If you can take your eye off the ball, watch the app!

The World Cup in Qatar has attracted attention to many aspects other than football itself, one of them being lack of privacy. The tens of thousands of surveillance cameras using facial recognition technology prompted France’s DPA, the CNIL, to advise football fans to use a burner mobile (an inexpensive prepaid anonymous phone) in order to safeguard their personal data. Germany’s federal DPA has also issued a warning about Qatar’s data collection via World Cup apps and advised visitors to not take their usual phone to Qatar due to excessive data collection via the app. Ironically, Qatar has had a data protection law in force since 2017, but is not on the list of jurisdictions regarded by the EU as “adequate”.

The dilemmas posed by facial recognition technologies was one of the issues debated by the DPAs at their annual international conference in Turkey, where they adopted a resolution on this technology. Stewart Dresner and I attended the open days of the conference. Read an overview of the proceedings on and the latest news about Latin American Standard Contractual Clauses and other developments in the region.

Indonesia’s data protection law in now in force – a major change in the world's fourth-most populous country. Bangladesh has prepared a Bill and the EU has several Acts in the pipeline that will affect the data protection framework. The draft AI Act is making progress, and the Digital Services Act, EU’s new online content regulation, has been in force since 16 November. Companies now have until 17 February 2024 to ensure compliance.

In the US, a debate has started about the Federal Trade Commission’s rulemaking in the fields of consumer privacy and data security. The FTC’s focus is very much on behavioural advertising. Some commentators are however questioning the FTC’s authority to engage in privacy rulemaking, especially now as there are attempts in the US Congress to adopt a federal level privacy law.

Our Germany correspondents report on data transfers in the context of US-based subsidiaries, and the application of Schrems II. We also bring you an analysis of a recent Advocate General’s Opinion from the Court of Justice of the European Union on compensation under the EU GDPR.

Laura Linkomies
Editor, Privacy Laws & Business

December 2022