INTERNATIONAL 

EUROPEAN UNION

7. Irish DPC imposes fine of €310 Million on LinkedIn for GDPR Violation[1]

On October 24, 2024, the Irish Data Protection Commission (“DPC”) delivered its final verdict in the matter involving LinkedIn wherein the inquiry was initiated following a complaint made by the French Data Protection Authority. Basis the investigation it was observed that LinkedIn was in violation of GDPR on the grounds that consent obtained by LinkedIn for the processing of first party personal data and third-party personal data of its users for behavioural analysis and targeted advertisement was not ‘free’, ‘sufficiently informed’, ‘specific’ or ‘unambiguous’ in nature as clearly required as per Article 6(1)(a) of GDPR. Additionally, it was observed that in case of first party personal data, it was not necessary for LinkedIn to use personal data for behavioural analysis for performance of its contract with the users as required under Article 6(1)(b) for lawful processing of personal data. Further, LinkedIn’s processing was being undertaken for its own interest overriding the fundamental rights of its users and therefore, in violation of Article 6(1)(f). Hence, the DPC concluded that LinkedIn’s practices are not fair, transparent or lawful in nature as per Article 5(1)(a) and imposed a fine along with reprimand and an order for LinkedIn to amend its practices as per GDPR standards.

This decision is a significant reference point for companies operating in jurisdictions with GDPR-inspired frameworks, like India’s DPDP, offering a practical model for achieving compliant, ethical data processing and practices for obtaining consent. This serves as both a reminder and a guideline for building transparent, user-centric data practices that uphold user rights and regulatory standards alike. 

8. EU rules on Commercial Interest as Legitimate Basis for Data Processing[2]

The Court of Justice of the European Union (“CJEU”) has provided clarity on how a purely commercial interest can serve as a legitimate basis for data processing. In the matter of Koninklijke Nederlandse Lawn Tennisbond v. Autoriteit Persoonsgegevens [(C-621/222)], the Royal Dutch Tennis Association (“KNLT”) disclosed the personal data comprising of names, addresses, domiciles, date of birth, telephone number, email addresses and mobile numbers of its members to its sponsor for marketing purposes without obtaining prior consent of the members. Moreover, KNLT was paid for such disclosure and sharing of personal data. Consequently, complaints were filed by members before the Dutch Data Protection Authority.  As per the DPA, the commercial interest of KNLT did not constitute legitimate interest under Article 6(1)(f) and a fine of €525,000 was imposed.

The matter was eventually brought before the CJEU, which observed that sharing personal data for commercial purposes could be legitimate basis of processing, if it meets the principle of data minimization and aligns with the reasonable expectations of the data subject. In this case, KNLT disclosed personal data to two of its sponsors: one, a sports equipment company, and the other, a provider of games of chance and casino games. While it may be reasonably expected that members of a sports federation would welcome offers for sports equipment that will only be an added advantage to their membership, sharing data with a gambling-related sponsor could expose members to risks of gambling addiction, conflicting with their interests and expectations.

Accordingly, CJEU held that commercial interest can be considered legitimate basis for processing on a case-by-case basis, provided it adheres to data minimization principles and respects the reasonable expectations of the data subjects.

This judgment offers a significant relaxation for companies, enabling them to share personal data to better meet the expectations of their clients, as long as they remain compliant with GDPR requirements. By recognizing that data sharing for commercial interests can be legitimate if it fulfils the reasonable expectations of data subjects and respects the principle of data minimization, the Court provides companies with more flexibility in engaging with third-party sponsors and partners. However, this flexibility is not without limits as it requires careful adherence to GDPR’s core principles, ensuring that data sharing aligns closely with the interests and expectations of individuals. This ruling underscore the importance of a balanced approach where companies can enhance client offerings while maintaining strong data protection standards.

