Privacy Highlights - January 2023

Israel's Adequacy decision is on the line, being double-tested

Over the past decade, the State of Israel has benefited from an Adequacy Decision, in accordance with Article 45 of the European Data Protection Regulations (GDPR), which allows the relatively free flow of information between EU countries and Israel. Without a valid decision, the conditions for transferring information from the EU to Israel will be tightened, which could lead to significant harmful economic consequences for Israeli activity with the EU market.

In recent months, the existing decision regarding Israel has been under re-examination, against the backdrop of European law changing and progressing at a dazzling pace, as opposed to the known stagnation of Israeli law. Moreover, the proposed reform in Israel is also sending its signals, with the Europeans seeing the shackling of the courts as a step that distances us from renewing the decision. The head of the Norwegian Data Protection Commission, Tobias Jodin, said during his visit to Israel:

"Over the years the threshold to obtain adequacy has risen a bit, so nowadays the threshold is very high," he explained. "It is very important in these assessments that the judiciary is actually independent, that you have independent oversight and redress... A possible consequence would be that adequacy for Israel would be revoked because it no longer meets the criteria. That means that suddenly you can't transfer data freely from Europe to Israel anymore, and probably European companies would avoid Israeli companies as well... They would be in the same category as China."

Source: https://www.calcalistech.com/ctechnews/article/rjsnuxt2i

 

The Privacy Protection Authority – ‘We are re-pricing privacy infringements’

At a conference held earlier this month, the head of the Privacy Protection Authority, Mr. Gilad Sammama, addressed the obligations of organizations under the Protection of Privacy Law and the Information Security Regulations under it, and emphasized the obligations to report personal data breaches and incidents.

At the conference, Sammama also addressed the proposals to amend the Protection of Privacy Law, placed on the Knesset's table, saying that "higher fines are expected to be imposed for violations of the information security regulations," noting that "we are 're-pricing' privacy. The Privacy Protection Authority has intelligence tools that can identify violations of the law, and the goal is that any company that holds personal information will understand that it is the citizen's property and it needs to protect it. Otherwise, it is exposed to extremely high financial penalties."

Source: https://www.funder.co.il/article/144210

 

Medical teams found to be photographing patients in operating rooms

In a Knesset debate aimed at promoting the status of women, Yael Sherer, director of the Lobby to Combat Sexual Violence, stated that "medical staff take pictures of themselves with patients while they are in the midst of a medical procedure and under general anesthesia." The photos are then shared on dating apps and sites such as Tinder.

Following the serious and important discovery, the Director General of the Ministry of Health, Bar Siman Tov, issued severe warnings regarding violations of patients' privacy, human and patient rights and freedoms, in a manner that may even amount to sexual offenses, according to a letter from his ministry.

Source: https://www.ynet.co.il/news/article/rj11bw85nj

An administrative fine of NIS 95,000 was imposed on a civil servant who exploited his access to a government database and posted personal information in a Facebook group

The fine was imposed for a number of violations of the Protection of Privacy Law, committed by an employee of the Tax Authority who used his permissions for various systems, and posted private information in a Facebook group, on a number of different occasions.

It should be recalled that according to the practice in Europe, as well as according to another recent ruling in Spain, the managers of Facebook groups are considered the Controllers, and the responsibility for the publications made in them lies with them. Here, it appears that the various authorities have approached the group's managers, but no sanctions have been imposed on them.

https://www.gov.il/he/departments/news/fine95k

New ISO Standard (ISO 31700) - Privacy Design

The obligation to characterize, plan, and design services and products in accordance with privacy considerations came to public attention in 2009 in Canada (what is known as Privacy by Design), where it was introduced and became part of local privacy legislation (PIPEDA). This obligation is also entrenched in European law (GDPR). In Israel, this concept is not introduced in law, but is recommended by the Privacy Protection Authority, according to a guide it previously published (here).

Now, the International Standardization Organization (ISO) will publish a new standard, 31700, that guides, through 30 different requirements, on how to plan and design systems for optimal protection, or to mitigate privacy risks, by default. It should be noted that regarding compliance with applicable European law (Art. 25 GDPR), it may be determined later that such certification would be considered as compliance with the relevant duty under the GDPR.

 Read more - https://iapp.org/news/a/iso-set-to-adopt-privacy-by-design-standard

 

Meta is leading legal action against the "harvesting of information" from its platforms, and is suing an Israeli-owned company

Meta is taking action against companies that collect "visible" information found on its various platforms, Instagram and Facebook, and is filing a lawsuit against Voyager Labs, an Israeli company, in a California court.

