November 8, 2021 |

Global Privacy News Roundup – Fall 2021 Compilation

United States

Crackdowns on illegal data collection

The Federal Trade Commission (FTC) banned surveillance app, SpyFone, and its CEO, Scott Zuckerman from dealing in the surveillance business. After finding the company guilty of selling access to users’ private information, including their physical movements and online activities, SpyFone was ordered to:

  • Delete all data that was illegally collected.
  • Notify the owners of devices that have the app installed about the potential monitoring of their device.

This is the FTC’s second case against a stalkerware app, but its first one in which a ban is being obtained.

Time limits for reporting cyber attacks

Legislation has been introduced that would require companies to report cyber attack incidents within 24 hours of their detection. This comes after companies delayed reports to their consumers and failed to accurately report the severity of the attack.

The 24-hour time limit poses opposition as companies argue they need at least 72 hours to properly define the attack. Language used to characterize an attack is also being put into question. How the attack is reported to the public can determine how consumers understand the nature and severity of the attack.


Record setting fines in Ireland

Ireland’s Data Protection Commission (DPC) imposed a 225 million euro fine against popular messaging app, WhatsApp for insufficient transparency regarding the processing of information between WhatsApp and other Facebook companies. An investigation began in December 2018 after complaints were received by users and non-users of the application about concerns of data processing procedures.

This is the largest fine ever imposed by the DPC and the second largest by the GDPR. The European Data Protection Board (EDPB) suggested raising the DPC’s initial fine of 30-50 million euros, compared to Twitter’s 445,000 euro fine given in December 2020 for receipt of breach.

In addition to the fine, WhatsApp must also make changes to bring their data processing into compliance with General Data Protection Regulation (GDPR) regulations.

Cyber resilience and delays in data flow in the European Union

The Cyber Resilience Act is an initiative that aims to define baseline cybersecurity standards for connected devices and was introduced on September 15 at the European Parliament.

This act will add to an existing proposal for a Directive on Security of Network and Information Systems (NIS2) that deals with cybersecurity requirements for critical sectors of the economy and society.

Additionally, delays in data flow operations between the US and EU are likely to occur. Threats of canceling a planned EU-U.S. Trade and Technology Council (TTC) meeting were made by the EU council.

China’s new era of data enforcement

Chinese legislation has passed the Data Security Law (DSL) and the Personal Information Protection Law (PIPL). These laws will work together with the 2016 Cybersecurity Law (CSL) to be the comprehensive regulation for data protection and security.

The introduction of DSL and the PIPL allows new authority to enforcement agencies and increases penalties against violations of the law. A new era of data enforcement in China is expected as a result.


Use of, access to, and information exchanged on this web page or any of the e-mail links contained within it cannot and does not create an attorney-client relationship between Han Santos, PLLC, and the user or browser. Please do not post any personal or confidential information. You should contact your attorney to obtain advice with respect to any particular issue or problem. Contact us for additional information. One of our lawyers will be happy to discuss the possibility of representation with you. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.