The EU adopts a new Digital Services Act, and the long-awaited EU-US Privacy Framework is on its way as US President Biden signs the executive order to implement it. State-level privacy laws are also advancing at a steady pace, with draft regulations published in Colorado and California. Here are all the top stories that we don’t want you to miss.


EU adopts Digital Services Act

The Digital Services Act was signed into law on October 19 and formally published on October 27, 2022, and will start being enforced on February 17, 2024. The DSA aims to ensure the “proper functioning of the internal market” and protect EU citizens’ fundamental rights such as the protection of personal data and non-discrimination. The requirements have been adapted to the nature and size of a platform, and large platforms and search engines will have to meet stricter requirements. Violations are punishable with a fine of up to 6% of the platform’s annual turnover.


US to implement the EU-US Data Privacy Framework

US President Joe Biden recently signed an executive order to allow for the transfer of personal data between the EU and the US. The new mechanism, called the EU-US Data Privacy Framework, is intended to replace the defunct EU-US Privacy Shield. The Executive Order seeks to address the European Court of Justice’s concerns with the Privacy Shield and restricts US intelligence agencies from processing the personal data of EU citizens.


Australia to bring privacy reforms

Australia has confirmed privacy reforms to strengthen its online privacy laws in the wake of data breaches in recent months. Australia relies on the Privacy Act 1988 to issue fines, which can go up to a maximum of AU$2.22 million. In October, Attorney General Mark Dreyfus introduced the Privacy Legislation Amendment Bill 2022 to parliament to increase the maximum fine to AU$50 million and grant additional powers to Australian authorities to regulate data breaches.


Meta fined $18.6m by Turkish regulator

Turkey’s competition authority has fined Facebook-parent Meta Platforms $18.63 million for violating the country’s competition law. According to the Authority, Meta merged the data collected from its three applications – Facebook, Instagram and WhatsApp – and created barriers for competitors to enter the market. The authority launched an investigation in 2021 when WhatsApp forced its users to agree to let Facebook collect user data such as phone numbers and locations, a change that was also rolled out globally.


CPPA publishes the second draft of CPRA regulations

The California Privacy Protection Agency reviewed and published the second version of the draft California Privacy Rights Act (CCPA) regulation that was previously in September 2022. The proposal identifies additional areas for the CPPA Board to consider, including notice at collection, limits on selling and sharing personal data, contract requirements for service providers and regulating B2B and employee data.


Retailer Easylife fined £1.5 million for data breaches

The UK’s Information Commissioner’s Office (ICO) has levied a £1.5m fine against Easylife, a home and garden catalogue retailer, for two different violations. The ICO claimed that Easylife used the personal information of its customers without their consent to target them with health-related products, and violated Article 5(1)(a) of the GDPR. The company was also fined for violating regulation 21 of the Privacy and Electronic Communications Regulations 2003 (PECR) after it made unsolicited direct marketing calls to individuals.


UK pauses data reform bill to rethink how to replace GDPR

The UK government has paused its new post-Brexit data legislation, the Data Protection and Digital Information Bill, which it had introduced in recent months. The brakes were applied following the current flux of political changes in the UK. Earlier in the month, Culture Secretary Michelle Donelan announced that the UK government would be replacing the GDPR, which the UK had “inherited” from the European Union.


A first look at the Colorado Privacy Act Proposed Rules

The Colorado Attorney General’s Office has published the proposed rules to implement the Colorado Privacy Act (CPA), which will go into effect on July 1, 2023. The draft rules cover in detail a range of topics about consumer-facing compliance mechanisms such as disclosures, data subject requests and opt-out mechanisms, handling sensitive data, data minimization and purpose limitations.


TikTok users receive payments from lawsuit

TikTok users in the US who created videos before September 30, 2021, began receiving payments between $27.84 and $167.04 in October as part of a $92 million class-action data privacy settlement against the social media company. Illinois residents received the highest sums when TikTok was sued for violating the state’s strict biometric data laws for disclosing biometric information and private data to third parties. The lawsuit “asserted a variety of common law and other types of claims” in state and local courts to maximize the number of people who could receive the payout.


Fashion brand Shein fined $1.9m for data breach

Zoetop, the owner of fast fashion brand Shein and its sister brand Romwe, has been fined $1.9 million by the state of New York for failing to disclose a data breach which affected 39 million customers. The security breach, which took place in July 2018, saw hackers gain unauthorized access to Shein’s payment systems. As per New York’s attorney general’s office, Zoetop lied about the extent of the breach and had notified “only a fraction” of affected customers.