Posts

Showing posts from September, 2022

Major Privacy News in September

Here is a quick summary of some recent major privacy-related events around the world in September.

A bad month for Big Tech on Privacy Law violations

TikTok is currently facing a potential 27M GBP fine from the UK Information Commissioner's Office for violation of data protection laws regarding the processing of minors' data, unlawful processing of special category data, and insufficient transparency. This comes soon after Instagram was fined 405M Euros by Ireland's Data Protection Commission earlier this month for breaching the GDPR's laws regarding children's privacy, the second largest fine ever under the GDPR. Moreover, Meta (the parent company of Instagram) was also sued by iOS users for bypassing Apple's privacy settings and tracking users' activity on third party websites. Adding in South Korea's $22M fine on Meta (as well as $50M fine on Google) for privacy law violations regarding both companies' collection and use of behavioural

Korea about to introduce a Discovery Policy

Sep 25 Blog

Korea’s supreme court is currently reviewing the government’s newly introduced discovery policy, with a report expected by October of this year. This would be a significant change to Korea’s currently lacking discovery policies; although courts can order parties to produce documents, there are no enforcement powers, which allows respondents to ignore the orders or produce minimal documentation. The result of Korea’s current system is that, with evidence being so hard to obtain, many give up on seeking legal redress even after suffering damages for issues such as technological infringement, product liability, and medical litigation.

A discovery policy has many benefits, such as reducing the burden of proof on consumers in lawsuits against big companies, drastically raising consequences for companies that refuse to comply with court orders to provide relevant evidence (as they currently often do in Korea), and streamlining the process of investigating evidence. Such a

Civic Organizations in Korea sign petition claiming Meta is abusing dominant market position to violate privacy laws

Sep 24 Blog

What happened? The Citizens’ Coalition for Economic Justice (CCEJ) and 37 other civic organizations have signed a petition for Meta to “cease their threats to users and respect their rights over their personal data”, while also claiming that Meta’s privacy policy violates Korea’s privacy legislation – in particular, the restriction on excessive collection of information.

Why is this important? This is yet another case in which Meta is alleged to be violating its own privacy policy, or in which its practices are alleged to violate common privacy laws, such as laws requiring meaningful consent before the collection of data and laws limiting collection to only information necessary for legitimate business purposes. The ongoing lawsuits and the hefty fines given raise concerns that Meta is failing to meet privacy laws in multiple countries, which could severely impact its business and user retention.

In more detail: The issue is that Meta is requiring extensive collection of personal data as

Korea's Privacy Law Amendment to mandate De-identification of data in NFTs

Sep 23 Blog

Image by starline on Freepik

What happened? Korea amended their privacy legislation so that Non-Fungible Tokens are now required to de-identify personal information involved in its coding before it is encoded and linked into the blockchain.

Why is this important? Existing privacy laws have several conflicts with the nature of NFTs that are difficult to resolve, such as the right to rectify or delete one's personal information, which have not yet been adequately addressed. Korea's amendments and solution to some of the conflicts may point at a path other countries with developing privacy legislation could adopt.

In more detail: On July 19, Korea made an Amendment to the Personal Information Protection Act (PIPA) regarding Non-Fungible Tokens, the basis of Blockchain. NFTs contain several privacy risks, such as online identifiers, blockchain addresses, transactional activity, and location data. The nature of blockchain means that eac

Investigation in Korea over whether Starbucks Korea violated their Chief Privacy Officer's right to carry out duties or imposed undue influence

Sep 21 Blog

What was the issue? An investigation is being launched in Korea over whether a Chief Privacy Officer's lawful right to autonomy and freedom to carry out their duties in s31 of Korea's PIPA was violated. This is the first potential violation of s31 of PIPA, and could serve as a landmark for improved authority and legal protection given to CPOs.

What happened? Korea’s Personal Information Protection Commission (PIPC) is launching an investigation into whether Starbucks Korea’s internal disciplinary action towards their Chief Privacy Officer (CPO) violated s31 of the Personal Information Protection Act (PIPA). The source of the issue came from an internal harassment claim filed against the CPO after the CPO had submitted an official report recommending improvements to the company’s privacy protection measures, upon which Starbucks Korea temporarily suspended the CPO. The CPO objected to the company, saying this was impeding him from carrying out his dut

Privacy Concerns raised by Mounted Cameras on Delivery Robots

Sep 20 Blog

What’s the Issue? There is growing concern over possible breaches of privacy through the recordings from mounted cameras on autonomous delivery robots.

Why is it important? Recordings done on autonomous vehicles can include location data, biometric data (such as facial imaging), and behavioural data (such as driving), which can be used to identify and profile an individual person.

What are proposed solutions/laws? Currently there are few laws specifically addressing autonomous vehicles, and the ones that do seem inadequate for new developments in autonomous vehicles. Proposals to amend laws include relying on a legitimate business purpose combined, informing users of data collection beforehand to gain informed consent, and practicing good cybersecurity and data retention practices.

In more detail: In Korea, autonomous delivery robots are raising concerns that their mounted cameras (which record the surroundings and then send the pictures to a control

Murder suspect used his former company's internal network to get his stalking victim's location information

What happened? A murder suspect gained unauthorized access to the victim's personal information through a public organization's internal computer network, and used it to locate the victim's working area.

What's the issue? Currently there are inadequate safety precautions preventing such unauthorized access of personal information collected by government organizations, which can be abused by criminals seeking the personal information of their targeted victims.

What does this mean? This case demonstrates how inadequate protection measures for personal information controlled by government institutions can be exploited by criminals to facilitate violent crimes, such as by knowing their target's address and working locations.

More Detail: The murder that happened in Sindang Station, Korea on Sept 14 is notable for the murder suspect's use of a publicly owned company’s internal computer network to access the victim’s personal information and locate their work

Google and Meta fined record $72.2M in Korea for violating privacy laws opt-in consent

What happened? On Sep 14, Korea’s Personal Information Protection Commission (PIPC) found Meta and Google in violation of privacy law regarding consent and collection of users’ behavioural data online, and fined them a record $72.2M.

What was the issue? The PIPC concluded that Meta and Google were presuming consent by enabling data collection as the default option for new users, and made relevant privacy settings difficult to understand or change.

What impact will this have? In Korea, this is a sign that the PIPC will strongly enforce privacy rights compliance regarding the collection of personal information for targeted advertising, and will likely cause other online platforms such as Kakao and Naver to improve the privacy settings of users.

In Canada, existing laws and ‘guiding opinions’ released by the Office of the Privacy Commissioner (OPC) indicate that such practices by Meta and Google in Korea would also be considered as non-compliant with Canadian privacy law. Given

Sep 10, 2022 - Day 1 of Simplawfy

This is the start of Simplawfy, a blog aimed at summarizing and simplifying developments in privacy law into an easy-to-read, easy-to-understand format.