The issue of scraping information was discussed at relative length in LinkedIn's lawsuit against HiQ Labs, a case that made headlines as permitting the act of harvesting the information, centering on a request (which was rejected) for an injunction by LinkedIn against HiQ. Now, as HiQ's relevant services appear to be no longer operable, a new decision has been made allowing LinkedIn to re-submit its applications to court.

It should be noted that this is not the first time Meta has taken legal action in these matters, centering on enforcing its terms of use and blocking any scraping; this lawsuit joins claims against NSO, Octopus and many others.

https://about.fb.com/news/2023/01/leading-the-fight-against-scraping-for-hire/

 

The Greek Privacy Protection Authority imposes a fine for violating the GDPR on a company owned by a former senior intelligence official, for non-cooperation 

The company, Intellexa, which operated an offensive cyber tool that infects mobile phones with spyware, was fined €50,000. According to the Greek Privacy Protection Authority, the company's spyware tools were used to spy on journalists, and it was at the center of a wiretapping scandal in Greece, when it emerged that it was used to track a journalist investigating corruption scandals in the country. It was also found that the tool was used against the opposition leader and the minister of infrastructure in Greece.

The Greek authority tried to obtain information and documents from the company, but according to the Greek authority, the company did not cooperate in the proper way to advance the investigation into the so-called Watergate of Greece. The authority also reached the company's registered offices in Greece and its alleged centers of operations but found the company's local accounting firm and other offices empty. According to the PPA's announcement, considering the long response times and the refusal to provide relevant information, the company has violated Article 31 of the GDPR, for which the fine was imposed, and an order was even given to the company to transfer the necessary information immediately.

Source: https://www.haaretz.co.il/news/security/2023-01-16/ty-article/00000185-ba88-dee4-ad87-ba9836480000

 

Ireland's Privacy Protection Authority is imposing a €5.5 million fine on Meta (for WhatsApp), but it must continue its investigation into further conclusions, according to EDPB

Following last month's fine imposed by the DPC on Meta for illegally relying on the Terms of Use as a basis for processing personal data (here), the EDPB has now ordered the DPC, after the latter decided to finalize the case and impose a fine of €5.5 million on WhatsApp, to continue investigating WhatsApp's operations, in light of its own conclusions.

Recall that the tension between the DPC and EDPB has already been observed recently and raised many questions on issues of authority. Even now, it appears that the Irish Authority does not intend to act directly according to the EDPB's directive and will instead refer the question to the court.

 https://iapp.org/news/a/irish-dpcs-whatsapp-fine-deepens-fissure-with-edpb-over-enforcement-jurisdictions/

 

French authority imposes a fine of €8 million on Apple

The fine imposed by the CNIL addresses violations of the ePrivacy directive, which was adopted as part of local French law, and not the GDPR. The fine was imposed for embedding and automatically enabling an advertising identifier (Ad-Id), immediately upon installation of the new operating system iOS 16.4. The processing is done upon a visit to the App Store, and is enabled by default.

The CNIL emphasized within the decision the flow within the system: the number of steps a user must go through in order to disable the action. Even if it is not explicitly stated, it is worth noting the considerable attention given by law enforcement and legislative authorities around the world to 'dark patterns', an interface design that misleads, complicates or confuses the user, especially when the user wants to perform actions that are not desired by the owner (in this case, to disable the activation of the Ad-Id).

Taken from the full decision https://www.cnil.fr/en/advertising-id-apple-distribution-international-fined-8-million-euros (freely translated from French):

The restricted formation also points out that this stage of obtaining consent occurs late in the phase of the user taking control of the telephone and that it is optional because it is not integrated into the telephone initialisation process. In addition, this step is only accessible after the user clicks on the "Settings" icon on the iPhone, goes to the "Privacy" menu, and then clicks on the section labeled "Apple Advertising". It considers that it is difficult for the user to be able to validly accept or refuse those operations, in so far as the user who has completed the initialisation journey of his phone (where the journey includes a large number of steps as in the present case) may legitimately think that he no longer needs to make other configurations before consulting the App Store.

 

The EDPB publishes a report in connection with the use of cookie menus and banners

The document, which was published following the convening of a joint task force investigating most of the complaints submitted on the subject to the various law enforcement authorities in the EU, provides guidance on the main issues arising from these complaints. Among its main points:

  • Marking the consent boxes in advance - an unacceptable practice that, according to the EDPB, does not comply with the provisions of the GDPR.
  • Accept All / Refuse All - The decline button should be equivalent to the consent button. A "read more" button, "personal selection", etc. is not enough.
  • Back to dark patterns. The user's option of refusal or choice should not be hidden or concealed, especially when the mirror option of accepting or agreeing to cookies is emphasized or made to attract attention.
  • Cookie menu - A user should be able to return to that menu at any time, from anywhere on the site. At the same time, it should be possible to change the selection at any time while browsing the site.

To read the full document: https://edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf
