Hello Friends,
Indian Parliament withdraws Personal Data Protection Bill.
Parliament plans to draft fresh legislation and identifies four key clauses to be either dropped or fine-tuned to facilitate ease of doing business and achieve regulatory simplicity.
This news and more, in this fortnights' Data Privacy Insights- curated privacy news from across the globe.
Enjoy reading!
Privacy Enforcement
CNIL Fines AdTech Company for GDPR Consent Breaches
France’s data protection authority the Commission National de l’informatique et des Libertes issued a 60 million euro fine to advertising technology company Criteo over EU General Data Protection Regulation violations. The fine stems from the investigation of a 2018 complaint into Criteo's data processing practices related to targeted advertising and user profiling.
Google LLC to Pay $60M to Australian Competition and Consumer Commission for Misleading Representations
Google agreed to pay an AU$60 million fine to the Australian Competition and Consumer Commission. A federal court found Google misled Australian consumers into believing the company was not collecting their location data with Android devices. At the center of the case was if it was understood by consumers that Google would collect their data even if the location history was turned off while their web activity was turned on or if mobile applications were in use.
Data Breach
University of Western Australia’s Student Record System Breached
Officials at the University of Western Australia discovered a data breach that potentially compromised the personal data of current and former students. The breach affected the university’s Callista student database. The university’s Vice Chancellor said the breach was discovered after an unauthorized user logged into Callista. The data in the system included student names, addresses, phone numbers, emails, and photos.
1M Kashmir University Students’ Data Stolen
A hacker named “ViktorLustig” claims to have stolen data belonging to 1 million students from the University of Kashmir’s database. The hacker declared the data he stole included student registration numbers and email passwords. He offered to sell the data for USD 250.
Privacy in Spotlight
British Parliament Deactivates its TikTok Account
British Parliament deactivated its TikTok account after several MPs were sanctioned by the Chinese government. MPs wrote a letter to the speakers of the Commons and Lords that called for the account to be taken down. In their letter, the MPs underscored the requirement for companies to turn over data to the government when requested under China’s National Intelligence law. TikTok officials denied turning data over to the Chinese government, despite its ownership by ByteDance.
Google Asks Judge to Deny Class-Action Status in Data Collection Lawsuit
Google asked a federal judge to deny class-action status to a group in a lawsuit against the company for collecting data from Chrome users browsing in “incognito” mode. The plaintiffs alleged Google failed to properly inform users about how their data is collected while incognito, in violation of U.S. and California state privacy laws. According to court filings, Google argued while some users may be “confused” as to how incognito collects their data, a “substantial number" of users are aware of how the feature collects data.
Regulations
Indian Parliament Cites Areas of Refinement for Next Data Protection Bill Draft
The government mapped out four topics to consider dropping or fine-tuning in its fresh data protection proposal. The topics include regulation of hardware and devices, data localization requirements, regulatory authorization for every cross-border data transfer, and penalties on global turnover for any violation. Parliament is expected to run public consultations on each topic before arriving at final provisions.
Datatilsynet Publishes Cloud Services Questionnaire for Data Controllers
Denmark's data protection authority, Datatilsynet, published a questionnaire for data controllers using the cloud. The questionnaire comes amid inspections conducted by Datatilsynet regarding the use of the cloud by public and private entities. The inspections followed recent guidance issued by the Norwegian DPA for using cloud services. In the Danish DPA’s questionnaire, data controllers are surveyed in four areas: knowing their services, knowing their cloud services supplier, understanding the supervision of suppliers, and transferring data to third countries.
Data Protection Authorities of Moldova and Poland sign Data Protection Agreement
Data Protection Authorities of Moldova and Poland signed the bilateral Personal Data Protection Cooperation Agreement, according to Moldova’s National Center for Personal Data Protection (NCPDP). The agreement calls for developing relations between Moldova’s NCPDP and the Office for Data Protection of the Republic of Poland to promote good practices to safeguard citizens' data.
California Children’s Privacy Bill on the Verge of Final Passage
Assembly Bill 2273, the California Age-Appropriate Design Code Act, includes provisions for children’s data protection and limits to online exposure for minors under age 18 that are comparable to the U.K. Age Appropriate Design Code. The California Privacy Protection Agency will receive exclusive enforcement powers.
Big Tech Prepares Response Plan for EU Digital Markets Act
U.S.-based Big Tech companies are planning efforts to comply with or challenge the EU Digital Markets Act. European Commission Directorate-General for Communications Networks, Content and Technology Gerard de Graaf said “There will be litigation, no doubt,”. He added that he and the Commission's San Francisco office “would like a constructive discussion with the platforms rather than an adversarial discussion" while acknowledging that "some of these concerns may need to be tested in court."