General Data Protection Regulation (GDPR)

“Complying with GDPR and ethical considerations when developing a digital service is actually a ‘win win situation.'” – says Forbrukerrådet’s eloquent Finn Lützow-Holm Myrstad in a conversation with IAPP – International Association of Privacy Professionals’ Jedidiah Bracy.

Some key points:
  • If you don’t collect the data, it can’t be peaked or misused. If there is

France’s CNIL, Commission Nationale de l’Informatique et des Libertés, has issued guidance on data protection in the use of chatbots.

Key Takeaways
  • Consent for cookies isn’t necessary if they are strictly required to operate the chatbot, but is required for all other cookies.
  • Retain the data only for as long as required for the purpose.

“The Spanish Agencia Española de Protección de Datos – AEPD has launched the DIGITAL PACT FOR THE PROTECTION OF PEOPLE , an initiative that aims to promote a firm commitment to privacy in the sustainability policies and business models of organizations”

“Among the principles that are collected is to promote transparency so that citizens know

Data Processors beware.

France’s CNIL issued an enforcement action against both a data controller (150,000 EUR) and a data processor (75,000 EUR) for inadequate information security measures leading to a credential-stuffing attack.

The attackers were able to take the: last name, first name, email address, DOB, loyalty card balances and orders of approximately 40,000 individuals.

The United Kingdom’s Information Commissioner’s Office published its action plan for 2021.

Areas of focus include:
  • the Age Appropriate Design Code
  • data sharing.
  • data broking,
  • the use of sexual crime victims’ personal information,
  • adtech, including audits focused on digital marketing platforms.
Additional guidance is forthcoming on:
  • political campaigning
  • facial recognition,
  • codes of conduct and certification

Automated vehicle manufacturers beware: Blurred images can still be personal data under the European Union’s General Data Protection Regulation (GDPR),  says French Data Protection Authority CNIL in a statement on the use of drones by French police.

If information is blurred only after it is collected, and blurred flows can be accessed in clear images

Norway’s Datatilsynet does not mince words in its Brexit guidance:

“On 31 December 2020, the Brexit transition period will end. This means, among other things, that anyone who transfers personal data to the United Kingdom after this date must follow the rules on the transfer of personal data to third countries.”

“If the European Commission