The world of privacy legislation and the protection of personal data is constantly changing. Our bi-weekly Privacy Alerts keep you informed of the latest news and developments in the privacy field.
EDPB harmonises policy rules for privacy fines
The European Data Protection Board has drafted a set of new GDPR fine policy rules in an attempt to correct the current situation of all EU Data Protection Authorities operating within their own individual fine regimes. In the new system, one overall set of policy rules will determine the setting of fine amounts across the (European) board. Initially, as not all EU member states allow for sanctioning of national government agencies, the new guidelines will only apply to commercial organisations. Public institutions will be covered in additional provisions to be published at a later date. The new rules will be available for consultation until June 27 2022.
Twitter settles privacy case
As reported in a press statement by the U.S. Department of Justice, Twitter has agreed to a 150 million dollar settlement to resolve a privacy dispute that had been dragging on for multiple years. “Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads,” says the director of the FTC, the American Federal Trade Commission. “This practice affected over 140 million Twitter users.” With this settlement, Twitter has now removed the threat of criminal prosecution in the United States.
Dutch ACM: Online sales to be governed by more stringent rules
As of May 28 2022, additional rules will apply to online sales in the Netherlands as a way of offering consumers better protection in the digital economy. The new provisions include an explicit ban on posting “fake reviews” and a requirement for sellers to be transparent when offers are based on user profiles or a specific consumer’s purchase history. The new rules, to be enforced by the ACM (Autoriteit Consument & Markt, the Authority for Consumer and Market), will also apply to online services or digital content for which personal information, not actual currency, is the transactional compensation. In these scenarios as well, consumers have the right to information in advance, plus a period of reflection.
European DPA concerns on new money laundering legislation
Serious modifications are required to proposed new European legislation aimed at the prevention of money laundering by making it mandatory for banks and other financial institutions to run more extensive customer checks. In their current form, the proposals may result in account applications being refused for invalid reasons, while also leading to the unnecessary processing of potentially sensitive personal data, including religion- and health-related information. This is the position taken by the European privacy supervisors organised in the European Data Protection Board (EDPB).
While appreciating the proposed legislation’s intention of extending the scope of checks to be carried out by financial institutions, the EDPB is nevertheless concerned that the new requirements will also have undesirable side effects. These concerns have now been expressed in a letter to the European Parliament and the Council of the European Union.
European Commission publishes Q&A on SCCs
The European Commission has published a Q&A document on Standard Contractual Clauses (SCCs) for data transfers under the GDPR. As of December 27, all existing SCCs for international data transfers will cease to be valid and will be definitively replaced by the new clauses. According to the Commission, the Q&A document includes practical instructions on the use of SCCs and guidance on complying with the new standards. The EC adds that the document is intended as a ‘dynamic’ source of information, to be updated when new questions call for additional discussion.