After another statement by the German Data Protection Authorities (German DPAs) of 5 September 2018 (Statement, available in English here), stating that the operation of a fan page as offered by Facebook was illegal, Facebook reacted “overnight” and released a co-controller agreement, the “Page Insights Controller Addendum” (Insights Addendum, available here). In a press release … Continue Reading
A meeting of data protection authorities from around the world has highlighted the development of artificial intelligence and machine learning technologies (AI) as a global phenomenon with the potential to affect all of humanity. A coordinated international effort was called for to develop common governance principles on the development and use of AI in accordance … Continue Reading
The Fall 2018 edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released. We provide updates on Facebook fan pages, the right to be forgotten, cease and desists by competitors under GDPR, spamming and customer satisfaction surveys, the German Network Enforcement Act, and more. The newsletter also includes … Continue Reading
The European Union and the United States have now conducted the second annual review of Privacy Shield, a framework which regulates and facilitates the exchange of personal data across the Atlantic. The European Commission will publish its conclusions in a report at the end of this month. The EU-U.S. Privacy Shield mechanism EU organisations that … Continue Reading
The European Parliament has published a non-binding resolution on distributed ledger technologies and blockchains (blockchain technologies). What is distributed ledger technology? Best known as the technology behind bitcoin and other crypto-currencies, distributed ledger technology is, in its simplest form, a ledger of digital information maintained in decentralised form across a large network of computers. The … Continue Reading
On 8 November, 2018, Singapore’s Personal Data Protection Commission (PDPC) issued its response to feedback received on a public consultation paper. In that consultation paper, the PDPC had proposed to: merge the Do Not Call provisions in the Personal Data Protection Act 2012 of Singapore (PDPA) and Spam Control Act into a single legislation to … Continue Reading
The European Data Protection Supervisor (EDPS) published an Opinion on 5 October 2018 regarding the European Commission’s legislative package “A New Deal for Consumers”. In the Opinion, the EDPS calls for closer alignment between consumer and data protection rules in the EU. Background The Commission’s package, adopted earlier this year, includes two legislative proposals: (1) … Continue Reading
The UK government has launched a Code of Practice (CoP) for the Internet of Things (IoT) security. This is aimed at improving baseline security and ensuring that devices that process personal data are General Data Protection Regulation (GDPR) compliant, as well as advancing an industry-wide ‘security by design’ approach. The CoP provides outcome-focused practical steps … Continue Reading
The UK government launched its Smart Data Review on 28 September 2018 (Review). The Review will look at how technology, such as online comparison tools and open banking, can be used to make it easier for consumers to get good deals on essential services and put an end to consumers paying unjustifiable ‘loyalty penalties’ for … Continue Reading
California enacted Internet of Things (IoT) legislation intended to help protect consumer privacy and safety from potential hacking of connected devices. Under the state legislation that may apply to any connected devices sold in California, manufacturers of connected devices are required to equip the devices with security options suitable to the nature of the device … Continue Reading
On 26 September 2018 the Information Commissioner’s Office (ICO) began formal enforcement action against 34 organisations that have failed to pay their data protection fees. Notices of intent have been served on both private and public sector organisations, including the NHS, government organisations, and businesses in recruitment, finance and accountancy. They have until 17 October … Continue Reading
On 12 September 2018, complaints were filed with the UK Information Commissioner’s Office and the Irish Data Protection Commissioner regarding the “wide scale and systemic breaches of the data protection regime” by Google and others in the online advertising industry (the Complaints). The Complaints The Complaints were submitted by Brave, an ad blocking web browser, … Continue Reading
Two businesses have been fined a total of S$13,000 for breaching Singapore’s data protection law. GrabCar Facts The first decision involved a carpooling service operated by GrabCar through an app. Twenty drivers had their accounts suspended for flouting usage rules for the platform. They were allowed to submit an appeal, by filling a Google form … Continue Reading
The Information Commissioner’s Office (ICO) has published its Technology Strategy for 2018 to 2021. The Strategy, part of the ICO’s focus on adapting to rapidly developing technologies, outlines eight “technology goals” and the measures that will be implemented to achieve them. Technology goals Broadly, these goals include increased technology training for the ICO’s staff and … Continue Reading
Beginning on September 1, 2019, all Singapore private sector organizations will be banned from collecting, using or releasing all national identity cards, copies or their numbers unless required under law or deemed necessary to verify an individual’s identity. If organizations violate the rules under the Singapore Personal Data Protection Act 2012 (PDPA), they could face … Continue Reading
On Thursday, September 27, the Federal Trade Commission (FTC) announced settlements with four companies, IDmission, LLC, mResource LLC (doing business as Loop Works, LLC), SmartStart Employment Screening, Inc., and VenPath, Inc., following allegations that the companies falsely claimed to be certified under the EU-U.S. Privacy Shield. Specifically, the FTC alleged that IDmission, LLC misrepresented participation … Continue Reading
On 6 July 2018, the Information Commissioner’s Office (ICO) issued an enforcement notice against AggregateIQ for failing to comply with the General Data Protection Regulation 2016/679 (GDPR). The enforcement notice was issued as part of the ICO’s investigation into whether personal data was misused by both sides during the Brexit referendum. AggregateIQ The terms of … Continue Reading
Check out this month’s edition of The Privacy Advisor, a publication of the International Association of Privacy Professionals (IAPP), for Divonne Smoyer and Kimberly Chow’s Q&A with North Carolina Attorney General (AG) Josh Stein. Throughout his tenure as AG, Stein has shown a clear commitment to data privacy and security through his advocacy for strong … Continue Reading
The government has published guidance for UK organisations on transfers of personal data in the event of a so-called no-deal Brexit. In particular, the guidance sets out actions for UK organisations to take to enable the continued flow of personal data between the UK and the European Union (EU) in such an event. While emphasising … Continue Reading
In Xerpla Ltd v. Information Commissioner [2018] UKFTT 2017_0262 (GRC) (14 August 2018), an English General Regulatory Tribunal has overturned a fine, issued by the Information Commissioner’s Office (ICO) against the direct marketing company, Xerpla Ltd, after the ICO determined that Xerpla had failed to obtain the necessary consents for electronic communications to its subscribers. … Continue Reading
The government has published its response to the April 2018 targeted consultation on the Security of Network and Information Systems Directive (NISD). The targeted consultation specifically addressed how NISD will apply to Digital Service Providers (DSPs) in the UK, focusing on the identification of DSPs, security measures and further guidance. This follows the government’s public … Continue Reading
The German data protection authorities (German DPAs) have jointly released a list of processing activities (List) that are subject to a data protection impact assessment (DPIA). The List contains 16 examples. What is a DPIA? DPIAs shall help identifying, assessing and minimising the data protection risks of a project in which personal data are processed. … Continue Reading
The Federal Trade Commission (FTC) will be holding a series of hearings this fall on “Competition and Consumer Protection in the 21st Century,” with the goal of reflecting on the agency’s powers, and state attorneys general (AGs) want to make sure their voices are heard. A bipartisan group of 29 state AGs filed comments with … Continue Reading
Since California enacted its Automatic Purchase Renewals Law (APRL) in 2010, the plaintiffs’ class action bar has been active in suing companies with subscription-based services for their alleged failures to comply with the APRL requirements. The lawsuits stem from the alleged failure to comply with the disclosure, consent, and acknowledgment requirements applicable to many types … Continue Reading
