In light of the Vienna Declaration on Cooperation in Enforcement, the European Data Protection Board (EDPB) published on July 14, 2022, the criteria for determining which cross-border cases may require closer cooperation between DPAs. In particular, EDPB adopted a procedure that outlines the steps for cooperative action after identifying a strategic case. Read here →
On July 13, 2022, The Privacy Commissioner of Canada made a statement highlighting the fact that non-Canadian data subjects now have the same access rights as Canadian citizens under Privacy Act Extension Order No. 3. Users will now have access to personal data maintained by federal government organizations and will be able to file a complaint with the Privacy Commissioner of Canada if they feel that their rights have been violated. Access here →
According to two government announcements, the U.K. government revealed a pair of post-Brexit data reform measures aimed at promoting responsible data usage and economic innovation on Monday. The bills proposed, in particular, a post-Brexit strategy to reform data processing regulations and a detailed artificial intelligence framework. Reported here →
2) Notable Case Law
Google LLC is the focus of an investigation by the Italian Antitrust Authority into whether it has abused its dominant position in violation of Article 102 of the Treaty on the Functioning of the European Union. The Authority specifically outlined how Google hindered data sharing between platforms, particularly with the Weople app run by Hoda s.r.l., a company that created an investment database. Read about the decision here → (in Italian)
A Danish law firm was fined around € 67.000,000 for failing to put in place suitable security measures in connection with its data processing activities, the Danish DPA said on July 14, 2022. The law firm specifically reported a data breach in March 2020 following a hack that allowed unauthorized users to access and encrypt the servers’ data on the firm’s clients and competitors. The Authority’s summary can be found here → (in Danish)
TotalEnergies Electricité et Gaz France was fined €1 million by the CNIL for violating laws regarding direct email marketing, according to a statement. TotalEnergies neglected to give consumers the option to decline to receive marketing communications and to give data subjects important information about how their personal data was being used. Reported here → (in French) or read about it on our blog
3) New and Upcoming Legislation
On July 12, 2022, the European Data Protection Board and the European Data Protection Supervisor (EDPS) released a joint opinion on the recently announced project, the European Health Data Space (EHDS). In order to fully comply with the high data protection standards of the E.U., the EHDS will be required to adopt guidelines for a regulatory framework for the use of health data for research, innovation, policy-making, and regulatory activities (for example, by promoting a single market for electronic health record systems, relevant medical devices, and high-risk artificial intelligence systems). Read here →
4) Strong Impact Tech
According to research done by the nonprofit organization Fairplay, not all operating marketplaces for TikTok, WhatsApp, and Instagram provide children with the same privacy and safety safeguards. The study looked at the platforms’ default options and terms of service in 14 different nations and found considerable regional variations. Read the full story on our blog here →
Other key information from the past weeks
Following TikTok’s announcement that the processing of personal data for targeted advertising would be based on legitimate interests rather than on the consent of data subjects, the Spanish DPA announced on Twitter on July 12, 2022, that it had opened an investigation on its own office against TikTok. This response is similar to the warning from the Italian DPA.
