Issue 100 - Privacy Desk

Dear Subscribers and Readers,

We are pleased and honored to present to you our 100th issue of our periodical data protection and privacy newsletter! With the humble beginning of Do You Know section we have grown our newsletter to include multiple sections like detailed enforcements analysis, global regulatory and guidance updates, regional updates from EU, USA, India, Singapore, Australia etc. and time specific updates on COVID19 pandemic and Vaccine passports and regular insights on national and international news updates around the globe in the field of data protection and privacy.

We are beyond proud and thrilled to have reached this milestone alongside our avid readers. We thank you for your continued patronage and support which has brought us here today.

A special thanks to our contributors Tirthesh Shah, Amardeep Mathur and Ayushi Modi

Enforcement updates

Postal company fined for data privacy violation in Austria

Austrian Postal Services company Osterreichische Post announced that it has received a EUR 9.5 million fine from the Austrian data protection authority (‘DSB’), for failure to adequately disclose collection and processing activities of the company. The DSB also noted that, in addition to the existing options for contacting the company, data subjects should be allowed to exercise their data privacy rights and submit requests by email too.

7-Eleven Stores fined for processing facial recognition data in Australia

7-Eleven Stores Pty Ltd, the company which owns the retail store chain, received a fine from the Office of the Australian Information Commissioner (OAIC), for violating the Australian Privacy Principles and the Privacy Act. OAIC noted that the company, was processing sensitive biometric information, in the form of facial recognition data, or faceprints. The Authority in its decision notes, that the company unnecessarily and without obtaining consent, collected faceprints of customers, while they filled survey forms on company tablets. These faceprints were processed to ascertain demographics and filter out genuine participants. In process of collecting and processing such sensitive biometric information, the company violated Australian privacy principles and provisions of the Privacy Act 1988. As a result, the company was told to cease all collection of customer faceprints and destroy all previous records.

UK based Charity fined for data breach incident

UK based charity organization, HIV Scotland, was fined for a data breach incident which occurred in February 2020. The Information Commissioner’s Office (ICO) in an investigation reported that the charity organization sent out emails to 105 persons including patient advocates, which disclosed sensitive health details, and HIV status of the patients to all the recipients, thus causing a data breach incident. The ICO also noted that the charity organization continued using the bcc mailer system despite certain privacy red flags. Additional shortcoming noticed were, lack of an adequate privacy policy, lack of staff awareness and training etc. As a result, the organization was fined GBP 10000 by the ICO.

Mark Zuckerberg added as defendant in Columbia privacy lawsuit

Mark Zuckerberg, CEO of Meta (formerly Facebook), was added as a defendant by a Columbia district court, in relation to a lawsuit filed by the state district attorney. The attorney had argued that Mark Zuckerberg played a key role in the decisions taken by major executives. The attorney determined that there were enough evidence and records to hold Mark Zuckerberg personally liable in the privacy battle which was initiated in relation to the Cambridge Analytica Scandal. If found guilty, Mr. Zuckerberg would be liable to pay compensation to the affected parties.

Regulatory updates around the globe

K-12 Cybersecurity law to protect the sensitive information maintained by schools signed by US President.
ICO issues statement on DCMS consultation on reviewing the UK data protection legal framework.
California approves amendments to CCPA and bills to expand privacy requirements for genetic testing.

US updates

FTC urged to use authority and ensure that companies comply with their children’s and teen’s privacy policies.
The Department of Justice launched new Cyber-Fraud Initiative for combating cyber threats to sensitive information and critical systems.
Senators calls for FTC to impose federal data privacy and security standards.
Federal Communications Commission urged to address surveillance threats posed by foreign firms providing services to US telecos. Source: Reuters

EU updates

EU to develop a specific set of SCC’s for extraterritorial transfers
Guidelines on restrictions on data subject rights adopted by EDPB
EU Parliament approves e-CODEX, a data transfer system used for electronic transmission of information and documents in cross-border civil and criminal proceedings.

India updates

The PDP Bill will help the IT sector in India to get more business from abroad – Meity’s Additional Secretary.
RBI’s new e-mandate framework to help safeguards consumer data.
Data Protection Law likely in next few months: IT Minister of State

News around the globe

Google Play Store new data privacy section to go live in February 2022. Reports The Verge
ITRC reports that number of data breaches by September Quarter of 2021 surpasses the total breaches in 2020.
Stalkerware ads that encouraged phone spying taken down by Google. Source: Techcrunch
Twitch suffers data breach of its source code and user’s payout information. Source Video Game Chronicle
Cyber security incident reported at Japanese tech giant Olympus.

Read our digital newsletter here.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
CONSENT	16 years 5 months 10 days 17 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.