France gets ready for the Olympics
France’s data protection authority has published a Q&A on the processing of personal data during the 2024 Paris Olympics. It contains information on the collection and processing of personal data gathered by technology such as augmented cameras based on CCTV cameras, QR code-based passes, and ticketing systems based on the collection of personal data.
Italian authority imposes fines
Italy’s data protection authority has imposed a fine of EUR 75,000 on a hospital that processes health data for purposes other than providing healthcare services to the data subject. The authority reminded the hospital that processing data for purposes other than providing healthcare services requires the specific consent of the data subject.
The authority drew attention to the distinction between a “medical record”, which is a document that records a person’s medical condition during hospitalization and does not require explicit consent, and a “health dossier”, the sole function of which is to improve the patient’s medical condition and which requires explicit consent. It found that data subjects’ health dossiers were accessed by doctors other than their own doctor. The data controller was penalized despite stating that the data was shared with other doctors to improve the care of other patients with the same condition.
The authority also fined a company EUR 100,000 for unlawful processing of telephone numbers for telemarketing purposes. It further stated that a data controller may not assign its responsibilities and obligations under the GDPR to a processor through a contract.
Meta pixel creates privacy problem
Sweden’s data protection authority fined a bank approximately USD 1.5 million for using a Meta pixel on its website and app which transferred information about its customers’ securities holdings and account numbers to Meta. The bank confirmed that it deleted the offending Meta pixel when it became aware of the issue and that Meta deleted the data collected and transferred using the tool.
French Court rejects games company’s appeal
The French Supreme Administrative Court rejected a video game company’s appeal against a EUR 3 million fine imposed on it by the French data protection authority for failing to obtain data subjects’ consent to the collection of personal data for advertising purposes. The court held that the authority had not disregarded the principle of legality and proportionality of penalties in imposing the fine.
The fine was imposed on the grounds that the data controller did not obtain explicit consent from data subjects for advertising on Apple devices. The authority further granted the data controller a period of 3 months to bring its data processing into compliance with the law with a fine of EUR 20,000 imposed for each day of non-compliance.
California Attorney General’s Office settles
California’s Attorney General’s Office announced a USD 500,000 settlement with a mobile game developer for allegedly collecting and sharing children’s data without parental consent in violation of the California Consumer Privacy Act and the Children’s Online Privacy Protection Act (“COPPA”).
TikTok investigation assigned to the DoJ
The US Federal Trade Commission (“FTC”) has referred its investigation into TikTok’s data practices to the Department of Justice (“DoJ”) for alleged violations of COPPA, with the filing of a lawsuit anticipated. The FTC announced that the investigation was opened following inquiries conducted after a 2019 settlement with TikTok’s parent company ByteDance.
Switzerland declared a qualifying state by the US
The US Attorney General (“AG”) has declared Switzerland a qualifying state for data transfer based on the Swiss-US Data Privacy Framework. The AG emphasized that Swiss law requires appropriate safeguards in signals intelligence activities to allow the transfer of US citizens’ personal data from the US to Switzerland.
Competition and data privacy synergies under scrutiny
The Organization for Economic Cooperation and Development (“OECD”) has published a working paper exploring the interaction between competition and data privacy, which considers whether data protection authorities should consider competition issues in their decisions and how synergies can be enhanced.
Spanish authority fines bank for breach of accuracy principle
Spain’s data protection authority fined a bank EUR 200,000 for breach of the principle of keeping data accurate and up to date. The authority announced later that it had reduced this fine to EUR 120,000. The data subject stated that the bank requested that another company add his personal data to a solvency file. The subject further indicated that this addition was made without adequate prior notification and that the address provided for notification was incorrect. The authority decided that a violation of the accuracy principle had occurred.
EDPS publishes guidelines
The European Data Protection Supervisor (“EDPS”) has published guidelines on privacy considerations for European Union institutions in the development and use of generative AI. These are intended to help organizations comply with their data protection obligations such as data protection impact assessments.