Welcome to The Privacy Explorer recap of privacy news for week 25 of 2024 (17-23 June)!
This edition at a glance:

📧 LfDI Rhineland-Palatinate Launches Information Campaign on Direct Marketing
The Rhineland-Palatinate data protection authority (LfDI) initiated an information campaign on postal and email advertising to raise awareness of data protection laws. The campaign outlines the balance required under the General Data Protection Regulation (GDPR), particularly under Art. 6(1)(f) GDPR, which allows data processing for legitimate interests, including marketing, provided it meets specific criteria.

🤝 California Settles with Tilting Point Media over Kids' Game "SpongeBob: Krusty Cook-Off" Data Violations
The California Attorney General announced a $500,000 settlement with Tilting Point Media LLC. The company violated the California Consumer Privacy Act (CCPA) and the Children’s Online Privacy Protection Act (COPPA) by collecting and sharing data from children without parental consent in the popular game “SpongeBob: Krusty Cook-Off.” The settlement includes injunctive terms mandating compliance with privacy laws, ensuring parental consent, and proper configuration of third-party software in games.

💼 R.R. Donnelley Settles SEC Charges Over Third-Party Cybersecurity Failures
R.R. Donnelley & Sons Co., a global business communications provider, agreed to a $2.125 million settlement with the US Securities and Exchange Commission for inadequate management of third-party cybersecurity controls. In late 2021, a ransomware attack exposed significant flaws in Donnelley’s oversight of its security service provider, leading to data breaches and operational disruptions. The SEC highlighted the company’s failure to properly supervise its managed security services provider, which compromised the integrity and confidentiality of sensitive client data.

🌐 OECD Releases Report on Digital Safety for Children
The OECD published a report titled “Towards Digital Safety by Design for Children.” This report highlights the importance of integrating safety features into digital environments tailored to children. It discusses international guidelines and emphasizes proactive measures such as age assurance and child-centered design. The report also stresses the need for transparency, accountability, and ongoing risk management to protect children’s privacy and ensure a safe digital experience.

🇪🇺 EDPB Finalizes Guidelines on Law Enforcement Data Transfers
The European Data Protection Board published its final Guidelines on Article 37 of the Law Enforcement Directive (LED). These guidelines establish standards for appropriate safeguards in data transfers by competent authorities, focusing on legally binding instruments with third countries. Key points include selecting transfer mechanisms, evaluating transfer risks to data subjects, and maintaining enhanced accountability. The guidelines emphasize legal certainty and the necessity of ensuring equivalent data protection levels when personal data is transferred outside the EU.

The Norwegian Data Protection Authority cannot impose daily fines in cross-border cases
On 18 June 2024, the Norwegian Data Protection Board ruled that the Norwegian Data Protection Authority (DPA) cannot impose daily fines on Meta for not complying with a ban on behavioral marketing on Facebook and Instagram. This decision challenges the DPA’s authority under Norwegian law, which allows daily fines. The Board determined that such fines could only apply to Norwegian companies, not international ones. The ban on behavioral advertising remains, but the ruling raises concerns about enforcement disparities between domestic and international businesses.

⚖️ CJEU Ruling on Compensation for Data Breach [C-182/22 and C-189/22 Scalable Capital]
The Court of Justice of the European Union ruled in joined cases C-182/22 and C-189/22 Scalable Capital, addressing compensation for non-material damage under GDPR Article 82(1) due to theft of personal data. The court clarified that compensation to individuals is purely compensatory, not punitive, and the severity of GDPR infringements by controllers is irrelevant for compensation purposes. The court emphasized that data breaches causing non-material damage are significant and may warrant minimal compensation even if not serious, provided the compensation fully addresses the harm suffered.

🏛️ CJEU Ruling on Compensation for Non-Material Damages based on fear
The Court of Justice of the European Union (CJEU) ruled in Case C-590/22 PS, determining that mere infringement of GDPR is insufficient for compensation under Article 82(1). Claimants must demonstrate actual non-material damage, though it need not reach a specific severity. Fear of data disclosure can justify compensation if proven. The criteria for fines in Article 83 do not apply to damage awards, and damage awards need not take into account breaches of national law provisions that do not specify GDPR rules.

🚦 Spain’s AEPD Explores Identity as Service vs. Fundamental Right
The Spanish data protection authority (AEPD) published a blog post discussing the shift from viewing identity as a fundamental right to treating it as a service. This shift can undermine personal control over data, impacting rights, social inclusion, and privacy. The post highlights the risks of commodifying identity, emphasizing that identity should not be a service controlled by governments or companies. It cites examples like the Aadhaar system in India, where exclusion from services has severe consequences, arguing for identity management that respects privacy and autonomy.

📊 Belgium DPA Publishes 2023 Annual Report
The Belgian Data Protection Authority published its 2023 annual report, highlighting a year of renewal and strengthened collaboration internally and with European partners. Key initiatives focused on cookie compliance and enhanced support for data protection officers (DPOs). The DPA participated in significant decisions involving TikTok and Meta, reflecting its commitment to robust data protection. Complaints and mediation requests rose, with notable focus on direct marketing and data breaches, underscoring the DPA’s ongoing dedication to privacy and public awareness.

🛡️ SAFE for Kids Act Signed into Law in New York
The New York Governor signed the SAFE for Kids Act, targeting social media platforms’ addictive feeds for minors. The act defines such feeds as those using algorithms to engage users based on their behavior, prohibits them for users under 18 without parental consent, and requires platforms to use reasonable methods to verify age. If the act is violated, the New York Attorney General can impose penalties of up to $5,000 per infraction. The act, designed to protect children’s mental health, will take effect 108 days after regulation by the AG’s office.

🎮 Nordic DPAs Publish Guidance to Strengthen Children's Data Protection in Online Gaming
The Nordic Data Protection Authorities, led by Denmark’s Datatilsynet, released guidelines to protect children’s data in online gaming. This document emphasizes four key GDPR principles: fairness, transparency, data minimization, and accountability. It aims to guide game developers in ensuring responsible data practices, highlighting the special protections required for children’s personal data. These guidelines were formulated in response to the growing digital gaming industry and the need for enhanced privacy measures for young players.
