September Newsletter
Privacy Optimization - Data Breach Management Tool
Data Breach Management Made Easy
News
1. TikTok may be fined £27,000,000 in the UK for failing to protect the privacy of children on its platform.
The Information Commissioner’s Office said the app may have processed the data of children under 13 without ‘appropriate parental consent’. Additionally, the investigation revealed that TikTok doesn't provide proper information to users in a “concise, transparent and easily understood way”. It also notes that TikTok may have processed special category data “without legal grounds to do so”. Special category data covers areas such as race, religion, political beliefs, and sexual orientation. The ICO will consider any input from TikTok before making a final decision. The company now has 30 days to respond. Read more here.
2. Proper functioning of the EDPB at risk
Andrea Jelinek, Chair of the European Data Protection Board (EDPB), and Wojciech Wiewiórowski, European Data Protection Supervisor (EDPS), expressed their concerns in an open letter to the European Parliament and the Council that “the 2023 budget, if not substantially increased, will be significantly too small to allow the EDPB and the EDPS to fulfill their tasks appropriately.” The letter highlights that the budget allocated to the EDPB for the year 2023, although increased by 14% compared to 2022, remains 17% below the ceilings of the EDPS contribution to the Multi-Annual Financial Framework, which was adopted in 2020. Moreover, the letter continues, the EDPB Secretariat is currently understaffed and at risk of no longer being able to fulfill its legal duties. It warns that, should this happen, the enforcement of individuals' data protection rights would be weakened and the credibility of the GDPR undermined. Jelinek and Wiewiórowski call upon President Metsola for support to perform correctly as the GDPR requires. Read letter here.
3. Danish DPA renders the decision against Google Analytics transfers
Denmark's data protection authority, Datatilsynet, became the latest EU authority to order a halt on the use of Google Analytics for data transfers to the U.S. without supplementary measures. On the basis of its review, the authority concludes that the tool cannot be used legally without further ado. Legal use requires the implementation of several additional measures in addition to the settings provided by Google. Organizations in Denmark that use Google Analytics must therefore assess whether their possible continued use of the tool is within the framework of the data protection rules. If this is not the case, the organization must either legalize its use of the tool or, if necessary, cease using the tool. Read more here.
Decisions
1. The Irish DPA (DPC) has imposed a fine of EUR 405,000,000 on Meta Platforms, Inc. (Instagram).
Meta Platforms, the well-known owner of Facebook and Instagram, was fined for violations of the EU General Data Protection Regulation’s rules on the processing of children’s personal data. The investigation began in 2020 and focused on children between 13 and 17 who could have accounts on Instagram. The DPA discovered that the email addresses and/or phone numbers of children using the Instagram business account feature had been unlawfully disclosed to the public. The publication of the email addresses and/or phone numbers of children did not meet the requirements under Art. 6(1)(f) GDPR, since the processing was either unnecessary or, if it were to be considered necessary, it did not pass the balancing test required when determining legitimate interest. The fine the DPA imposed on Meta is the second-largest fine imposed by an EU regulator for GDPR violations. It is also the first EU-wide decision on children’s data protection rights. Read more.
2. The French SA fines the economic interest group INFOGREFFE EUR 250,000
The CNIL carried out an online investigation following a complaint and checked the infogreffe.fr site for GDPR violations. During the registration process, users were informed that their personal data (bank details, first and last names, postal and e-mail addresses, phone and mobile phone numbers, secret question, and its answer) would be kept for 36 months from the last order for a service and/or document. However, the investigation revealed that 25% of data was kept beyond the decided retention periods. The manual anonymisation implemented, only on request from users, concerned a very small number of accounts. The CNIL also found that the organisation did not require the use of a strong password when creating an account on its website, and that it was impossible to set a secure password for the 3.7 million accounts because password size was limited. Moreover, the organisation kept members’ passwords, as well as the secret questions and answers used in the password reset procedure, in clear text in its database. On the basis of these findings, the restricted committee issued a fine of 250,000 euros on INFOGREFFE and decided to make it public. Read more here.
3. The DPA of Berlin has imposed a fine of EUR 525,000 on the subsidiary of a Berlin-based e-commerce group.
An investigation found an alleged conflict of interest concerning the DPO's employment status and decision-making responsibilities that violated Article 38(6) of the GDPR. The company received a warning from the regulator in 2021. The person was at the same time managing director of two service companies, which processed personal data on behalf of the company for which he was acting as a data protection officer. These service companies are also part of the group; they provide customer service and execute orders. The DPA saw a conflict of interest in this case and thus a violation of the General Data Protection Regulation. The supervisory authority therefore initially issued a warning against the company in 2021. A new inspection this year showed that the violation continued despite the warning, so the DPA imposed a fine of EUR 525,000. Read more.