Weekly Privacy News - Week #12
Published on 2023-3-21
Austrian Website’s Use of Meta Business Tools Violates GDPR
The Austrian data protection authority (DPA) has found that a website’s use of Facebook Login and the Meta Pixel violated the GDPR’s rules on international data transfers.
The decision resulted from a complaint lodged by the privacy advocacy group “noyb” in August 2020. At the time, Meta had not implemented any international transfer safeguards and purported to be relying on the defunct “Privacy Shield” scheme.
UK Bans TikTok on Government Devices
The UK has banned the social media app TikTok on government devices. The UK’s policy mirrors that of several countries concerned about the potential for Chinese surveillance. Government ministers would still be allowed to use TikTok to promote government work.
The move follows revelations that TikTok’s parent company ByteDance surveilled several Western journalists. TikTok said the government’s decision was based on “fundamental misconceptions”.
Iowa Privacy Law Awaits Governor’s Signature
Iowa is set to become the sixth US state to pass comprehensive state privacy legislation after “SF 262” was approved by both the state’s legislative chambers. The bill now awaits the state governor’s signature before taking effect in January 2025.
The bill would provide new rights to Iowa residents but lacks features present in most other US state privacy laws, including a right to opt out of targeted advertising.
EU Advocate General Gives Opinion on Credit Rating Agencies
The EU Advocate General (AG) has given an opinion with major implications for credit rating agencies as part of a court case known as against credit reference agency Schufa.
The AG suggests that credit reference agencies can make an automated decision under Article 22 GDPR when they assess the creditworthiness of data subjects via profiling. A similar determination by the Court of Justice of the European Union (CJEU) could bring new rights to individuals subject to credit scoring.
UK Regulator Reduces GDPR Fine By Over 80%
The UK’s Information Commissioner’s Office (ICO) has agreed to reduce a monetary penalty against catalogue company Easylife from £1.35 million to £250,000.
The company received a fine in October 2022 after an investigation revealed it was profiling vulnerable people to sell health-related products. The ICO said it had reduced the penalty because Easylife proactively engaged with the government’s corrective orders.
- Argon Medical Devices received a €218,365 fine for a late data breach notification.
- Commify was fined €10,000 for unlawfully storing text messages.
- Orange received a €10,000 fine for photographing customer IDs when delivering phones.
- Modaone received a €2,000 fine for a late data breach notification.
- Tinmar Energy SA received a €3,000 fine for security violations leading to an email-related data breach.
- Union Save Romania was fined €4,000 for a data breach affecting an unsecured server.
- Alianța pentru Unirea Românilor was fined €10,000 for unlawful data collection via a web form.