Data Protection News Update 14 February 2023

United States

Joe Biden Says Tech Needs Washington’s Parental Oversight in State of the Union

  • President Joe Biden took aim at Big Tech’s data collection practices, its targeting ads on young users and anti-competitive business practices during his State of the Union address.
  • The President highlighted a variety of tech-focused legislative proposals from surveillance advertising and antitrust reform.
  • President Biden said ‘it is time to pass bipartisan legislation to stop Big Tech  from collecting personal data on kids and teenagers online, ban targeted advertising to children, and impose stricter limits on the personal data these companies collect on all of us.’


EU and Singapore launch Digital Partnership

  • The EU-Singapore Digital Partnership has been launched. This is the third signed key partnership in Asia.
  • Both sides have agreed to work together on semiconductors, data flows, data innovation, digital trust, standards, digital trade facilitation, digital skills for workers, and the digital transformation of businesses and public services.
  • Following the signing of the Partnership a Digital Partnership Council was held to set out priorities for the year ahead: exploring common approaches in e-identification and in Artificial Intelligence governance as well as working on projects to facilitate digital trade and SME’s digital transformation.

Nothing Neutral about the New Swiss Federal Act on Data Protection

  • Switzerland is replacing the Federal Act on Data Protection of 1992. The new revFADP improves the processing of personal data and grants Swiss citizens new rights consistent with other comprehensive data protection laws, such as the GDPR.
  • The new legislation comes with increased obligations for companies doing business in Switzerland and it comes into effect on September 1, 2023.
  • While there are similarities to the GDPR, there are a few key differences as well.
    • There is no grace period for companies to get up to speed.
    • The revFADP does not impose civil penalties.
    • There is an assumption that adequate countries for data transfers will mirror the European Commission decisions but there is an expectation to use Swiss-specific SCCs for Swiss-only transfers.
    • There is an emphasis that the DPO should remain separate from the other business activities of the company.

CJEU issues ruling on DPOs and conflict of interest

  • In a ruling on February 9 that centred on Article 38 of the GDPR the CJEU stated DPOs should “be in a position to perform their duties and tasks in an independent manner” but “cannot be entrusted with tasks or duties which would result in him or her determining the objectives and methods of processing personal data on the part of the controller or its processor.”
  • The CJEU said that this is a matter for the national court to determine on a case by case basis.
  • The CJEU found that Article 38, which states DPOs cannot be dismissed or penalized for performing tasks, does not prevent national laws from establishing additional protections against dismissing DPOs. But these cannot go against the principal objectives of the GDPR.


Nigeria Data Protection Bureau delists 19 DPCOs

  • The Nigeria Data Protection Bureau (NDPB) has revoked the operating licence of 19 Data Protection Compliance Organizations (DPCOs).
  • DPCOs are licenced to provide compliance services and guide clients to adhere to privacy guidelines in the Nigerian Data Protection Regulation.
  • However, many of the DPCOs have lacked the requisite professionalism and capacity to carry through with these tasks.
  • The 19 DPCOs were delisted as licensed operators having failed to meet the minimum requirements of the NDPR including shoddy “filing of annual compliance audit returns” on behalf of their clients.
  • The NDPB warned more DPCOs would be delisted if they do not become more professional.

Privacy Office Probes Banks Giving Protesters’ Info to CSIS, RCMP Under Emergencies Act

  • The Office of the Privacy Commissioner is currently examining Trudeau’s invocation of the Emergencies Act last winter which included the order requiring financial institutions to send information on designated persons to security agencies.
  • The Act was invoked last year to deal with the cross-country protests and border blockades that demanded the lifting of COVID-19 restrictions. The financial accounts of the Freedom Convoy protestors were frozen.
  • It is known that the RCMP provided a list of Convoy supporters to banks and credit unions to take action against there is not a lot known about the flow of data from financial institutions to the RCMP.
  • The Emergency Economic Measures Order said that institutions must disclose without delay to CSIS and RCMP the property owned by a designated person.
  • A designated person could be an individual protester or organisation in activities deemed illegal.
  • The OPC is examining the scope and nature of the personal information that was received and disclosed, whether reasonable steps were taken to limit the sharing of personal information, and if the information was used or disclosed for other purposes beyond the purpose of collection.
  • There will be a report on the matter in the spring of 2023.

Meta fined for violating personal info protection law

  • Meta has be fined by South Korea’s data protection watchdog for disadvantaging its customers refusing to provide personal information.
  • The Personal Information Protection Commission (PIPC) decided to impose a penalty of 6.6 million won (about US$5,240).
  • The PIPC concluded that behavioural information is not the minimum personal information required to provide Facebook and Instagram services and therefore preventing people refusing to offer behavioural information from signing up and using the online services is a violation of the Personal Information Protection Act.

United Kingdom

UK PM overhauls government departments, including focus on innovation and tech

  • Prime Minister Rishi Sunak has announced four new government departments including a dedicated Department for Science, Innovation and Technology focused on technical innovations.
  • This will remove digital and data policy responsibility from the Department for Culture, Media and Sport.
  • This could lead to advances in reforming the UK GDPR and secure new international data bridges.

Former RAC employee fined for stealing data of victims of road traffic incidents

  • A former employee of services company RAC has plead guilty and been fined for the stealing of data of victims of road traffic accidents.
  • Asif Iqbal Khan was a Customer Solutions Specialist, when 21 customers complained they received calls from claims management companies following accidents in which the RAC had assisted.
  • After a review it was found that Mr Khan was the only employee that accessed all 21 customers.
  • The ICO executed a search warrant and seized two phones and a customer receipt for £12,000. The phones had photos of data relating to over a hundred road incidents.
  • Mr Khan pleaded guilty to two counts of stealing data in breach of Section 170 of the Data Protection Act 2018 and was fined £5,000 and ordered to pay a victim surcharge and court costs.


More Posts

Send Us A Message