Weekly Privacy News Update – Episode 02


Operation cookie complaints: EDPB has a new cookie banner task force

Following the influx of complaints about non-compliant cookie banners filed by NOYB, the European Data Protection Board (the independent European body that contributes to consistent application of data protection rules throughout the EU) established a cookie banner task force.

The task force aims to get Supervisory Authorities across the EU on the same page, and will:

  • Collaborate on legal analysis and possible infringement
  • Provide support to manage responses to these complaints on a national level
  • Streamline communication in those efforts

Sources: IAPP, EDPB

The Interactive Advertising Bureau in Europe cracks down on consent collection framework

The Interactive Advertising Bureau in Europe conducted reviews of website consent management systems. As a result, the IAB issued warning letters to approximately 10 companies that provide consent management solutions and temporarily suspended a couple of consent management platforms (CMPs) for noncompliance with the IAB’s voluntary Transparency and Consent Framework (TCF). IAB’s TCF (i) sets standards for managing the flow of data tracking consent throughout the digital ad supply chain, and (ii) requires consent management platforms to present notices in a specific manner.

Sources: IAPP, Digiday

Drop the mic: Garante turns its focus to apps accessing phone mics for ad purposes

Have you ever seen a targeted ad on your phone after having a conversation about that topic? This doesn’t sit right with many, including Italy’s data protection authority, Garante. The Garante observed an increase in the number of apps that ask permission to use your microphone at the time of download, in addition to other permissions. Many users accept without thinking about it, and little thought goes into what will be done with the data collected by accessing the microphone.

Because of this, the Garante is launching an investigation looking at some of the most commonly downloaded apps that access users’ microphones to collect and sell data without express consent. As part of the investigation, the Garante is looking to verify these apps are (i) providing clear and transparent information (like in privacy policies and just-in-time notices) and (ii) getting free and informed consent. This investigation comes on the heels of work by this DPA aiming to simplify the provision of information about data processing activities using symbols and images.

Sources: IAPP, Garante

Secure your revenue by securing your data: Singapore’s PDPC issues fines for insufficient security of personal data.

Singapore’s Personal Data Protection Commission issued fines to three companies for violations of Singapore’s Personal Data Protection Act for failure to implement reasonable security arrangements to protect personal data (resulting in unauthorized disclosure & ransomware attacks).

  • Senmadtech was fined $9,000 as a result of unauthorized access to data stored on AWS
  • SAP Asia was fined $13,500 when former employees’ personal data was disclosed
  • Seriously Keto was fined $8,000 as a result of a ransomware attack on its servers

Sources: IAPP, PDPC

French DPA’s EUR 3000 fine emphasizes the importance of making the DSR process easy.

France’s DPA (CNIL) fined a joint-stock company called New Company of the French Directory (SNAF) EUR 3000 following complaints of difficulties encountered when requesting erasure and/or rectification of personal data. CNIL had previously reviewed the company’s practices following 16 complaints from data subjects. As a result of that review, CNIL had ordered the company to comply with GDPR within two months. The company failed to do so.

Sources: IAPP, CNIL

Paying the ultimate toll: Norwegian Data Protection Authority fines toll company Ferde NOK 5 million for transfers to a data processor in China

Norway’s Data Protection Authority, Datatilsynet, fined Ferde, a toll company, NOK 5 million (just over half a million USD) for transferring data to a data processor in China without adequate security and without a legal basis.

  • This does not come entirely as a surprise: Ferde received advance notice of a fine of the same amount earlier this year
  • Datatilsynet questioned whether Ferde had implemented appropriate technical and organizational measures to ensure adequate security for the information transferred
  • Datatilsynet also determined that Ferde had no legal basis for transferring the data to China

Sources: IAPP, Datatilsynet

Take another look: Italy & Ireland’s DPAs want Facebook to do more to ensure transparency with its newly released wearables.

UPDATE: Following Italy’s urging of Ireland’s DPA to look into Facebook’s new wearable technology, the Irish and Italian DPAs published a joint statement. The joint statement calls on Facebook to provide assurances that the newly released product sufficiently informs individuals when they are being recorded. The statement emphasized that the LED indicator light on the wearables might not be sufficient notice, and that the mechanism does not seem to have been sufficiently tested, as the public is still unfamiliar with it and it makes the recording of images less obvious than with a phone or camera. Further, the statement urged Facebook to conduct further testing on the product and to ensure public awareness of the technology.

Sources: IAPP, DPC, Huffpost

Quebec leads the way for modern privacy legislation in Canada by adopting Bill 64

Last week, Quebec adopted Bill 64. This new legislation aims to modernize legislative provisions for the protection of personal information and will go into effect one year from adoption, in September 2022. Key updates include:

  • Clarification on consent requirements for the processing of personal information
  • Establishing new data subject rights to access personal information
  • Increased potential fines for violations

Businesses can look out for additional information and tools from Quebec’s Commission on Access to Information to help them comply with new obligations.

Sources: IAPP, BLG

California Privacy Protection Agency kicks off preliminary information gathering for CPRA regulations

The California Privacy Protection Agency seeks input from stakeholders in developing regulations to guide entities in complying with the CPRA (similar to how the CCPA has the CCPA regulations). The Agency is particularly interested in comments addressing new and undecided issues not covered by the CCPA regulations, like:

  • High-risk processing cybersecurity audit and risk assessment requirements
  • Automated decision making
  • Audits performed by the Agency
  • Consumer rights to delete, correct, and know, including information that must be provided in response to a request to know
  • Consumer rights to opt out of the selling or sharing of their personal information and to limit the use and disclosure of their sensitive personal information
  • Definitions and categories

Sources: IAPP, CPPA, CA.gov

New EU SCCs are in effect as of September 27! What does that even mean?

Many businesses scrambled this September to update any data transfer agreements (including many data processing agreements with provisions about data transfers outside the EEA) relying on Standard Contractual Clauses (SCCs) for European transfers to meet the September 27 deadline. Going forward, all new agreements that rely on SCCs will need to have the new version of the SCCs to satisfy GDPR data transfer requirements. In an effort to help with the complexity, law firms published resources to help businesses make these updates. Orrick shared tips in a blog post, and EU law firm Bird & Bird released a Standard Contractual Clauses Generator Tool.

Sources: IAPP, Alston&Bird, Orrick

FYI: Privacy Tech

Fundraising news for Osano, OneTrust, Ketch, etc. (IAPP)

Microsoft’s new enterprise data governance solution (IAPP, Microsoft)


Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016.
