Issue 79 - Privacy Desk

Enforcement updates

Data privacy settlements in USA

The US Federal Trade Commission announced that it had finalized terms of settlement with Everalbum, Inc. The company was using its facial recognition technology illegally and stored personal photos of deactivated customers. The FTC reached a final settlement which requires, among other things, Everalbum to obtain express consent from customers before using its facial recognition technology on their photos.
The New York State Department of Financial Services also entered a USD 1.8 million settlement with First Unum Life Insurance Company of America and Paul Revere Life Insurance Company. The insurance companies had failed to secure sensitive personal data of customers due to cyber-attacks.

Hamburg’s watchdog bans data processing of WhatsApp users

The Hamburg Commissioner for Data Protection and Freedom of Information issued emergency order, banning Facebook Ireland Ltd. from further processing personal data of WhatsApp users. The decisions came in light of the updated WhatsApp Privacy Policy, which stated that WhatsApp will share personal data with Facebook. The Authority found no basis for such further processing by Facebook and also noted that there is no clarity on seeking user consent.

Fine for failing to appoint EU representative.

A fine was issued by the Dutch Data Protection Authority (DPA) against an international website named Locatefamily.com. Several EU citizens had complained to the Dutch DPA that they wanted their personal details to be removed from the website but were unable to do so, as there was no GDPR representative appointed. Pursuing these complaints, the DPA issued a fine of EUR 525,000 against the website. GDPR mandates that companies, located outside of EU and offering goods and services in the EU, must appoint a GDPR representative.

Noyb files complaint against Google’s AAID

Privacy activist group noyb, filled a formal complaint before the Austrian Data Protection Authority against Google LLC. Noyb claimed that Google’s Android Advertising ID (AAID), which is used by Google and other third parties associated with Google to track and monitor users of android devices is illegal and violates the GDPR. The complaint also stated that Google neither provided an opt-in consent mechanism nor it demonstrated any sufficient legal basis for the use AAID.

Regulatory updates around the globe

Two bills titled Children and Teens’ Online Privacy Protection Act and Clean Slate for Kids Online Act of 2021, seeking to amend the Children’s Online Privacy Protection Act tabled in US senate.
Law ratifying the amending protocol to the Convention for the Protection of Individuals with regard to the Processing of Personal Data (Convention 108) passed in Italy.
Ecuador notifies the Organic Law on the Protection of Personal Data.

India updates

Ministry of Electronics and Information technology sends second notice to WhatsApp, asks the company to withdraw its privacy policy update. Report’s TechCrunch
Dominos India’s data base suffers breach. 13 tera byte worth of personal data stolen.
Guidelines for integration of Co-Win App with third party applications released by Government of India.

EU updates

Resolution urging European Commission to reconsider its draft UK adequacy decision passed in the European Parliament.
EU Parliament and European Council arrives at an agreement for digital COVID19 certificate with data protection safeguards.
European Data Protection Supervisor launches investigations against Amazon Web Services and Microsoft following the Schrems II judgment.

Guidance issued

Office of the Privacy Commissioner of Canada issues statement on vaccine passports.
Turkish antitrust authority issues press release on its investigation of WhatsApp – Facebook data transfer.
Guide on implementing GDPR in the social and medico-social sector, published by French data protection authority.

News around the globe

US president’s account on a peer-to-peer payments app accessible, raises privacy concerns. – Report’s Buzzfeed
“GDPR successfully withstood 2020 pandemic test” says president of CNIL, the French Data Protection Authority. Report by EURACTIV.
Mobile app developer’s exposed personal data of 100 million users. – Research by Check Point

Read our digital newsletter here.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
CONSENT	16 years 5 months 10 days 17 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.