Week in Review
This week, the Irish Data Protection Commission fined Meta €17M following an inquiry into 12 different data breaches over six months (June and December 2018).
According to the commission, Facebook breached EU data privacy laws and failed to have in place appropriate organisational and technical measures that would enable it to readily demonstrate the security measures that it implemented to protect EU users’ data.
The DPC is not unfamiliar with fining social media giants. For example, in September 2021, the commission fined WhatsApp $247M for failing to comply with GDPR transparency regulations and Twitter $547k in December 2020 for being too slow in notifying Android smartphone users of data breaches.
Top Stories and Updates
FTC accused Weight Watchers of illegally using kids’ sensitive data
US regulators have charged Weight Watchers with illegally collecting information on children as young as eight years old through a diet app, including their personal information, and with violating the Children’s Online Privacy Protection Act of 1998, which requires parental consent for collecting or using any personal data from users under the age of 13. Read more here.
ICO publishes guidance on video surveillance in UK
The ICO published video surveillance guidance to assist organisations in the public and private sectors that utilise video surveillance systems to collect and process personal data in complying with the UK GDPR and Data Protection Act 2018. The recommendations in the advice are based on UK data protection law principles and are organised around the surveillance system’s life cycle and practical operation. Read more here.
CNIL provides practical advice for DPO role, tasks, and appointment
New guidance from France’s Data Protection Authority, the CNIL, highlights critical factors when appointing an internal or external DPO. The majority of this advice applies to any country within the EU Economic Area when appointing a DPO. The DPO must, in general, be easily accessible to data subjects and the DPA. The CNIL thus recommends that the DPO be based in the European Union, regardless of whether the data controller or data processor is based there. Read more here.
COVID passport apps put users’ privacy at risk
Symantec (via Bleeping Computer) conducted a study that evaluated 40 digital vaccine passport applications and ten validation applications (scanners used by individuals verifying vaccine statuses). The firm discovered that 27 pose some privacy and security risks, which should concern anyone who uses these apps for travel or access to places. Read more here.