The top story of the week: The ICO has concluded its report on the Data Broking Sector. In other news: the Swiss DPA has concluded that the Swiss-US privacy shield is not good enough, Google is becoming more stringent on the privacy front with the apps available on its Play Store, Apple is poking Google for privacy while it still struggles with its own faulty Privacy-Safe Mobile Attribution Solution.
Recap of the top privacy headlines:
The ICO report into the Data Broking Sector is out now.
The groundwork for the report revealed concerns around how data brokers were obtaining and using people’s data, as well as lawfulness, fairness and transparency. There were a tonne of non-complianct cases. Firms have been actively ignoring the “transparency” principle under the GDPR. The privacy information of the CRAs did not clearly explain their processing with respect to their marketing services.
Compliance is a legal necessity and companies need to undertake the necessary actions to become compliant within the given deadline. Those companies that are engaging in data broking activities must ensure individuals have the information required by Article 14 of the GDPR relating to the transparency factor. The CRAs were using personal data collected for credit referencing purposes for direct marketing purposes. This data must be recollected or the consent must be reobtained. Until then this is a legal violation.
To comply with the GDPR, CRAs must ensure that the consent is valid, if they intend to rely on consent obtained by a third party. Another valuable point made by the watchdog was that in an event where an objective LIA does not favour the interests of the organisation, the processing of that data must stop until that processing can be made lawful.
Read more here
Spanish AEPD guidance on Cookie Compliance
The Spanish Data Protection Authority’s (AEPD) guidance on cookie compliance must be Implemented by the 31st of October 2020. This guidance was published back in July. There are a lot of updates with respect to this guidance that all organisations must be aware of. These include the borrowed provisions from the EDBP guidance on cookie compliance and consent management as well.
Read more here
ICO’s simplified guidance on Subject Access Request
The guidance was published last year in December. It has now been implemented in a more refined shape. According to the guidance, the subject access request has been simplified and the case scenarios whereby the request is not valid have been explained as well. The ICO has also made many more changes and added additional content to the version that was previously published.
Read more here
Switzerland’s DPA concludes its verdict on the Swiss-US Privacy Shield
The broken privacy shield on the Schrems II judgment continued this week with the government deciding to announce that in Switzerland the Federal Data Protection and Information Commissioner (FDPIC) does not find the privacy shield to provide an “adequate level of protection for data transfer from Switzerland to the US pursuant to [Switzerland’s] Federal Act on Data Protection (FADP).”
The EDPB and European Commission is expected to provide further guidance on cross-border data transfers in light of Schrems II in the coming months.
Read more here
Google kills three popular apps for children over privacy violations
The International Digital Accountability Council (IDAC) has highlighted three of Google’s apps that are designed for children to be in violation of the privacy law. They are violating the privacy of users which in this case are children.
After pointing out the data collection violations, Google removed three of these popular apps for children from the Play Store. This was Google’s attempt to win back the public and legal trust of the users. The three apps which were removed include Princess Salon, Number Coloring and Cats & Cosplay. They are no longer available for use until further notice.
Read more here
Apple’s Privacy-Safe Mobile Attribution Solution is faulty
Apple’s iOS 14 is probably the most privacy-safe mobile operating system on the planet. But a major part of the planned functionality was delayed until 2021. At the time, Apple said the reason was that mobile developers weren’t ready yet.
There were serious concerns for advertisers especially Facebook and Google in terms of the ad possibilities and marketing data collection through this potential update. However, the recent findings show that the update was never ready to go. It has had bugs all along.
This goes to show that the company’s delay in the full implementation of this solution to an unspecified date in 2021 is because Apple itself is not ready rather than what was being shaped as an ecosystem and industrial problem for advertisers.
Read more here
In light of recent developments, it is imperative that an organization should train its staff members on their obligations with respect to the GDPR.
Here is an interactive and flexible GDPR training solution that can help you!
