Issue 102 - Privacy Desk

Enforcement updates

Company faces class action lawsuit for violation of Illinois privacy law

Ancestry.com, upon its acquisition by Blackstone, has disclosed genetic and personal information of the residents of Illinois, without their consent. The privacy laws of Illinois, prohibit any disclosure of its residents’ genetic information such as genetic tests, family members’ genetic tests, the manifestation of a disease or disorder in their family members to anyone other than the individual or those specifically authorized in writing. Since Ancestry.com failed to obtain such consent, the residents of Illinois have filed a class action law suit against the company.

Municipality fined for data security and internal control failures following a ransomware attack

The Norwegian Data Protection Authority (Datatilsynet) has raised a fine on the Ostre Toten municipality for deficiencies in personal data security and associated internal control after being hit by a ransomware attack in January 2021. The attack received control of the database municipality containing personal information about the municipality’s residents and employees, which they subsequently published on the dark web. The authority thus assessed the attack and highlighted the lack of technical and organisational measures to secure data processing and imposed a fine of NOK 4 million.

Company fined for discarding personal documents in the public trash bins

The Kansas Attorney General’s Office has fined a company, SearchTec for dumping documents in a public trash bin without removing any personal information from such documents or shredding such documents. The company manages business documents and performs searches for law firms, service companies and lenders. The documents contained personal details such as social security numbers, driver’s license numbers, financial account numbers, or credit or debit card numbers. The company was thus fined USD 500,000 for such disposal of documents.

Guidance updates

‘Good Machine Learning Practice for Medical Device Development: Guiding Principles’ released by FDA, MHRA, and Health Canada to provide users with clear and essential information.
U.S. Department of Labor Occupational Safety and Health Administration issues emergency temporary standards to protect workers from COVID-19.
The Cyberspace Administration of China releases ‘Draft Measures on Security Assessment of Cross-border Data Transfer’. Open for public comment.
Singapore’s government releases two new programs as a part of their National AI Strategy to improve the lives of our citizens, and help businesses seize new opportunities.

Regulatory updates around the globe

China’s Personal Information Protection Law comes into force from November 1.
‘Protecting Sensitive Personal Data Act, 2021’ bill introduced by US Senator, to supervise transactions involving Americans’ sensitive personal data.
Smaller Financial Institutions face cyber-attacks and data breaches. Urge Congress to implement law. Reports Roll Call.

US updates

USA’s Federal Trade Commission (FTC) updates rules to better protect citizens from data breaches and cyberattacks.
FTC issues new enforcement policy against employing illegal patterns to trap customers into subscription services. Urges companies to provide upfront information and obtain customer consent.

EU updates

European Parliament released draft law to strengthen cybersecurity obligations in terms of risk management, reporting obligations and information sharing.
The Council of Europe implements recommendations on profiling to better protect personal data and private life of individuals.

India updates

Hyderabad City Police goes through WhatsApp chats as a measure to prevent usage of drugs in the city. Raises privacy concerns. Reports Medianama.
Government agencies urge JPC to exempt them from the Data protection Bill. Reports The Hindu.
Central Depository Services Limited, India’s largest securities depository faces security vulnerability. Exposes sensitive data of 4.39 crore people. Reports CyberX9.
Government starts a project ‘Indian Citizens Assistance for Mobile Privacy & Security’ to identify privacy issues and prevent cyber frauds from mobile applications. Reports Economic Times.

China updates

Chinese government orders 38 applications to stop collecting excessive data.
Yahoo pulls its operations in China due to increasing legal and business challenges due to the introduction of the Chinese privacy law.
The People’s Bank of China urges fairer use and stronger regime of personal data protection. Reports Ecns.cn.

News around the globe

The Danish Business Authority is increasing supervision of communications over apps and services, to ensure better protection of data.
Mozilla has begun experimenting in implementing Global Privacy Control to protect the rights of website users under California privacy laws.

Big tech updates

The Australian Competition & Consumer Commission urges choices in search engines rather than retaining Google as a default search engine.
Google will remove pictures of children and teens from search results upon raising request. Implements control policy to protect their digital footprints.
Alternative billing system to be added to Google Play-store in South Korea.

Read our digital newsletter here.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
CONSENT	16 years 5 months 10 days 17 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.