Issue 100

Dear Subscribers and Readers,

We are pleased and honored to present to you our 100th issue of our periodical data protection and privacy newsletter! With the humble beginning of Do You Know section we have grown our newsletter to include multiple sections like detailed enforcements analysis, global regulatory and guidance updates, regional updates from EU, USA, India, Singapore, Australia etc. and time specific updates on COVID19 pandemic and Vaccine passports and regular insights on national and international news updates around the globe in the field of data protection and privacy.

We are beyond proud and thrilled to have reached this milestone alongside our avid readers. We thank you for your continued patronage and support which has brought us here today.

A special thanks to our contributors Tirthesh Shah, Amardeep Mathur and Ayushi Modi

Enforcement updates

Postal company fined for data privacy violation in Austria

Austrian Postal Services company Osterreichische Post announced that it has received a EUR 9.5 million fine from the Austrian data protection authority (‘DSB’), for failure to adequately disclose collection and processing activities of the company. The DSB also noted that, in addition to the existing options for contacting the company, data subjects should be allowed to exercise their data privacy rights and submit requests by email too.

7-Eleven Stores fined for processing facial recognition data in Australia

7-Eleven Stores Pty Ltd, the company which owns the retail store chain, received a fine from the Office of the Australian Information Commissioner (OAIC), for violating the Australian Privacy Principles and the Privacy Act. OAIC noted that the company, was processing sensitive biometric information, in the form of facial recognition data, or faceprints. The Authority in its decision notes, that the company unnecessarily and without obtaining consent, collected faceprints of customers, while they filled survey forms on company tablets. These faceprints were processed to ascertain demographics and filter out genuine participants. In process of collecting and processing such sensitive biometric information, the company violated Australian privacy principles and provisions of the Privacy Act 1988. As a result, the company was told to cease all collection of customer faceprints and destroy all previous records.

UK based Charity fined for data breach incident

UK based charity organization, HIV Scotland, was fined for a data breach incident which occurred in February 2020. The Information Commissioner’s Office (ICO) in an investigation reported that the charity organization sent out emails to 105 persons including patient advocates, which disclosed sensitive health details, and HIV status of the patients to all the recipients, thus causing a data breach incident.  The ICO also noted that the charity organization continued using the bcc mailer system despite certain privacy red flags. Additional shortcoming noticed were, lack of an adequate privacy policy, lack of staff awareness and training etc. As a result, the organization was fined GBP 10000 by the ICO.

Mark Zuckerberg added as defendant in Columbia privacy lawsuit

Mark Zuckerberg, CEO of Meta (formerly Facebook), was added as a defendant by a Columbia district court, in relation to a lawsuit filed by the state district attorney. The attorney had argued that Mark Zuckerberg played a key role in the decisions taken by major executives. The attorney determined that there were enough evidence and records to hold Mark Zuckerberg personally liable in the privacy battle which was initiated in relation to the Cambridge Analytica Scandal. If found guilty, Mr. Zuckerberg would be liable to pay compensation to the affected parties.

Regulatory updates around the globe

  • K-12 Cybersecurity law to protect the sensitive information maintained by schools signed by US President.
  • ICO issues statement on DCMS consultation on reviewing the UK data protection legal framework.
  • California approves amendments to CCPA and bills to expand privacy requirements for genetic testing.

US updates

  • FTC urged to use authority and ensure that companies comply with their children’s and teen’s privacy policies.
  • The Department of Justice launched new Cyber-Fraud Initiative for combating cyber threats to sensitive information and critical systems.
  • Senators calls for FTC to impose federal data privacy and security standards.
  • Federal Communications Commission urged to address surveillance threats posed by foreign firms providing services to US telecos. Source: Reuters

EU updates

  • EU to develop a specific set of SCC’s for extraterritorial transfers
  • Guidelines on restrictions on data subject rights adopted by EDPB
  • EU Parliament approves e-CODEX, a data transfer system used for electronic transmission of information and documents in cross-border civil and criminal proceedings.

India updates

  • The PDP Bill will help the IT sector in India to get more business from abroad – Meity’s Additional Secretary.
  • RBI’s new e-mandate framework to help safeguards consumer data.
  • Data Protection Law likely in next few months: IT Minister of State

News around the globe

  • Google Play Store new data privacy section to go live in February 2022. Reports The Verge
  • ITRC reports that number of data breaches by September Quarter of 2021 surpasses the total breaches in 2020.
  • Stalkerware ads that encouraged phone spying taken down by Google. Source: Techcrunch
  • Twitch suffers data breach of its source code and user’s payout information. Source Video Game Chronicle
  • Cyber security incident reported at Japanese tech giant Olympus.

Read our digital newsletter here.


© 2019 Reina Consulting LLP – All rights reserved