Welcome to Last Week in Privacy! Each week, OneTrust’s in-house privacy experts will give you the top international privacy news from the last week. This week, we are providing the top news and updates by region.

Privacy News From Around the Globe


Singapore: PDPC issues guide to accountability under PDPA 

Singapore’s Personal Data Protection Commission issued a guide to accountability under the Singapore Personal Data Protection Act. In particular, the Guide outlines how organizations should approach accountability under the Act within their organization and industry, and provides clarity on the Commission’s interpretation of accountability in relation to the Act. The Guide highlights that in order to succeed in an increasingly digital economy, organizations should shift from a compliance based approach when managing personal data to an accountability based approach. The PDPC also noted that it had updated the current “Openness Obligation” to the “Accountability Obligation” in their Advisory Guidelines on Key Concepts in the PDPA in line with the Guide.


EU: EDPB publishes 2018 annual report

The European Data Protection Board (EDPB) published its 2018 annual report. In particular, the Annual Report highlights that in 2018 the EDPB endorsed the 16 different GDPR-related guidelines of the Article 29 Working Party, adopted four more guidelines, issued 26 opinions on Data Protection Impact Assessments carried out by the national supervisory authorities, and held five plenary meetings in which it adopted guidance and requests for mandates for 36 expert subgroup meetings on a broad range of topics.

France: CNIL approves first DPO certification and accreditation body

The French data protection authority (CNIL) announced that it had approved the first accredited certification body to certify the skills of a data protection officer (DPO). The CNIL highlighted that the certification is as a “voluntary mechanism” for professionals to be able to demonstrate their suitability for the role of DPO, and can serve as a sign of trust not only for organizations, but also for their users, customers, and employees. The Certification body’s approval follows the CNIL’s DPO certification and accreditation framework adopted in September 2018, and will last for a period of five years.

Germany: Bundestag issues response on Draft ePrivacy Regulation

The ePrivacy Regulation has hit another speed bump. The German Parliament issued its response on the current draft of the proposed draft regulation following a request for feedback from t eh Council of the EU. In particular, the Response outlines that the German Parliament is advocating for regulation on privacy settings for internet browsers to be included in future drafts so that end users can control how they are tracked online. Moreover, the Response states the draft must ensure a higher level of protection than the GDPR and that it does not do so in its current form. Finally, the Response notes that Germany cannot support the Draft Regulation in its current form, and lists a number of additional revisions that would need to be made.

UK: ICO announces intention to fine British Airways £183.39M for data breach

The UK Information Commissioner’s Office (ICO) announced its intention to issue a £183.39 million fine to British Airways  under the GDPR, following its investigation into a data breach involving the personal data of approximately 500,000 customers. In particular, the ICO noted that the data breach involved user traffic to the British Airways website being diverted to a fraudulent website, which allowed access to customers’ personal information, including, names, addresses, login, payment card and travel booking details. n addition, the ICO outlined that British Airways had cooperated during the investigation and had made improvements to its security arrangements. Finally, the ICO highlighted that British Airways will now have the opportunity to make representations on the suggested results and sanctions, after which the ICO will make a final decision.

UK: ICO announces intention to fine Marriott £99.2M for data breach

The UK Information Commissioner’s Office (ICO) announced its intention to issue a £99.2 million fine to Marriott under the GDPR, following its investigation into a data breach involving the personal data contained in 339 million guest records globally, of which around 30 million related to residents of 31 countries in the European Economic Area, and seven million of which related to UK residents. In particular, the ICO highlighted that the vulnerability allegedly began in 2014 when the system of the Starwood hotels group was compromised, and that while Marriott had acquired Starwood in 2016, the exposure of customer information was not discovered until 2018. Moreover, the ICO’s investigation found that Marriott had failed to undertake sufficient due diligence when it bought Starwood and that it should also have done more to secure its systems. In addition, the ICO highlighted that Marriott had co-operated with the investigation and made improvements to its security arrangements. Finally, the ICO noted that Marriott will now have an opportunity to make representations to the ICO as to the proposed findings and sanction, after which the ICO will make its final decision.

Latin America

Brazil: President promulgates law amending LGPD

Brazilian lawmakers have passed an amendment to the Brazil General Data Protection Law (LGPD). In particular, the amendment approves certain provisions including the competences and the structure of Brazil’s data protection authority (the “ANPD”) and the appointment of data protection officers for certain controllers and processors who would act as points of communication with the ANPD. Additionally, Brazil’s president vetoed certain provisions in the amendment such as higher fines for violations of the LGPD and the right for data subjects to request the review by an individual of automated decisions, considering the processing activity and size of the entity, as well as the volume of processing operations.

North America

California: Judiciary Committee passes consumer privacy bills

The California Senate Judiciary Committee passed a series of bills seeking to amend the California Consumer Privacy Act of 2018 (CCPA) and re-referred them to the California Senate Appropriations Committee. In particular, the Judiciary Committee passed Assembly Bill (AB) 25 which would require companies to inform employees about the data collected about them, AB 846 which would prohibit the sale of information collected through customer loyalty programs, as well as AB 874 which would exempt publicly available information and deidentified or aggregate consumer information from the CCPA’s application. In addition, the Judiciary Committee passed AB 1146 which would add a product recall exception to the right of deletion regarding vehicle information, AB 1355 which would require businesses to disclose to consumers that they have the right to request specific pieces and categories of information that businesses have collected about them and AB 1564 which would stipulate that a business make available a toll-free telephone number or an email address for specific information requests. You can track these and other propose CCPA amendments here.

USA: FTC announces $5 billion settlement with Facebook

The U.S. Federal Trade Commission announced a $5 billion settlement with Facebook as a result of alleged mishandling of Facebook users’ personal information. The fine is the result of the FTC’s probe into Facebook’s privacy practices after the much-reported incident with Cambridge Analytica, which the FTC concluded amounted to a violation of its 2011 agreement with Facebook.

Washington: AG announces $10M settlement with Premera for breach involving sensitive data

The Washington State Attorney General announced a settlement with Premera Blue Cross in the amount of $5.4 million to be paid to Washington state and another $4.6 million to a coalition of 29 other state AGs for a data breach that occurred between 2014 and 2015 involving sensitive data of approximately 10.4 million consumers. In particular, the Attorney General stated that Premera failed to meet its obligations under the federal Health Insurance Portability and Accountability Act (HIPAA) and violated several other state consumer laws by not addressing known cybersecurity vulnerabilities that gave a hacker access to a wide variety of personal information. As part of the settlement, Premera also agreed to greatly improve, regularly assess and update its security measures; map where HIPAA-protected information, including personal health information, is located on its network; hire a chief information security officer and provide security training to all employees who handle personal information.

To learn more about how you can track the latest in privacy, security and third-party risk news, visit www.dataguidance.com.