What happened in privacy last week (week 35)
- Aug. 31, 2020
Another fine issued by the Norwegian Data Protection Authority
Another enforcement action against a public entity has been issued by the Norwegian Data Protection Authority Datatilsynet. Datatilsynet imposed a fine of 400.000 Norwegian Krones (around 40.000€) against the Norwegian Public Roads Administration for processing of personal data for purposes that were incompatible with the original purpose and not deleting camera recordings in accordance with the original retention times.
The cameras were used to monitor employees, contractors, sub-contractors and their employees to demonstrate a breach of agreement. The DPA however found that such processing was not compatible with the original purpose of the CCTV cameras (security). It was therefore not possible to use the recordings for a new purpose without additional measures.
Read more here: Vedtak om overtredelsesgebyr til Statens vegvesen
Anu Talus has been appointed as the new Data Protection Ombudsman of Finland
Anu Talus has been appointed as the new Data Protection Ombudsman of Finland as of 1st of November 2020 when the current Ombudsman Reijo Aarnio retires. Previously Talus has served as a Deputy Data Protection Ombudsman since August 2019.
Read more here: Anu Talus appointed as the new Data Protection Ombudsman of Finland
The US Department of Justice has charged the former CISO of Uber with felony obstruction of justice
German DPA provides first clues about the addional safeguards needed for Standard Contractual Clauses
On 25th of August, the DPA from Baden-Württemberg published guidelines on the CJEU case C-311/18 ("Schrems II") The guidelines provides first clues on what could be the additional safeguards when using EU Commission's Standard Contractual Clauses ("SCC's") as a transfer mechanism. The guidelines contain recommended amendments to SCC's.
Read more here: Baden-Württemberg's guidelines for transfers
Google's own engineers consider the company's privacy settings confusing and misleading
Newly unsealed documents from a consumer fraud lawsuit filed against Google show that Google's own employees knew that the location settings were confusing and potentially misleading. In May 2020, the state of Arizona sued Google alleging that the company violates the Arizona Consumer Fraud Act. Newly released documents related to the case includes employee emails and chat logs highlighting the employees' own frustration with the privacy settings:
"The current UI feels like it is designed to make things possible, yet difficult enough that people won't figure it out."
Read more here: Unredacted suit shows Google’s own engineers confused by privacy settings
Finnish DPA started sending RFI letters requestions companies to provide information on data transfers to the US.
The Finnish Data Protection Authority has started sending 'request for information' -letters to companies regarding the recent CJEU ruling in case C-311/18 ("Schrems II"). The DPA requests companies to answer the following questions:
#1 Does your organisation either as a controller or a processor, transfer personal data to the United States using Privacy Shield or EU Commission's Standard Contractual Clauses as a transfer mechanism?
#2 If yes, what measures, if any, your organisation has taken due to the CJEU ruling in case C-311/18 ("Schrems II")?
#3 In addition to already published statements by the Finnish DPA, what kind of general guidance does your organisation expect to receive from the DPA regarding the recent ruling?