CDP Institute

Australia’s Attorney-General has said the government will make “urgent reforms” to the country’s Privacy Act following the Optus breach, where the company was blamed for lax security, resulting in the theft of nearly 10 million customer records. Resulting fines for that could reach as high as 2 million Australian dollars ($1.3 million). Certainly, it has put increased pressure on the government, which has been in process reviewing its privacy laws for several years, and now stated it may move on this within the next month.

The Office of the Privacy Commissioner for Personal Data in Hong Kong plans to launch a compliance review following a data breach that may have impacted 290,000 Shangri-La hotel group customers. Concern is that customers were not notified until more than two months that a breach potentially affecting their data had occurred.

There are two important new laws in California. The first, related to AB-1242, is designed to protect companies from having to respond to out-of-state search warrants that look to obtain abortion data. This will be relevant to the many internet and telecommunications based in the state and is part of a move to establish California as a sanctuary for abortion seekers. The second, AB 2089, is meant to protect patient mental health data not covered by the Health Insurance Portability and Accountability Act (HIPAA), particularly via the 20,000 or more online apps offering services based on probable diagnoses. Many harvest and then sell sensitive data that patients provide, but this would no longer be allowed.

IAB’s Global Privacy Platform (GPP), which enables user consent signals to be communicated through the digital supply chain, is finalized and ready for industry adoption. This is a major development for ad tech companies and was developed with input from companies throughout the ad ecosystem. Specifically, the GPP provides details on privacy signals – including standard data types used for encoding privacy strings and standard mechanisms for senders and receivers of those strings. Right now, this includes information for US Privacy and IAB Europe TCF consent strings, but IAB has... Read More >

The U.K.’s Information Commissioner’s Office (ICO) have issued a Notice of Intent, covering a period between 2018-2020, to Chinese-owned TikTok, which means a likely significant fine. In this case that could be as high as £27 million ($29 million), depending on determinations about violation of privacy regulation. TikTok may have committed multiple infractions, including processing data of underage children without parental consent, accessing specially protected information on race or ethnicity, and collecting biometric data without legitimate cause to do so. Depending on the regulator’s determination, cost could be quite high.

This second, “Results About You” option has begun appearing in the Google app for Android.

This draft is expected to include expanded protections for European and American citizens, including on how US security agencies can access and use their data.

Then, operators judge their work. Sorry, not liking the sound of this…

After thorough review, the Danish DPA ruled against allowing use of Google Analytics, having determined that the tool’s settings and terms of use don’t comply with EU regulations. This follows like decisions earlier this year by Austria and Italy and is seen to represent a common position among EU regulators.

The US National Basketball Association (NBA) is accused, in a new class action lawsuit, of sharing digital information that combines personal information NBA allegedly collects on its video viewers with unique Facebook identifiers, rendering the personal data identifiable. The suit, brought by a California resident, claims the NBA profits substantially from sale of the data, and, since users have not been made aware of this use, this allegedly would be in violation of the 1988 Video Privacy Protection Act (VPPA), which disallows having viewing history without consent.

Germany’s controversial data-retention law pertaining to telecom has been found to be incompatible with EU law by the European Court of Justice (EJC), so is now overturned. The law, which had permitted user data storage for up to ten weeks and permitted German law enforcement authorities to request it from the telecommunication companies, was a revision of an earlier law rejected by a German court. The EJC’s decision is consistent with arguments it has made against Sweden, France, Belgium and the UK over what was deemed unnecessary data retention.

The European Data Protection Supervisor (EDPS) has taken the unusual step of suing Members of Parliament (MEPs) to prevent them from enacting legislation that would allow law enforcement agency, Europol, to sidestep stricter privacy rules the EDPS wants. EDPS had ordered Europol to erase data it was holding on individuals who had no proven crime record, but MEPs and national governments stepped with alternate legislation that would shield Europol and expand its ability to sell data.