Massive fine for Uber
The Netherlands’ data protection authority fined Uber EUR 290 million for transferring European drivers’ personal data to the US in violation of the EU’s General Data Protection Regulation (“GDPR”). The authority found that Uber made the transfers without appropriate safeguards, and that the transferred data included health information, which the GDPR classifies as a special category of (sensitive) personal data. The investigation was launched after a French human rights organization filed a complaint on behalf of more than 170 drivers in France.
European Parliament faces data breach
The European Data Protection Supervisor (“EDPS”) is investigating the European Parliament for alleged breaches of the GDPR involving around 8,000 candidates who used the recruitment application “PEOPLE” (controlled by the Parliament’s human resources department). The sensitive data compromised allegedly included “identity cards and passports, criminal record summaries, residence documents and even marriage certificates revealing a person’s sexual orientation”. The EDPS states that Parliament refused to delete the data despite a formal request made by a complainant.
Software provider faces fine after massive data breach
The UK Information Commissioner’s Office (“ICO”) has issued a provisional penalty of approx. EUR 7 million against NHS software provider Advanced Computer Software Group (“Advanced”). The data breach involved the sensitive personal information of more than 80,000 people, including medical records, and details of how to gain entry to the homes of 890 people receiving care at home. The ICO’s provisional findings are that Advanced failed to implement appropriate security measures before the attack, but no final decision has been made. Advanced may make representations on the provisional findings before the penalty is finalized, so the amount and the findings may still change.
State of Texas sues General Motors
Texas has filed a lawsuit against General Motors alleging that the company installed technology in over 14 million vehicles that collected driving data and sold it to insurers and other companies without obtaining the drivers’ consent. According to the Texas Attorney General, the data was used to create “Driving Scores” assessing the driving habits of 1.8 million Texans, including behaviors such as speeding, sudden braking, sharp turns, non-use of seatbelts, and late-night driving. Insurers could then use this information to raise premiums, cancel policies or deny coverage. The lawsuit seeks the destruction of the improperly collected data, compensation for affected drivers, civil penalties, and other remedies under the Texas Deceptive Trade Practices Act.
More penalties in Spain
Spain’s data protection authority fined a legal consultancy EUR 145,000 after an unencrypted USB drive containing case information was stolen. The firm, which notified the breach 13 days after the theft (well beyond the 72-hour deadline in Article 33 GDPR), was found to have failed to take adequate technical and organizational measures. The authority also treated the lack of encryption on the USB drive as a breach of the confidentiality principle and as an aggravating factor in calculating the fine: encryption would have made the stolen data unreadable to the thief.
In another decision, a data controller was fined EUR 20,000 (ultimately reduced to EUR 3,000) for violating the principle of data minimization by requiring a photocopy of ID for age verification on entry to events; checking the ID visually would have served the purpose without retaining a copy. The authority also noted that the applicable data processing and retention policy was outdated, and that the controller had failed to fulfil its obligation to inform data subjects.
EU and China open negotiations on data transfer disputes
The EU and China have held their inaugural discussions under the Cross-Border Data Flow Communication Mechanism. Regulatory uncertainty was a key theme, both in addressing the challenges arising from data transfers in sectors such as finance, insurance, pharmaceuticals and ICT and in improving EU companies’ understanding of Chinese data protection laws. A key issue is the definition of “important data” under China’s 2022 Measures for Security Assessment of Data Export, which remains unclear to EU companies operating in the country.
Denmark emphasizes free will
Denmark’s data protection authority has ruled that explicit consent to a facial recognition system controlling entry to and exit from a gym cannot be considered freely given when the data subject has not been offered an alternative that does not involve the processing of their biometric data.
The data controller confirmed that, without the member’s explicit consent to the system, gym access was only possible during staffed opening hours. The authority ruled that this restriction deprived members of a genuine choice, so the consent was not freely given, and issued a reprimand to the data controller. The authority also confirmed that, as of the date of the decision, data subjects were adequately informed of the alternatives and valid consents could be obtained.
Chile adopts data protection law
Chile adopted a GDPR-aligned data protection law on 26 August 2024, which will enter into force after a transition period of 2 years. This opens the way for the European Commission to consider an adequacy decision recognizing Chile as providing an adequate level of personal data protection, which would facilitate data transfers from the EU without additional safeguards.
Saudi Arabia publishes standard contracts
Saudi Arabia’s data protection authority has published draft standard contracts for the transfer of personal data abroad. The documents were open for public consultation until 30 August 2024, during which time the authority collected public comments. Publication of the final versions is expected in due course.