TikTok facing $29M fine over U.K. children’s privacy violations
The Information Commissioner’s Office warned social media platform TikTok it could be fined £27 million (U.S. $29 million) for failing to protect children’s data in line with the U.K.’s version of the General Data Protection Regulation.
Ireland interpretations of GDPR criticized again in Instagram case
In fining Instagram a record €405 million (U.S. $405 million) for General Data Protection Regulation violations regarding the safeguarding of teenage users’ data, the Irish Data Protection Commission took some heat of its own.
CPE Webcast: Data discovery and compliance with data protection legislation
There is an increasing need for effective data discovery in the worldwide push toward data protection and privacy legislation. Data privacy laws have been passed in 71 percent of countries, and a further 9 percent have draft legislation in progress.
South Korea data regulator fines Google, Meta combined $72M
South Korea’s data regulator fined Google and Meta a total of ₩100 billion (U.S. $72 million) for violating the country’s personal data collection law, which forbids the collection and use of personal information without user consent.
Dems seek stronger HIPAA privacy for abortion patients
Democratic senators are urging the Department of Health and Human Services to strengthen federal health privacy protections for abortion patients by updating the HIPAA Privacy Rule.
Experts: Europe’s AI Act to push companies to confront technology’s use
The Artificial Intelligence Act, along with upcoming EU rules addressing digital markets and services, should have companies considering their use of AI and other emerging technologies to determine how the laws might impact their business.
Instagram facing record $401M fine over children’s privacy violations
Instagram is set to be fined €405 million (U.S. $401 million) by Ireland’s data protection regulator for failing to adequately secure teenage users’ data in line with the General Data Protection Regulation.
FTC sues Kochava for collecting, selling mobile phone user data
Data broker Kochava has been sued by the Federal Trade Commission for selling geolocation data on hundreds of millions of mobile phone customers that could unveil sensitive personal information without their knowledge or consent.
Accor fined $600K under GDPR after EDPB intervention
French hotel chain Accor had its initial fine for cross-border data privacy violations increased sixfold after one data regulator involved in the decision-making process complained an original penalty of €100,000 (U.S. $99,900) was too low.
Sephora fined $1.2M in first public CCPA enforcement
Cosmetics retailer Sephora agreed to pay $1.2 million in the first public enforcement action under California’s landmark consumer privacy law.
Snap agrees to $35M settlement in Illinois biometric data lawsuit
Social media company Snap reached a $35 million settlement in principle to resolve an Illinois class-action lawsuit alleging violations of the state’s Biometric Information Privacy Act through the collection of “facial biometric identifiers” without users’ consent.
Google fined $42M for misleading Australian customers on data collection
Google was ordered to pay 60 million Australian dollars (U.S. $42 million) to resolve charges levied by Australia’s competition regulator it misled its Australian customers about how to opt out from the collection of their personal location data.
FTC seeks to expand authority on data breaches, commercial surveillance
The Federal Trade Commission is seeking comment on potential rules that would penalize companies that suffer data breaches due to lax cybersecurity protocols and punish firms that engage in abusive commercial surveillance practices.
Adtech firm Criteo facing $61M GDPR fine in France
Adtech firm Criteo faces a proposed fine of €60 million (U.S. $61.4 million) from France’s data protection authority for noncompliance with the European Union’s General Data Protection Regulation.
CPE Webcast: Is your retention program ready for a penetration test?
As organizations continue to collect and manage data, it is critical they understand the data retention requirements within their jurisdictions and the periods in which the data needs to be retained and respond to data subject access requests efficiently and defensibly.
Proposed NIST cybersecurity guide incorporates HIPAA Security Rule
The National Institute of Standards and Technology is seeking comment on proposed guidance intended to help healthcare organizations that fall under the regulatory umbrella of the Health Insurance Portability and Accountability Act’s Security Rule.
One year later, Amazon GDPR fine details remain clouded
It’s been one year since online retailer Amazon announced it was on the receiving end of a record €746 million (U.S. $758 million) fine under the General Data Protection Regulation, but details about the decision—as well as the actual complaint—remain sketchy.
