Data Protection News Update 06 February 2023

United States

FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising

  • Federal Trade Commission has taken enforcement action for the first time under its Health Breach Notification Rule against GoodRx Holdings Inc.
  • GoodRx operates a digital health platform that offers users prescription drug discounts, telehealth visits and other health services.
  • GoodRx failed to notify customers of its unauthorised disclosures of consumers’ health information to Google, Facebook and other companies infringing on the Health Breach Notification Rule.
  • The proposed order will prohibit GoodRx from sharing user health data with third parties for advertising and will pay a $1.5 million civil penalty for violating the rule. This order must be approves by the federal court to go into effect.


Big changes coming for GDPR enforcement on Big Tech in Europe?

  • The European Commission has committed to dial up its monitoring of data protection authorities at the EU Member State level.
  • They are committing to regular checks on a large scale for GDPR cases.
  • The EU’s executive says it will ask all national supervisory data protection authorities to share a report every two months which will provide an overview of large-scale cross-border investigations.
  • Large cases like these have always been in regulatory limbo as we have seen with Meta.
  • The Commission has committed to improving its GDPR enforcement by overseeing DPAs administration of their duties.
  • However, there is no timelines nor a decision if the enforcement will apply retrospectively so it remains to be seen if this measure will be effective.

Slovenia’s Personal Data Protection Act enters into force

  • Slovenia’s Personal Data Protection Act is now in force.
  • The law was adopted in December 15 2022
  • It includes transmission of personal data in the public and private sector, regulation of biometrics, and personal data processing.

Swedish presidency tries to close in on the Data Act

  • The Swedish presidency of the EU council put forth aa new compromise on the Data Act, which is a proposed law that regulates how data is accessed portered and shared.
  • Which type of data should be covered by the law has been a point of controversy. It has been decided that the focus should be on the functionalities of the data instead of products.
  • There is s focus on pre-processed data automatically generated by the sensors embedded in the connected products, rather than the actual products.
  • Additionally, the definition of data generated by a product or a related service was changed to exclude data generated for displaying content and data recorded using apps other than those strictly related to the product.


As Cookies Wane, Retargeting Protocol Fledge Emerges as Privacy Sandbox Favourite

  • Fledge is an acronym for first locally executed decision over groups experiment.
  • Fledge is a cookie-less solution for advertisers seeking to retarget.
  • With Fledge, visiting the shoe website places them in an interest group owned by the brand. It is more privacy safe as it targets groups rather than individuals.
  • It is a more viable cookie replacement because it mimics existing processes of digital advertising but cuts out an identifier that could link people and their browsing history.
  • Fledge live auction testing has more than tripled since October but it is still too early to tell of its success as there is no significant revenue during testing.

United Kingdom

Using FRT in schools – letter to North Ayrshire Council

  • The ICO issued a letter to North Ayrshire Council following their use of facial recognition technology to manage ‘cashless catering; in school canteens.
  • The story was brought to the ICO in October 2021, when the Council introduced FRT into nine schools.
  • FRT processes special category data and has risks.
  • The ICO directed the Council to ensure that there is lawful basis for processing children’s data, ensure that the processing is transparent and that a DPIA is completed that identifies, assesses, and mitigates the risks to the pupils.

Britain unlawfully issued surveillance warrants for nearly five years – tribunal

  • British spies unlawfully retained people’s data they intercepted for over five years.
  • The tribunal blamed widespread corporate failure at MI5 and the interior ministry.
  • In the judgement it is mentioned that there had been serious failings in compliance by MI5 from late 2014 to April 2019 and also failed to make adequate enquiries.
  • The tribunal found that the materials were held for too long. The tribunal also dismissed Liberty and Privacy International’s wider challenge to the effectiveness of safeguards under the Investigatory Powers Act and its predecessor.
  • The tribunal also refused to quash warrants that may have been unlawfully issued and did not direct MI5 to delete any unlawfully retained data.

JD Sports says 10 million customers hit by cyber-attack

  • JD, the sportwear chain said that stored data relating to 10 million customers might have been accessed by hackers. This information included names, addresses, email accounts, phone numbers, order details and final four digits of bank cards.
  • The data related to online orders between November 2018 and October 2020.
  • JD said it was contacting the affected customers.
  • JD has said it is working with leading cyber security experts and engaging with the UK ICO in response to the incident.


More Posts

Send Us A Message