Global News Roundup: Dec. 14–21, 2020

In this week’s global legislative roundup, IAPP leaders discussed developments in privacy law during 2020 and looked forward to 2021. The European Commission unveiled the Digital Services Act and Digital Markets Act. The Irish Data Protection Commission arrived at a much-anticipated final decision in its Twitter case, while fellow EU member states also handed down new fines. And a member of the Indian Parliament offered an update on the Joint Parliamentary Committee’s review of the Personal Data Protection Bill.

LATEST NEWS

Romania’s National Supervisory Authority for Personal Data Processing fined Banca Transilvania 487,380 lei for violations of Article 5(1) and 32 of the EU General Data Protection Regulation.
More

The U.S. Department of Health and Human Services’ Office for Civil Rights issued guidance on how the Health Insurance Portability and Accountability Act allows covered entities and business associates to use health information exchanges to disclose protected health information.
More

The U.S. Federal Trade Commission approved a settlement with Nevada-based SkyMed International over a lack of safeguards that led to a data breach involving 130,000 membership records. SkyMed will put in place a comprehensive information security program as part of the deal.
More

ICYMI

On the latest installment of The Privacy Advisor Podcast, IAPP Editorial Director Jedidiah Bracy, CIPP, spoke with IAPP Vice President and Chief Knowledge Officer Omer Tene and Research Director Caitlin Fennessy, CIPP, to assess what just happened in privacy during 2020 and what’s ahead in 2021.
More

IAPP Staff Writer Joe Duball wrote for The Privacy Advisor with details on Ireland’s Data Protection Commission’s 450,000 euro GDPR fine against Twitter related to its 2019 data breach.
More

ENFORCEMENT

Colombia’s data protection authority, the Superintendencia de Industria y Comercio, fined medical practice EPS Sanitas 894,365,280 pesos for lacking safeguards on patients’ personal data.
More

Poland’s DPA, UrzÄ…d Ochrony Danych Osobowych, fined Virgin Mobile Polska PLN 1.9 million for violating confidentiality and accountability principles under the GDPR.
More

Spain’s data protection authority, the Agencia Española de Protección de Datos, issued 5 million euros worth of fines to Banco Bilbao Vizcaya Argentaria for alleged violations of the EU General Data Protection Regulation.
More

Sweden’s DPA, Datainspektionen, ordered housing company Uppsalahem to pay SEK 300,000 for conducting illegal surveillance practices when it was discovered it had placed cameras in apartment buildings.
More

The U.K. Information Commissioner’s Office announced it has started to receive the 250,000 GBP fine it had administered to the now-defunct Pownall Marketing Limited over making more than 350,000 nuisance calls.
More

In the U.S., an administrative law judge ruled Uber must pay a $59.1 million fine to the California Public Utilities Commission for noncompliance with requests for sexual assault data from the company, Business Insider reports.
More

ASIA-PACIFIC

A blog post by Salinger Privacy Principal Anna Johnston, CIPP/E, CIPM, FIP, looks at the history of privacy law in Australia and likely directions the latest Privacy Act review could take, including potentially key topics, like targeted advertising and stricter limits on the collection, use and disclosure of data.
More

ThePrint reports Member of Indian Parliament Rajeev Chandrasekhar does not expect the Joint Parliamentary Committee to pass the Personal Data Protection Bill in its current form.
More

CANADA

University of Ottawa Law Professor Teresa Scassa said political parties should follow the same laws as other entities as Canada considers revamping the country’s federal privacy laws, the Toronto Star reports.
More

EUROPE

The European Commission unveiled the Digital Services Act and the Digital Market Act.
More

The European Data Protection Board released its draft guidance on restrictions under Article 23 of the GDPR. It also finalized its guidance on the interplay between the Second Payment Services Directive and the GDPR.
More

France’s data protection authority, the Commission nationale de l’informatique et des libertés, released a white paper with an analysis of the ethical, technical and legal issues involved with voice assistants.
More

Ireland’s Data Protection Commission released guidance on transferring data between Ireland and the U.K. following the end of the Brexit transition period.
More

Italy’s data protection authority, the Garante, announced a series of guidance notes on matters associated with the right of access.
More

The U.K. Information Commissioner’s Office released its Data Sharing Code of Practice, which offers tips on how to carry out responsible data sharing.
More

US

The U.S. Department of Health and Human Services’ Office for Civil Rights released its audit report looking at efforts of health entities and associates to comply with Health Insurance Portability and Accountability Act Privacy, Security, and Breach Notification Rules.
More

A bipartisan group from the U.S. House of Representatives unveiled the Email Privacy Act, which aims to close a government loophole for warrantless access to individuals’ emails, Gizmodo reports.
More

According to Husch Blackwell’s Data Privacy and Cybersecurity Legal Resource, Byte Back, Dec. 16 marks the effective date for California Privacy Rights Act provisions on the creation of the California Privacy Protection Agency and extensions for business-to-business and employee exemptions.
More

In an op-ed in the Boston Globe, Boston Celtics basketball players urge Gov. Charlie Baker, R-Mass., to reconsider his opposition to a bill that would place a moratorium on facial recognition use by police.
More