Global Privacy News Roundup – Fall 2021 Compilation
Crackdowns on illegal data collection
The Federal Trade Commission (FTC) banned the surveillance app SpyFone and its CEO, Scott Zuckerman, from dealing in the surveillance business. After the FTC found the company guilty of selling access to users’ private information, including their physical movements and online activities, SpyFone was ordered to:
- Delete all data that was illegally collected.
- Notify the owners of devices that have the app installed about the potential monitoring of their device.
This is the FTC’s second case against a stalkerware app, but its first one in which a ban is being obtained.
Time limits for reporting cyber attacks
Legislation has been introduced that would require companies to report cyber attack incidents within 24 hours of their detection. This comes after companies delayed reports to their consumers and failed to accurately report the severity of the attack.
The 24-hour time limit faces opposition, as companies argue they need at least 72 hours to properly define the attack. The language used to characterize an attack is also being called into question. How the attack is reported to the public can determine how consumers understand the nature and severity of the attack.
Record setting fines in Ireland
Ireland’s Data Protection Commission (DPC) imposed a 225 million euro fine against the popular messaging app WhatsApp for insufficient transparency regarding the processing of information between WhatsApp and other Facebook companies. An investigation began in December 2018 after complaints were received from users and non-users of the application about concerns over data processing procedures.
This is the largest fine ever imposed by the DPC and the second largest under the GDPR. The European Data Protection Board (EDPB) suggested raising the DPC’s initial fine of 30-50 million euros. By comparison, Twitter was given a 445,000 euro fine in December 2020 for receipt of breach.
In addition to the fine, WhatsApp must also make changes to bring its data processing into compliance with the General Data Protection Regulation (GDPR).
Cyber resilience and delays in data flow in the European Union
The Cyber Resilience Act is an initiative that aims to define baseline cybersecurity standards for connected devices and was introduced on September 15 at the European Parliament.
This act will add to an existing proposal for a Directive on Security of Network and Information Systems (NIS2) that deals with cybersecurity requirements for critical sectors of the economy and society.
Additionally, delays in data flow operations between the US and EU are likely to occur. Threats of canceling a planned EU-U.S. Trade and Technology Council (TTC) meeting were made by the EU council.
China’s new era of data enforcement
China has passed the Data Security Law (DSL) and the Personal Information Protection Law (PIPL). These laws will work together with the 2016 Cybersecurity Law (CSL) as the comprehensive regulation for data protection and security.
The introduction of the DSL and the PIPL grants new authority to enforcement agencies and increases penalties for violations of the law. A new era of data enforcement in China is expected as a result.