Wedlake Bell DPO Radio Alexander Dittel

* ICO's International data transfer agreement laid before Parliament (link (https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2022/02/international-data-transfer-agreement-and-addendum-and-transitional-provisions-laid-before-parliament/)). * CNIL requires website to rectify non-compliance in relation to its use of Google Analytics with data transfers to the United States (link (https://www.cnil.fr/en/use-google-analytics-and-data-transfers-united-states-cnil-orders-website-manageroperator-comply)).* German DSK conference seeks opinion on US surveillance from Stephen I. Vladeck of University of Texas (link (https://www.datenschutzkonferenz-online.de/media/weitere_dokumente/Vladek_Rechtsgutachten_DSK_de.pdf)).* ICO's draft Chapter 3 on Pseudonymisation (link (https://ico.org.uk/media/about-the-ico/consultations/4019579/chapter-3-anonymisation-guidance.pdf)).* ENISA's Data Protection Engineering (link (https://www.enisa.europa.eu/publications/data-protection-engineering)).* Belgian DPA claims to restore order to the online advertising industry by declaring IAB Europe's TCF non-compliant (link (https://www.dataprotectionauthority.be/citizen/iab-europe-held-responsible-for-a-mechanism-that-infringes-the-gdpr)).* Google's Topics (link (https://blog.google/products/chrome/get-know-new-topics-api-privacy-sandbox/)) and the path forward with the privacy sandbox (link (https://blog.google/around-the-globe/google-europe/path-forward-privacy-sandbox/#:~:text=Google's%20aim%20with%20the%20Privacy,need%20to%20build%20thriving%20businesses.)).* EPIC's push for the FTC to create a federal data privacy rule (link (https://advocacy.consumerreports.org/wp-content/uploads/2022/01/CR_Epic_FTCDataMinimization_012522_VF_.pdf)).* EDPB issues an opinion (link (https://edpb.europa.eu/news/news/2022/edpb-adopts-first-opinion-certification-criteria_en)) on the first ever GDPR certification scheme GDPR-CARPA from Luxembourg (link (https://cnpd.public.lu/content/dam/cnpd/fr/actualites/national/CNPD-GDPR-CARPA-Certification-Criteria-Consultation-publique.pdf)).* Irish DPC to continue prioritising work on children's data (link (https://dataprotection.ie/en/dpc-guidance/blogs/children-and-data-protection-reflections-safer-internet-day)) in line with its 2022-2027 regulatory strategy (link (https://www.dataprotection.ie/sites/default/files/uploads/2021-12/DPC_Regulatory%20Strategy_2022-2027.pdf)).* Latest on EU's Data Act (link (https://ec.europa.eu/commission/presscorner/detail/en/ip_22_1113)).* EU Cloud Code of Conduct (link (https://eucoc.cloud/en/public-register/list-of-adherent-services.html)).* EDPB's Guidelines 01/2022 on data subject rights - Right of access (link (https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf)).* EU Commission's proposal: European Declaration on Digital rights and principles for the Digital Decade (link (https://ec.europa.eu/commission/presscorner/detail/en/IP_22_452)).

