Further to the Irish DPC’s record fine against Meta, IAB in conjunction with several other leading industry associations are now urging EU leaders to reach a transatlantic agreement with the US. Read here →
The French, Belgian and Saxxon data protection authorities have all published their annual reports for 2022. The respective reports look into among others the complaints handled and fines meted out over the previous year.
The Bavarian State Commissioner for Data Protection has issued guidelines concerning International Data Transfers which take into consideration among others the legal developments further to the “Schrems II” decision that led to the invalidation of the EU-US Privacy Shield. Access here → (in German)
The Hamburg Commissioner for Data Protection and Freedom of Information has released a manual to better assist website operators in their compliance with the TTDSG and GDPR by providing information on cookie banner designs and the attainment of consent, technical aspects and third-party content integration. Access here → (in German)
The Agencia Española de ProtecciĂłn de Datos (AEPD) has joined forces with the European Association for Digital Transition’s initiative to raise awareness on the risks faced by minors whilst surfing the internet and Brazil’s Autoridade Nacional de Proteção de Dados has published a statement regarding the interpretation of the processing of children and teens’ personal data in terms of the Lei Geral de Proteção de Dados Pessoais (LGPD).
The Biden administration has taken steps to protect children’s mental health, safety, and privacy online. They have established an interagency Task Force on Kids Online Health and Safety, led by the Department of Commerce, to prioritize the well-being and privacy of minors on the internet. Read the press release here →
2) Notable Case Law
The NL Times has reported that the Dutch consumers’ associations Stichting Bescherming Privacybelangen and Consumentenbond are preparing to file a class-action claim against Google “for tracking, collecting and selling consumers’ data without consent.” Reported here →
The injunction issued by the CNIL against Microsoft Ireland Operations Limited (Microsoft) back in December 2022, has been lifted since Microsoft has complied with the terms of the injunction by responding “within the allotted timeframe” of three months and making the necessary “technical modifications so that tracking linked to the fight against advertising fraud would be inactive in the absence of specific consent from French users.” The Authority’s decision can be found here →
The Belgian data protection authority (APD) has declared the transfer of tax data by the Belgian Federal Public Service Finance (FPS Finance) to the USA under FATCA unlawful and prohibited. This violates GDPR, as it lacks adequate safeguards for data protection outside the EU. Press release →
Finland’s Office of the Data Protection Ombudsman has issued a notice to the Finnish Meteorological Institute ordering it to cease data transfers to the US via Google Analytics and Google’s reCAPTCHA since it held no legal basis for carrying out such transfers. Access the press release here → (in Finnish)
3) New and Upcoming Legislation
The UK Information Commissioner attended the European Parliament’s Committee in Civil Liberties, Justice and Home Affairs and highlighted the ICO’s support for the ongoing UK privacy law reforms and encouraged greater cooperation with the EU together with a declaration that the ICO takes the responsibility of protecting the data of Europeans in the United Kingdom “very seriously.” Reported here →
US Law Updates
California: Assembly Bill 947 on the California Consumer Privacy Act sensitive personal information passes third reading and had been ordered to the California Senate; Senate Bill 721 to establish the Interagency AI Working Group has been ordered to Assembly
The Canadian Office of the Privacy Commissioner (OPC) together with other provincial authorities have announced their investigation into ChatGPT. This follows the investigation opened back in April by the OPC single-handedly into OpenAI’s generative artificial intelligence chatbot ChatGPT. Reported here →
Amazon’s palm-scanning technology will be able not only to substitute one’s credit card, but will also enable age verification. This is carried out through the use of photos provided to the service and palm-scanning technology cameras which serve to match multiple aspects of one’s palm. Read more here →
According to documents obtained by The New York Times, TikTok employees allegedly shared user information, including driver’s licenses and disturbing content like child sexual abuse materials, on an internal messaging platform called Lark. Read more here →
Other key information from the past weeks
Meta faces a significant ruling from the Irish Data Protection Commission (DPC). The decision entails a hefty fine of €1.2 billion and the suspension of European personal data transfers to the United States.
The Governor of Montana has official signed the TikTok Ban into legislation, and TikTok has responded by filing a first amendment lawsuit against Montana for banning the app.
The Transparency and Consent Framework Version 2.2 was released by IAB Europe.
