The world of data privacy is changing constantly. Many countries are bringing their laws in line with the standards set by Europe’s GDPR, including, most recently, China. Meanwhile, the UK is set to move away from the GDPR as part of its post-Brexit shake-up. The month also saw the biggest GDPR fine slapped on Amazon, as Big Tech continues to attract privacy fines from regulators worldwide.

Read the important stories in this Privacy Roundup for August. We will be back with the top stories next month!


UK wants to reshape data privacy laws, diverge from GDPR

We wrote in July about how the UK may scrap GDPR. Now the UK government has unveiled a plan to ditch the EU data protection laws as part of a post-Brexit privacy overhaul that would allow companies to sell customer data to foreign countries. Culture Secretary Oliver Dowden said the UK would move away from GDPR and allow data to be treated like “oil”. He added that the new framework will help cut costs for businesses and enable “greater innovation”.

The UK Government is also set to appoint John Edwards as the new Information Commissioner, who will be in charge of the post-Brexit changes to the data protection rules.

Read more about the UK’s planned divergence from GDPR.


Forrester’s Consumer Data Privacy report for the Asia Pacific

Forrester collaborated with Campaign Asia-Pacific and the World Federation of Advertisers (WFA) to survey marketers, publishers and media agencies in APAC. The report noted that while 88% of marketers understand the importance of privacy, the adoption of privacy-friendly practices is low:

  • Only 59% of marketers in APAC fulfil the minimum requirements to comply with data privacy regulations. 
  • 30% have a dedicated strategy to communicate with consumers about data privacy. 
  • 43% of marketers rely on third-party cookies for their marketing.
  • 55% of media agencies say they’re concerned or very concerned about the third-party cookie phaseout. 

Read the Forrester report on the state of privacy in the Asia Pacific.


Microsoft data breach exposes 38 million records

More than 1,000 web applications using Microsoft’s Power Apps have collectively leaked millions of records containing sensitive personal information, a cybersecurity firm has revealed. UpGuard, the company which first raised the alarm, warned 47 organisations including Ford, American Airlines, the New York Metropolitan Transportation Authority, Maryland’s health department and the entire state of Indiana (US), that they had been exposed.

The data leak led to the exposure of at least 38 million records, including sensitive personal data such as data related to Covid-19 vaccinations, contact tracing and testing appointments.

Read UpGuard’s report on Microsoft’s data leak.


Apple’s controversial tool against child abuse

Apple has announced three changes that will roll out in 2021. The first is a parental control option for the iMessage app that will obscure sexually explicit pictures for users under 18 and alert parents if a child under 12 sends/views such images. 

The second is a feature that scans iCloud Photos to find child sexual abuse material, or CSAM, and reports it to Apple moderators. The third is an update to Apple’s Search app and Siri for parents and children if they encounter unsafe content.

Privacy and security advocates have raised concerns that government and law enforcement agencies can use these updates to create surveillance systems, and have criticized Apple for compromising on end-to-end encryption.

Read more about Apple’s new image-scan update here.


Amazon fined a record $887 million for GDPR violation

Luxembourg’s National Commission for Data Protection, or CNPD, has slapped a €746 million or $887 million fine on Amazon Europe Core, claiming that Amazon’s processing of personal data did not comply with the EU General Data Protection Regulation. The fine seems to have been imposed for using consumers’ personal data for targeted advertising.

Luxembourg’s €746 million fine is by far the highest fine under GDPR, well above the €50 million fine imposed on Google, which held the record for the highest GDPR fine. The fine amount was revealed in Amazon’s Q2 earnings report. Amazon has objected to the fine and noted that it would appeal in court.

Read more about the whopping fine here.


South Korea fines Facebook for privacy violation

South Korea’s government data protection watchdog, the Personal Information Protection Commission (PIPC), has fined Facebook $5.5 million for creating and storing facial recognition data of 200,000 users without proper consent between April 2018 and September 2019. Facebook has been ordered to destroy facial information and is prohibited from processing identity numbers without a legal basis.

This is the second-largest fine ever issued by the regulator. The largest fine of $5.7 million also went to Facebook for sharing the personal data of users with other operators without their permission. Netflix also received a fine of $188,000 for collecting personal data from 5 million people without their consent and another $2,700 for not disclosing international data transfer.

Read more about South Korea’s privacy fines here.


Zoom violates GDPR, claims German data protection watchdog

Germany’s lead data protection authority has noted that Zoom’s data transfer violates the Schrems II decision of July 2020. The Schrems II judgement invalidated the EU-US agreement on data transfers, known as the Privacy Shield, due to concerns over US state and law enforcement agencies using it for surveillance. As a result, companies must take additional steps to justify their use of Standard Contractual Clauses (SCCs), including conducting additional risk assessments, which the watchdog claims Zoom has failed to implement.

In a new press release, the acting Hamburg Commissioner for Data Protection and Freedom of Information, Ulrich Kühn, warned members of the German government not to use the video-conferencing tool.

Take a look at the press release here.


China's New Data Privacy Law

On August 20, 2021, China passed its first comprehensive data privacy law, the Personal Information Protection Law (PIPL), which is set to take effect on November 1. The law requires companies to adhere to certain data protection principles, including data minimization and purpose limitation, and requires businesses to give users a choice over how their information is or isn’t used, such as the ability to opt out of targeted advertising.

The PIPL applies to organizations, whether they do business in China or outside of China, that collect, store, use, transmit, provide, or otherwise handle personal information belonging to individuals residing in China. Violators can be fined up to 50 million Yuan (≈ $7.7 million) or 5% of annual revenue.

Here’s a detailed guide to PIPL and how it applies to businesses.


Google restricts ad targeting for under 18

Google will no longer allow ad targeting of children based on their age, gender, or interests. The search engine announced that it will turn off its location history feature, which tracks location data, for users under 18. It will expand safeguards to prevent age-sensitive ad categories for teens and will make SafeSearch the default for existing users under 18.

Google is also introducing a new removal option for all under-18s which will enable them and their parents/guardians to request the removal of their images from Google image results. The changes are similar to Facebook’s recently introduced feature which sets Instagram accounts for kids under 16 to private by default.

Learn about Google’s new privacy-friendly updates on their blog.


Colorado becomes the third US state to adopt data privacy law

Colorado passed the Colorado Privacy Act (CPA), which is set to take effect in July 2023. The CPA gives consumers the right to access and control certain types of personal data that businesses collect and also adopts GDPR’s concept of data processors and data controllers. The law gives consumers in Colorado five specific data rights: the right to access, correct and delete their personal data, the right to data portability, and the right to opt out of targeted advertising, sale of personal data, or “profiling”.

CPA is the third state-level data privacy law in the US, similar in scope to the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (CDPA). Although similar in structure and obligations to the CDPA and CPRA (amendment to CCPA), CPA does not exempt non-profit organizations and also does not apply to employee or business-to-business data.

Read the official text of the Colorado Privacy Act.