During the transition period until 31 December 2020 while the UK and EU negotiate additional arrangements. The GDPR will be retained in domestic law at the end of the transition period, but the UK will have the independence to keep the framework under review. Several important considerations will influence data protection and business activity once the transition period is over. You may be exposing your business to risk and damages. Seers can help you eradicate these with a complimentary consultation. Redeem the free consultation at the end of the blog.
You may be exposing your business to risk and potential damages. Seers can help you mitigate these challenges with a 30-minute complimentary consultation with a leading privacy expert.
Meanwhile, in the privacy world: fines, new regulations, bans on apps & businesses and tougher constraints across the world.
So, let’s get into the top stories of the week.
Impact of Brexit on privacy compliance for businesses:
The UK has 30 days to become fully compliant with the Brexit data protection policies and data transfer measures under the GDPR. All requirements must be met before 1st of January 2021, which is a month from today.
Read more here.
CNIL fines Carrefour £2 million for breaching cookie consent under EU privacy rules
French watchdog CNIL has fined two of Carrefour’s subsidiaries a total of £2 million for breaching European Union data privacy rules, it said on Thursday.
The watchdog said Carrefour France and Carrefour Banque, the French retailer’s financial services subsidiary, had failed to properly inform internet users about loyalty programmes and credit card applications on their respective websites.
Read more here
Vodafone Italy fined more than £10 million under GDPR for telemarketing tactics
The Italian arm of multinational telecommunications company Vodafone is facing a fine of more than £10 million under the GDPR for aggressive telemarketing practices.
This is not among the first complaints from service providers. The GDPR and PECR limit the scope of telemarketing to end users unless a legitimate interest is shown.
Read more here.
WhatsApp Ireland reserves £68 million for potential GDPR fine
The Irish arm of WhatsApp has set aside £68 million for possible administrative fines arising from long-standing investigations by Ireland’s data regulator into the way the messaging platform shares data with Facebook.
Read more here.
Facebook to pay Illinois users £485 million to settle a privacy case
Based on a tally filed in court after Monday’s claims deadline, some 1.57 million people will probably pocket more than £200 each. This is about a third of the £485 million settlement fund that is set aside for their attorneys and administrative costs.
In the lawsuit, the social network was accused of collecting biometric images from its photo-tagging feature without consent. This is a serious breach and can cause further damages if more cases surface.
Read more here
Canadian CPPA: What you need to know
Canada will be launching its own privacy protection framework. The Personal Information Protection and Electronic Documents Act 2000 (‘PIPEDA’) will be tweaked to meet these new emerging needs.
Key changes that will impact businesses include:
- modernised consent rules;
- data interoperability and algorithmic transparency provisions;
- modified privacy policy requirements;
- establishment of rights to erasure and data portability;
- expanded enforcement and oversight powers for the Office of the Privacy Commissioner of Canada (‘OPC’);
- increased penalty provisions;
- establishment of sector-specific codes and practices; and
- the creation of a tribunal system.
Read more here.
WHO’s Statement on data protection and privacy during COVID-19
The United Nations and all bodies support the adoption of the following joint statement, in line with the UN Personal Data Protection and Privacy Principles adopted by the UN System Organizations. This is to support its use of data and technology during the ongoing COVID-19 pandemic. The right to privacy and other human rights promotes economic and social development.
- Legitimate collection and usage
- Ensure appropriate confidentiality, security, time-bound retention and proper destruction or deletion of data in accordance with the aforementioned purposes;
- Ensure that any data exchange adheres to applicable international law, data protection and privacy principles, and is evaluated based on proper due diligence and risks assessments;
- Be subject to any applicable mechanisms and procedures to ensure that measures taken with regard to data use are justified by and in accordance with the aforementioned principles and purposes, and cease as soon as the need for such measures is no longer present; and
- Be transparent in order to build trust in the deployment of current and future efforts alike.
Read more here.
Amazon’s Pharmacy venture exposes users to privacy risks
Amazon’s new online pharmacy business will sell brand and generic prescription medications that consumers can purchase through Amazon Prime for a discount.
Collecting the sensitive patient data required means Amazon will have to navigate its way through various overlapping federal and state privacy and data security laws. The company’s sizable footprint puts it squarely in several enforcement agencies’ sights. Its efforts to protect privacy are concealed at the moment.
Read more here.
Understanding the new California Privacy Rights Act
California voters have spoken: in November 2020, they voted to enact the California Privacy Rights Act (CPRA), which will mark a significant expansion of California’s existing privacy laws when it takes effect on January 1, 2023.
While the CPRA maintains the core framework of the predecessor California Consumer Privacy Act (CCPA), it introduces a number of substantive changes to the CCPA, in many ways inspired by the EU’s broad General Data Protection Regulation.
As a result, compliance will necessitate a careful review of existing practices and thoughtful changes to contracts, privacy notices, individual rights, response procedures and other privacy operations.
Read more here.
Complimentary Brexit privacy compliance consultation
As we move towards the end of the Brexit transition period, organisations need to ensure that they have the relevant policies, processes and procedures in place to remain compliant with data privacy regulations, including data sharing agreements, a data transfer strategy, an EU/UK Representative and more.
Seers is offering a free 30-minute consultation with a leading Privacy Expert to help you prepare for Brexit and become compliant with data privacy regulations. You can use this free consultation to reduce any chances of litigation, fines and reputational damage by identifying any key gaps and risks and implementing strategies to reduce these risks and any potential threats to the bare minimum.