Operation cookie complaints: EDPB has a new cookie banner task force
Following the influx of complaints about non-compliant cookie banners filed by NOYB, the European Data Protection Board (the independent European body that contributes to consistent application of data protection rules throughout the EU) established a cookie banner task force.
The task force aims to get Supervisory Authorities across the EU on the same page, and will:
- Collaborate on legal analysis and possible infringements
- Provide support to manage responses to these complaints on a national level
- Streamline communication in those efforts
The Interactive Advertising Bureau in Europe cracks down on consent collection framework
The Interactive Advertising Bureau in Europe conducted reviews of website consent management systems. As a result, the IAB issued warning letters to approximately 10 companies that provide consent management solutions and temporarily suspended a couple of consent management platforms (CMPs) for noncompliance with the IAB’s voluntary Transparency and Consent Framework (TCF). IAB’s TCF (i) sets standards for managing the flow of data tracking consent throughout the digital ad supply chain, and (ii) requires consent management platforms to present notices in a specific manner.
Drop the mic: Garante turns its focus to apps accessing phone mics for ad purposes
Have you ever seen a targeted ad on your phone after having a conversation about that topic? This doesn’t sit right with many, including Italy’s data protection authority, Garante. The Garante observed an increase in the number of apps that ask permission to use your microphone at the time of download, in addition to other permissions. Many accept without thinking about it. Further, not much thought goes to what will be done with data collected from accessing your microphone.
Because of this, the Garante is launching an investigation looking at some of the most commonly downloaded apps that access users’ microphones to collect and sell data without express consent. As part of the investigation, the Garante is looking to verify these apps are (i) providing clear and transparent information (like in privacy policies and just-in-time notices) and (ii) getting free and informed consent. This investigation comes on the heels of work by this DPA aiming to simplify the provision of information about data processing activities using symbols and images.
Secure your revenue by securing your data: Singapore’s PDPC issues fines for insufficient security of personal data.
Singapore’s Personal Data Protection Commission issued fines to three companies for violations of Singapore’s Personal Data Protection Act for failure to implement reasonable security arrangements to protect personal data (resulting in unauthorized disclosure & ransomware attacks).
- Senmadtech was fined $9,000 as a result of unauthorized access to data stored on AWS.
- SAP Asia was fined $13,500 when former employees’ personal data was disclosed
- Seriously Keto was fined $8,000 as a result of a ransomware attack on its servers
French DPA’s EUR 3000 fine emphasizes the importance of making the DSR process easy.
France’s DPA (CNIL) fined a joint-stock company called New Company of the French Directory (SNAF) EUR 3000 following complaints of difficulties encountered when requesting erasure and/or rectification of personal data. CNIL had previously reviewed the company’s practices following 16 complaints from data subjects. As a result of that review, CNIL had ordered the company to comply with GDPR within two months. The company failed to do so.
Paying the ultimate toll: Norwegian Data Protection Authority fines toll company Ferde NOK 5 million for transfers to a data processor in China
Norway’s Data Protection Authority, Datatilsynet, fines Ferde, a toll company, NOK 5 million (just over half a million USD) for issues around transfers of data to a data processor in China without adequate security and legal basis.
- This does not come entirely by surprise. Ferde received a notice of a fee of the same amount earlier this year
- Datatilsynet questioned whether Ferde has implemented appropriate technical and organizational measures to ensure adequate security for the information transferred
- Datatilsynet also determined that Ferde had no legal basis for transferring the data to China
Take another look: Italy & Ireland’s DPAs want Facebook to do more to ensure transparency with its newly released wearables.
UPDATE: Following Italy’s urging of Ireland’s DPA to look into Facebook’s new wearable technology, the Irish and Italian DPAs published a joint statement. The joint statement calls on Facebook to provide assurances that their newly released product sufficiently informs individuals when they are being recorded. The statement emphasized that the LED indicator light on the wearables might not be sufficient notice, and that the mechanism does not seem to have been sufficiently tested, as it is still unfamiliar to the public and makes the recording of images less obvious. Further, the statement urged Facebook to conduct further testing on the product and to ensure public awareness of the tech.
Quebec leads the way for modern privacy legislation in Canada by adopting Bill 64
Last week, Quebec adopted Bill 64. This new legislation aims to modernize legislative provisions for the protection of personal information and will go into effect one year from adoption, in September 2022. Key updates include:
- Clarification on consent requirements for the processing of personal information
- Establishing new data subject rights to access personal information
- Increased potential fines for violations
Businesses can look out for additional information and tools from Quebec’s Commission on Access to Information to help them comply with new obligations.
California Privacy Protection Agency kicks off preliminary information gathering for CPRA regulations
The California Privacy Protection Agency seeks input from stakeholders in developing regulations to guide entities in complying with the CPRA (similar to how the CCPA has the CCPA regulations). The Agency is particularly interested in comments addressing new and undecided issues not covered by the CCPA regulations, like:
- High-risk processing cybersecurity audit and risk assessment requirements
- Automated decision making
- Audits performed by the Agency
- Consumer rights to delete, correct, and know, including information that must be provided in response to a request to know
- Consumer rights to opt out of the selling or sharing of their personal information and to limit the use and disclosure of their sensitive personal information
- Definitions and categories
New EU SCCs are in effect as of September 27! What does that even mean?
Many businesses scrambled this September to update any data transfer agreements (including many data processing agreements with provisions about data transfers outside the EEA) relying on Standard Contractual Clauses (SCCs) for European transfers to meet the September 27 deadline. Going forward, all new agreements that rely on SCCs will need to have the new version of the SCCs to satisfy GDPR data transfer requirements. In an effort to help with the complexity, law firms published resources to help businesses make these updates. Orrick shared tips in a blog post, and EU law firm Bird & Bird released a Standard Contractual Clauses Generator Tool.
FYI: Privacy Tech
Fundraising news for Osano, OneTrust, Ketch, etc. (IAPP)
Further reading from this week:
- Children’s data: Facebook is pausing development of its Instagram Kids product to address concerns (IAPP)
- Children’s data: US Senate Committee will hold a hearing on September 30 about protecting kids online (IAPP)
- Data transfers: EU-US Trade & Technology Council meeting going on as planned on September 29 despite EU threats to cancel (IAPP)
- US Consumer Privacy: US Senate Committee will hold a hearing on September 29 on protecting consumer privacy (IAPP, Senate)
- Senate committee talks need for FTC resources, federal privacy law (IAPP)
- Data privacy tool: Microsoft’s open-sourced synthetic data showcase tool helps with complex issues like human trafficking (IAPP, Tech Republic)
- Drawing inspiration from CPRA in the regulation of dark patterns (IAPP, Georgetown Law)
- Irish DPC WhatsApp decision: What do you need to know? (IAPP)
- Standardizing data-processing agreements globally (IAPP)
- Norwegian Data Protection Authority will not use social media platforms following completion of a data protection impact assessment. (Datatilsynet, IAPP)
- The latest on Apple’s privacy updates (IAPP, WSJ, Facebook, Washington Post)
- India’s Proposed Data Protection Bill will increase compliance costs for small companies (thehindubusinessline, IAPP)
- FTC commissioner talks privacy legislation impasses, Dems urge privacy rulemaking and other updates (IAPP, FTC, Reuters, Verge)
- EDPB adopts opinion on EU Commission’s draft adequacy decision for South Korea (IAPP, EDPB, EDPB)
- EU Council agrees on Digital Governance Act proposal (IAPP, Europa.edu, Europa.eu)