#PrivacyNews
💬Author: Олег Блинов
Lots of news this time around!
🔸 Meta’s reliance on contract as lawful basis for targeted ads found invalid (https://www.linkedin.com/pulse/metas-privacy-fine-plain-english-avishai-ostrin/, https://noyb.eu/en/breaking-meta-prohibited-use-personal-data-advertising, https://www.nytimes.com/2023/01/04/technology/meta-facebook-eu-gdpr.html, https://edpb.europa.eu/news/news/2022/edpb-adopts-art-65-dispute-resolution-binding-decisions-regarding-facebook-instagram_it): Essentially, this is further to news from December that EDPB found reliance on contract invalid. Now the same is confirmed by the Irish DPA (DPC). Interestingly, they (the DPC) do not disclose the decision to the public, including noyb who initiated the complaint. Accordingly, we do not have the source material. NOYB predicts that the decision shall come into effect in 3 months (i.e. around April 4th). Maybe Meta can appeal the decision and postpone its time of implementation. If consent is to be sought, the efficiency of Meta ads will be severely limited.
🔸 The European Commission published its draft of US Adequacy Decision (https://ec.europa.eu/commission/presscorner/detail/en/IP_22_7631, https://commission.europa.eu/system/files/2022-12/Draft adequacy decision on EU-US Data Privacy Framework_0.pdf): the EC seems to be moving in time to push the US adequacy as soon as possible. Seemingly the March-April timeline will be upheld.
🔸 APPLE DISTRIBUTION INTERNATIONAL fined 8 million euros (https://www.cnil.fr/en/advertising-id-apple-distribution-international-fined-8-million-euros, https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000046907077): The French regulator fined Apple for use of DSID and iAsId identifiers for ads targeting/optimization purposes when using the App Store. While these did not allow third party targeting, Apple’s own targeting was enough. This is one of the first big decisions concerning mobile IDs. Interestingly, the fact that Apple fixed the issue later in iOS 15 did not free them from liability.
🔸 1M fine for Italian energy provider for inaccurate data (https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9834373): one of the rare applications of the accuracy principle, which in my mind is underutilized. Specifically, due to errors in the controller’s data storage, the consumer was not able to switch contract to another energy supplier. The error affected 47k other people as well, which makes the fine about EUR 22 / person, which is massive. Additionally, the DPA noted that storage of data for 10 years after contract termination was excessive. An appropriate storage period was not suggested by the DPA.
🔸 Twitter leaks 235M email addresses; 2018 breach under investigation (https://apnews.com/article/twitter-inc-technology-social-media-business-ce4567176ed1824bb6e3e4376708c12d, https://www.dataprotection.ie/en/news-media/data-protection-commission-launches-inquiry-twitter-concerning-datasets): nothing interesting here, just FYI.
Linkedin
Meta's Privacy Fine (in Plain English)
I've read a lot of posts and articles about the €390m fine that was announced yesterday against Meta in Ireland, including headlines such as "Meta's Ad Practices Ruled Illegal Under E.U.
Roll call. Who is where now, and going forward?
Anonymous Poll
61% Russia, not planning to change location
21% Russia, thinking it over
2% CIS
12% Europe
0% USA
1% Asia
1% Africa
1% Eastern countries
2% Other rare destinations
#materials #EDPB
🔆Facebook and Instagram decisions: “Important impact on use of personal data for behavioural advertising”.
🔆And here is a breakdown from the Irish DPA.
🔆Here is NOYB's reaction.
🔆And in the closed RPPA chat, a fascinating discussion of this case has been going on for two days now, join in!
Data Protection Commission
Data Protection Commission announces conclusion of two inquiries into Meta Ireland | Data Protection Commission
The Data Protection Commission (DPC) has today announced the conclusion of two inquiries into the data processing operations of Meta Platforms Ireland Limited (“Meta Ireland”) in connection with the delivery of its Facebook and Instagram services. (Meta Ireland…
CNIL fine.pdf
456.2 KB
#fines #gdpr
Meanwhile, the French are fining TikTok EUR 5 million.
1. For cookies: refusing is not as easy as accepting
2. No information provided about the processing of the different types of cookies
#PrivacyNews
💬Author: Олег Блинов
Hi people! Latest news:
🔷 EDPB published its decision on Meta & Instagram (https://edpb.europa.eu/our-work-tools/our-documents/binding-decision-board-art-65/binding-decision-42022-dispute-submitted_en): While I did not have time to read the entire EDPB decision yet, you can read a brief (but not impartial) summary from noyb: https://noyb.eu/en/meta-advertising-ban-decision-published. It seems that the Irish DPA considered itself to be incompetent to challenge the “necessity” of contract for purposes of assessing whether a valid legal basis exists. EDPB disagreed with this stance and found contract to be inappropriate as a legal basis.
