Issue 101 - Privacy Desk

Enforcement updates

Ireland’s data protection watchdog publishes draft decision to fine Facebook

The Irish GDPR supervisory authority, the Data Protection Commission published a draft decision to fine, Facebook Inc. for violating transparency obligations under the GDPR. The authority acting pursuant to a complaint filed by ‘Nyob’, noted that Facebook was not transparent in providing information regarding its legal basis for processing data. The authority in its decision also stated that, privacy notices by Facebook are fragmented and users in order to obtain a true and accurate picture of Facebook’s data processing activities have to switch back and forth between various privacy sections. As a result, the DPC found Facebook in violation of multiple provisions relating to transparency, legal basis for processing, and data subject rights under the GDPR and proposed fine between the range of EUR 28 million and EUR 36 million. The draft decision will be put up before other supervisory authorities and the EDPB before being finalized.

Spanish Privacy Authority Fines Bank for illegal data processing

The Spanish data protection authority (‘AEPD’) published its decision to fine Caixabank Payments & Consumer EFC for failing to process personal data legally. The authority notes, that bank engaged in processing and profiling of personal data belonging to customers, without sufficient notice and also did not lay down the complete legal basis for certain kind of its processing and profiling activities. The decision was a result of 3-year long investigation following a 2018 complaint. The authority in its decision also listed out certain aggravated factors which ultimately led to a fine of EUR 3 million for violating provisions of the GDPR.

For issue of administrative fines, not necessary that data is processed – Belgium Supreme Court

The Belgium supreme court in case concerning violation of the GDPR ruled that, data protection authorities can act on complaint and hand out administrative fines notwithstanding processing of personal data belonging to data subject or the complainant. The case related a to compliant filed by a resident, whose employer company had asked to produce and record in the company’s data base his Belgian electronic identity card, as a prerequisite for issue of loyalty card. The complainant found this excessive and disproportionate to the cause and refused to give his identity card for the purpose of processing. The lower court had ruled that since the data subject refused processing of his personal data and did not submit his card, no administrative fine could be issued in this case. However, overturning the decision, the supreme court held that regardless of data processing, the act of the employer company violated provisions of data minimization and proportionality.

UK Tax authority sued for sharing personal data to US

An American born UK citizen has filled a case against the tax authority for infringing his privacy and violating provisions of the GDPR. The complainants law team stated that the UK HM Revenue & Customs department processed and transferred sensitive financial personal data to the US, as part of an inter-governmental agreement, this caused infringement of her privacy, personal damage and distress. Since, the data transfers are pre-Brexit era, the lawsuit entails violation of the GDPR and the Scherms II judgment.

Guidance updates

German Authority LfDI Baden-Wurttemberg launches tool for formulating data protection notice.
Luxembourg’s National Commission for Data Protection publishes cookie guidelines.
Chinese Provincial Cyberspace Administration launches management work to ensure data minimization.

Regulatory updates around the globe

The Brazilian data protection authority launches new procedure for investigation and enforcement of the countries data protection law.
Bill to obligate telecommunications network to store correspondence data, forwarded by Russian Parliamentary committee on security to the parliament.
Draft Bill amending privacy legislation introduced in Australia. Contains provision for enhanced fines and penalties as well as measures to improve children’s privacy.

US updates

Bill titled “Justice Against Malicious Algorithms Act” introduced in US.
US Consumer Financial Protection Bureau orders big tech companies to provide information on their payment systems operations. – Reports Reuters.
Six of the largest internet service providers secretly harvesting consumer data. – FTC Report

EU updates

First coordinated enforcement action by EDPB launched against use of cloud service providers by public sector.
Council of Europe launches toolbox to raise awareness about data protection and privacy among youths.
Belgian data protection authority notifies Interactive Advertising Bureau (IAB) of its draft decision concerning GDPR violations by IAB.

India updates

MP Rajeev Chandrasekhar endorses creation of single regulatory authority for personal and non-personal data laws.
FAQ on IT Intermediary Rules 2021, released by Ministry of Electronics and Information Technology
Telangana Government planning to introduce Facial Recognition Technology in their Public Distribution System. – Reports Medianama

News around the globe

Location data vendor app continued receiving location data of users, even after they had opted-out from sharing it. – Reports Vice
Global Privacy Assembly adopts resolution supporting limited access of government agencies to personal data.

Big tech updates

Google Chief, Sundar Pichai bats for federal privacy framework in US.
WhatsApp will now provide end-to-end encryption for backups.
Facebook to shut down its facial recognition system.

Read our digital newsletter here.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
CONSENT	16 years 5 months 10 days 17 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.