Issue 79

Enforcement Updates

Data privacy settlements in USA

The US Federal Trade Commission announced that it had finalized terms of settlement with Everalbum, Inc. The company was using its facial recognition technology illegally and stored personal photos of deactivated customers. The FTC reached a final settlement which requires, among other things, Everalbum to obtain express consent from customers before using its facial recognition technology on their photos.
The New York State Department of Financial Services also entered a USD 1.8 million settlement with First Unum Life Insurance Company of America and Paul Revere Life Insurance Company. The insurance companies had failed to secure sensitive personal data of customers due to cyber-attacks.

Hamburg’s watchdog bans data processing of WhatsApp users

The Hamburg Commissioner for Data Protection and Freedom of Information issued emergency order, banning Facebook Ireland Ltd. from further processing personal data of WhatsApp users. The decisions came in light of the updated WhatsApp Privacy Policy, which stated that WhatsApp will share personal data with Facebook. The Authority found no basis for such further processing by Facebook and also noted that there is no clarity on seeking user consent.

Fine for failing to appoint EU representative.

fine was issued by the Dutch Data Protection Authority (DPA) against an international website named Locatefamily.com. Several EU citizens had complained to the Dutch DPA that they wanted their personal details to be removed from the website but were unable to do so, as there was no GDPR representative appointed. Pursuing these complaints, the DPA issued a fine of EUR 525,000 against the website. GDPR mandates that companies, located outside of EU and offering goods and services in the EU, must appoint a GDPR representative.

Noyb files complaint against Google’s AAID

Privacy activist group noyb, filled a formal complaint before the Austrian Data Protection Authority against Google LLC. Noyb claimed that Google’s Android Advertising ID (AAID), which is used by Google and other third parties associated with Google to track and monitor users of android devices is illegal and violates the GDPR. The complaint also stated that Google neither provided an opt-in consent mechanism nor it demonstrated any sufficient legal basis for the use AAID.

Regulatory updates around the globe

India updates

  • Ministry of Electronics and Information technology sends second notice to WhatsApp, asks the company to withdraw its privacy policy update. Report’s TechCrunch
  • Dominos India’s data base suffers breach. 13 tera byte worth of personal data stolen.
  • Guidelines for integration of Co-Win App with third party applications released by Government of India.

EU updates

  • Resolution urging European Commission to reconsider its draft UK adequacy decision passed in the European Parliament.
  • EU Parliament and European Council arrives at an agreement for digital COVID19 certificate with data protection safeguards.
  • European Data Protection Supervisor launches investigations against Amazon Web Services and Microsoft following the Schrems II judgment.

Guidance issued

  • Office of the Privacy Commissioner of Canada issues statement on vaccine passports.  
  • Turkish antitrust authority issues press release on its investigation of WhatsApp – Facebook data transfer.
  • Guide on implementing GDPR in the social and medico-social sector, published by French data protection authority.

News around the globe 

  • US president’s account on a peer-to-peer payments app accessible, raises privacy concerns. – Report’s Buzzfeed
  • “GDPR successfully withstood 2020 pandemic test” says president of CNIL, the French Data Protection Authority. Report by EURACTIV.
  • Mobile app developer’s exposed personal data of 100 million users. – Research by Check Point

Read our digital newsletter here.