Privacy newsletter - Oct. 20, 2020

Welcome to the latest edition of the Privacy Insider Newsletter. Each week, we send you the latest and smartest news in the world of data privacy.

Here are the top stories from last week you might have missed:

1. The IAB’s Transparency and Consent Framework has been found to fail the standards set out in GDPR. Key issues included their own privacy policy and the lawfulness of data processing. “There are further highly embarrassing findings for the IAB Europe, which the inspectorate found not to have appointed a Data Protection Officer, nor to have a register of its own internal data processing activities.” Link
2. The California Department of Justice unveiled a third set of modifications to CCPA regulations. These changes include requiring opt-out requests to be “easy for consumers” and informing consumers of their ability to exercise their “Do Not Sell” rights when data is collected offline. The CA DOJ is collecting comments on the modifications until the end of October. Link
3. Data breach volumes are on track to decrease by 30% in 2020 in the United States. Security experts theorized that remote working would increase data breaches due to an expansion of an organization's attack surface area. Initial data from the Identity Theft Resource Center suggests volumes are actually moving in the other direction. Link
4. Thailand’s government is using cash transfers to citizens for Covid relief as an opportunity to spy on their spending habits. The cards are part of a broader effort by the military-backed government to use data to crack down on political freedoms. Thais have been told that they need to elect government-aligned candidates to keep their card benefits. The government says they need to collect the data to "formulate better policies." The Thai example is part of a bigger story about governments using the pandemic to reduce citizens’ privacy. Link
5. The UK Information Commissioner’s Office has fined British Airways £20 million due to its 2018 data breach affecting more than 400,000 customers. The cyberattack lasted more than two months, and the UK ICO determined that the airline lacked sufficient security to detect and defend itself against this type of hack. This is the Data Protection Authority’s largest fine to date. Link
6. Could the UK turn into a haven for illegally obtained data? Carissa Veliz argues that we could begin witnessing data havens, just like we have tax havens today. The UK’s lax post-Brexit data policy could lead bad actors to launder their nefariously obtained data through apparently respectable products. Link
7. A FairWarning research report shows that nearly half (44%) of organizations are still in the early stages of adopting a privacy program. Even though the CCPA and other laws are being used to prosecute firms regularly, many firms still have catching up to do. 28% of companies are only in the middle stages of adopting a privacy program. Link