We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• The organization NOYB has launched a new round of complaints against a select group of website owners who it claims have disregarded or failed to fully acknowledge earlier requests to update their cookie consent banners to comply with EU legal standards for consent. Read more on this here →
• The Dutch Ministry of Justice and Security (NCSC) released a legal memorandum highlighting how the CLOUD Act’s reach extends to data processed by sub-contractors and cloud processors. Access here →
• The Brazilian Data Protection Authority (ANPD) released a draft resolution on its application of administrative sanctions under the provisions of articles 52 and 53 of the LGPD to provide the necessary instruments for the exercise of the Authority’s sanctioning powers. The draft resolution contains specific sanctions, such as warnings, small fines, daily fines, the blocking and deletion of personal data relevant to the offense, and the banning of engaging in data processing-related activities. Read the draft resolution here → (in Portuguese)

2) Notable Case Law

• The Spanish Supreme Court ruled that data subjects can file complaints with DPA without exercising their rights (Articles. 15 to 22 of the GDPR) beforehand. Access here → (in Spanish)
• The Italian Data Protection Authority (Garante Privacy) imposed a fine of €70,000 on UniCredit S.p.A. for violating Articles 12 and 15 of the General Data Protection Regulation (GDPR) following the receipt of a complaint submitted by an individual. Find out more → (in Italian)
• The Danish Data Protection Authority (Datatilsynet) upheld its decision in Case No. 2020-431-0061, in which it found the Municipality of Helsingør in violation of three Articles of the General Data Protection Regulation (GDPR) and banned the use of Google Workspace for the Municipality. Read here → (in Danish)
• The French Data Protection Authority (CNIL) imposed a fine of €600,000 on Accor SA, for violations of Articles 12, 13, 15, 21, and 32 of the General Data Protection Regulation (GDPR) and Article L. 34-5 of the Postal and Electronic Communications Code (last amended in 2016), following complaints received by various European data protection authorities. Access the decision here → (in French)
• The European Data Protection Board (EDPB) published a binding decision under Article 65(1)(a) of the General Data Protection Regulation (GDPR). See here for the press release →

3) New and Upcoming Legislation

• The Brazilian Chamber of Deputies announced Bill 1515/22, which regulates the application of the Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) (LGPD) for purposes of state security, national defense, public security, and investigation and prosecution of criminal offenses. Access the press release →

4) Strong Impact Tech

• Multiple employees of Microsoft have exposed sensitive login credentials to the company’s infrastructure on GitHub, potentially offering attackers a gateway into internal Microsoft systems, according to a cybersecurity research firm that found the exposed credentials. Reported here →
• The top Internet regulator in China (Cyberspace Administration of China, CAC) has for the first time published a list of information on algorithms in some apps of internet giants, including Tencent, Alibaba, and ByteDance. Read about this story here →
• Twitch, a video game streaming platform owned by Amazon, has admitted to a significant data breach. According to Twitch, a hacker breached the service’s servers. Read about this story on our blog here →
• In a harsh whistleblower complaint, Twitter’s former head of security charged that the firm had handled user data and spam bots with “extreme, egregious deficiencies.” Full story here →

Other key information from the past weeks

• Google has been ordered to pay a fine of AUD 60 million to the Australian Competition and Consumer Commission for misleading consumers.
• The French DPA issued a €60 million preliminary warning of a fine against the advertising technology company “Criteo” for violations of the GDPR rules regulating processing practices through targeted advertising and user profiling.
• On 9 August 2022, the European Data Protection Supervisor recommended that the Council of the European Union enter into further negotiations with Japan to find an agreement on cross-border data flows.