Volkswagen fined $1.1M under GDPR for unauthorized data collection
Volkswagen has agreed to pay €1.1 million (U.S. $1.1 million) to resolve allegations of violating the General Data Protection Regulation when a camera on one of its test vehicles recorded nearby drivers without their knowledge.
EDPB adopts criteria for GDPR cross-border cooperation cases
The European Data Protection Board adopted a set of criteria to assess whether a cross-border matter might qualify as a case of “strategic importance” for closer cooperation—and how to proceed if it does.
Clearview AI fined third time for GDPR violations
The Hellenic Data Protection Authority in Greece fined controversial facial image aggregator Clearview AI a record €20 million (U.S. $19.9 million) for unlawfully processing the biometric data of Greek citizens.
EDPS: U.K. GDPR reforms could create friction with EU
The United Kingdom’s keenness to agree to its own data adequacy decisions with countries like the United States could become a contentious issue with the European Union, according to European Data Protection Supervisor Wojciech Wiewiórowski.
Facebook fate in EU thrusts transatlantic data flows back in spotlight
Reports of a potential shutdown of Meta services Facebook and Instagram in the European Union that could take place as soon as this summer underscore what’s at stake as the region works with the United States to finalize a new agreement on how to handle transatlantic data flows.
U.K. data reform plan seeks to reduce ‘unnecessary burdens’ of GDPR
The U.K. government announced plans to reform the country’s data privacy laws to simplify procedures for businesses and reduce red tape, but the proposals might clash with certain elements of the EU’s General Data Protection Regulation.
Experts: How to move forward with the GDPR
Data privacy experts speaking at an industry event believe the mechanisms in place under the General Data Protection Regulation to ensure compliance, enforcement, and redress need revisiting—and quickly.
European Commission assessing GDPR improvements, not overhaul
Three key members of the European Commission believe the General Data Protection Regulation should be enhanced by targeting aspects of data privacy through other laws rather than revamping the GDPR itself.
GDPR blame game: Who’s at fault for spotty enforcement record?
Regulators and privacy experts speaking at the European Data Protection Supervisor’s conference homed in on the flaws of the General Data Protection Regulation and what improvements need to be made to ensure more consistent enforcement of the law.
Google fine in Spain prompts revisit of GDPR effect on tech
Google’s latest fine for violations of the General Data Protection Regulation reignites the discussion around why Big Tech firms have not been more frequently penalized under the EU’s stringent privacy law.
California privacy board moves forward with draft CPRA regulations
The California Privacy Protection Agency unveiled draft rules for the soon-to-be enacted California Privacy Rights Act at its board meeting.
Bipartisan data privacy bill seeks to break through Congressional logjam
A bipartisan bill attempting to end the gridlock in Congress over crafting a federal data privacy law was introduced by a pair of Republicans and a Democrat.
Twitter agrees to $150M settlement with DOJ, FTC over data privacy lapses
Twitter agreed to a $150 million settlement with the Department of Justice and Federal Trade Commission for violating a 2011 administrative order by “misrepresenting” how it used nonpublic user information.
GDPR enforcement roundup: Spain stays on Vodafone, record fine in Poland
Vodafone running up its fine total in Spain and a record-setting action against a marketing firm in Poland highlight a roundup of notable enforcements announced under the General Data Protection Regulation during the first five months of 2022.
Four years of GDPR: New tech testing data privacy law’s longevity?
It has been four years since the European Union’s flagship data privacy legislation came into force, but concerns are already being raised about whether the General Data Protection Regulation is being outpaced by technological developments and their use of data.
Oct. 25 | Why your CPRA compliance strategy is broken and how to fix it
It is critical for organizations to carefully assess their CPRA compliance programs to identify gaps, avoid pitfalls, and minimize risks. Even organizations that have implemented a CCPA compliance program will need to consider enhancements to meet CPRA requirements.
