

DPOInsider #20
Instagram fined; A deep dive into the changing US privacy landscape; ASK the DPOs
The DPOInsider covers the latest news and developments in data compliance and privacy. The DPO's favourite weekly read ☕️
Instagram fined for violating kids’ privacy
Instagram has been hit with a pretty hefty fine after EU regulators decided on a long-running complaint relating to how the company handles data pertaining to children.
Details of the findings are unclear, as the fine amount was leaked, with full details of the decision to be published next week.
The Instagram penalty is the largest GDPR penalty the social media giant has been hit with to date (though not the largest ever GDPR fine; that one landed on Amazon) — following a $267 million penalty levied upon the Meta-owned messaging platform WhatsApp last September for violations of the GDPR’s transparency principle.
The complaint plays very much into the GDPR’s definition of privacy by design, and in Instagram’s case, it seems that children’s data is being set to public by default when it is processed.
I will report back on the full reasoning underpinning the fine as and when it’s published.
A deeper dive into the proposed American Data and Privacy Protection Act
This article is an excellent read on the changes facing the data privacy landscape in the US.
As I’ve discussed in previous editions, the lack of comprehensive federal data privacy laws in the US seems to be changing.
But what does that mean for DPOs, and privacy professionals in general?
Who and what will ADPPA regulate?
ADPPA would apply to “covered” entities, meaning any entity collecting, processing or transferring covered data, including nonprofits and sole proprietors. It also regulates cellphone and internet providers and other common carriers, with potentially concerning changes to federal communications regulation. It does not apply to government entities.
How ADPPA protects consumers’ data
The act would require data collection to be as minimal as possible. The bill allows covered entities to collect, use or share an individual’s data only when reasonably necessary and proportionate to a product or service the person requests or to respond to a communication the person initiates. It allows collection for authentication, security incidents, prevention of illegal activities or serious harm to persons, and compliance with legal obligations.
There’s much more to dig into in that piece!
Other data privacy news
Data Breaches That Have Happened in 2022 So Far
TikTok denies security breach after hackers leak user data
Post of the week
Check out this excellent guide on the difference between a DPO and a Senior Responsible Individual (as mentioned in the UK Data Protection Information Bill).
Poll the DPOs
Apologies for all of the new parts to this newsletter; I guess I’m getting a little carried away with the Substack features!
I wanted to try and ask the DPO community a question each week. Hopefully, we’ll get enough responses to share the findings each week. On to those shocking insights…