Weekly Newsletter: 26 July – 30 July 2021
GDPR EU Representative

August 2, 2021

BCLP Global Data Privacy FAQs: How do the new Article 28 clauses fit with the new SCCs? Are both needed for a non-EU processor?

[#SCCs #GDPR #EuropeanCommission] 

“In short, no. It is not necessary to use both the new SCCs and the new Article 28 clauses at the same time.

Whilst the European Commission’s new standard contractual clauses (“SCCs”) for transfers to third countries (the “new SCCs”) received most of the fanfare when published on 4 June 2021, that date also saw the publication of a set of model processing clauses for use between controllers and processors (the “Article 28 SCCs”). […]

The Article 28 SCCs are only relevant to use in a controller-processor relationship that does not involve any outbound transfers of personal data to third countries. When data export to third countries is involved, the new SCCs offer the benefit of incorporating Article 28 GDPR compliant language within the controller – processor module, meaning that EEA based controllers may transfer personal data to a third country based processor without any need to enter into a separate data processing agreement or the Article 28 SCCs.”

To read more: Click here

More fines issued by the French and Dutch DPA

[#CNIL #TikTok #GDPRfines]

– “The Dutch Data Protection Authority […] imposed a fine of €750,000 on TikTok “for violating the privacy of young children”. More specifically, TikTok failed to provide a privacy statement in the Dutch language, making it difficult for young children to understand what would happen to their data. […] “

Read the full article here

– “French DPA issues 1.75m euro GDPR [fines] against multinational insurer[…] The CNIL discovered that the Mutual Insurance Group company AG2R La Mondiale kept the data of millions of people for an excessive period of time and failed to comply with information obligations in connection with canvassing campaigns.”

Read the full article here

Menu Codes Are Everywhere—and Tracking You More Than You Think

[#QRCodes NewYorkTimes #Restaurants #Tracking]
 “If you’ve returned to the restaurants and bars that have reopened in your neighborhood lately, you might have noticed a new addition to the post-quarantine decor: QR codes. Everywhere. And as they’ve become more ubiquitous on the dining scene, so has the quiet tracking and targeting that they do.

That’s according to a new analysis by the New York Times, that found these QR codes have the ability to collect customer data—enough to create what Jay Stanley, a senior policy analyst at the American Civil Liberties Union, called an “entire apparatus of online tracking,” that remembers who you are every time you sit down for a meal. While the data itself contains pretty uninteresting information, like your order history or contact information, it turns out there’s nothing stopping that data from being passed to whomever the establishment wants.”

To read more : Click here

VPN servers seized by Ukrainian authorities weren’t encrypted 

[#Cybersecurity #Encrypdata #ComputerSecurity #Windscribe #VPN]
“Privacy tools-seller Windscribe said it failed to encrypt company VPN servers that were recently confiscated by authorities in Ukraine, a lapse that made it possible for the authorities to impersonate Windscribe servers and capture and decrypt traffic passing through them.

The Ontario, Canada-based company said earlier this month that two servers hosted in Ukraine were seized as part of an investigation into activity that had occurred a year earlier.

The servers, which ran the OpenVPN virtual private network software, were also configured to use a setting that was deprecated in 2018 after security research revealed vulnerabilities that could allow adversaries to decrypt data. […]

The seizure of the Windscribe servers underscores the importance of the kind of basic VPN security hygiene that the company failed to follow. That, in turn, emphasizes the risks posed when people rely on little-known or untested services to shield their Internet use from prying eyes.”

To read more: Click here

Whether You Like it or Not, Cookies are Back on the Menu and UK and EU Data Protection Authorities are Taking Enforcement Action

[#Cookies #Tracking #ICO #CNIL #DataProtection] 
“According to a press statement by the CNIL, it has sent 40 formal notices to organizations including tech platforms, software and hardware companies and those delivering services online regarding cookie compliance. These notices demand that the recipient organizations make changes to their data protection practices surrounding cookies by September 6, 2021, or they may face fines of up to 2% of global turnover. […]

This latest focus on cookies and tracking technologies from the CNIL is part of a wider trend, and this area of data processing is under siege from a variety of national data protection regulators. The UK’s ICO has recommenced its investigation into the Adtech industry […] and has begun to exercise its broad powers of “audit” to assess compliance with data protection laws in this space.

