Privacy Regulation Roundup


The Privacy Regulation Roundup summarizes the latest major global privacy regulatory developments, announcements, and changes. This report is updated monthly. For each relevant regulatory activity, you can find actionable Info-Tech analyst insights and links to useful Info-Tech research that can help you become compliant.


US Privacy Regulation Roundup – A Federal Jury Found Uber Security Chief Joe Sullivan Guilty of Two Felonies in a 2016 Data Breach



Type: Enforcement
Effective Date: October 5, 2022

Summary: On October 5, a San Francisco jury agreed with US prosecutors who charged Sullivan with “a scheme to withhold and conceal” a 2016 data breach affecting 57 million Uber account holders. The trial marks the first time a chief security officer has faced criminal charges over an incident response. The jury found Sullivan guilty of obstruction and misprision of a felony, which means knowing that a felony has been committed and concealing it. The 2016 security incident at the heart of the trial did not become known until November 2017, after Uber’s new management investigated it. Sullivan’s crime was not that a data breach happened on his watch but that he interfered with an ongoing federal investigation into Uber’s data security practices, opened in the wake of an earlier data breach in 2014. Sullivan took steps to suppress knowledge of the 2016 data breach and even paid off the hackers responsible under the guise of a bug bounty reward. Sullivan did not tell the Uber attorneys who were communicating with the FTC about the breach, even as they represented the company’s security practices as much improved since 2014.

Analyst Perspective: Remove the ambiguity in data breach notifications with guidelines that set out how to comply with notification requirements. Build these guidelines into security incident response runbooks and workflows that identify who is accountable for the process, who is responsible for each part, and who you should consult as you work through resolution. The information security community is watching the case closely, in part because of Sullivan’s reputation for advancing cybersecurity practices. The case also raises the question of who is responsible for data breach reporting. The FCC did not charge anyone else involved in Uber’s response to the data breach or the subsequent cover-up. Sullivan’s defense leaned in part on the contentious claim that Uber’s legal team was responsible for deciding when to make a breach notification. That defense challenges the traditional view that the legal team’s role is to advise the executives who make the decisions.

Analyst: Michel Hébert, Research Director – Security & Privacy



Europe Privacy Regulation Roundup – Irish Regulator Fined Instagram for GDPR Violation on Children’s Privacy




Type: Regulatory Enforcement
Effective Date: September 5, 2022

Summary: In September 2022, the Irish Data Protection Commission (DPC) fined Meta Platforms Ireland Ltd. €405 million for insufficient technical measures to ensure information security on its Instagram platform, which had allowed users aged 13 to 17 to set up business accounts that displayed their phone numbers and email addresses. Instagram’s registration system also set accounts of users in this age group to “public” by default. This violated children’s privacy under the EU’s General Data Protection Regulation (GDPR). This fine is the third the Irish DPC has issued to Meta Platforms Ireland Ltd.; the other two were €17 million in March 2022 and €225 million in September 2021. Furthermore, six other investigations into Meta-owned companies are still ongoing.

Analyst Perspective: Make no mistake: organizations that are subject to GDPR and process children’s personal data must pay extra attention to protecting that data and put strong security controls in place. Children’s personal data, special categories of personal data, and conviction-related personal data are considered highly sensitive and must be protected accordingly. To implement technical and organizational security measures, organizations can leverage industry frameworks and standards such as ISO/IEC 27001, ISO/IEC 27002, and the CIS Controls.

Analyst: Ida Siahaan, Research Director – Security & Privacy



Canada Privacy Regulation Roundup – The Privacy Act Extended Access Rights to Foreign Nationals



Type: Regulatory Enforcement
Effective Date: September 5, 2022

Summary: Foreign nationals outside Canada now have the right under the Privacy Act to access their personal information that Canadian federal government institutions hold. Privacy Act Extension Order No. 3 grants foreign nationals abroad the same access rights Canadian citizens and permanent residents have. They can now access their information and request corrections of errors and omissions. They can also engage the Privacy Commissioner of Canada if they encounter challenges in the exercise of those rights.

Analyst Perspective: Until July 2022, foreign nationals had to employ third-party services to access federally held personal information through the Access to Information Act, often for a fee. The change should give foreign nationals more timely access to their own information. Extending universal access to personal information aligns Canada’s federal public sector privacy framework with its major global counterparts in the United Kingdom and the European Union.

Analyst: Michel Hébert, Research Director – Security & Privacy



US Privacy Regulation Roundup – Sephora to Pay $1.2 Million for Noncompliance With California Consumer Privacy Act (CCPA)



Type: Regulatory Enforcement
Announcement Date: August 29, 2022

Summary: Sephora, a French cosmetic retail brand, will pay US$1.2 million in settlement and fix its privacy implementation gaps to comply with the California Consumer Privacy Act (CCPA). The allegation arises from the retailer’s shortcomings in addressing three key issues: first, failure to disclose to the customers that their information is sold; second, negligence in honoring opt-out requests; and third, inaction during the 30-day grace period to remediate the situation.

Analyst Perspective: Companies must have an effective data privacy program. Companies that are already preparing to comply with the California Privacy Rights Act, which takes effect in January 2023, must add an extra layer of urgency to their compliance measures. What’s more, the enforcement targeted a French retail chain, highlighting that no company doing business in California, regardless of its local or global presence, is exempt. Companies must also be aware of similar regulations emerging around the world as consumers become more informed and policymakers face pressure to act.

Analyst: Hendra Hendrawan, Technical Counselor – Security & Privacy