UNITED STATES OF AMERICA

9. FTC and State AGs settle with Marriott over Major Data Breaches[3]

The Federal Trade Commission (“FTC”) recently penalized Marriott International, Inc. (“Marriot”) and its subsidiary Starwood Hotels & Resorts Worldwide LLC (“Starwood”) and its subsidiary Starwood with a $ USD 52 million fine after multiple data breaches compromised sensitive data of over 344 million guests between 2014 and 2020. The FTC’s investigation revealed that Marriott failed to implement essential security measures, such as network monitoring and proper credential management, even following its acquisition of Starwood in 2016. This lapse allowed unauthorized access to guest data, including passport details and payment information. It was discovered that Marriott deceived its customers of having proper security practices.

As this matter has reached settlement, under the FTC’s settlement proposal, Marriott must provide all U.S. consumers with a clear option to request the deletion of their personal information held by the company, regardless of whether specific state laws require it. The Group is also mandated to minimize data retention, only keeping personal information as long as necessary to fulfil its original purpose.

10. ‘Click-to-Cancel’ Rule for Consumer Protection Unveiled by FTC[4]

On October 16, 2024 FTC announced a final ‘Click-to-Cancel’ rule (“Rule”) ensuring that the consumers are able to cancel their enrolment in an easy manner similar to the process of signing up and prohibit the negative marketing options (i.e., assuming customer’s inaction as consent to continue billing them) used by the sellers. The Rule provides a relief from the endless and tedious process of cancelling a mere subscription. FTC, through this move, aims to end the traps of sellers making the customers keep paying for the services they no longer require.

This Rule, effective 180 days post-publication in the Federal Registrar, prohibits misleading practices, mandates clear disclosure of terms, and requires consumer consent before charges. The Rule aims to remove earlier draft provisions for annual cancellation reminders and restrictions on presenting alternative offers at cancellation, allowing companies to present these if the consumer consents.

UNITED KINGDOM

11. ICO Reprimands Sky Betting and Gaming for Cookie Violations[5]

In September 2024, the Information Commissioner’s Office (“ICO”) reprimanded Bonne Terre Ltd., (“Bonne Terre”) a company offering various online betting and gaming products and related services through domain name ‘SkyBet.com’ for violating the U.K. GDPR. This action was taken by ICO following a report by ‘Clean Up Gambling’, a U.K. advocacy organization, highlighting transfer of extensive amount of personal data by Bonne Terre to third parties without obtaining consent of the users. The investigation revealed issues with the consent management pop-up.  Users were led to believe that accepting ‘all cookies’ only applied to site functionality, marketing, and analytics, but Bonne Terre also treated this as consent to share data with third parties. The ICO emphasized the importance of obtaining clear, informed consent, particularly in sensitive areas like gambling, and warned Bonne Terre of future regulatory actions if compliance lapses continue.

As consent is the one of the most crucial aspect of data privacy, it should never be obtained through misleading mechanisms. When users are not fully informed or are led to believe their consent covers limited purposes while it actually includes additional data sharing, it undermines trust and violates privacy standards. Genuine consent requires transparency, ensuring users understand exactly what they are agreeing to and how their data will be used. Especially in sensitive sectors, clear consent practices are essential for respecting users’ rights and maintaining regulatory compliance.

AUSTRALIA

12. Australia introduces Cyber Security Legislative Package[6]

The Cyber Security Legislative Package is a comprehensive set of legislative measures introduced to enhance Australia’s cyber security framework. It aims to address the growing threats in cyberspace, particularly as digital infrastructure and technology become increasingly integral to national security, economic stability, and the everyday lives of citizens. It includes three key bills: the Cyber Security Amendment (Infrastructure Security) Bill 2024, which mandates operators of critical infrastructure to implement protective measures and allows Government intervention during significant cyber incidents. Additionally, the bill has an extra territorial applicability on any entity that carries on business in Australia over the reporting threshold. The Cyber Security (Public Sector) Bill 2024, which requires public sector agencies to adopt minimum cyber security standards and report incidents for coordinated responses; and the Cyber Security and Data Protection Bill 2024, which strengthens penalties for data breaches, mandates breach notifications to affected individuals, and establishes guidelines for data protection assessments. The framework also provides security standards for smart devices.