Many organizations have been waiting for the new “E-privacy Regulation” to be finalised prior to reviewing their cookie compliance, however, the new regulation continues to move at a glacial pace through the European legislative machine.”

To read more: Click here

EDPB adopts Art. 65 decision regarding WhatsApp Ireland 

[#Whatsapp #GDPR #Persondaldata #DataprotectionAuthorities #EDPB] 
“During its latest plenary session, the EDPB adopted a dispute resolution decision on the basis of Art. 65 GDPR. The binding decision seeks to address the lack of consensus on certain aspects of a draft decision issued by the Irish (IE) SA as lead supervisory authority (LSA) regarding WhatsApp Ireland Ltd. (WhatsApp IE) and the subsequent objections expressed by a number of concerned supervisory authorities (CSAs). […]

The CSAs issued objections pursuant to Art. 60 (4) GDPR concerning, among others, the identified infringements of the GDPR, whether specific data at stake were to be considered personal data and the consequences thereof, and the appropriateness of the envisaged corrective measures. The IE SA was unable to reach consensus, having considered the objections of the CSAs, and consequently indicated to the Board it would not follow the objections. […]

Today, the EDPB adopted its binding decision. The decision addresses the merits of the objections found to be “relevant and reasoned” in line with the requirements of Art. 4 (24) GDPR. “

To read more: Click here

Cookies: 50,000 euro penalty against SOCIÉTÉ DU FIGARO

[#CNIL #Cookies #GDPRfines] 
The CNIL has fined the SOCIÉTÉ DU FIGARO 50,000 euros for placing advertising cookies on the lefigaro.fr website without obtaining the prior consent of Internet users.

The CNIL, after receiving a complaint, carried out several checks between 2020 and 2021 on the news website lefigaro.fr. These checks revealed that when a user visited this site, cookies were automatically placed on his/her computer by the company’s partners, without any action on his/her part or despite his/her refusal. Several of these cookies were used for advertising purposes and should have been subject to the user’s consent.

On the basis of these elements, the restricted formation – the body of the CNIL in charge of imposing sanctions – considered that the company had failed to comply with its obligations because it did not systematically guarantee the collection of users’ consent before placing advertising cookies or respect their refusal to place these cookies. (Unofficial translation)

Link to the decision here (only available in french)

To read more: Click here

Moscow court fines Google over $40,000 for refusing to localize users’ data in Russia

[#Google #PersonalData #Russian #GDPR #DataLocalisation]  
“The Magistrates’ Court in Moscow has fined Google 3 mln rubles ($40,975) for refusing to localize its users’ data in Russia, a representative of the court’s press service told TASS. […]

This is the first punishment for the refusal to localize the databases of Russian users in the country for the company. Previously the court fined Google for the refusal to delete banned information. […]

The regulator noted that “as of today around 600 representative offices of foreign companies in Russia have localized the storage of personal data of Russian users.””

To read more: Click here


 [#UK #DataProtection #ICO]

” What are the thoughts from the coalface, from data protection professionals who’ve grappled with implementing and maintaining measures to comply with GDPR? Will we or wont we diverge? What’s in store for the new head of the ICO? […]

The UK has newfound legislative freedoms post-Brexit and that’s a great thing, but the UK must not make the mistake of thinking that it now has an obligation to use those powers, just because it can. Yes, ministers and advisers will see an opportunity to ‘shake up’ the data protection space and ‘cut red tape’ but the reality is that by reducing the issue down to political soundbites they risk throwing away years of hard work by industry and regulators to nurture a data protection framework that (more often than not) empowers data subjects and fosters innovation. […]

In general, though, my view is that sweeping reform in the UK data protection space is entirely unnecessary and risks missing the point that data protection law in the UK actually works pretty well already.”

To read more: Click here
 [#CNPD #DataProtection #Amazon #Luxemburg]

“Luxembourg’s data protection authority (CNPD) fined Amazon €746 million for not complying with EU’s privacy rules, according to the company’s latest filings. […]

Asked about the ruling, an Amazon spokesperson said: “We strongly disagree with the CNPD’s ruling, and we intend to appeal. The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”

The data protection authority is also asking for “practice revisions,” which are not detailed in the document.  The fine is higher than previously reported.”

To read more: Click here