Issue 103

Enforcement updates

Company providing facial recognition solutions breaches Australian privacy law

Australian Information and Privacy Commissioner found Clearview AI Inc. in violation of Australian residents’ privacy by scraping their biometric data from the internet and disclosing it with the use of a facial recognition tool. The company further breached the Australian Privacy Act, 1988 by collecting the citizens sensitive information by unfair means without consent, notice, or implementation of practices to ensure compliance with the Australian Privacy Principles. Accordingly, Clearview AI has been ordered to cease the collection of and destroy existing facial images and biometric templates belonging to individuals in Australia.

French watchdog raises fines of EUR 400,000 for GDPR violation

French Data Protection Authority (CNIL) has fined state-owned public transport company, RATP Group EUR 400,000 for violating GDPR principle of data minimization and collecting information of workers on strike to make promotion-related decisions. Further, the company violated data retention rules by storing data for longer than the necessary 18 months and provided all workers access to this data which could lead to its misuse.

Dutch Tax Office blacklisted for violation of GDPR

The Dutch DPA found the Tax and Customs Administration in violation of the GDPR for storing personal data of nearly 270,000 individuals without a purpose. The data was stored for an excessive amount of time from 2003 to 2020 for creating a blacklist. The data was processed in the Fraud Signalling Facility without a valid legal basis. The data collected was not kept up to date and for a period longer than required.

Guidance updates

Chile’s Information Security Incident Response Team publishes cybersecurity guidelines for small and medium sized enterprises.
Spain’s Official Gazette publishes instruction on advisory functions of Spanish DPA.
New Zealand announces compliance monitoring program for rental accommodation industry.
CNIL publishes guide on the role of Data Protection Officer under GDPR.

Regulatory updates around the globe

Israel Ministerial Committee approves proposal to amend the Protection of Privacy Law.
German Federal Parliament amends Infection Protection Act permitting collection of employees COVID-19 vaccination data.
Belarus Law on Personal Data Protection comes into effect from 15^th November 2021.

US updates

Cybersecurity and Infrastructure Security Agency announces Directive to reduce vulnerability on government information systems.
Vice President announces collaborations with France to tackle cybersecurity issues.
POTUS reiterates plan on addressing cyber crime.

EU updates

European Commission adopts Delegated Act to strengthen cybersecurity.
European Data Protection Board clarifies interplay between territorial scope and international data transfer under GDPR.
European Commission gives reasoned opinion to Belgium on its Data Protection Authority.

India updates

UIDAI now empowered to penalize Aadhar Act violators.
International NGO objects to use of intrusive facial recognition technology in Hyderabad.
Expert Committee suggests single authority for personal and non-personal data. Reports Money Control.

News around the globe

U.S. FTC announces updated rules for financial institution.
Danish Business Authority decides to increase supervision in online communication services.
Law Enforcement Authorities’ use of biometric recognition system in investigations sparks fundamental rights concern.

Big tech updates

Apple and Google asked for parameters used to assign age ratings to apps.
Meta decides to stop ad targeting related to religion, politics, sexual orientation.
Facebook asks LA Police to quit spying on user with fake profiles.

Read our digital newsletter here.