Issue 104 - Privacy Desk

Enforcement updates

Belgian Data Protection Watchdog proposes to fine IAB Europe over consent pop-ups

The Belgian data protection authority notified a draft ruling against the Interactive Advertising Bureau(‘IAB’) Europe, where it held that operations by IAB has resulted in infringement of the GDPR. Specifically, the authority noted that IAB’s Transparency & Consent Framework under which ‘TC Strings’ are sent to online users in order to record their choices and consent for processing data for advertising purposes violates GDPR. The authority noted that choices recorded by pop ups or TC strings is personal data under GDPR and IAB is the data controller in this regard. Following the notification of the draft ruling IAB is eying a large fine for GDPR violations.

Health Service Provider found in violation of Israel’s Privacy Law

Israel’s data protection authority announced that it has finalized investigation against a health service provider company, Maccabi Health Services, and found it to be in violation of the Israel’s Protection of Privacy Law. The authority noted that Maccabi Health had sent SMS based questionnaire on diabetes to individuals, wherein personal and health information of these subjects was revealed to incorrect recipients. Findings of the authority also revealed several other compliance lapses in Maccabi Health Service’s privacy program and ordered it to cure all the privacy defects at the earliest.

Norwegian municipality and auto parts company faces enforcement action by Danish Data Protection Authority

The Danish data protection authority (‘Datatilsynet’) recently published an order disparaging data privacy and protection practices of an auto parts company T.Hansen Gruppen A/S and ordered it to cure defects in its GDPR compliance at the earliest. The inquiry was initiated basis a compliant where it was alleged that personal data of the customer was unauthorizedly accessed and processed erroneously. The inquiry by the authority further revealed that company’s data protection and processing activities were not in compliance with GDPR. Consequently, the authority ordered the company to make rectifications in its data protection and privacy compliance.

Datatilsynet also fined, Oster Toten municipality NOK 4 million, for failing to maintain appropriate technological and organizational security measures as required under GDPR. It was reported that the IT servers of the municipality suffered a ransomware attack whereby the threat actor gained access to personal data of municipality residents and put it on dark web. Consequently, the authority noted the municipality failed to take appropriate steps to secure IT servers. In addition to fine, the authority also asked the municipality to record and documents its measures and carry out risk assessment exercises.

Guidance updates

The Ibero-American Data Protection Network releases guidance on adopting model contractual clauses.
Philippines National Privacy Commission releases mark of certification for data protection compliance.
Portuguese Data Protection Authority publishes opinion on draft law on the use of surveillance by security forces. Highlights issues with data privacy.

Regulatory updates around the globe

Notice regarding extensive territorial applicability and scope of Personal Information Protection Law published by Macau’s data protection authority.
Discussions on draft personal data protection bill resumes in Indonesia. Law likely to be passed in next session of parliament.
New York bill requiring employers to notify employees regarding electronic monitoring activities signed into law.

French updates

Guidance on role of Data Protection Officer released by CNIL.
CNIL adopts new standard on the processing of data within health data warehouses.
Recommendation on data logging tools adopted by CNIL.

China updates

Cyberspace Administration of China released Network Data Security Management Regulations for Public Comments.
National Information Security Standardization Technical Committee requests comments on guidelines for the identification of personal information on instant messaging platforms.

US updates

Federal Trade Commission to strengthen enforcement action on ‘dark patterns’ as part of new policy.
National Institute of Standards and Technology released a report on Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management.
Federal Trade Commission publish guide on steps to be taken by small businesses to protect themselves against ransomware risks.

EU updates

Advocate General of European Court of Justice argues that bulk data retention of personal data by European authorities is illegal.
EDPB issues clarification detailing interplay between Article 3 and Chapter 5 of the GDPR.

India updates

Government proposes unified data base to record births and deaths and link it with Aadhaar. Sparks privacy concerns.
UIDAI chief summoned by standing committee on IT over privacy and data security concerns. Reports Business Standard.
Draft report on Personal Data Protection Bill, 2019 adopted by the Joint Parliamentary Committee. Reports India Today. Few members file dissent notes.

News around the globe

Mozilla adopts Global Privacy Control mechanism for its browser.
UK Government proposes to remove requirement of appointing data protection officers as part of privacy reforms.
US Court denies access to personal data of consumers to automotive companies. Upholds ruling under Arizona privacy law.

Big tech updates

US Consumer Financial Protection Bureau orders inquiry into payment data handled by big tech companies.
Apple’s privacy changes have forced companies to overhaul their data collection and handling practices.
Facebook continues to misuse and harvest children’s data claims research.

Read our digital newsletter here.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
CONSENT	16 years 5 months 10 days 17 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.