The Polish data protection authority has fined ClickQuickNow €47,126.97 for violating the General Data Protection Regulation (GDPR) by requiring too difficult a process for revoking consent.

The process in question first showed the person a message saying “Your withdrawal of consent today […]!” and then required the person submitting the withdrawal of consent to state the reason for the request.

Only after this did the company tell the person how consent could actually be withdrawn.

The data protection authority took issue with a number of things:
  1. It must not be more difficult to withdraw consent than to give it, and this process was neither quick nor simple.
  2. Most people read a message such as “your withdrawal of consent today…” as confirmation that consent has already been revoked, so they would not think any further step was needed; as a result, consent was not effectively revoked.

Details from the Polish data protection authority.

The auto-complete function is not prohibited by GDPR, says the Danish data protection authority.

  • The search function automatically suggested search terms, including the complainant’s name.
  • The purpose of the function was to offer a better service to citizens.
  • The municipality also stated that when a user performs a search, only the entered keyword is stored in the search engine.
  • All keywords are stored as plain text strings, so the feature cannot in practice distinguish whether a keyword is a personal name or something else.
  • Built-in functionality ensures that no social security numbers are displayed.

Datatilsynet DK held that the processing of the complainant’s name for the auto-complete function is permitted, since the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Art. 6(1)(e) GDPR); the search function serves as a tool supporting the municipality’s compliance with its general duty of guidance towards citizens.

Details from Datatilsynet.

“Regulators ordered China’s app developers and third-party service providers to halt illegal collection and use of personal data in a sweep targeting some of the country’s largest apps,” reports TechNode.com.

“The latest crackdown signals the government’s determination to clean up unauthorized data collection from any and every company violating data privacy laws, particularly bigger players.”

“The platforms have until Nov. 10 to carry out self-inspections and make changes.” Authorities will take action against non-compliant apps during the first three weeks of December, and they face suspension or even blacklisting.

In a complaint, the Federal Trade Commission alleges that between January 2017 and October 2018, RagingWire Data Centers, Inc. claimed in its online privacy policy that the company participated in the Privacy Shield framework and complied with the program’s requirements, even though it had allowed its certification to lapse in January 2018.

The Department of Commerce warned RagingWire twice to either remove the claims or take steps to recertify its participation in the Privacy Shield program. The company, however, failed to recertify until it was contacted by the FTC in October 2018.

The FTC also alleges that while RagingWire was a participant of the Privacy Shield program, the company failed to comply with the following requirements:

  • to verify annually that it had made accurate statements about its Privacy Shield privacy practices
  • to maintain a dispute resolution process for consumers who had privacy-related complaints about the company
  • to affirm to the Department of Commerce that it would continue to apply the Privacy Shield protections to personal information collected while participating in the program

Details from the Federal Trade Commission.

Information and Privacy Ombudspersons and Commissioners from across Canada are urging their governments to modernize access-to-information and privacy laws, some of which have not been updated in 35 years. Their joint resolution calls for:

  • a legislative framework to ensure the responsible development and use of artificial intelligence and machine learning technologies
  • all public and private sector entities engaged in handling personal information to be subject to privacy laws
  • enforcement powers, such as legislating order-making powers and the power to impose penalties, fines or sanctions
  • the right of access to apply to all information held by public entities, regardless of format

Read the full statement.

Democratic U.S. Reps. Anna Eshoo and Zoe Lofgren have announced the Online Privacy Act, a proposal that would create a federal enforcement agency to protect privacy rights.

“The bill proposes the creation of the Digital Privacy Agency (DPA) that would have the power to enforce privacy rights for users and make sure companies follow the law. The independent agency would be funded for up to 1,600 employees and could impose damages up to the same maximum amount as the FTC’s, which is $42,530 per incident, according to a fact sheet from the representatives’ offices.”

Key provisions include:
  • individuals’ rights to access, correct, delete and transfer data about them
  • the right to choose how long a company may keep the data
  • the right to request “human review of impactful automated decisions”
  • opt-in consent before users’ data is used for machine learning or artificial intelligence algorithms
  • a requirement to obtain consent before disclosing or selling personal information
  • a prohibition on “dark patterns” that can mislead users into giving consent

Details from CNBC.

The Information Commissioner of the Isle of Man has issued guidance on “accountability” under GDPR.

Key takeaways:

  • You need to develop, embed and maintain a culture of data protection in your processing activities, with compliance demonstrably supported from the top.
  • All processing of personal data should be subject to overview, governance and demonstrable compliance.
  • Key components:
    • Effective data protection policies and procedures, in particular regarding security arrangements
    • Records of processing activities
    • Ongoing review and testing of security arrangements, and compliance with policies and procedures.
    • Providing staff appropriate and regular training in the relevant policies and procedures.
    • The appointment of an autonomous data protection officer (DPO)
  • Regular monitoring, review and revision is required to ensure that processes, procedures and documentation remain fit for purpose, reflect the realities of the processing undertaken and are adhered to by staff, processors and others.

Read the full guidance.

Do the draft CCPA Regulations make a big difference in compliance costs when it comes to privacy notices? The Standardized Regulatory Impact Assessment (SRIA) of the draft regulations’ economic impact says – maybe not.

The SRIA issued together with the draft regulations does not identify any incremental economic impact from the provisions on privacy notices, stating that the proposed requirements are what businesses would likely do anyway.

“Because notification requirements are required under the CCPA, the economic impacts of developing these notifications are part of the regulatory baseline. The DOJ regulations provide guidance to businesses on how they must structure the notification requirements but the resources required to do this are not likely to be different than what businesses would otherwise do to meet CCPA requirements.”

Other sections of the regulations are expected to carry costs (see the cost chart in the SRIA; image not reproduced here).

The California Attorney General considered and rejected the creation of a safe harbor exemption from the CCPA for businesses that are already complying with GDPR, says the statement of reasons that accompanies the draft CCPA Regulations.

“The Attorney General rejected this alternative because CCPA and GDPR have different requirements, different definitions, and different scopes. For example, GDPR prohibits collection without express consent; CCPA does not prohibit collection. GDPR does not have a right to opt-out of sale; the right to opt-out is a core right of CCPA. GDPR applies to both public and private sector entities; CCPA only applies to specific types of business.

Because of this incompatibility, the Attorney General determined that a safe harbor would not effectively further the purposes of the CCPA. In addition, both laws are relatively new, and thus, carving out a safe harbor so early in their existence appears premature.”

Get the latest info on CCPA rulemaking.

The Dutch DPA has issued guidance on the use of “legitimate interest” as a legal basis for processing data under GDPR.

Key takeaways on what constitutes “legitimate”:

  • The interest must be grounded in a written or unwritten rule or principle of law.
  • Merely serving the interests of society, purely commercial interests, profit maximization, or tracking the behavior of employees or the (buying) behavior of (potential) customers is not, by itself, a legitimate interest.
  • This position does not seem to be in line with positions previously expressed in the EU.
  • For example, per the United Kingdom Information Commissioner’s Office, individual interests or broader societal benefits may be legitimate interests.
  • The Article 29 Working Party, in its opinion WP217, recognized legitimate interest as applying to certain types of marketing activities.

Per the Dutch DPA, Autoriteit Persoonsgegevens, legitimate interests can include:

  • protecting property from imminent danger
  • protecting privacy
  • preventing infringement of a personality or property right
  • litigating and/or defending a legal claim
  • combating fraud or unlawful conduct
  • holding someone liable for damage
  • informing existing customers about similar products or services
  • protecting computer systems
  • fulfilling duties of care towards employees and/or customers
  • complying with legal obligations