Data Protection Weekly 21/2022

May 27, 2022

European Union

European Commission publishes Q&A on SCCs for data transfers

On 25 May 2022, the European Commission published Q&As to provide practical guidance on the use of the SCCs and to assist stakeholders.

The Q&As are divided into three parts (general inquiries about SCCs, SCCs between controllers and processors, and SCCs for international transfers).

Concerning the SCCs for the transfer of data to third countries, the Q&As address:

  • reasons for modernisation and main novelties;
  • scope of application and transfer scenarios;
  • general issues about the protection of individual rights;
  • obligations of data exporters and importers;
  • local laws and government access.

You can access the Q&As here.



UK: The ICO fines facial recognition database company Clearview AI Inc more than £7.5m and orders UK data to be deleted

The ICO announced on 23 May 2022 that it had fined Clearview AI £7.5M for using images of people in the UK, collected from the web and social media, to create a global online database that could be used for facial recognition.

For the ICO, Clearview mainly failed to:

  • use individuals’ information in a fair and transparent manner: data subjects were not aware of the use, nor did they have reasonable expectations of it;
  • have a lawful basis to process the biometric information;
  • have reasonable retention periods;
  • meet the standards required for the protection of biometric data.

You can read the press release here.


Italy: Uber – The Garante finds breaches of the law on information and consent

Following a data breach that Uber suffered in 2016, the Garante opened an investigation. It found that:

  • the information provided to data subjects in the privacy notice was insufficient and incorrect, and it omitted to mention Uber Technologies Inc as joint controller;
  • Uber failed to obtain specific consent in relation to the processing carried out for the evaluation of the “Risk of fraud” (around 1.4m Uber users affected);
  • Uber failed to notify the Garante of the processing of geolocation data (mandatory at that time, pre-GDPR).

As a consequence, the Garante imposed a fine of 2.12M€ on Uber BV (NL).

You can read the press release here.