Weekly Newsletter: 15 February – 19 February 2021
GDPR EU Representative

February 22, 2021

CNIL fines controller and processor for security violations under GDPR

[#GDPRfines #GDPRsanctions #CNIL #FrenchDPA]

French Data Protection Authority finds that data processors can also be sanctioned for data breaches

“On 27 January 2021, the CNIL announced that it levied administrative fines of €150.000 on a data controller and €75.000 on its data processor for failure to ensure data security. […]

The e-commerce platform had notified several dozens of data breaches to the CNIL between June 2018 and January 2020. In this context, the CNIL decided to carry out an inspection […]

According to the CNIL, “the data controller must decide on the implementation of measures and give documented instructions to its processor. But the processor must also seek the most appropriate technical and organisational solutions to ensure the security of personal data and put them forward to the controller.””

To read more: Click here.

Brussels to allow data to continue to flow to UK

[#Adequacydecision #UKAdequacy #EUComission]

BREAKING NEWS: Adequacy decision expected this week

“Brussels is set to allow data to continue to flow freely from the EU to the UK after concluding that the British had ensured an adequate level of protection for personal information. A draft decision by the European Commission, seen by the Financial Times, is expected to be approved this week.

[…] A positive decision by Brussels on data sharing had been widely expected and would benefit the EU and the UK. It would be periodically reviewed by the commission and is open to legal challenges at the European Court of Justice, such as the one that led to parts of the EU-US “Privacy Shield” data transfer arrangements being struck down last year. The decision to grant data adequacy to the UK will face scrutiny by the European Data Protection Board before it can be implemented, but the body does not have the power to block the move.”

To read more: Click here

Commission publishes study on Assessment of the EU Member States’ rules on health data in the light of GDPR

[#EUCommission #Healthdata]

“[…] the Commission published a study on the “Assessment of the EU Member States’ rules on health data in the light of GDPR”. The study finds that while the […] GDPR lays down horizontal directly applicable rules in all Member States, there remains variation in the range of national-level legislation linked to its implementation in the area of health. This […] has led to a fragmented approach in the way that health data processing for health and research is conducted in the Member States. This can negatively impact cross-border cooperation for care provision, healthcare system administration, public health or research.

[…] The study identified potential future EU level actions, including stakeholder-driven Codes of Conduct as well as new targeted and sector-specific EU level legislation.”

To read more: Click here

BEUC files complaint against TikTok for multiple EU consumer law breaches

[#GDPRinvestigation #EUcommission #BEUC #TikTok #consumer #consumerprotection #gdpr #Childrenrights]

“The European Consumer Organisation BEUC has today filed a complaint with the European Commission and the network of consumer protection authorities against TikTok, a video sharing platform extremely popular with children and teenagers. […]

BEUC contends that TikTok falls foul of multiple breaches of EU consumer rights and fails to protect children from hidden advertising and inappropriate content […]

TikTok’s practices for the processing of users’ personal data are misleading. TikTok does not clearly inform its users, especially in a way comprehensible to children and teenagers, about what personal data is collected, for what purpose and for what legal reason. […]

We consider that some of these, as well as other, practices are potentially in breach of the General Data Protection Regulation and have brought them to the attention of Data Protection Authorities in the context of their ongoing investigations into the company.”

To read more: Click here

Italy: AGCM fines Facebook €7M for non-compliance with order concerning consumer rights violations

[#Dataprotection #Facebook #AGCM #facebookireland #Datafines]

“The Italian Competition Authority (‘AGCM’) announced, on 17 February 2021, that it had fined Facebook Ireland Ltd. and Facebook Inc. €7 million for not complying with an order issued in November 2018 regarding the unlawful processing of consumer data. In particular, the AGCM found that Facebook had been misleading consumers to register on the platform without informing them in a timely and adequate manner about the data that would be collected from them for commercial purposes.”

To read more: Click here.

Tracker pixels in emails are now an ‘endemic’ privacy concern

[#Spypixels #GDPR #cybersecurity #BBC #Emailaccounts #email security #hacking]

“This week, the Hey messaging service analyzed its traffic following a request from the BBC and discovered that roughly two-thirds of emails sent to its users’ private email accounts contained what is known as a “spy pixel.”

[…] when an email is opened, the tracking pixel is automatically downloaded — and this lets a server, owned by a marketer, know that the email has been read. Servers may also record the number of times an email is opened, the IP address linked to a user’s location, and device usage.

[…] GDPR demands that organizations tell recipients of the use of such pixels. However, the water has been muddied surrounding the transparency necessary to implement pixel tracking, as consent is not always required — and when it is, this could be ‘obtained’ automatically when a user signs up to an email service and is asked to read a privacy notice published on a website.”

To read more: Click here

Coming Soon: Canada’s New Privacy Law – What You Need to Know

[#Canada #CPPA #Privacylaw #Dataprivacyregulation #Canadaregulations]

Key aspects of the newly proposed Canadian privacy law

“Stricter data privacy regulations and enforcement is no longer a new trend, it’s the known future. […] If Canada’s CPPA is adopted, it will be one of the strictest privacy laws in the world and is comparable to the GDPR and California’s privacy regulation.

[…] The bill is still in the early phases of development and will likely gain more traction as 2021 ensues. It is important for organizations that would become subject to Canada’s CPPA to monitor all developments going forward, including whether provisions are altered or removed. This is necessary to stay on top of future compliance obligations. While some of these responsibilities may overlap with other laws like the GDPR, there will be variances.”

To read more: Click here.

Draft decision on the adequate protection of personal data by the UK GDPR

[#Adequacydecision #EuropeanComission #UKAdequacy]

First draft of the UK Adequacy Decision is out

“Today, the Commission launched the process towards the adoption of two adequacy decisions for transfers of personal data to the United Kingdom, one under the General Data Protection Regulation and the other for the Law Enforcement Directive. The publication of the draft decisions is the beginning of a process towards their adoption. This involves obtaining an opinion from the European Data Protection Board (EDPB) and the green light from a committee composed of representatives of the EU Member States. Once this procedure will have been completed, the Commission could proceed to adopt the two adequacy decisions.”

To read more: Click here.