Issue 99 - Privacy Desk

Enforcement updates

Company fined in Italy for making illicit promotional calls

Garante, the Italian data protection authority imposed a fine of EUR 3.3 million on Sky Italia S.r.l. for violating the provisions of GDPR. The company had been processing personal data, which was obtained indirectly from third-party companies, in order to carry out promotional activities. The users who consented to communicate their data to third parties did not authorize their data to be used promotional purposes. The data protection authority thus imposed a fine and prohibited them from processing data for promotional purposes made with lists acquired from other companies.

Norwegian toll company faces fine for illegal transfer of personal data

Ferde AS, a Norwegian toll company, was fined NOK 5 million, by the Norwegian data protection authority. The authority, upon becoming aware of information related to passages in toll rings being transferred to a data processor in China, initiated an audit into the companies procedures and measures to ensure adequate security for transferring information to China. Upon concluding the audit, the authority stated that Ferde AS has breached various provisions of GDPR, such as lack of valid legal basis for transferring personal data to China. Thus, the Norwegian data protection authority imposed a fine on the company.

Court orders surrender of personal data in course of pre-litigation dispute

The Munich Higher Regional Court ordered the defendants of a case to surrender copies of all personal data, such as telephone notes, file notes, minutes, e-mails, letters and subscription documents for investments to the plaintiff. The court held such instance as a valid right to information under the provisions of the GDPR. The court held that letters and emails from the plaintiff to the defendant are to be regarded as personal data under the provisions of the GDPR, by understanding the term of personal data broadly.

Settlement against TikTok of USD 92 million gets early approval

The United States District Court for The Northern District of Illinois releases opinion on the settlement against TikTok, giving it a go ahead. The members of the class action suit had accused TikTok of unlawfully collecting their biometric and other personal data. Along with the settlement the court also has asked the social media company to refrain collecting users’ biometric data, nor collect geolocation or GPS data, or transmit user data outside the U.S or store user data in databases outside the U.S, unless it makes a disclosure in its privacy policy in compliance with privacy laws.

Guidance updates

CNIL, the French data protection authority, released white paper on data protection in payment transactions.
The Consumer Affairs Agency released commentary on their whistleblowing guidelines.
South Africa’s Information Regulator released a guide on how to use the Promotion of Access to Information Act (PIPA) for access to any rights provided under PIPA and the Protection of Personal Information Act, 2013.
CNIL publishes Q/A’s regarding the collection of personal data in the workplace and on the use of the COVID health pass and conditions for verifying vaccination status.

Regulatory updates around the globe

The Kids Internet Design and Safety (KIDS) Act has been reintroduced.
Decree Law, amending the Italian data protection law, has been published in the Official Gazette and has entered into force.
Florida’s Protecting DNA Privacy Act has come into effect, from 1^st October 2021.

US updates

The Electronic Privacy Information Center published its comments on the newly formed National Artificial Intelligence Research Resource Task Force, advises the force to focus on privacy.
New Jersey based fertility clinic reaches settlement of USD 495,000 with the Acting Attorney General of New Jersey over cybersecurity lapses and data breach.
The Homeland Security and Governmental Affairs Committee introduce the bipartisan legislation requiring critical infrastructure owners and operators to report cyber-attacks.
The U.S. Senate Committee on Commerce, Science and Transportation convened two hearings namely, “Protecting Consumer Privacy” and “Protecting Kids Online” on how to better protect consumer and children privacy.

India updates

The Department of Telecommunications issued guidelines of storing customer application data.
India’s Personal data protection bill may become a business risk for the app, Truecaller. Reports Business Insider.
New draft report on the personal data protection bill, likely to be circulated by November 6. Reports Hindustan Times.

News around the globe

Germany’s Federal Office for Information Security establishes the German National Coordination Center for Cybersecurity in Industry, Technology and Research.
GDPR fines hit a total of EUR 984.47 billion in the 3rd quarter of 2021. Almost three times higher than fines imposed in 2020. Reports Finbold.
Syniverse, a company which routes text messages of USA carriers, declares a hack of its internal systems. Reports Vice.

Read our digital newsletter here.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
CONSENT	16 years 5 months 10 days 17 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.