1. The Independent Human Rights Act Review by the UK Government (link (https://www.gov.uk/guidance/independent-human-rights-act-review)).2. Irish DPC's Children Front and Centre Fundamentals for a Child-oriented Approach to Data Processing, December 2021 (link (https://www.dataprotection.ie/sites/default/files/uploads/2021-12/Fundamentals%20for%20a%20Child-Oriented%20Approach%20to%20Data%20Processing_FINAL_EN.pdf)).3. Austrian DPA says that The Use of Google Analytics violates the "Schrems II" decision (link (https://noyb.eu/sites/default/files/2022-01/E-DSB%20-%20Google%20Analytics_DE_bk.pdf)). Some facts about Google Analytics data privacy (link (https://blog.google/around-the-globe/google-europe/google-analytics-facts/#:~:text=It%20does%20not%20track%20people,only%20their%20site%20or%20app).)).4. EDPS research report on Government access to data in third countries including China, India and Russia, November 2021 (link (https://edpb.europa.eu/system/files/2022-01/legalstudy_on_government_access_0.pdf)).5. EDPS Decision on the retention by Europol of datasets lacking Data Subject Categorisation (link (https://edps.europa.eu/system/files/2022-01/22-01-10-edps-decision-europol_en.pdf)).6. EDPB on the law enforcement directive (LED) (link (https://edpb.europa.eu/system/files/2021-12/edpb_contribution_led_review_en.pdf)).7. European Parliament's research paper on Rethinking biometrics in the era of artificial intelligence (link (https://www.europarl.europa.eu/RegData/etudes/STUD/2021/697191/EPRS_STU(2021)697191_EN.pdf)).8. Shinigami Eyes banned in Norway (link (https://www.datatilsynet.no/en/news/2021/varsler-forbud-mot-nettleserutvidelsen-shinigami-eyes-i-norge/)).9. Chinese Internet Information Service Algorithm Recommendation Management Regulations (link (https://digichina.stanford.edu/work/translation-internet-information-service-algorithmic-recommendation-management-provisions-effective-march-1-2022/)).10. Open Rights Group's Adtech Challenge in Killock and Veale & Ors v Information Commissioner (GI/113/2021 and ors) (link (https://www.openrightsgroup.org/blog/our-adtech-challenge-what-we-won-what-we-lost-and-what-we-do-next/)).11. French CNIL fines Google €150M and Facebook €60M for making refusing cookies not as easy as accepting them (link (https://www.cnil.fr/en/cookies-cnil-fines-google-total-150-million-euros-and-facebook-60-million-euros-non-compliance)).12. Meta's Threat Report on the Surveillance-for-Hire Industry (link (https://about.fb.com/wp-content/uploads/2021/12/Threat-Report-on-the-Surveillance-for-Hire-Industry.pdf)).

1.    ICO fines Cabinet Office £500,000 for disclosing addresses of 2020 the New Year Honours recipients (link (https://ico.org.uk/action-weve-taken/enforcement/cabinet-office-mpn/)). 2.    Draft EU directive on improving working conditions in platform work (link (https://ec.europa.eu/commission/presscorner/detail/en/ip_21_6605)). 3.    UK Government's Roadmap to an effective AI assurance ecosystem (link (https://www.gov.uk/government/publications/the-roadmap-to-an-effective-ai-assurance-ecosystem/the-roadmap-to-an-effective-ai-assurance-ecosystem)). 4.    EDPB on the interplay between GDPR's extraterritoriality and data transfer provisions (link (https://edpb.europa.eu/system/files/2021-11/edpb_guidelinesinterplaychapterv_article3_adopted_en.pdf)). 5.    Wiesbaden court orders university to stop using a cookie consent management platform because of transfers of data to the US due to the use of Akamai Content Delivery Network services (link (https://www.jurpc.de/jurpc/show?id=20210172)). 6.    Updated guidance on data transfers and EU SCCs from the Baden-Württemberg authority in Germany (link (https://www.baden-wuerttemberg.datenschutz.de/wp-content/uploads/2021/10/OH-int-Datentransfer.pdf)). 7.    Information Commissioner’s Opinion: Data protection and privacy expectations for online advertising proposals (link (https://ico.org.uk/media/about-the-ico/documents/4019050/opinion-on-data-protection-and-privacy-expectations-for-online-advertising-proposals.pdf)). 8.    CJEU's C‑102/20 in StWL v. eprimo GmbH on inbox advertising (link (https://curia.europa.eu/juris/document/document.jsf?text=&docid=250043&pageIndex=0&doclang=DE&mode=req&dir=&occ=first&part=1&cid=925901)). 9.     Advertising Platform OpenX has been fined $2 Million for breaching Children’s Privacy Law (link). 10. EDPB statement on the Digital Services Package and Data Strategy (link (https://edpb.europa.eu/system/files/2021-11/edpb_statement_on_the_digital_services_package_and_data_strategy_en.pdf)). 11. Proposal for a European regulation on the transparency and targeting of political advertising (link (https://eur-lex.europa.eu/resource.html?uri=cellar:9cec62db-4dcb-11ec-91ac-01aa75ed71a1.0001.02/DOC_1&format=PDF)). 12. NHS Business Authority v Information Commissioner & Spivack [2021] UKUT 192 (AAC) (link (https://assets.publishing.service.gov.uk/media/6135fb748fa8f503c7dfb8a3/GIA_0136_2021-00.pdf)) 13. Council of Europe recommendation on automatic processing of personal data in the context of profiling (link) (https://edoc.coe.int/en/international-law/10670-protection-of-individuals-with-regard-to-automatic-processing-of-personal-data-in-the-context-of-profiling-recommendation-cmrec20218.html).

