Category: Regulatory News

The fate of Meta’s data transfers to the U.S. could hinge on an Article 65 dispute resolution mechanism in the EU, after Ireland’s Data Protection Commission was unable to resolve objections from other EU data protection authorities to its draft enforcement decision. Politico reporter Vincent Manancourt originally broke the news, which was then confirmed by the DPC in an email to The Privacy Advisor. “We haven’t been able to resolve the objections raised on our draft decision and have to…

The largest companies across the technology sector have been hit by tens of thousands of layoffs in recent months. Unable to maintain major growth experienced during the height of the COVID-19 pandemic, many such companies look to cut back and privacy professionals have not been immune. Just last week, Google announced it is laying off 12,000 employees and Amazon notified employees of a second round of layoffs as part of a plan to reduce staff by 18,000 people. Earlier this…

With 2022 behind us, what will companies need to address for U.S. privacy laws in the first half of 2023? New regulations. The latest regulation drafts for California and Colorado have a number of requirements that differ from the statutes and may require changes to privacy operations and business practices. Here are nine areas that may require changes: 1. Adjusting individual rights receipt and response processes Both drafts specify how companies must receive individual rights requests, and when multiple methods…

Data anonymization is an important tool for organizations to protect the personal data of individuals, while averting the onerous requirements of the EU and U.K. General Data Protection Regulations. Unfortunately, guidance on this subject is often unclear, with standards for anonymization differing among jurisdictions. This article provides privacy practitioners with a concise guide to understanding these divergent approaches. It further discusses ways in which the European Data Protection Board, due to adopt anonymization guidelines as part of its 2021/2022 work programme,…

On January 4, 2023, the Irish Data Protection Commission (“DPC”) announced the conclusion of two inquiries into the data processing practices of Meta Platforms, Inc. (“Meta”) with respect to the company’s Instagram and Facebook platforms. As a result of the investigations, the DPC fined Meta a combined €390 million for breaches of the EU General Data Protection Regulation (“GDPR”) and, following consultation with the European Data Protection Board (“EDPB”), notably held that Meta can no longer rely on the GDPR’s…

On January 3, 2023, an Illinois state court entered a preliminary approval order for a settlement of nearly $300,000 in a class action lawsuit against Whole Foods for claims that the company violated the Illinois Biometric Information Privacy Act (“BIPA”). The plaintiffs alleged that Whole Foods unlawfully collected voiceprints from employees who worked at the company’s distribution centers.  In the case in the Circuit Court of Cook County, Illinois, Chancery Division, the plaintiffs alleged that, by requiring them to use…

The U.S. Supreme Court has rejected a bid by NSO Group to block a WhatsApp lawsuit accusing the Israeli tech firm of allowing mass cyberespionage of journalists and human rights activists. The Supreme Court denied NSO’s plea for legal immunity and ruled that the case, which targets the company’s Pegasus software, can continue in a California federal court, a court filing showed. Pegasus gives its government customers — which have allegedly included Mexico, Hungary, Morocco and India — near-complete access…

Ireland’s Data Protection Commission (DPC) announced on January 4, 2023, that it has fined Meta a total of €390 million after finding that the company’s Facebook and Instagram platforms lacked proper legal grounds for processing millions of Europeans’ personal data for targeted advertising. In addition to posing challenges for Meta’s business model, the DPC’s two decisions reflect growing disagreement among European data protection authorities (DPAs) on two fronts.  The first relates to the use of ‘contractual necessity’ as an appropriate…

A US jury has ordered Bayer subsidiary Monsanto to pay $857 million (£676 million) to seven people – including former students and parent volunteers at a school in Washington state – who said they were sickened by exposure to polychlorinated biphenyls (PCBs) that the company sold. The PBCs were apparently used in fire safety fluid in the school that leaked from its light fixtures, and the plaintiffs reported neurological, endocrine and other health problems. Monsanto explains that the claims in…

On December 29, 2022, the French Data Protection Authority (the “CNIL”) announced that it imposed an €8,000,000 fine on Apple for violations of the French rules on targeted advertising and the use of cookies and similar tracking technologies. Background The CNIL received a complaint concerning Apple’s ad personalization practices on the App Store and carried out several investigations between 2021 and 2022. The CNIL’s investigations concluded that Apple was collecting the identifiers of users that visited the App Store using…

An internal investigation by parent company ByteDance confirms that employees obtained personal data from reporters who were probing Beijing’s influence on the app’s activities ByteDance, the Chinese technology giant that owns TikTok, admitted Thursday that several employees of the social network spied on journalists from Forbes magazine who were investigating the link between the company’s US branch and China. The information first came to light in October but was confirmed on December 23 by Forbes, which had access to an…

Meta Platforms Inc CEO Mark Zuckerberg’s Chan-Zuckerberg Initiative-backed Byju’s —​​India’s largest online education firm — has been accused of bullying parents to buy courses. What Happened: India’s National Commission for Protection of Child Rights, or NCPCR, said the edtech company is targeting first-generation learners and forcing parents to buy courses after purchasing their phone numbers, ANI reported. Priyank Kanoongo, the chairperson of NCPCR, said that the body has initiated action and will send a report to the government. “We came…

The Department of Justice, together with the Federal Trade Commission (FTC), today announced a settlement that, if approved by a federal court, will require Epic Games Inc. (Epic Games) to pay $275 million in civil penalties as part of a settlement to resolve alleged violations of the Children’s Online Privacy Protection Act (COPPA), the Children’s Online Privacy Protection Rule (COPPA Rule), and the Federal Trade Commission Act. Epic Games will also be subject to a permanent injunction regarding children’s personal…

On 2 November 2022, the Portuguese Data Protection Authority (“CNPD”) issued a Decision imposing a fine of € 4,300,000 (four million three hundred euros) to the National Institute of Statistics (“INE”) for multiple violations in the processing of data subjects’ sensitive data during the Census 2021 operation. Background On the 27th of April 2021, after launching an investigation into the transfer of personal data from INE to Cloudflare (a U.S. service provider engaged by INE for the operation of the…

Ocenture LLC, a privately held company headquartered in Jacksonville, Florida, and its subsidiary, Carelumina LLC (collectively, “Ocenture”), have agreed to pay $3 million to resolve allegations that they caused the submission of false claims to Medicare by paying and receiving kickbacks in connection with genetic testing samples. The United States alleged that Ocenture participated in a genetic testing fraud scheme with other marketers and clinical laboratories. As part of the alleged scheme, Ocenture solicited genetic testing samples from Medicare beneficiaries…

On November 25, 2022, Ireland’s Data Protection Commission (“DPC”) released a decision fining Meta Platforms, Inc. (“Meta”) €265 million for a 2019 data leak involving the personal information of approximately 533 million Facebook users worldwide. In the decision, the DPC argued that Meta failed to comply with the GDPR’s requirement of providing privacy “by design and default” when it failed to prevent the disclosure of users’ phone numbers, email addresses, full names, dates of birth and other personal information on…