Issue 97 - Privacy Desk

Enforcement updates

SEC issues fine for USD 10 Million for misrepresenting alternate data

The Securities and Exchange Commission (SEC) has fined USD 10 million on the app Annie Inc., as securities fraud charges for making material misrepresentations about how the alternative data was derived. Annie is a leading alternative data provider for the mobile app industry. Alternate data, such as estimates on the number of times an app is downloaded and how often it’s used, was agreed not to be disclosed to third parties. Contrary to these undertaking, the app used non-aggregated and non-anonymized data to alter its model-generated estimates for making them more valuable to sell to trading firms and thus have been held in violation.

T-Mobile faces privacy investigation in Massachusetts

T-Mobile, an international wireless carrier is facing an investigation by the office of Attorney General Maura Healey. In July 2021, the company faced a massive breach of their computer network which resulted in data compromised of over 13.1 million current customers and 40 million former and prospective customers. The information breached included names, drivers license information, government identification numbers, social security numbers, addresses, and date of birth. The investigation has been launched to determine the steps taken to address the breach and notify the consumers, and to determine whether the company had proper safeguards in place to protect consumer information.

University fined for using non-compliant proctoring software

It is reported that the Italian Data Protection Authority, Garante has issued a fine of EUR 200 thousand on a University in Milan for using proctoring tools from the company ‘Respondus Inc’. The Luigi Bocconi University used proctoring tools to supervise written tests during the pandemic. It was reported that these systems are invasive and involve unnecessary monitoring of students. It was also held that the use of such technology for processing the biometric data of students for exams cannot be considered as a legal basis for processing under GDPR.

Reserve Bank of New Zealand served privacy compliance notice

The Reserve Bank of New Zealand faced a cyber-attack in December 2020. Upon the introduction of the Privacy Act 2020 and the powers bestowed on the Office of the Privacy Commissioner, a compliance notice has been issued on the Reserve Bank. The Privacy Act allows for the publication of compliance notices on a case-by-case basis if the Commissioner believes it is desirable to do so in the public interest. The compliance notice issued provides a template for the Bank to report, confirming the improvements made to policies and procedures to make the systems more secure and less prone to cyber-attacks.

Guidance updates

The Irish Council for Civil Liberties has published a report titled, ‘Europe’s Enforcement Paralysis’ to highlight the enforcement capacity of data protection authorities.
The U.S. Department of Health and Human Services has released a guidance note on the applicability of Health Insurance Portability and Accountability Act of 1996 Privacy Rule, for disclosures and COVID-19 vaccination status.
South Korea’s Personal Information Protection Committee has released a series of infographics on ways to handle personal data in emergency situations.
CNIL, France has released its draft guide to processing personal data in compliance with GDPR within the recruitment sector.

Regulatory updates

HongKong has passed a Personal Data (Privacy) (Amendment) Bill 2021.
Nevada’s law about internet privacy takes effect.

News around the globe

Ikea has launched an investigation after staff finds unauthorized CCTV camera’s in washrooms. Reports Telegraph.
Apple to help detect and diagnose mental illness by tracking users actions. Reports The Wall Street Journal.
Facebook working in coordination with the Italian data protection authority, to create awareness for responsible use of Ray-Ban Stories smart glasses.

Singapore updates

The PDPC has released a guide to data protection practices and a handbook on guard against data breaches.
Cyber Security Agency released a framework for licensing the cybersecurity service providers.
Amended Personal Data Protection (Notification of Data Breaches) Regulations 2021 and the Personal Data Protection Regulations 2021 have entered into force.

International updates

The United Nations Conference on Trade and Development publishes Digital Economy Report 2021, focusing on cross-border data flows and development.
The U.S.-EU Trade and Technology Council release statement affirming willingness to develop and implement artificial intelligence systems to enhance privacy protections.

US updates

The National Institute of Standards and Technology is seeking comments on draft guide, ‘Securing the Industrial Internet of Things: Cybersecurity for Distributed Energy Resources’.
The U.S. Congressional Research Service releases report titled: ‘EU-US Privacy Shield and transatlantic data flows’ discussing the Privacy Shield framework and future prospects of data flow.
California Attorney General releases a bulletin reminding health care providers to report health care data breaches and to comply with state and federal data privacy laws.

India updates

The Delhi High Court seeks actions against Google Pay for illegally storing and accessing Aadhar and banking information of its users. Reports LiveLaw.
The Personal Data Protection bill, likely to be discussed in Parliament’s winter session. Reports India Today.

Recent developments

Connecticut law concerning data breach notification has come into force on 1^st October. Read more.
The new Standard Contractual Clauses have come into effect from 27^th September. Read more.

Read our digital newsletter here.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
CONSENT	16 years 5 months 10 days 17 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.