The final text of the EU Digital Markets Act is scheduled to be presented to the Council of the European Union’s competition working group on April 28. The changes include issues with default settings on devices, third-party applications, fair, reasonable, and non-discriminatory terms in search engines and other online services, amongst other things. Access the final text here →
The European Data Protection Board (EDPB) published a new version of its Rules of Procedure on 6 April 2022. The Regulation will enter into force on the date of its adoption by the EDPB.
Article 1 of the Rules reiterates that the EDPB is an EU body with a legal personality that acts independently.
Article 2 of the Regulation outlines that the EDPB shall ensure the consistent application of Regulation (EU) 2016/679).
Article 3 sets out independence, impartiality, transparency, and proactivity principles.
The IAPP has released a new book on children’s privacy and safety problems in preparation for the IAPP Global Privacy Summit 2022. The book explains how to manage some of the most difficult components of the Children’s Online Privacy Protection Act (COPPA) in the US, such as obtaining parental consent, age gating, privacy policy language, and assessing how the law applies to emerging technologies. IAPP publishes “Children’s Privacy and Safety” book →
2) Notable Case Law
A corporation was fined €5,000 by the Garante for communications to obtain marketing consent. The Garante indicated in the decision that:
it is not possible to obtain consent to the processing of data for promotional purposes on the occasion of the first phone call to the data subject, as it is to be considered “commercial communication”;
it is not possible to collect personal data from the internet to promote services and products for a purpose different from and incompatible with the original purpose for which the data were made public, and thus not within the legitimate expectations of the data subjects.
Hungarian Data Protection Authority fined €670,000 for the illegal use of artificial intelligence. The case concerned the processing of personal data by a bank as a data controller, which automatically analyzed the recorded audio of customer service calls. In the Authority’s view, the bank’s privacy notice referred to these processing activities only in general terms, and no material information was available regarding the voice analysis itself. More details on this story can be found here →
3) New and Upcoming Legislation
The Virginia Consumer Data Protection Act (VCDPA) has been finalized ahead of January 1, 2023. The law will take effect on July 1, 2022. Virginia became the second state to pass a consumer data privacy law, the VCDPA, last year. Reported here →
4) Strong Impact Tech
A former employee downloaded customer information, potentially exposing the data of over 8 million Cash App users. Block owns Cash App Investing, an equities trading platform. According to Block’s admission, the former employee had access to the information during office hours and downloaded it for consumers using Cash App’s stock investment function. Although the investigation is still ongoing, Block has warned that the eventual cost of the data breach is difficult to anticipate. Read more on this story here →
Other key information from the past weeks
The European Data Protection Board (EDPB) welcomed the announcement of a political agreement in principle between the European Commission and the United States on 25 March on a new Trans-Atlantic Data Privacy Framework.
The French Data Protection Authority (CNIL) has released a series of resources for evaluating artificial intelligence (AI) systems in light of the GDPR, aimed at both the general public and specialists.
New EU data-sharing rules aim to spur innovation and assist start-ups and enterprises in using big data. The Data Governance Act, passed by Parliament on April 6, 2022, proposes to increase data sharing in the EU so that businesses and start-ups can access more data to build new goods and services.
