Google keeps third-party cookies
Google has reversed its decision to eliminate third-party cookies from Chrome, ending its four-year Privacy Sandbox project. Users will now have the option to block or allow cookies. This change aims to address concerns from advertisers and publishers while granting users control over browsing privacy.
The digital advertising, advertising technology and publishing industries have consistently argued that removal of cookies would destroy their business models and grant Google further advantages in the collection of consumer data, forcing them to pay more for ad targeting services. Google has now backed down from this decision.
The Information Commissioner's Office ("ICO") emphasized that it is "disappointed that Google has changed its plans" because "blocking third-party cookies would be a positive step for consumers."
Malaysia reforms data protection law
Malaysia's House of Representatives passed the Personal Data Protection Amendment Bill ("Bill"), enhancing data protection via mandatory data protection officers, data breach notifications, and increased penalties. The bill introduces data portability rights, stricter compliance for data processors, and updated rules for international data transfers; it will become law once it passes the Senate and receives royal approval.
Scholarship student information leak in Thailand
Thailand's data protection authority is investigating a data breach involving the personal information of government scholarship students at the Civil Service Commission Office ("CSC"). The leak, attributed to an AI search engine error, exposed sensitive details via Microsoft Bing. The CSC has since addressed the issue and worked with Microsoft Thailand to remove cached data.
Major Ofcom fine for TikTok
The Office of Communications ("Ofcom"), regulator of the UK's communications industry, fined TikTok approx. EUR 2 million for providing inaccurate data which delayed the publication of a child safety report. Ofcom had requested information from video-sharing platforms, based on regulations established before the UK's Online Safety Act, for an upcoming report outlining safety measures platforms currently deploy to safeguard children from harmful content. However, TikTok's slow response and insufficient data governance disrupted this work. The penalty was reduced by 25% after TikTok agreed with the findings in settlement.
New EU-Japan data flow agreement
A new Data Flow Agreement, previously part of the EU-Japan Economic Partnership, will facilitate non-personal data transfers between the parties, reduce digital protectionism, and support sectors such as finance and e-commerce. Personal data transfers remain regulated separately under Japan's Adequacy Decision.
Nigeria issues historic penalty for Meta
Nigeria's data protection authority fined Meta approx. EUR 200 million after a 38-month investigation revealed that its policies do not allow users to exercise control or withhold consent regarding the collection, use, and sharing of their personal data.
Pre-ticked box is not GDPR-compliant
The Netherlands' data protection authority fined a financial company EUR 600,000 for placing tracking cookies before obtaining consent. The decision emphasized that a pre-ticked box for acceptance of advertising/marketing tracking cookies does not constitute freely given consent.
Sweden reduces Spotify fine
Sweden has reduced last year's EUR 5 million fine against Spotify, imposed for failure to manage data subject applications in accordance with the GDPR, to EUR 3.5 million after an appeal. The Swedish Supreme Administrative Court agreed with the data protection authority's assessment of the company's inability to meet requests for access to personal data, but declared the breaches were not serious and extensive.
The complaint originated from the Austrian non-profit data protection organisation noyb, which alleged that Spotify failed to provide full information in response to user personal data requests. The case was transferred to Spotify's Swedish headquarters, resulting in the fine being imposed in Sweden.
Spain again, another fine for the bank
A bank erroneously associated a data subject's bank account details with an unrelated debtor, resulting in the data subject incurring unauthorised charges. Spain's data protection authority determined that the controller lacked a lawful basis for this action and subsequently imposed a fine of EUR 150,000.
Big penalty for Italian oil producers
Italy's data protection authority imposed a fine of approx. EUR 6.5 million on an oil company for conducting marketing phone calls with data subjects who had registered with the national opt-out registry (which allows consumers to revoke consent to telemarketing).
The DPA decided the controller had failed to implement sufficient technical and organizational measures to guarantee comprehensive adherence to GDPR across all processing activities. It highlighted "substantial deficiencies" in the oversight of processors, observing that the controller only conducted superficial inspections and undertook audits only after incidents had occurred.