The latest COVID-19 privacy developments from the Asia-Pacific region

(Apr 9, 2020) As the COVID-19 pandemic continues, here are the latest stories on how the outbreak has affected privacy in the Asia-Pacific region: Hong Kong Privacy Commissioner for Personal Data Stephen Kai-yi Wong issued guidelines on how to appropriately address children's privacy during the pandemic. The Office of the Australian Information Commissioner released guidance on how organizations can complete privacy impact assessments amid COVID-19. The New York Times Editorial Board writes individuals s... Read More

Turkish DPA issues 18K TL fine for purpose limitation violation

(Apr 9, 2020) Turkey's data protection authority, the KVKK, announced a fine of 18,000 TL for a violation of the purpose limitation principle in the country's Law on the Protection of Personal Data No. 6698. The violation is related to a consumer's phone number being provided to a third party without legitimate purpose. The data controller's actions breached Article 7 of the LPPD, which requires deletion or anonymization of data when there's no longer a legal basis for processing. (Original post is in Turkish... Read More

FTC's Smith discusses AI, algorithm usage

(Apr 9, 2020) In an agency blog post, U.S. Federal Trade Commission Bureau of Consumer Protection Director Andrew Smith addresses the utilization of artificial intelligence and algorithms across industries. Smith goes on to outline key considerations when applying AI tools, including appropriate application to the collection of sensitive data. "The FTC’s law enforcement actions, studies, and guidance emphasize that the use of AI tools should be transparent, explainable, fair, and empirically sound, while fost... Read More

EDPB sets scope for COVID-19 data processing guidance

(Apr 8, 2020) Following its 20th plenary session, the European Data Protection Board announced the scope of its guidance for data processing related to combating COVID-19 will focus on geolocation data and health data used for research purposes. EDPB Chair Andrea Jelinek said the board "will move swiftly" to draft guidance while ensuring that "technology is used in a responsible way to support and hopefully win the battle against the corona pandemic."Full Story... Read More

CNIL publishes RTBF Q&A

(Apr 8, 2020) The French data protection authority, the CNIL, has released a Q&A regarding a user's right to be forgotten. The document features 10 questions to help explain user rights, including the definition of de-listing, criteria for requests and the CNIL's role in the process. The Q&A follows a decision by the French Council of State, Conseil d'État, to overturn a fine against Google in a 2016 RTBF case. (Original post is in French.)Full Story... Read More

Germany adopts draft patient data protection law

(Apr 8, 2020) Germany's Federal Cabinet announced the adoption of the draft Patient Data Protection Act. The law seeks to further the country's shift to digital health while ensuring patient data, including information found in electronic patient data records, is appropriately protected. German Federal Commissioner for Data Protection and Freedom of Information Ulrich Kelber issued a response to the adoption, noting the law requires further privacy considerations, especially regarding access to patient data. ... Read More

CNIL publishes page on ISO 27701 standard

(Apr 7, 2020) France's data protection authority, the CNIL, published a page on its website on the ISO 27701 standard. The CNIL breaks down the components of the ISO standard and highlights the agency's contribution to its creation. The agency states the EU General Data Protection Regulation was taken into consideration as the standard was formed. It adds ISO 27701 is not GDPR-specific and should not be used as a GDPR certification mechanism. Full Story... Read More

British Airways, Marriott GDPR investigations extended

(Apr 7, 2020) Computer Weekly reports British Airways and Marriott International negotiated with the U.K. Information Commissioner's Office to extend the probes into their EU General Data Protection Regulation violations. According to financial reports from both companies, British Airways and Marriott had their GDPR decisions deferred to May 18 and June 1, respectively. The ICO agreed to similar regulatory extensions for both companies in January.Full Story... Read More

Smart lock company settles FTC allegations

(Apr 7, 2020) Tapplock settled U.S. Federal Trade Commission allegations that its internet-connected smart locks falsely claimed to appropriately secure user data. The settlement states Tapplock is required to implement a comprehensive security program and obtain independent assessments every other year. Tapplock’s privacy policy stated it took “reasonable precautions” to secure user data, including usernames, email addresses, profile photos and location of users’ smart locks. The FTC alleged the company fail... Read More

Reciente sanción de la autoridad de control

(Apr 7, 2020) La Agencia de Acceso a la Información Pública sancionó a un obispado por no inscribir una base de datos con información de sus fieles. En julio de 2019, frente a la denuncia de un particular respecto del “Registro Digital de Sacramentos” ante el Registro Nacional de Bases de Datos de la Agencia de Acceso a la Información Pública (en adelante, la “AAIP”), en su carácter de Autoridad de Aplicación de la Ley de Protección de Datos Personales (la “LPDP”), la ente inició una investigación mediante la... Read More