approached the court, seeking the status of a class action lawsuit, alleging that UC San Diego Health failed to implement adequate security practices and train employees on how to prevent phishing attacks. The suit claims that such data breach is a violation of the health care system’s responsibility to comply with the privacy and security rules related to the Health Insurance Portability and Accountability Act.

Double Trouble for TikTok in Ireland

Ireland’s Data Protection Commission (DPC) has launched a formal investigation against TikTok alleging their noncompliance in regard to their GDPR’s data protection by design and default requirements. DPC has thus inquired into TikTok’s transparency obligations for processing of personal data of children (users under age 18). DPC also launched another inquiry into TikTok’s GDPR compliance requirements for transfers of personal data to China and other third countries alleging their noncompliance.

Guidance updates

The French watchdog, CNIL, released a template for organisations to assess their level of maturity to improve their data protection management.
The Liechtensteiner Data protection authority has released a guidance note on profiling and automated decision-making.
USA’s FTC releases guidance on its ‘Health Breach Notification Rule’ for Health Apps and Connected Devices Companies.
Macau’s Office for Personal Data Protection urges for compliance with the Personal Information Protection Law of the People’s Republic of China.

Regulatory updates

The California Senate Bill 41 on practices for genetic testing of companies’ data presented to the government.
Quebec adopts Bill No. 64, to modernize provisions of the protection of personal information.
The Parliament of the Republic of Tajikistan has published the Draft Information Code of the Republic of Tajikistan.
Saudi Arabia’s new Personal Data Protection Law published.

EU updates

European Data Protection Board (EDPB) establishes taskforce in response to complaints against cookie banners.
EDPB releases opinion the draft adequacy decision for the Republic of Korea adopted by European Commission.
European Data Protection Supervisor issues opinion on the proposed anti-money laundering legislative package by the Commission.

US updates

US Senate urges FTC to protect consumer data privacy. Calls for new rules.
Office of Foreign Assets Control of the US Treasury released an updated advisory on the risks associated with facilitating ransomware payments.
California Privacy Protection Agency Board seeks public comments on proposed rulemaking under the California Privacy Rights Act of 2020, till 8 November 2021.
The U.S. Congressional Research Service releases report on EU-US Privacy Shield and transatlantic data flows.

India updates

WhatsApp to encrypt chat backups to protect user’s sensitive data. Reports Facebook.
Tamil Nadu Public Department hit by ransomware attack for the second time this year. 1,950 USD in cryptocurrency demanded. Reports The Hindu.
India’s PDPB may see over 100 changes as introduced by the new chairperson and BJP MP PP Chaudhary. Changes may lead social media companies in losing their safe harbour status. Reports Hindustan Times.

International updates

Council of Europe along with seven major organisations launches online portal promoting global cooperation on artificial intelligence.
The Basel Committee on Banking Supervision urges banks to strengthen cybersecurity.
The Payment Card Industry Security Standards Council issued best practices guidelines to for the appropriate use of remote assessments.

News around the globe

UK Government Department for Digital, Culture, Media & Sport launches consultation on reforms to the data privacy regime. Open for comments till 19 November 2021.
Google to auto reset sensitive data permissions given to apps not used in months.
UK launches investigation into a data breach of information from the Afghan Relocations Assistance Policy team, which included details of Afghan interpreters working with the British. Reports Politico.

Read our digital newsletter here.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
CONSENT	16 years 5 months 10 days 17 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.