🔷 CJEU: Every person has the right to know to whom his or her personal data have been disclosed (https://curia.europa.eu/jcms/upload/docs/application/pdf/2023-01/cp230004en.pdf): According to the CJEU, a response to an access request necessarily has to include the exact names of counterparties who received your data.
🔷 CJEU: Administrative and civil remedies under GDPR may be exercised concurrently (https://curia.europa.eu/jcms/upload/docs/application/pdf/2023-01/cp230003en.pdf): The court and DPA routes for protecting one’s rights are available independently from one another.
🔷 Processing of employee medical absence data for 20 years results in EUR 230k fine (https://edpb.europa.eu/news/national-news/2023/finnish-sa-administrative-fine-viking-line-unlawful-processing-employees_en): The company stored sick leave clarifications longer than necessary. Under Finnish Employment Data Protection Act, such data shall also be kept separately from other employee data, an obligation the company violated as well.
🔷 German critique against Google’s conditions for data processing from fair competition perspective (https://www.bundeskartellamt.de/SharedDocs/Meldung/DE/Pressemitteilungen/2023/11_01_2023_Google_Datenverarbeitung.html): The German Bundeskartellamt notified Google of its assessment that Google services do not offer people enough choices whether and to what extent they agree with this extensive cross-service processing of their data.
🔷 The Litigation Chamber of the Belgian DPA approves IAB Europe’s action plan (https://www.dataprotectionauthority.be/iab-europe-held-responsible-for-a-mechanism-that-infringes-the-gdpr): In 2022, the Belgian DPA fined IAB Europe 250k euro for its role as focal point of the TCF framework. Now, the DPA approved IAB’s remediation plans, however, without disclosing any details due to pending litigation.
noyb.eu
Meta Advertising Ban - Decision Published
You can now read the details of the DPC decision! It seems interesting times lie before us in the Courts!
GDPR LI.pdf
2.5 MB
#materials #legitimate
Investigating Deceptive Design in GDPR’s Legitimate Interest
💬Author: Cristiana Santos
RPPA PRO: Privacy • AI • Cybersecurity • IP
#ЯрмаркаВакансий 🔆Chief Data Protection Officer at Qiwi Group🔆, only on RPPA.ru. If you have candidates in mind, write to @krakozubla
Colleagues, this is very timely. For a quick response or with any questions, write to me.
#privacy #events
When: January 16 at 17:00 (Moscow time)
Where: the ПРО Приватность Telegram channel
Topic: Personal data protection in the UAE based on GDPR
Organizer: Data Privacy Office LLC
Hosts: Денис Садовников, CIPP/E, CIPM, FIP, an expert in artificial intelligence and privacy, and Сергей Воронкевич, CIPP/E, CIPM, CIPT, FIP, a GDPR consultant and trainer.
Language: Russian
Cost: free
#news #cybersecurity
The European Union's Directive on Network and Information Security Systems (NIS2 Directive) has entered into force.
💡Use: information security requirements for EU companies
ENISA
Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?
The European Union Agency for Cybersecurity publishes the latest report on Network and Information Security Investments in the EU providing an insight on how the NIS Directive has impacted the cybersecurity budget of operators over the past year with deep…
CvsP.pdf
258.4 KB
#materials #GDPR
Are recruiting companies controllers or processors?
You'll find the answer in the Spanish DPA's clarifications. Whoever translates, reads and shares the answer gets our thanks😝
Out_of_the_shadows_CISOs_and_DPOs_in_the_spotlight_1673982462.pdf
5.1 MB
#materials #survey
Out of the shadows: 2022 CISOs’ and DPOs’ role and responsibilities survey by PWC
💬Source: Андрей Прозоров
#news #fines
European Commission officials on Tuesday warned TikTok's CEO to respect EU laws and work on "regaining [the] trust of European regulators".
On top of everything else, the Irish DPA has previously conducted investigations into the company.
POLITICO
EU leaders fire warning shots at TikTok over privacy
Brussels expects the platform to go the ‘extra mile in respecting EU law’ and regaining trust, says Commissioner Jourová.