* Belgian authority expected to conclude that the Transparency & Consent Framework or TCF is not compliant with the GDPR and IAB Europe is liable as joint controller (link), the Irish Council for Civil Liberties reports (link).* Lloyd v Google LLC [2021] UKSC 50 (link).* OAIC concluded that Clearview AI breached the privacy of Australians (link) having jointly investigated with the ICO (link).* Chinese Draft Outbound Data Transfer Security Assessment Measures (link).* New standard contractual clauses expected for foreign controllers caught by GDPR’s extraterritorial effect (link).* Global Privacy Assembly’s Principles for Governmental Access to Personal Data held by the Private Sector for National Security and Public Safety Purposes (link).* ICO’s Draft Journalism Code of Practice (link).* ICO’s Draft anonymisation, pseudonymisation and privacy enhancing technologies guidance Chapter 2: How do we ensure anonymisation is effective? (link).* ICO’s Response to DCMS consultation “Data: a new direction” (link).* Chinese Guiding Opinions on Strengthening Overall Governance of Internet Information Service Algorithms (link).* ICO’s opinion on Age Assurance for the Children’s Code (link) and ICO’s Children’s Code Design Guidance (link).* ICO Regulatory Sandbox: Child Privacy Consent Management Platform by Seers (link).* ICO Regulatory Sandbox: Gambling Commission’s duty to monitor users at risk (

* International data transfers: The ICO’s call for an international solution to data transfers (link), G7 cooperation on data free flow (link), and US Congress paper on transatlantic data flows (link).* Big Tech announced the Trusted Cloud Principles (link).* EDPB opines on the draft Adequacy Decision for South Korea (link).* Norwegian company is fined around £400,000 for non-compliant data transfers to China (link). Irish DPC investigating TikTok’s compliance of data transfers to China (link).* EU Parliament’s research paper on EU health data centre and a common data strategy for public health (link).* We Buy Any Car and Sports Direct are fined £270,000 for misapplying the soft opt-in rule (link).* Cookies: G7 cooperation (link), EDPB’s cookie taskforce (link), and European Digital Rights association’s push for strong ePrivacy (link).* EDPS opinion about the 2021 EU anti-money laundering package (link).* Swiss report on the US CLOUD ACT (link).* Opinion of Advocate Bobek in CJEU Case C‑175/20 SIA ‘SS’ v Valsts ieņēmumu dienests (link).* The right to privacy in the digital age, a report of the United Nations High Commissioner for Human Rights (link).* Navigating the global data privacy landscape: The 2020 Global Privacy Assembly census (link).

* Second largest fine of €225M imposed by the Irish Data Protection Commissioner (DPC) on WhatsApp (link) as revised by the European Data Protection Board (link).* UK Government announces a data reform to boost innovation and trade, to improve healthcare and protect the public (link).* Information Commissioner’s Office (ICO) consults on its draft international data transfer tools (link).* Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) (link).* G7 data protection and privacy authorities to tackle the cookie pop-ups challenge (link).* ICO sets out plans for further protection of children online (link).* ICO guidance on Direct marketing in the public sector (link).