What happened in privacy last week (week 35)

Another fine issued by the Norwegian Data Protection Authority


Another enforcement action against a public entity has been issued by the Norwegian Data Protection Authority, Datatilsynet. Datatilsynet imposed a fine of 400.000 Norwegian Krones (around 40.000€) on the Norwegian Public Roads Administration for processing personal data for purposes that were incompatible with the original purpose and for not deleting camera recordings in accordance with the original retention times.


The cameras were used to monitor employees, contractors, sub-contractors and their employees to demonstrate a breach of agreement. The DPA, however, found that such processing was not compatible with the original purpose of the CCTV cameras (security). It was therefore not possible to use the recordings for a new purpose without additional measures.


Read more here: Vedtak om overtredelsesgebyr til Statens vegvesen


Anu Talus has been appointed as the new Data Protection Ombudsman of Finland


Anu Talus has been appointed as the new Data Protection Ombudsman of Finland as of 1st of November 2020, when the current Ombudsman Reijo Aarnio retires. Talus has served as a Deputy Data Protection Ombudsman since August 2019.


Read more here: Anu Talus appointed as the new Data Protection Ombudsman of Finland


The US Department of Justice has charged the former CISO of Uber with felony obstruction of justice


The former Chief Security Officer for Uber Technologies has been criminally charged with trying to cover up the 2016 hacking that exposed personal information of about 57 million customers and drivers. The US Department of Justice charged the former CISO with felony obstruction of justice, saying that he took "deliberate steps" to keep the Federal Trade Commission (FTC) from learning about the hack while the FTC was monitoring Uber's security in the wake of an earlier data breach.

German DPA provides first clues about the additional safeguards needed for Standard Contractual Clauses


On 25th of August, the DPA from Baden-Württemberg published guidelines on the CJEU case C-311/18 ("Schrems II"). The guidelines provide first clues on what the additional safeguards could be when using the EU Commission's Standard Contractual Clauses ("SCCs") as a transfer mechanism. The guidelines contain recommended amendments to the SCCs.


Read more here: Baden-Württemberg's guidelines for transfers


Google's own engineers consider the company's privacy settings confusing and misleading


Newly unsealed documents from a consumer fraud lawsuit filed against Google show that Google's own employees knew that the location settings were confusing and potentially misleading. In May 2020, the state of Arizona sued Google, alleging that the company violates the Arizona Consumer Fraud Act. Newly released documents related to the case include employee emails and chat logs highlighting the employees' own frustration with the privacy settings:


"The current UI feels like it is designed to make things possible, yet difficult enough that people won't figure it out."


Read more here: Unredacted suit shows Google’s own engineers confused by privacy settings


Finnish DPA started sending RFI letters requesting companies to provide information on data transfers to the US


The Finnish Data Protection Authority has started sending 'request for information' letters to companies regarding the recent CJEU ruling in case C-311/18 ("Schrems II"). The DPA requests companies to answer the following questions:


#1 Does your organisation, either as a controller or a processor, transfer personal data to the United States using Privacy Shield or EU Commission's Standard Contractual Clauses as a transfer mechanism?


#2 If yes, what measures, if any, has your organisation taken due to the CJEU ruling in case C-311/18 ("Schrems II")?


#3 In addition to already published statements by the Finnish DPA, what kind of general guidance does your organisation expect to receive from the DPA regarding the recent ruling?