Privacy & Information Security Law Blog

On November 1, 2022, the Digital Markets Act (the “DMA”) entered into force. The DMA introduces new rules for certain core platforms services acting as “gatekeepers” in the digital sector (including search engines, social networks, online advertising services, cloud computing, video-sharing services, messaging services, operating systems and online intermediation services). The DMA also aims to prevent such platforms from imposing unfair conditions on businesses and consumers, and to ensure the openness of important digital services.

On October 25, 2022, the U.S. Department of Justice (“DOJ” or the “Department”) announced that Google had entered into an agreement to resolve a dispute over the loss of data responsive to a search warrant issued in 2016.

On November 3, 2022, the Federal Trade Commission announced a proposed order to settle an action against an internet phone service provider, Vonage, that would require Vonage to pay $100 million in refunds to customers harmed by its practices, which the FTC alleged included “dark patterns” that made it difficult for customers to cancel their service. The order also would require Vonage to not use dark patterns and provide a simple and transparent way for customers to cancel their service. 

SHIFT Counsellors at Law reports from Indonesia that The People’s Representative Council of the Republic of Indonesia has ratified Indonesia’s draft law on personal data protection. The draft law came into effect on October 17, 2022. The law, which is partly modeled on the EU General Data Protection Regulation, is Indonesia’s first “umbrella regulation” on personal data protection. The law will provide certain protections to Indonesian citizens’ data, and provide more legal certainty to parties processing such data.

Read SHIFT Counsellors’ article on the ...

On November 3, 2022, the California Privacy Protection Agency (“CPPA”) released new modified proposed California Privacy Rights Act (“CPRA”) regulations, which make updates to the draft CPRA regulations released on October 17, 2022. The CPPA also released an updated list of documents and other information relied upon for this most recent rulemaking.

On  November 2, 2022, the ICO issued to the UK Department for Education (“DfE”) a formal reprimand following an investigation into the sharing of personal data stored on the Learning Records Service (“LRS”), a database which provides a record of pupils’ qualifications that the DfE has overall responsibility for. The investigation found that the DfE’s poor due diligence meant the LRS database was being used by Trust Systems Software UK Ltd (trading as Trustopia), a third party screening firm, to check whether people opening online gambling accounts were 18. Trustopia was found to have had access from September 2018 to January 2020, during which it performed over 20,000 searches on children whose personal data was in the LRS database.

On October 28-29, 2022, the California Privacy Protection Agency (“CPPA”) held a Board Meeting to discuss the modified proposed regulations promulgated for compliance with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”), as well as the remainder of the rulemaking process. The CPPA previously released the modified proposed regulations on October 17, 2022.  

On October 31, 2022, the Federal Trade Commission announced a proposed settlement with education technology provider Chegg in connection with the company’s alleged poor cybersecurity practices. 

On October 1, 2022, the Colorado Attorney General’s Office submitted an initial draft of the Colorado Privacy Act Rules (“CPA Rules”), which will implement and enforce the Colorado Privacy Act (“CPA”). The CPA Rules, which are currently about 38 pages, address many recent issues in state data privacy regulation, including data profiling, data protection, automated data processing, biometric data, universal opt-out mechanisms and individual data rights.

On October 18, 2022, the European Commission published a report, titled Information Frictions and Public Policies: Approaching the Regulation and Supervision of Decentralized Finance (“DeFi”) (the “Report”). The Report discusses the need to adapt existing policy frameworks to account for the change brought about by DeFi to the underlying information structure upon which financial services are provided. Unlike traditional finance, DeFi applications provide financial services based on blockchain technology, i.e., without requiring any intermediary agent and instead relying on automated protocols that are encoded in public digital contracts universally accessible and maintained by an open pool of pseudonymous miners.