August 2, 2021
BCLP Global Data Privacy FAQs: How do the new Article 28 clauses fit with the new SCCs? Are both needed for a non-EU processor?
[#SCCs #GDPR #EuropeanCommission]
“In short, no. It is not necessary to use both the new SCCs and the new Article 28 clauses at the same time.
Whilst the European Commission’s new standard contractual clauses (“SCCs”) for transfers to third countries (the “new SCCs”) received most of the fanfare when published on 4 June 2021, that date also saw the publication of a set of model processing clauses for use between controllers and processors (the “Article 28 SCCs”). […]
The Article 28 SCCs are only relevant to use in a controller-processor relationship that does not involve any outbound transfers of personal data to third countries. When data export to third countries is involved, the new SCCs offer the benefit of incorporating Article 28 GDPR compliant language within the controller-processor module, meaning that EEA-based controllers may transfer personal data to a third-country-based processor without any need to enter into a separate data processing agreement or the Article 28 SCCs.”
More fines issued by the French and Dutch DPA
[#CNIL #TikTok #GDPRfines]
– “The Dutch Data Protection Authority […] imposed a fine of €750,000 on TikTok “for violating the privacy of young children”. More specifically, TikTok failed to provide a privacy statement in the Dutch language, making it difficult for young children to understand what would happen to their data. […]”
– “French DPA issues 1.75m euro GDPR [fines] against multinational insurer […] The CNIL discovered that the Mutual Insurance Group company AG2R La Mondiale kept the data of millions of people for an excessive period of time and failed to comply with information obligations in connection with canvassing campaigns.”
Menu Codes Are Everywhere—and Tracking You More Than You Think
“That’s according to a new analysis by the New York Times, which found these QR codes have the ability to collect customer data—enough to create what Jay Stanley, a senior policy analyst at the American Civil Liberties Union, called an “entire apparatus of online tracking,” that remembers who you are every time you sit down for a meal. While the data itself contains pretty uninteresting information, like your order history or contact information, it turns out there’s nothing stopping that data from being passed to whomever the establishment wants.”
VPN servers seized by Ukrainian authorities weren’t encrypted
“The Ontario, Canada-based company said earlier this month that two servers hosted in Ukraine were seized as part of an investigation into activity that had occurred a year earlier.
The servers, which ran the OpenVPN virtual private network software, were also configured to use a setting that was deprecated in 2018 after security research revealed vulnerabilities that could allow adversaries to decrypt data. […]
The seizure of the Windscribe servers underscores the importance of the kind of basic VPN security hygiene that the company failed to follow. That, in turn, emphasizes the risks posed when people rely on little-known or untested services to shield their Internet use from prying eyes.”
Whether You Like it or Not, Cookies are Back on the Menu and UK and EU Data Protection Authorities are Taking Enforcement Action
“This latest focus on cookies and tracking technologies from the CNIL is part of a wider trend, and this area of data processing is under siege from a variety of national data protection regulators. The UK’s ICO has recommenced its investigation into the Adtech industry […] and has begun to exercise its broad powers of “audit” to assess compliance with data protection laws in this space.
Many organizations have been waiting for the new “E-privacy Regulation” to be finalised prior to reviewing their cookie compliance, however, the new regulation continues to move at a glacial pace through the European legislative machine.”
EDPB adopts Art. 65 decision regarding WhatsApp Ireland
“The CSAs issued objections pursuant to Art. 60 (4) GDPR concerning, among others, the identified infringements of the GDPR, whether specific data at stake were to be considered personal data and the consequences thereof, and the appropriateness of the envisaged corrective measures. The IE SA was unable to reach consensus, having considered the objections of the CSAs, and consequently indicated to the Board it would not follow the objections. […]
Today, the EDPB adopted its binding decision. The decision addresses the merits of the objections found to be “relevant and reasoned” in line with the requirements of Art. 4 (24) GDPR.”
Cookies: 50,000 euro penalty against SOCIÉTÉ DU FIGARO
The CNIL, after receiving a complaint, carried out several checks between 2020 and 2021 on the news website lefigaro.fr. These checks revealed that when a user visited this site, cookies were automatically placed on his/her computer by the company’s partners, without any action on his/her part or despite his/her refusal. Several of these cookies were used for advertising purposes and should have been subject to the user’s consent.
On the basis of these elements, the restricted formation – the body of the CNIL in charge of imposing sanctions – considered that the company had failed to comply with its obligations because it did not systematically guarantee the collection of users’ consent before placing advertising cookies or respect their refusal to place these cookies. (Unofficial translation)
Moscow court fines Google over $40,000 for refusing to localize users’ data in Russia
“This is the first punishment for the refusal to localize the databases of Russian users in the country for the company. Previously the court fined Google for the refusal to delete banned information. […]
The regulator noted that ‘as of today around 600 representative offices of foreign companies in Russia have localized the storage of personal data of Russian users.’”
UK DATA PROTECTION – WILL WE OR WON’T WE DIVERGE?
“What are the thoughts from the coalface, from data protection professionals who’ve grappled with implementing and maintaining measures to comply with GDPR? Will we or won’t we diverge? What’s in store for the new head of the ICO? […]
The UK has newfound legislative freedoms post-Brexit and that’s a great thing, but the UK must not make the mistake of thinking that it now has an obligation to use those powers, just because it can. Yes, ministers and advisers will see an opportunity to ‘shake up’ the data protection space and ‘cut red tape’ but the reality is that by reducing the issue down to political soundbites they risk throwing away years of hard work by industry and regulators to nurture a data protection framework that (more often than not) empowers data subjects and fosters innovation. […]
In general, though, my view is that sweeping reform in the UK data protection space is entirely unnecessary and risks missing the point that data protection law in the UK actually works pretty well already.”
Amazon fined €746M for violating privacy rules
“Luxembourg’s data protection authority (CNPD) fined Amazon €746 million for not complying with EU’s privacy rules, according to the company’s latest filings. […]
Asked about the ruling, an Amazon spokesperson said: “We strongly disagree with the CNPD’s ruling, and we intend to appeal. The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”
The data protection authority is also asking for “practice revisions,” which are not detailed in the document. The fine is higher than previously reported.”