Two-minute Recap of Data Protection Law Matters Around the Globe – September 2024

The authority acts against deceptive cookie banners

The Belgian data protection authority has ordered four major news websites to bring their cookie banners into compliance with the General Data Protection Regulation (“GDPR”) after complaints from noyb, an Austrian non-profit data protection organization, about deceptive practices. The websites must now include a “reject” button on the first layer of their cookie banners and modify misleading button colors. Failure to comply could result in fines of EUR 50,000 per day, up to a total of EUR 10 million. This decision reflects a significant shift in the authority’s approach, emphasizing that consent is required for analytical cookies and rejecting previous justifications for non-enforcement.


Key updates to data protection toolkit

The National Data Guardian (“NDG”) and National Health Service (“NHS”) England have announced a significant update regarding the assessment of data security capabilities in health and social care organizations. Starting 2 September 2024, the NHS Data Security and Protection Toolkit (“DSPT”) will shift from the NDG’s 10 data security standards to the Cyber Assessment Framework (“CAF”) from the National Cyber Security Centre. This amendment aligns with the Department of Health and Social Care’s cyber security strategy for 2023 to 2030, aiming to enhance cyber resilience across sectors.

The NDG’s 10 standards have been crucial in safeguarding patient information by focusing on people, processes, and technology. While these principles will remain important, the evolving technology and cyber threat landscape necessitates a more advanced framework like the CAF.


Massive fine for Meta

The Irish Data Protection Commission (“DPC”) has fined Meta Platforms Ireland Limited (“Meta”) EUR 91 million following an inquiry that began in April 2019. This investigation was triggered when Meta reported that it had accidentally stored user passwords in plaintext, without any encryption. The DPC’s final decision, confirmed on 26 September 2024, found multiple violations of the GDPR, including failing to notify the DPC of the data breach, not documenting the breach, inadequate security measures to protect user passwords, and a lack of appropriate security measures for sensitive data.

Previously, in May 2023, Meta was fined EUR 1.2 billion by the DPC for improperly transferring data between Europe and the United States, marking the largest fine under the EU’s GDPR. In 2022, Meta faced another fine of EUR 265 million after data from 533 million users across 106 countries was leaked on a hacking forum, having been scraped from Facebook years earlier.


PIPC imposes fine on Worldcoin

South Korea’s Personal Information Protection Commission (“PIPC”) has fined the Worldcoin Foundation and its affiliate Tools for Humanity (“TFH”) approx. USD 829,000 for violating personal information protection laws. The investigation began in February after complaints about the collection of biometric data, including iris scans, without a legal basis.

The PIPC found that almost 30,000 South Koreans used iris authentication via the Worldcoin app, which had nearly 100,000 downloads. The foundation failed to inform users about the purpose of data collection, retention periods, and the transfer of data to foreign entities, as required by the Personal Information Protection Act. Additionally, there were insufficient procedures for deleting sensitive data and verifying the ages of users.


Telegram updates data sharing practices

Telegram will now disclose the IP addresses and phone numbers of users who violate its rules in response to valid legal requests. The platform’s website states that, upon receiving a judicial order confirming a user as a suspect, it may share this data with authorities. These disclosures will be included in transparency reports. Telegram may also collect metadata such as IP addresses and device information to combat spam and abuse.


A heavy penalty for a bank

The Polish data protection authority imposed a fine of approx. USD 1 million for a data breach at a bank. It is stated that the breach occurred when a bank employee accidentally sent customer documents containing a large amount of personal data to an unauthorized financial institution. Although the letter containing these documents was returned to the bank, the fine was imposed because the third-party financial institution may have accessed and read the contents of these documents.


The Greek DPA fines ministry

Greece’s data protection authority imposed a EUR 150,000 fine on the Ministry of Citizen Protection for GDPR violations related to new identity cards for Greek citizens. The decision followed complaints about the legality of data processing, particularly concerning biometric information and delays in responding to inquiries. The authority’s investigation revealed that the Ministry failed to conduct a required data protection impact assessment before processing sensitive data. The authority ordered the Ministry to document necessary data processing changes and adjust its procedures within six months to ensure compliance.


MoneyGram faces ICO investigation

The UK Information Commissioner’s Office (“ICO”) has launched an investigation into MoneyGram International following a data breach that has disrupted the company’s global operations since 20 September 2024. The ICO is examining the nature and extent of the breach, as well as MoneyGram’s compliance with data protection laws.

MoneyGram, which serves over 50 million customers worldwide, first reported connectivity issues on 21 September and later confirmed a cybersecurity incident that prompted it to take systems offline to mitigate damage. The company has engaged external cybersecurity experts and coordinated with law enforcement to address the issue.


For detailed information, you may reach us:

EBRU TEMİZER

IRMAK SEYMEN VARAT

SERAY APAK

EFE UTKU ÇAL
