From CompliNEWS | Financial Service Intelligence Watch
Compliance lessons from recent data protection enforcement cases around the world
By Compli-Serve
The Netherlands’ data protection authority fined Uber EUR 290 million for the unauthorised transfer of European drivers’ personal data to the US, in violation of the EU’s General Data Protection Regulation (GDPR). Uber’s failure to include proper safeguards, especially concerning sensitive health information, highlights the importance of ensuring that international data transfers comply with GDPR requirements.
Compliance Lesson: When handling personal data, especially sensitive information, organisations must implement robust safeguards and ensure lawful transfers or face significant penalties.
European Parliament faces data breach
The European Data Protection Supervisor (EDPS) is investigating the European Parliament for alleged GDPR violations involving the personal data of around 8 000 candidates. This data, including sensitive documents such as identity cards and criminal records, was retained despite a formal request for its deletion.
Compliance Lesson: Data retention policies must align with GDPR regulations, and organisations should act promptly on data deletion requests to avoid breaches and reputational damage.
Software provider faces fine after massive data breach
The UK’s Information Commissioner’s Office (ICO) provisionally fined Advanced Computer Software Group EUR 7 million following a data breach that compromised sensitive medical information of over 80 000 individuals. The ICO noted the company’s failure to take adequate security measures.
Compliance Lesson: Companies that handle sensitive personal data, especially in healthcare, must ensure their cybersecurity practices are up to date, as data breaches can lead to substantial financial and reputational costs.
State of Texas sues General Motors
The state of Texas has filed a lawsuit against General Motors, alleging that the company installed data collection technology in vehicles without obtaining drivers’ consent. This technology created ‘Driving Scores’ used by insurers, potentially impacting premiums and coverage.
Compliance Lesson: Companies must obtain explicit consent when collecting and processing personal data, particularly when the data could impact individuals’ financial and personal wellbeing, to avoid legal consequences and consumer mistrust.
More penalties in Spain
Spain’s data protection authority fined a legal consultancy EUR 145 000 after a stolen, unencrypted USB containing sensitive case information led to a data breach. In another case, a data controller was fined EUR 20 000 (reduced to EUR 3 000) for requiring photocopies of ID for event entry, violating the principle of data minimisation.
Compliance Lesson: Encryption and minimising data collection are critical in securing personal data and avoiding unnecessary breaches or fines.
EU and China open negotiations on data transfer disputes
The EU and China have commenced discussions under the Cross-Border Data Flow Communication Mechanism to address regulatory uncertainties regarding data transfers. These talks are particularly important for sectors such as finance and pharmaceuticals, as they navigate China’s unclear definition of ‘important data’ under its 2022 Measures for Security Assessment of Data Export.
Compliance Lesson: Companies involved in cross-border data transfers must stay informed about local regulations and collaborate with authorities to ensure compliance with global standards.
Denmark emphasises free will
Denmark’s data protection authority ruled that a gym’s facial recognition system for access control violated the principle of free will, as it did not provide an alternative option for members. The gym was reprimanded and ordered to offer alternatives.
Compliance Lesson: Consent must always be freely given, and individuals must have real alternatives when asked to provide sensitive biometric data, or the consent is not valid under GDPR.
Chile adopts data protection law
Chile passed a GDPR-compliant data protection law that will come into effect in two years, allowing for smoother data transfers between Chile and the EU.
Compliance Lesson: Countries aiming to strengthen their data protection frameworks can look to the GDPR as a model, ensuring they meet international standards and facilitate global business.
Saudi Arabia publishes standard contracts
Saudi Arabia’s data protection authority has published draft standard contracts for the transfer of personal data abroad, opening them for public consultation.
Compliance Lesson: As international data transfers become more common, having standardised contractual clauses can help ensure that data transfers meet legal requirements, protecting both businesses and individuals.