back

Last week in Privacy (week 37)

Google faces yet another lawsuit - this time in UK for allegedly harvesting childrens’ personal data without consent

 

A class action lawsuit has been filed against Youtube in the UK’s High Court. The class action alleges that Youtube exploited 5 million British kids under 13 years old by collecting childrens’ personal data without any consent and sold it to 3rd party advertising companies.

 

It is expected that Google will strongly dispute the claims by arguing that the main Youtube platform is not intended for children under 13 years of age and Google is not selling the data to third parties.

 

Read more here.

 

UK’s Information Commissioner’s Office introduces its Accountability Framework aiming to help companies with their data protection obligations

 

The Accountability Framework aims to help any organisation, whether small or large in demonstrating their compliance to data protection obligations. The Framework is launched as a ‘beta’ product, as ICO is expecting to receive feedback and develop it further.

 

The Accountability Framework is divided into 10 different privacy management categories providing the key ICO’s expectations and ways organisations can meet these expectations. The categories are ‘leadership and oversight’, ‘training and awareness’, ‘transparency’, ‘contracts and data sharing’, ‘records management and security’, ‘policies and procedures’, ‘individual’s rights’, ‘records of processing and lawful basis’, ‘risks and data protection impact assessments’ and ‘breach response and monitoring’.

 

Stay tuned, as PrivacyAnt will take a closer look into each of these categories and will provide further information on this blog within the coming weeks.

 

Take a closer look into the ICO's Accountability Framework

 

The EDPB published its long waited guidelines on the concepts of controller and processor in the GDPR

 

The European Data Protection Board (“EDPB”) published the long waited guidelines on the concepts of controller and processor in the GDPR (Guidelines 07/2020 on the concepts of controller and processor in the GDPR). The guidelines are not yet final and are open for public feedback until 19th of October 2020.

 

The concepts play a crucial role in the application of the GDPR as they determine who shall be responsible for different GDPR obligations. Therefore each organisation should take a closer look into these concepts and make sure they are sufficiently understood.

 

Read more from our ealier blog post.

 

The EDPB published draft guidelines on using social media platforms to target end users

 

In it’s 37th plenary meeting, the European Data Protection Board (“EDPB”) adopted also new guidelines on using social media platforms to target end users (Guidelines 08/2020 on the targeting of social media users). The guidelines are also open for public feedback until 19th of October 2020.

 

The main aim of the guidelines is to clarify the roles and responsibilities when using social media platforms to target end users, identify risks for the rights and freedoms of the individuals caused by social media targeting and clarify the key data protection requirements such as lawfulness of processing and transparency.

 

See the draft guidelines here.

 

Irish DPC sent Facebook a preliminary order to suspend its data transfers to United States

 

The Wall Street Journal reported on 9th of September 2020 that the Irish Data Protection Commission (“DPC”) has issued a preliminary order for Facebook to suspend its EU-US data transfers. After the report, Facebook published its response where it confirms of receiving the order and that the DPC had told Facebook that EU Commission’s Standard Contractual Clauses could not be used.

 

According to NOYB’s commentary on the issue, it seems that Facebook has switched its transfer mechanism into Article 49(1)(b) and that this new mechanism would be outside of the scope of the DPC’s order. Launching yet another investigation into the new transfer mechanism would mean further delays to this matter that has been pending for more than 7 years already.

 

See Wall Street Journal's original report here.

See Facebook's response here.

See NOYB's commentary on the issue here.