Issue 101

Enforcement Updates

Ireland’s data protection watchdog publishes draft decision to fine Facebook

The Irish GDPR supervisory authority, the Data Protection Commission (DPC), published a draft decision to fine Facebook Inc. for violating transparency obligations under the GDPR. The authority, acting pursuant to a complaint filed by ‘noyb’, noted that Facebook was not transparent in providing information regarding its legal basis for processing data. The authority also stated in its decision that Facebook’s privacy notices are fragmented, and that users have to switch back and forth between various privacy sections to obtain a true and accurate picture of Facebook’s data processing activities. As a result, the DPC found Facebook in violation of multiple provisions relating to transparency, legal basis for processing, and data subject rights under the GDPR, and proposed a fine in the range of EUR 28 million to EUR 36 million. The draft decision will be put before other supervisory authorities and the EDPB before being finalized.

Spanish privacy authority fines bank for illegal data processing

The Spanish data protection authority (‘AEPD’) published its decision to fine Caixabank Payments & Consumer EFC for failing to process personal data legally. The authority notes that the bank engaged in processing and profiling of personal data belonging to customers without sufficient notice, and did not lay down the complete legal basis for certain kinds of its processing and profiling activities. The decision was the result of a three-year-long investigation following a 2018 complaint. In its decision, the authority also listed certain aggravating factors, which ultimately led to a fine of EUR 3 million for violating provisions of the GDPR.

Processing of data not necessary for issue of administrative fines – Belgian Supreme Court

The Belgian Supreme Court, in a case concerning violation of the GDPR, ruled that data protection authorities can act on a complaint and hand out administrative fines even where personal data belonging to the data subject or the complainant has not been processed. The case related to a complaint filed by a resident whose employer company had asked him to produce his Belgian electronic identity card, to be recorded in the company’s database, as a prerequisite for the issue of a loyalty card. The complainant found this excessive and disproportionate to the purpose and refused to hand over his identity card for processing. The lower court had ruled that, since the data subject refused processing of his personal data and did not submit his card, no administrative fine could be issued in this case. However, overturning that decision, the Supreme Court held that, regardless of whether data was processed, the act of the employer company violated the principles of data minimization and proportionality.

UK tax authority sued for sharing personal data with US

An American-born UK citizen has filed a case against the tax authority, alleging infringement of privacy and violation of provisions of the GDPR. The complainant’s legal team stated that the UK HM Revenue & Customs department processed and transferred sensitive financial personal data to the US as part of an inter-governmental agreement, and that this infringed the complainant’s privacy and caused personal damage and distress. Since the data transfers date from the pre-Brexit era, the lawsuit alleges violation of the GDPR and the Schrems II judgment.

Guidance Updates

  • German authority LfDI Baden-Württemberg launches tool for formulating data protection notices.
  • Luxembourg’s National Commission for Data Protection publishes cookie guidelines.
  • Chinese Provincial Cyberspace Administration launches management work to ensure data minimization.

Regulatory Updates around the globe

  • The Brazilian data protection authority launches new procedure for investigation and enforcement of the country’s data protection law.
  • Bill obligating telecommunications networks to store correspondence data forwarded to the parliament by the Russian parliamentary committee on security.
  • Draft bill amending privacy legislation introduced in Australia. It contains provisions for enhanced fines and penalties as well as measures to improve children’s privacy.

US Updates

  • Bill titled “Justice Against Malicious Algorithms Act” introduced in the US.
  • US Consumer Financial Protection Bureau orders big tech companies to provide information on their payment systems operations. – Reports Reuters
  • Six of the largest internet service providers secretly harvesting consumer data. – FTC Report

EU Updates

  • EDPB launches first coordinated enforcement action, targeting the use of cloud service providers by the public sector.
  • Council of Europe launches toolbox to raise awareness about data protection and privacy among youths.
  • Belgian data protection authority notifies Interactive Advertising Bureau (IAB) of its draft decision concerning GDPR violations by IAB.

India Updates

  • MP Rajeev Chandrasekhar endorses creation of a single regulatory authority for personal and non-personal data laws.
  • FAQ on IT Intermediary Rules 2021 released by the Ministry of Electronics and Information Technology.
  • Telangana Government planning to introduce facial recognition technology in its Public Distribution System. – Reports Medianama

News around the Globe

  • Location data vendor app continued receiving users’ location data even after they had opted out of sharing it. – Reports Vice
  • Global Privacy Assembly adopts resolution supporting limited access of government agencies to personal data.

Big Tech Updates

  • Google chief Sundar Pichai bats for a federal privacy framework in the US.
  • WhatsApp will now provide end-to-end encryption for backups.
  • Facebook to shut down its facial recognition system.
