January Data Protection Bulletin
Welcome to the latest edition of our Monthly Data Protection Bulletin, where we keep you informed on the latest key insights, government regulatory activity, and enforcement actions in the world of data protection.
This month, we will be diving into the latest developments and trends in data privacy, discussing how businesses and organisations can stay compliant with data protection laws, and exploring the consequences of non-compliance. Whether you’re a data privacy professional or simply interested in staying informed, this bulletin is your go-to source for all things data protection.
View December’s Data Protection Bulletin.
Categorised into:
- Key Insights
- Government Regulatory Activity
- Enforcement Actions
KEY INSIGHTS
On 28 January 2023, the 17th edition of Data Protection Day was celebrated globally, although its often called ‘Privacy Day’ outside Europe. It started in 2006 when the Council of Europe decided to launch a Data Protection Day, to be celebrated each year on 28 January.
To commemorate the day, we made several informative posts to help organisations be more aware of how robust data protection and information security systems can improve the business and the experiences of staff, customers and other stakeholders. You can read our blog on practical steps businesses and public sector organisations can take to integrate data protection into their operations effectively.
We also released more free posters that can be distributed and shared around your homes and offices. Print them off, share them with your staff, and use them as a tool to start important conversations about data protection.
GOVERNMENT AND REGULATORY ACTIVITY
EU NIS Directive Takes Effect
On January 16, 2023, the Directive on measures for a high common level of cybersecurity across the Union (the “NIS2 Directive”) entered into force. The framework will replace the original NIS Directive, which was introduced in 2016 as the first EU-wide cybersecurity legislation.
The Directive on security of network and information systems (the NIS Directive) provides legal measures to boost the overall level of cybersecurity in the EU using measures such as broader reporting obligations for data incidents, and significant potential penalties including:
- For organisations defined as essential entities, of at least up to €10 million or 2% of the worldwide annual turnover.
- For organisations defined as important entities, of at least up to €7 million or 1.4% of the worldwide annual turnover
ENFORCEMENT ACTIONS
Google settles two more location tracking lawsuits worth $29.5 million in US
Google has settled two more location tracking lawsuits worth $29.5 million filed in Washington, DC and Indiana states in the US.The search giant is required to pay $9.5 million to Washington, DC and $20 million to Indiana after the states sued the tech giant for allegedly tracking users’ locations without their consent.
In addition to the multimillion-dollar settlement, as part of the negotiations with the AGs, Google has also agreed to significantly improve its location tracking disclosures and user controls starting in 2023.
CEO Held Personally Liable for Data Breach
The Federal Trade Commission has finalised an order with online alcohol marketplace Drizly and its CEO over security failures by the company that the FTC said led to a data breach exposing the personal information of about 2.5 million consumers. The FTC said Drizly failed to implement basic security measures, stored critical database information on an unsecured platform, and neglected to monitor security threats.
The FTC’s order imposes several conditions on Drizly, and also mandates its CEO to implement an information security program at all future companies and where he is a majority owner, CEO, or senior officer, and where the operations involve collecting consumer information from more than 25,000 individuals.
Apple fined €8M in French privacy case
France’s data protection authority CNIL has fined Apple €8 million for privacy violations.
The regulator found that the U.S. tech giant did not “obtain the consent of French iPhone users (iOS 14.6 version) before depositing and/or writing identifiers used for advertising purposes on their terminals,” according to a statement released Wednesday. The case stems from a March 2021 complaint lodged by startup lobby France Digitale, which argued Apple did not respect data protection rules.
Ireland fines Meta €390m over Facebook and Instagram Breaches
On 04 January 2023, the data protection authority in Ireland, the Data Protection Commission (DPC) announced two new fines for Meta – €210m for its Facebook operation and €180m for Instagram for GDPR breaches. In addition with other enforcement actions, the DPC also ordered Meta to change its data protection practices within three months. Those changes may have more of a lasting effect on Meta than the fines. The two fines come in at fifth and sixth places respectively in the largest GDPR fines of all time – Meta also occupy places 2, 3 and 4.
Twitter In Data-Protection Probe After ‘400 million’ User Details Up For Sale
A watchdog is to investigate Twitter after a hacker claimed to have private details linked to more than 400 million accounts.
The DPC announced it was investigating that earlier breach on 23 December.
As Twitter’s European headquarters are based in Dublin, the commission is the lead authority supervising its compliance with EU data-protection rules.
To view our last bulletin, for any updates you may have missed, click here or check out the latest bulletin for February. If you need to get in touch for any enquiry; you can reach us at info@dataprivacyadvisory.com or call 0203 3013384.