Issue 105 - Privacy Desk

Enforcement updates

Singapore’s data watchdog fines hotel booking platform for data breach

Singapore’s Personal Data Protection Commission (PDPC) has issued a fine of SGD 74 thousand on Commeasure Pte Ltd, a travel company which operates the travel booking website – RedDoorz, that exposed 5.9 million customers data. PDPC reported that the penalty was imposed for failing to put in place reasonable security arrangements to prevent the unauthorized access and exfiltration of customers’ personal data hosted in a cloud database. The commission considered the company’s cooperative behavior and remedial actions all the while running a travel business during the pandemic before issuing the financial penalty and have also given them 30 days to pay the fine, post which interest rates will become applicable.

Apple and Google fined by Italian competition watchdog for aggressive data acquisition practices

The competition and market authority (AGCM) has sanctioned a fine of EUR 10 million each to Google Ireland Ltd. and Apple Distribution International Ltd. for two violations of the consumer code. One for lack of information, and another for aggressive practices regarding the acquisition and use of consumer data for commercial purposes. The Authority found that both Google and Apple did not provide clear and immediate information on the acquisition and use of user data for commercial purposes and accordingly held that there is a consumption relationship between the users and the two operators. Thus, a total fine of EUR 20 million was issued by the Italian watchdog.

Trial court of Massachusetts grants class action settlement on hospital’s cookie practices

The Suffolk Superior Court in the Commonwealth of Massachusetts approved a preliminary settlement of USD 18.4 million in a class action lawsuit against Mass General Brigham Incorporated, and its partners. It is alleged that the defendants used web analytics tools to track users’ behavior on its website domains to gather information about them and sold that information to third parties, without the user’s consent. A website built specifically for potential claimants to file their claims has published the settlement notice. The final approval hearing for the settlement will take place on 18 January 2022.

Guidance updates

Danish Data Protection Authority released new guidance on data responsibility between private suppliers and public authorities.
Finland’s Office of Data Protection Supervisor publishes guidance on data breach notification practices in social and healthcare sectors.
New Zealand’s Office of the Privacy Commissioner released insight report on mandatory privacy breach reporting.

Regulatory updates around the globe

UAE approves Federal Data Protection Law. To be effective from 2 January 2022.
Cabinet of Ministers of Sri Lanka have approved the draft bill on personal data protection.

China updates

China Academy of Information and Communication Technology issues whitepaper on personal information protection and governance for mobile apps.
Cyberspace Administration of China released its Network Data Security Management Regulation. Open for public comments up to 13 December 2021.
Ministry of Industry and Information Technology issued a notice containing a plan to strengthen network and data security assurance systems.

US updates

National Telecom Information Administration plans to hold listening sessions and seek comment on the intersection of privacy, equity and civil rights.
U.S. financial regulators have approved a new rule that requires banking organizations to report any significant cybersecurity incident within 36 hours of discovery.

EU updates

Irish Council for Civil Liberties filed a formal complaint against the European Commission for failing to properly monitor the application of GDPR.
European Data Protection Board issued guidelines clarifying the provisions on international transfer.

India updates

Additional Secretary of Ministry of Electronics and Information Technology, states consent framework of Aadhar will need to be examined once PDP bill is enforced. Reports Medianama.
Meghalaya government responds to Internet Freedom Foundation’s letter highlighting the use of facial recognition technology in the issuance of a pensioner’s life certificate on a mobile app.
National Health Authority publishes Consultation Paper on Health Data Retention Policy.

News around the globe

Singapore and the United Kingdom announce Signing of Three MOUs in the Areas of Digital Trade Facilitation, Digital Identities and Cyber Security.
Meta delays Facebook and Instagram’s messaging encryption plans till 2023 over concerns regarding online crimes against children. Reports BBC.
Security Exchange Commission announces GoDaddy’s data breach that may have exposed more than 1.3 million email addresses of active and past users.

Big tech updates

Whatsapp publishes a new privacy policy for its EU users after being fined for EUR 225 million.
Austrian privacy activist Max Schrems accuses Irish Data Protection Commissioner of preventing him from publishing documents related to Facebook complaint. Reports Irish Times.

Read our digital newsletter here.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
CONSENT	16 years 5 months 10 days 17 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.