We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

EU-US Data Privacy Framework UPDATE:

On Tuesday, 13th December, the European Commission began the process for the adoption of an adequacy decision for the EU-US Data Privacy Framework, which would promote safe trans-Atlantic data transfers.

Access the press release here →

1) Newly Published Documentation

• The European Data Protection Board (EDPB) adopted three dispute resolution decisions based on Article 65 GDPR concerning Meta Platforms Ireland Limited. The decisions (which have not been disclosed publicly) relate to whether or not the processing of personal data for the performance of a contract is a suitable legal basis for behavioral advertising. More about this story on iubenda →
• Transparency in the online advertising market, dark patterns, and ‘cookie fatigue’ are all topics that the European Commission might regulate in the next mandate. Reported here →
• The UK data protection authority (ICO) launched a new direct marketing hub containing, among others, guidance and resources on direct marketing and a step-by-step guide specifically for small and medium businesses. Access here →
• The French data protection authority (CNIL) has published its guide for developers to build their functionality online in line with the requirements of the EU General Data Protection Regulation. Access the guide →

2) Notable Case Law

• The Court of Justice of the European Union (CJEU) decided that Google must remove inaccurate information from an online search if users can prove it wrong. Read about this on our blog →
• The CJEU also declared the action for annulment brought by WhatsApp Ireland Ltd against the binding decision 01/2021 of the European Data Protection Board (EDPB) on GDPR transparency obligations to both users and non-users of the service as inadmissible. The Authority’s summary can be found here →
• U.S. social media app Clubhouse, which became popular during the COVID-19 lockdowns, has been hit with a €2 million fine for violations of the GDPR. Reported here →
• The UK data protection authority (ICO) imposed five monetary penalty notices totaling £435,000 on five different companies for violations of Regulations 21 and 24 of the Privacy and Electronic Communications Regulations (PECR) regarding their marketing practices, following investigations by the ICO and the receipt of complaints by individuals. Read here →
• The French data protection authority (CNIL) imposed a fine of €300,000 against Free SAS, an internet service provider, for the violation of a number of General Data Protection Regulation’s Articles in relation to the failure to respect data subject rights and to ensure the security of user data, following audits conducted by CNIL. Access here → (In French)

3) New and Upcoming Legislation

• The Czech Presidency of the Council of the European Union adopted the framework scheme for the EU digital identity. The Council stated that the scheme would create digital wallets with ‘universal access for individuals and companies to secure and reliable electronic identification and authentication. The scheme brings, according to proponents, “a huge advancement in the way people use their identity and credentials” while users “retain control over their data”. Read the press release here →
• The Data Act section designed to make it easier to migrate from one cloud provider to another has undergone major revisions after the revised compromise text was circulated Thursday, December 8. Reported here →

4) Strong Impact Tech

• Apple has unveiled a number of security and privacy enhancements that the company is promoting as a means to assist users in protecting their data from hackers. Civil rights and privacy groups have long fought for one of these enhancements. Reported here →

Other key information from the past weeks

• The Information Commissioner’s Office (ICO) and Ofcom, the communications regulator, released a joint statement on their coordinated approaches to data protection and online safety.
• The “Privacy Legislation Amendment Bill 2022,” which changes the Privacy Act 1988, has received final approval from the Australian Parliament.
• The Italian Data Protection Authority (Garante Privacy) fined Douglas €1.4 million for improperly storing the data of almost 3 million clients without their permission.