The French Data Protection Authority (the CNIL) has opened a consultation on the use of smart cameras. Read it here →
The CNIL has proposed to open a new sandbox on innovation in the sector of education. Read about it here →
The Dutch and Austrian Data Protection Authorities have published updated guidelines on the use of Google Analytics. They set that since IP addresses and cookie identifiers constitute personal data and are covered by the GDPR, a European company using Google Analytics could be at risk of non-compliance. Google has responded, stating that “it does not track people across the web or applications, and organizations control and own collected data.” The complainant has published a summary here. Read the Dutch guidelines here (in Dutch) →
2) Notable Case Law
After fining Google 150 million euros, the CNIL also fined Facebook 60 million euros on similar grounds. Indeed, the Authority found that data subjects could not reject as easily as they could accept cookies: several clicks were needed to reject while only one was needed to accept. This mechanism was considered to be complex and discouraging for data subjects. Read about the decision here (in French) →
The Maltese Data Protection Authority has issued a fine of 65,000 euros to an IT company for an important data breach of voter information. It was found that the company should have notified the Authority within 72 hours, as well as the individualsconcerned. They also lacked a proper legal basis for the data processing and did not inform the data subjects of the processing. Full details here →
The Italian Data Protection Authority has issued a 6,000 euro fine to a company, as health data was shared without consent. Although this transfer was accidental, the controller’s due diligence was found to be inadequate.
3) New and Upcoming Legislation
European Union – The Digital Services Act is being debated in this week’s plenary session of the European Parliament. Watch the plenary debates here →
United States – A Bill called Terms-of-service Labeling, Design and Readability Act (TLDR Act) was introduced before the US Senate. The Bill aims at making websites present short and clear notices summarising privacy policies and terms and conditions. For example, it could impose a graphic diagram of how consumer data is shared with third parties. Follow the Bill’s evolution here →
4) Strong Impact Tech
It was found that Federal investigators accessed encrypted messages on the messaging service Signal during the Capitol Riots in Washington, on January 6th, 2021. It is unclear how the messages were accessed. Read the complaint which was filed, here →
Other key information from the past weeks
The Italian Data Protection Authority has published an information page on its website, containing its latest Cookie Guidelines.
The French Data Protection Authority has fined Google a total amount of 150 million euros for the way its cookie banner was implemented. The Authority found that data subjects could not reject as easily as they could accept cookies.