ICO fines Clearview AI $9.4M over alleged data privacy lapses
The U.K. Information Commissioner’s Office fined Clearview AI more than £7.5 million (U.S. $9.4 million) for collecting people’s images from internet and social media sites without their knowledge or consent.
Spanish DPA fines Google $10.6M for GDPR violations
Spain’s data protection authority has issued a record fine of €10 million (U.S. $10.6 million) against Google for two “serious infractions” of the EU’s General Data Protection Regulation regarding its sharing information with U.S. legal database Lumen.
Connecticut fifth state to pass comprehensive data privacy law
Connecticut has joined four other states in passing a comprehensive data privacy law that requires companies to provide consumers with information about the personal data they collect.
CPE Webcast: Data: The ‘new gold’ or ‘new liability’?
If organizations can wrest new insights from the data they harvest and process it can be a valuable business asset, but it has some serious limitations and can become a huge liability if they aren’t ensuring they are protecting the data.
FTC chair: Agency reassessing rules amid current U.S. privacy landscape
The Federal Trade Commission is considering new rulemaking around commercial surveillance and lax data security practices while assessing whether other laws in place need to be updated, agency Chair Lina Khan said in a recent speech.
Bank of Ireland fined $504K for credit rating data breaches
Bank of Ireland was fined €463,000 (U.S. $504,000) after an investigation by the Irish Data Protection Commission found customer data was accidentally altered in a way that could have damaged credit ratings and prevented getting loans.
Danske Bank fined $1.5M for data processing failures under GDPR
The Danish Data Protection Agency has reported Danske Bank to the police and fined it 10 million Danish kroner (U.S. $1.47 million) over its failure to erase customers’ personal data in its systems in violation of the General Data Protection Regulation.
e-Book: How technology enables data protection
A Compliance Week and BRYTER survey analyzed 81 responses from compliance and legal practitioners who ranked data privacy and cybersecurity threats the No. 1 biggest risk entering 2022.
Closing the data risk gap: How technology enables data protection
Legal and compliance teams ranked data privacy and cybersecurity threats the No. 1 biggest risk entering 2022. Further survey results reveal roadblocks to organizations’ proactive compliance.
New Utah privacy law ‘lighter’ than predecessors
Utah has become the fourth U.S. state to pass a comprehensive data privacy law, with others potentially on the way during this legislative session. Experts weigh in on how the Utah law compares to its counterparts in California, Colorado, and Virginia.
Experts optimistic, though wary, toward Privacy Shield successor
Legal and data privacy experts have expressed cautious optimism regarding the announcement that the United States and European Union have reached an agreement in principle to resume transatlantic data flows.
Third time’s the charm? Agreement in principle reached on U.S.-EU data flows
The United States and European Union have reached an agreement in principle on how to handle transatlantic data flows, a thorny issue that has resulted in two prior frameworks being scrapped by the EU’s top court.
New ICO head strives for reassurance in first speech
John Edwards, head of the U.K. Information Commissioner’s Office, said he wants to bring greater certainty for companies regarding their data compliance needs, especially if the government’s drive to reduce regulatory burdens results in the EU withdrawing its data adequacy decision.
Momentum building toward Privacy Shield replacement?
Recent comments by EU and U.S. lawmakers and insights from privacy experts suggest a new mechanism to replace the defunct Privacy Shield and ensure safe transatlantic data transfers might soon be introduced.
How EU regulators are warning of Russian data protection threats
Regulators in Norway, Germany, Lithuania, Estonia, Denmark, and Sweden address how companies can prepare for increased data protection and cybersecurity risks in the wake of Russia’s invasion of Ukraine.
Former CafePress owner to pay $500K in FTC settlement over data breach
Residual Pumpkin Entity, the former owner of CafePress, must pay $500,000 in redress under a proposed settlement with the Federal Trade Commission addressing allegations CafePress failed to secure personal data and covered up a data breach.
Meta fined $18.6M under GDPR for 2018 data breaches
The Irish Data Protection Commission fined Meta’s Irish subsidiary 17 million euros (U.S. $18.6 million) for a series of personal data breaches that took place nearly four years ago.