Privacy Transformation - Issue 91
PRIVACY
Portugal’s plans to conclude ePrivacy saga
The Portuguese presidency of the EU has pitched a new text on the controversial ePrivacy regulation, focusing on the processing of communications metadata and data stored on end-user equipment, according to the latest proposal.
Passenger data not shared between Dublin and Belfast despite Covid deal
Passengers arriving from Britain into Irish airports and ports with the aim of travelling to Northern Ireland remain under no legal obligation to provide residence addresses or contact numbers, 10 months after authorities on both sides of the Border agreed to share data on Covid-19.
Opinion: After 20 years of debate, it’s time for Congress to finally pass a baseline privacy law
Jessica Rich revisits an FTC privacy legislation proposal from 2000 to see which considerations have and have not changed over two decades.
Austrian Court: Probabilities as personal data
The Federal Administrative Court of Austria confirmed by its decision of 26 November 2020 the stance of the Austrian Data Protection Authority that so-called “party affinity” data may not be processed without the data subject’s consent. Most importantly, the Court clarified that data about an individual fall within the scope of “personal data” even if they only reflect probable and not actual characteristics of individuals.
SECURITY & TECH
Study: Parental control applications often misbehave posing privacy threats for children and even parents
Parental control apps are used by parents to monitor the use that their children make of their mobile phones, and to block access to certain features. These apps are highly intrusive by definition, as they can track the actions and movements of the children’s phone (and thus of the child). Therefore, the use of parental control apps can have implications on the privacy of both children and parents.
Facebook faces new UK class action after data harvesting scandal
Facebook is facing a second London High Court class action over allegations it failed to protect the personal details of about one million people in England and Wales, in the latest lawsuit to spring from a scandal over data harvesting.
UK NCSC - Weekly Threat Report 5th February 2021
The NCSC's weekly threat report is drawn from recent open source reporting.
ENFORCEMENT
UCD fined €70k by data watchdog after email accounts' log-in details posted online
University College Dublin has been officially reprimanded and ordered to bring its processes up to GDPR standard.
Read the DPC Decision here.
No fine despite DPC finding against INM over 2014 data breach
INM will not be hit with a fine or other regulatory sanction despite the Data Protection Commission making a number of findings against the company in relation a 2014 data breach.
Norwegian DPA
The Norwegian DPA has been active in enforcement, and we give a spotlight to them this week, having issued the following fines:
A fine of EUR 10,000 to Lindstrand Trading AS for conducting a total of four credit ratings of individuals and sole proprietorships without a legal basis.
A fine of EUR 7,500 to a company for conducting a credit rating analysis without a legal basis. [Read More]
A fine of EUR 20,000 to a company for unlawfully setting up the automatic forwarding of a former employee’s e-mails. [Read More]
In a similar case, the DPA fined an organisation EUR 40,000 for setting up automatic forwarding of an employee's e-mails. [Read More]
A fine of EUR 40,000 for unlawful distribution of a camera recording from a shop. [Read More]
More on the latest GDPR enforcement news can be found on:
GUIDANCE
EDPS Opinions on the Digital Services Act and the Digital Markets Act
The EDPS published Opinions on the European Commission’s proposals for a Digital Services Act and a Digital Markets Act. Both Opinions aim to assist the EU legislators to shape a digital future rooted in EU values, including the protection of individuals’ fundamental rights, such as the right to data protection.
RESOURCES
EDPB Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research
EDPB's response to a request by the European Commission for clarification on the consistent application of the GDPR, fovussing on Health Research.
EDPB adopted documents - 45th plenary
During its 45th plenary, the EDPB adopted the following documents:
- Recommendations on the adequacy referential under the Law Enforcement Directive
- Opinion on the draft Administrative Arrangement for transfers of personal data between the Haut Conseil du Commissariat aux Comptes (H3C) and the Public Company Accounting Oversight Board (PCAOB)
- Statement on new draft provisions of the second additional protocol to the Council of Europe Convention on Cybercrime (Budapest Convention)
- EDPB response to the European Commission questionnaire on processing personal data for scientific research, focusing on health related research
Podcast: Democratic Societies in the Digital Age - Mass Surveillance and Facial Recognition
To tackle some of these challenges that western democracies are facing right now, the trainees from the European Data Protection Supervisor and European Data Protection Board have prepared a 3-episode podcast series titled: Democratic Societies in the Digital Age.
In this first episode, with the help of Ella Jakubowska, Policy and Campaigns Officer at the European Digital Rights (EDRi), we will go deep on the concept of mass surveillance.
CONTRIBUTE
Have an interesting article, book, video, podcast or other data protection or privacy resource that you would like to share with fellow privacy practitioners? Feel free to drop me a note.