Apr 18

DP News – Week 16. EDPB opinion: Pay-or-Consent models clash with GDPR consent requirements, EU Commission requested a risk assessment from TikTok, ICO launched a privacy notice generator, Catalan Data Protection Authority fines occupational health center for email confidentiality breach, Dutch chipmaker investigates data breach amidst security concerns.

The European Data Protection Board (EDPB) released an opinion indicating that large online platforms implementing pay-or-consent models typically fail to comply with EU General Data Protection Regulation (GDPR) requirements for valid consent. This opinion follows concerns raised by various data protection authorities regarding Meta’s attempt to implement such a model. The EDPB clarified that users should have a genuine choice beyond either giving away their data or paying a fee, emphasizing the importance of freely given consent. While the opinion is non-binding, it provides clarity for privacy professionals and indicates that ‘consent or pay’ models must ensure users’ freedom of choice.

IAPP will also hold a LinkedIn webinar on this topic, scheduled for 23 April.

***

As Reuters reports, the EU Commission requested a risk assessment from TikTok to ensure compliance with the Digital Services Act after this month’s launch of TikTok Lite in France and Spain. The request stems from concerns about the app’s potential impact on children and users’ mental health. “TikTok should have done a risk assessment on the new app before launching it in the 27-country European Union”, the Commission said.


***

The UK’s ICO has launched “a quick and easy generator tool to help you create a bespoke privacy notice in just a few simple steps. This brand new tool has been designed for sole traders and start-ups, as well as small and medium-sized businesses and charities to help make sure your organisation is compliant with the law.”

In summer 2024, the ICO will be launching “new sector-specific versions of the privacy notice generator for customer and supplier information. These will be for the following sectors:

  • Professional services (including finance, insurance and legal services).
  • Education and childcare.
  • Health and social care.
  • Charity and voluntary sector”.


***

The Catalan Data Protection Authority (DPA) fined an occupational health center €3000 for breaching confidentiality by sending emails to patients’ family members without using the blind copy option. The breaches occurred on multiple occasions due to human error, disclosing personal data to unauthorized recipients. The controller admitted responsibility and voluntarily paid €1800 as an advance. Despite mitigating factors such as regular data protection training and implementing new protocols, the DPA deemed a €3000 fine appropriate. However, considering the controller’s acknowledgment and payment, the penalty was reduced to €1800. 


***

Nexperia, a Dutch chipmaker, recently fell victim to a cyberattack and is actively investigating the incident alongside third-party experts. Following the attack, the company swiftly disconnected affected systems from the internet and initiated extensive mitigation measures. Authorities, including the Dutch DPA and law enforcement, have been informed, and Nexperia is regularly updating them on its investigation. While specific details regarding the extent of damage and losses remain undisclosed due to the ongoing probe, reports suggest that the cybercriminals accessed sensitive data, including trade secrets, chip designs, and customer information, from notable companies like SpaceX, Apple and Huawei.

