Data Protection News Update 11 July 2023

United States

TikTok goes to court to block Montana ban

  • Back in May, the state of Montana became the first US state to ban TikTok, which will make it unlawful for Google and Apple’s app stores to offer TikTok within the state.
  • It should be noted that individuals using the app will apparently not be fined or otherwise sanctioned.
  • Now, TikTok has filed a suit and has asked a US District Judge to issue a preliminary injunction to block the state ban, relying on the First Amendment and free speech rights of both the company and the users.

Montana signs a bill into law on the use of facial recognition

  • The new bill establishes the right of state and local agencies, including law enforcement, to use facial recognition. It allows Montana’s law enforcement agencies to use facial recognition to look for suspects, victims and witnesses of serious crimes.
  • Simultaneously, the bill also restricts the use of the technology. For example, ‘real-time’ facial recognition is prohibited. Furthermore, human review and audit procedures are introduced to ensure that the use of the technology is and remains compliant.


No Threads app in the EU

  • Last week, Meta brought out its newest app, ‘Threads’, which is a direct rival to Twitter.
  • Already, a number of privacy issues are discernible. For example, when setting up an account, it is indicated that Threads would collect users’ health data and other sensitive information. It is also held that the app will be able to share data about a user’s sexual orientation, religious and political beliefs, race and ethnicity with third parties.
  • Threads will not be rolled out in the EU, states the Irish DPA (DPC). It is claimed that Meta will refrain from rolling this app out in the EU because of the perceived ‘lack of clarity’ in the EU’s Digital Markets Act.

CJEU rules that national competition authorities can determine EU GDPR infringements

  • In a decision concerning Meta’s data collection practices, the CJEU has ruled that national competition authorities can determine EU GDPR infringements.

European Commission adopts new rules for stronger enforcement of the GDPR in cross-border cases

  • The new rules attempt to harmonise the procedural rules in cross-border cases. They cover the rights of complainants and the rights of parties under investigation (controllers and processors), which include the right to be heard at key stages, and they streamline cooperation and dispute resolution.
  • The European Consumer Organization released a statement saying that the proposal ‘falls short in boosting GDPR enforcement’ and that it ‘is unlikely to be of much help to consumers’.


Brazil’s DPA issues first fine under the General Personal Data Protection Law

  • Brazil’s Data Protection Authority (ANPD) finds Telekall Infoservice in breach of Articles 5, 7 and 41 of the General Personal Data Protection Law and issues its first fine of BRL14,400, which is approximately £2,304.

Colombia’s DPA issues its largest fine

  • The fine in question is against Comunicacion Celular, which is required to pay COP1.3 billion for obtaining customer data without acquiring prior authorization. Converted to pounds, the fine is around £241,336. Furthermore, the company had been fined for the same violation before.

Supreme Court in British Columbia is against the release of Airbnb host names and addresses

  • British Columbia’s Supreme Court had to consider a decision made by the province’s Information and Privacy Commissioner which would allow the release of both names and addresses of Airbnb hosts in the area. This decision came after a freedom of information request back in 2019.
  • The Supreme Court held that the Information and Privacy Commissioner should reconsider its decision, in which home addresses were incorrectly classified as business, denying them ‘personal information’ status. The Court ruled that this was wrong and that ‘taken cumulatively, […] would enable the discovery of a treasure trove of personal information’.

Data Breach at Newfoundland’s fertility service

  • The names of about 125 people who had previously received in vitro fertilization (IVF) treatment were disclosed. An email was sent out in an attempt to conduct a survey of those who had received the service, which led to the disclosure of a list of names of those receiving the treatment.
  • ‘It’s truly remarkable that they’ve found a way to make this experience worse for us,’ says Kelsey Puddister.
  • The fertility service has issued a public apology and is in the process of contacting every recipient and asking them to delete the email and the email addresses. They also note that the Information and Privacy Commissioner was notified.

United Kingdom

UK’s National Cybersecurity Centre investigates breach concerning NHS Trust

  • A hacking group (ALPHV or BlackCat) claims that it managed to steal several terabytes of data from Barts Health NHS Trust, which affected several London hospitals, and asked for ransom.
  • The UK’s National Cybersecurity Centre has started to investigate the alleged breach, and the ICO has confirmed that it received a report of the breach from Barts Health NHS Trust and that it will assess the issue.

ICO publishes code of practice for journalists

  • The ICO released a code of practice on data protection considerations relevant to journalists and media outlets.
  • Information Commissioner John Edwards states that the code ‘strikes the right balance between supporting journalists’ work and protecting people’s personal information by providing clear and practical guidance on how to comply with data protection law.’

