Two-minute Recap of Data Protection Law Matters Around the Globe – October 2024

Pinterest may be under fire

The advocacy group NOYB filed a complaint with the French Data Protection Authority alleging that Pinterest processes users’ data without their consent and enables tracking for advertising purposes by default. NOYB emphasized that the EU’s General Data Protection Regulation (“GDPR”) requires users to be given the option to opt out. NOYB stated that Pinterest uses data from approximately 130 million European users to display personalized ads.

 

Huge fine on LinkedIn

The Irish Data Protection Commission has imposed a fine of EUR 310 million on LinkedIn. This penalty was issued for violations of the GDPR. The infractions primarily concern how LinkedIn collected, processed, and stored user data without proper consent. The authority highlighted that LinkedIn had been gathering personal data from users without obtaining the necessary permissions and failed to adequately protect this data. The significant size of the fine underscores LinkedIn’s responsibility and the seriousness of data protection regulations. This ruling serves as a warning to other technology companies regarding the importance of user privacy and secure data handling. The response from LinkedIn and the measures they will take to address these issues are now being closely watched. In addition to the fine, LinkedIn was given three months to bring its European operations into compliance with the GDPR.

 

The clinic received the fine

The Spanish Data Protection Authority fined a plastic surgery clinic EUR 10,000 for illegally sharing before-and-after photos of a data subject on its social media account. The authority emphasized that the images contained health data under the GDPR.

 

Meeting with countries with adequacy decisions

On 8 October 2024, the European Data Protection Board (“EDPB”) convened with commissioners and representatives from data protection authorities of the fifteen countries that have received an EU adequacy decision. This meeting occurred alongside the EDPB’s October plenary and demonstrates the Board’s dedication to international collaboration. The European Commission (“EC”) has currently acknowledged the following countries as adequate: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the United Kingdom, Uruguay, and the United States.

 

Warning decision is issued

The Danish Data Protection Authority has issued a warning decision stating that an app developer acts as a “data controller” and the user of the app acts as a “joint data controller” by integrating their services into the app. The authority warned the app developer, as data controller, to review and change its data processing practices within the app to ensure that no more data is processed than necessary and that all data processing is lawful, fair and transparent.

 

Toolkits released

The UK’s data protection authority (“ICO”) has published a toolkit to help organizations comply with key requirements in data protection laws. The nine tools focus on topics such as record management, data sharing, accountability, personal data breach management, artificial intelligence and age-appropriate design.

 

Police service subjected to a data breach

The ICO has fined the Police Service of Northern Ireland nearly EUR 750,000 for a data breach affecting all employees. The data exposed through the accidental sharing of an Excel file included police officers’ surnames and initials, job role, rank, grade, department, location, contract type, gender and staff number.

 

Employer fined for disclosing employee’s e-mail box

Italy’s Data Protection Authority has fined an employer EUR 80,000 for accessing a former employee’s e-mail box to investigate the disclosure of trade secrets. The decision stated that the data subject was not informed about the retention period of the backed-up e-mail data under the GDPR and that the company procedures did not include information about possible inspections of e-mails, backups and other data/devices.

 

Fine for unauthorized access to files

Norway’s Data Protection Authority has fined Agder University EUR 12,700 for lack of technical and administrative measures after some personal data stored in a Microsoft Teams folder became freely accessible to around 1,200 employees and 12,000 students.

For detailed information, you may reach us:

EBRU TEMİZER

IRMAK SEYMEN VARAT

SERAY APAK
