Data Processors beware.

France’s CNIL issued an enforcement action against both a data controller (150,000 EUR) and a data processor (75,000 EUR) for inadequate information security measures leading to a credential-stuffing attack.

The attackers were able to take the last name, first name, email address, DOB, loyalty card balances and orders of approximately 40,000 individuals.

The United Kingdom’s Information Commissioner’s Office published its action plan for 2021.

Areas of focus include:
  • the Age Appropriate Design Code,
  • data sharing,
  • data broking,
  • the use of sexual crime victims’ personal information,
  • adtech, including audits focused on digital marketing platforms.
Additional guidance is forthcoming on:
  • political campaigning,
  • facial recognition,
  • codes of conduct and certification

Automated vehicle manufacturers beware: Blurred images can still be personal data under the European Union’s General Data Protection Regulation (GDPR), says French Data Protection Authority CNIL in a statement on the use of drones by French police.

If information is blurred only after it is collected, and blurred flows can be accessed in clear images

The Spanish Agencia Española de Protección de Datos (AEPD) has issued a press release on the data protection implications of ‘IoB’ (internet of body) devices. These are devices connected to the Internet that monitor and/or act on vital signs, biometric data, and health indicators (e.g. physical activity, sleep quality, and sports activity).

IoB devices include external,

In atypical 2020 fashion, Santa actually gave the UK the #1 present on its Christmas list: adequacy for cross-border data transfers from the EU as part of an overall trade deal.

Bloomberg reports the deal will include an interim solution for a maximum of 6 months while the European Commission considers a full adequacy decision for

Norway’s Datatilsynet does not mince words in its Brexit guidance:

“On 31 December 2020, the Brexit transition period will end. This means, among other things, that anyone who transfers personal data to the United Kingdom after this date must follow the rules on the transfer of personal data to third countries.”

“If the European Commission

“Increased usage of consumer products and industrial devices connected to the internet will also raise new risks for privacy, information- and cybersecurity, including increasingly potential impacts on the integrity and availability of products and data, which can directly affect safety,” says the Council of Europe in its “Conclusions on the cybersecurity of connected devices.”

Additional

The European Data Protection Board has issued guidance on its Coordinated Enforcement Framework (CEF). The CEF provides a structure for coordinating recurring annual activities by EDPB Supervisory Authorities. The annual coordinated action focuses on a pre-defined topic which participating SAs may pursue using a pre-defined methodology

  • The CEF is the foundation on which the annual