The Italian Garante has released a guidance document for email management and metadata processing in the workplace, targeting both public and private sector employers. This follows investigations revealing that certain email management programs automatically collect and store comprehensive metadata from employee email accounts, including details like sender, recipient, and email size. The findings also highlighted instances where employers did not stop this data collection or reduce storage duration.Read more here → (in Italian)
IAB Europe has released it’s updated “Guide to Quality” for 2024 which provides guidance on how to improve digital advertising campaigns, by focusing on viewability, brand safety, user experience and privacy. IAB Europe will be holding a webinar on 7 March to discuss the guide and hear from contributors. Access here →
The Dutch data protection authority, Autoriteit Persoonsgegevens (AP), plans to target misleading cookie banners in 2024, ensuring they clearly request tracking consent. AP’s guidelines include offering clear purpose information, avoiding pre-ticked boxes, using straightforward language, consolidating choices, making all options visible, minimizing extra steps, avoiding hidden links, clarifying consent withdrawal, and not equating consent with legitimate interest. See here for more → (in Dutch)
France’s CNIL has outlined its regulatory focus areas which include monitoring data collection during the Paris Olympics and Paralympics, online personal data collection from minors, the management of loyalty programs and electronic receipts, and ensuring data subjects’ right of access. The Authority’s summary can be found here → (in French)
The U.K. Information Commissioner’s Office published a blog wherein app developers were reminded of their obligations to protect users’ privacy whilst also maintaining transparency in how they use personal information, obtain valid consent and establish a lawful basis for processing personal data. Accountability towards users was also highlighted in the blog. Access here →
Brazil’s data protection authority, the Autoridade Nacional de Proteção de Dados, (ANPD) is seeking input from personal data holders and data processors until 4 March 2024, to draft a regulation concerning data subject access rights. Separately, the ANPD has launched guidance on the interpretation and practical application of the notion of legitimate interest. Press release →(in Portuguese)
2) Notable Case Law
Italy’s data protection authority, the Garante, has fined Nirvam Srl, the owner and operator of dating site nirvam.it for GDPR violations. A fine of €200,000 was issued due to failing to maintain an adequate data processing register, lacking a clear policy on data retention periods and missing a legal basis for processing activities. The company also failed to obtain explicit consent for the processing of sensitive personal data, such as one’s sexual orientation. Read more here →
The California Third District Court of Appeal has reversed a prior decision that paused the implementation of new CCPA regulations by the California Privacy Protection Agency (CPPA). Previously set for delay until March 29, 2024, from an initial start of July 1, 2023, the appellate court’s ruling now allows immediate enforcement of these extensive regulations.
Poland’s Urząd Ochrony Danych Osobowych (UODO) fined the e-commerce site Morele.net PLN3.8 million for GDPR breaches after a data breach impacted 2.2 million users due to insufficient cybersecurity. UODO found that Morele.net failed to encrypt certain data, lacked two-factor authentication, and did not perform a risk analysis for public network access, leading to unauthorized access and data compromise. Access here →
3) New and Upcoming Legislation
US law updates:
Nebraska: Legislative Bill 308 which concerns an Act to adopt the Genetic Information Privacy Act passed the final reading in the Nebraska State Legislature and was presented to the Governor of Nebraska for signature.
Virginia: House Bill 707 to amend Consumer Data Protection Act for children’s protections was passed by the Virginia House of Delegates.
West Virginia: House Bill 5338 which introduced the Consumer Data Protection Act was presented to the House of Representatives.
4) Strong Impact Tech
The U.K. Competition and Markets Authority has issued a report demanding that Google does “not design, develop or use the Privacy Sandbox proposals in ways that reinforce the existing market position of its advertising products and services, including Google Ad Manager.” Meanwhile, IAB Tech Lab has also published an assessment which analyzes the challenges that the advertising industry may be subjected to upon adopting Google’s Privacy Sandbox.
A 2023 ransomware activity analysis reported by the Record, revealed that companies paid more than USD1.1 billion to buy back data stolen during breaches. Hackers deployed “zero-day vulnerabilities” and sharpened “their operations and targeting high-profile institutions and critical infrastructure like hospitals, schools, and government agencies” throughout last year. Read the full story here →
Other key information from the past weeks
Meta is updating its platforms, including Facebook and Instagram, to empower users in the EU, EEA, and Switzerland with greater control over their data usage, in compliance with the EU’s Digital Markets Act (DMA). Read about it here →
IAB Europe, a key player in digital marketing, advertising, and media, has recently voiced significant concerns about the European Parliament’s draft report on the GDPR procedural regulation. Follow the news here →
Apple has just rolled out a series of significant updates for iOS, Safari, and the App Store, specifically tailored for the European Union (EU) region. These changes are a response to the new Digital Markets Act (DMA). Full story here →
