We bring you a round-up of articles and updates in the data sphere.
In its Opinion published on the European Commission’s Proposal for a Directive on recovery and confiscation of assets, the EDPS recognises that processing personal data in this context is liable to have a significant impact on the individuals concerned and constitutes an interference with individuals’ rights guaranteed by the EU Charter of Fundamental Rights, including the right to data protection.
The Department of Health has been formally reprimanded, and the government warned that its use of WhatsApp has “the potential to lead to important information around the government’s response to the pandemic being lost or insecurely handled”. The Information Commissioner’s Office (ICO) has called for a review into the way government officials use private messaging channels to conduct official business. The private messaging channels include apps like WhatsApp as well as personal email accounts, which have been tied to MoD security breaches and to Russian hackers stealing trade talk papers. It comes as the ICO publishes the results of a year-long investigation into how ministers at the Department of Health behaved during the pandemic, which found there was “extensive use of private correspondence channels by ministers, and staff”.
IAPP reports that authors of the proposed American Data Privacy and Protection Act released an amended version of the bill ahead of the U.S. House Committee on Energy and Commerce’s July 20 markup session. Notable updates include changing the private right of action’s effective date from four years to two years post-adoption, enforcement tweaks related to the authority of the U.S. Federal Trade Commission and the California Privacy Protection Agency, and technical changes to the definitions for “covered entity” and “service provider.” Committee members also offered several additional amendments ahead of the markup.
As well as providing more details about how information is collected, shared and used, and what types of information are involved, it offers users the option to manage their privacy using settings and options if they do not wish to accept the Terms of Service.
They state plainly that ‘We do not sell and will not sell your information’.
The policy is intended to be clearer and easier to understand and provides links to the necessary settings to set preferences.
It also provides more specifics about the types of partners that the information is shared with, and where they receive information from.
It further explains in more detail how and why the information is shared across products and companies, to help people understand how practices apply, and includes up-to-date information about the newer products, such as Shops and Facebook View.
Following a six-month listening exercise in early 2022 to reach out to businesses, organisations and individuals about their experiences of working with the ICO, the new strategic plan, ICO25, was published this month.
ICO25 describes the ICO’s purpose, objectives and values and the shift in approach it aims to achieve through the life of the plan. It gives clarity about the risks and opportunities needing the most urgent attention, to focus efforts for the long term, with priorities for the next 12 months.
The plan sets out:
The EDPB adopted a set of criteria to assess whether a cross-border case may qualify as a case of “strategic importance” for closer cooperation. The Board also adopted a procedure detailing the steps to be taken following identification of a strategic case.
At a high-level meeting in Vienna in May 2022, EDPB members agreed to further enhance cooperation on strategic cases, and to diversify the range of cooperation methods used. In particular, it was decided that EDPB members will collectively identify cross-border cases of strategic importance in different Member States on a regular basis, for which cooperation will be prioritised and supported by the EDPB. More information can be found in the EDPB’s Statement on Enforcement Cooperation.
The ICO and NCSC stand together against ransomware payments being made and have released a joint letter. The NCSC and the ICO ask the Law Society to remind its members that they should not advise clients to pay ransomware demands should they fall victim to a cyber-attack.
Paying ransoms to release locked data does not reduce the risk to individuals, is not an obligation under data protection law, and is not considered a reasonable step to safeguard data.
The ICO has clarified that it will not take payment of a ransom into account as a mitigating factor when considering the type or scale of enforcement action. It will, however, consider early engagement and co-operation with the NCSC positively when setting its response.
Spain: Spain has launched a pilot for a Regulatory Sandbox on Artificial Intelligence. By the end of the year, it will open a call for organizations to participate in the sandbox, focusing on high-risk AI across various verticals. Companies’ solutions will be tested in three-month iterations over the course of one year.
Luxembourg: Luxembourg becomes the first country to introduce a certification mechanism according to the GDPR criteria. The National Data Protection Commission (CNPD) has adopted its certification mechanism, GDPR-CARPA, which is the first certification mechanism to be adopted on a national and international level under the GDPR, with a view to allowing data controllers and processors to demonstrate compliance of their personal data processing operations with the requirements of the GDPR.
EU: The European Data Protection Board (EDPB) adopts guidelines on certification as a tool for transfers.
US: Roe v. Wade’s overturn: The impact on data protection and law enforcement
UK: Impact of fines on the public sector to be reduced – An open letter from UK Information Commissioner John Edwards to public authorities