Privacy Transformation - Issue 192

Curated privacy news, insights & resources, with a focus on Irish and EU developments.


PRIVACY

DPC unable to fine Facebook, Instagram on basis of profits earned from illegal data processing

The Data Protection Commission (DPC) was unable to fine Facebook and Instagram on the basis of profits earned from illegal data processing, a stance critics say may have deprived the Irish exchequer of a multibillion windfall.

RELATED:
- Data Protection Commission fines WhatsApp additional €5.5m over GDPR breach
- Meta’s ads being found unlawful in the EU is a warning to other ad-funded platforms
- Noyb: Irish Data Protection Authority gives € 3.97 billion present to Meta? Authority allegedly unable to take financial benefit from Meta's GDPR violations into account
- EDPB: Facebook and Instagram decisions: “Important impact on use of personal data for behavioural advertising”

Ireland tops EU league table for data fines

Ireland has topped a league table of EU countries with aggregate data breach fines imposed to date totalling more than €1 billion. According to the latest GDPR and Data Breach Survey from law firm DLA Piper, Luxembourg is in second position, with the highest individual fine of €746 million, which was issued in 2021.

RELATED:
- Ireland responsible for third of GDPR fines issued last year
- DLA Piper GDPR Fines and Data Breach Survey: January 2023

Privacy by Design to become an ISO standard next month

Fourteen years after being introduced by a Canadian privacy commissioner, Privacy by Design (PbD) is about to become an international privacy standard for the protection of consumer products and services.

RELATED: Launch Event: ISO 31700 : Privacy By Design for Consumer Goods and Services

CJEU rules that controllers must disclose actual identity of data recipients in response to data subject access request

The CJEU delivered its judgment in Case C-154/21 which concerned the appropriate level of information to disclose when communicating recipients of personal data to data subjects requesting their information. The court held that controllers must disclose the actual identity of recipients, where requested by the data subject, unless the recipients are impossible to identify or the controller can prove that the request is manifestly unfounded or excessive.

RELATED: Judgement & Opinion

Five New US State Privacy Laws Take Effect in 2023: Are You Covered?

These laws share a lot in common. For example, they all impact online advertising and tracking, create new liabilities and regulatory risks, and give people new rights over their data. But there are important differences between each of the five laws, including which types of businesses they cover. This article explores how each of 2023’s new US state privacy laws applies.


SECURITY & TECH

Ransomware attackers simplify their tactics by ditching encryption

Criminal gangs are using a new method to guarantee a ransomware payout: They're ditching the part where they lock up a target firm's systems by encrypting them and are skipping straight to holding the company's precious data for ransom.

Roomba testers feel misled after intimate images ended up on Facebook

An MIT Technology Review investigation recently revealed how images of a minor and a tester on the toilet ended up on social media. iRobot said it had consent to collect this kind of data from inside homes—but participants say otherwise.

ICO: Addressing concerns on the use of AI by local authorities

When concerns were raised about the use of algorithms in decision-making around benefit entitlement and in the welfare system more broadly, we conducted an inquiry to understand the development, purpose and functions of algorithms and similar systems being used by local authorities. We wanted to make sure people could feel confident in how their data was being handled.

Microsoft will add AI to Office applications to help with writing texts

It is believed that thanks to AI, users will be able to add fragments of automatically generated text to documents based on a note. Among other things, AI can be used to create emails that are automatically generated based on the information that the user chooses to convey to the recipient.

European carriers file to create joint venture for opt-in ad targeting of mobile users

European telcos are moving ahead with a plan to create a joint venture to offer opt-in “personalized” ad targeting of regional mobile network users following trials last year in Germany, although it remains to be seen whether European Union regulators will sign off on their plan.

Severe API Security Flaws Affect Millions of Vehicles from 16 Car Manufacturers, Including BMW, Mercedes and Toyota

Hackers could remotely control, track, and transfer vehicles and leak personal information from over a dozen car manufacturers, including Mercedes-Benz, Ferrari, Porsche and Toyota, by leveraging new API security flaws.

Meta alleges surveillance firm collected data on 600,000 users via fake accounts

Meta has sued to block a surveillance company from using Facebook and Instagram, alleging the firm, which has partnered with law enforcement, created tens of thousands of fake accounts to collect user data.

UK NCSC: Weekly Threat Report

The NCSC's threat report is drawn from recent open source reporting.


DATA BREACH

Royal Mail ransomware attackers threaten to publish stolen data

Royal Mail has been hit by a ransomware attack by a criminal group, which has threatened to publish the stolen information online. The postal service has received a ransom note purporting to be from LockBit, a hacker group widely thought to have close links to Russia.

NortonLifeLock warns that hackers breached Password Manager accounts

Gen Digital, formerly Symantec Corporation and NortonLifeLock, is sending data breach notifications to customers, informing them that hackers have successfully breached Norton Password Manager accounts in credential-stuffing attacks.


ENFORCEMENT

Data Protection Commission announces conclusion of inquiry into WhatsApp

The Irish Data Protection Commission has announced the conclusion of an inquiry into the processing carried out by WhatsApp Ireland in connection with the delivery of its WhatsApp service, in which it has fined WhatsApp Ireland EUR5.5 million for breaches of the GDPR relating to its service. WhatsApp Ireland has also been directed to bring its data processing operations into compliance within a period of six months.

Mobile games: the CNIL fined VOODOO 3 million euros

The CNIL imposed a fine of 3 million euros on the company VOODOO, which publishes video games for smartphones, for using an essentially technical identifier for advertising without the user's consent.

Publication of DPC decision in an inquiry into Virtue Integrated Elder Care

The inquiry was commenced after VIEC, which operates five nursing homes, notified a personal data breach to the DPC in 2020. VIEC has been issued with a reprimand and an order to bring processing into compliance. A fine of EUR100,000 has also been imposed.

Publication of DPC decision in an inquiry into Airbnb Ireland

The inquiry was commenced on foot of a complaint that Airbnb failed to comply with an erasure request and a subsequent access request within the statutory timeframe. Further, when the Complainant submitted their request for erasure, Airbnb requested that they verify their identity by providing a photocopy of their ID which they had not previously provided to Airbnb.


GUIDANCE & OPINIONS

EDPS Opinion on the Proposal for an Interoperable Europe Act



RESOURCES

The EDPB has adopted a report on the findings of its first coordinated enforcement action, which focused on the use of cloud-based services by the public sector. The EDPB underlines the need for public bodies to act in full compliance with the GDPR and includes recommendations for public sector organisations when using cloud-based products or services. In addition, a list of actions already taken by data protection authorities (DPAs) in the field of cloud computing is made available.

[Access Report]

DLA Piper GDPR Fines and Data Breach Survey: January 2023

2022 was another record year with an aggregate of EUR2.92bn GDPR fines issued across Europe. The aggregate value of fines issued in 2022 was more than double the value of fines issued in 2021.

Vicher have published a helpful flow-chart and checklist to help you consider whether you have thought of all the pitfalls under the ePrivacy Directive and GDPR.


CONTRIBUTE

Have an interesting article, book, video, podcast or other resource that you would like to share with your fellow privacy practitioners? Please do drop me a note!