Archives: Privacy & Data Protection

Subscribe to Privacy & Data Protection RSS Feed

Death, taxes, and preliminary enforcement notices – ICO investigates UK tax authority’s processing of voice data.

The Information Commissioner’s Office (ICO) issued a preliminary enforcement notice to Her Majesty’s Revenue and Customs (HMRC). The ICO’s notice compels HMRC to delete personal data which was wrongfully collected. Consent A complaint was made to the ICO last year about HMRC relying on implied consent for the historic collection of personal data from individuals. … Continue Reading

What businesses should know about the upcoming CCPA rulemaking

With barely half a year until the California Consumer Privacy Act (CCPA) takes effect in January 2020, the landmark privacy law is in a state of flux. The already-amended landmark law is likely to face further rounds of revision, and the California Attorney General is required to hammer out many key compliance requirements through an … Continue Reading

California lawmakers propose new CCPA amendments that address major concerns of the business community while preserving the privacy law

Last week, the California Assembly’s Committee on Privacy and Consumer Protection, which exercises jurisdiction over privacy and personal information protection matters, approved several amendment bills intended to clarify and narrow the scope of the California Consumer Privacy Act (CCPA or the Act). In January 2020, the CCPA will impose landmark burdens and obligations on businesses … Continue Reading

HHS reexamines prior interpretation of the Health Information Technology for Economic and Clinical Health Act’s penalty structure

The U.S. Department of Health and Human Services (“HHS”) filed a Notice of Enforcement Decision (the “Notice of Enforcement”) on April 26, 2019, confirming the agency’s reconsideration of its prior interpretation of the Health Information Technology for Economic and Clinical Health Act’s (the “HITECH Act’s”) penalty structure. Effective immediately, the maximum penalty that the HHS … Continue Reading

An interview with Vermont Attorney General T.J. Donovan

Check out this month’s edition of The Privacy Advisor, a publication of the International Association of Privacy Professionals (IAPP), for Aaron Lancaster and Divonne Smoyer’s and Q&A with Vermont Attorney General T.J. Donovan. As attorney general, he has taken an active role in advocating for consumers’ rights with respect to privacy and data security by … Continue Reading

German DPAs publish resolution on concept of ‘broad consent’ and the interpretation of “certain areas of scientific research”

On 3 April 2019, the Conference of German Data Protection Authorities (‘German DPAs’) published a resolution on the interpretation of “certain areas of scientific research” in Recital 33 of the GDPR and the concept of ‘broad consent’ (‘Resolution’). According to Recital 33 of the GDPR, it “is often not possible to fully identify the purpose … Continue Reading

EDPB guidelines on processing personal data under GDPR, Article 6(1)(b)

The European Data Protection Board (EDPB) met for its ninth plenary session on 9 and 10 April 2019. The EDPB discussed a number of issues concerning the application of the General Data Protection Regulation 2016/679 (GDPR), outlined in the agenda. One of the key developments was the adoption of draft guidelines by the EDPB on … Continue Reading

Algorithmic Accountability Act proposed by U.S. lawmakers

On April 10, U.S. lawmakers introduced the Algorithmic Accountability Act (the AAA). The AAA empowers the Federal Trade Commission (FTC) to promulgate regulations requiring covered entities to conduct impact assessments of algorithmic “automated decision systems” (including machine learning and artificial intelligence) to evaluate their “accuracy, fairness, bias, discrimination, privacy and security.” The bill is evocative … Continue Reading

Sharing a Bounty of Personal Data? ICO issues £400,000 fine against UK pregnancy and parenting club for illegally sharing personal data

The Information Commissioner’s Office (ICO) announced its intent to fine Bounty (UK) Limited (Bounty) £400,000 for breaching the Data Protection Act 1998 (the Act). Due to the timing of this breach, it was governed by the Act rather than by the General Data Protection Regulation 2016/679 (GDPR). The maximum penalty permitted under the pre-GDPR regime … Continue Reading

Warnings issued against two organisations for breaching Singapore data protection law

On 23 April 2019, Singapore’s Personal Data Protection Commission (commission) issued two separate grounds of decision against PAP Community Foundation and Tutor City. In both cases, the commission issued warnings to the organisations for breaching the protection obligation under section 24 of the Personal Data Protection Act (PDPA), but no financial penalty was imposed. PAP … Continue Reading

Protection of children’s online space: ICO issues code of practice on age-appropriate design

The UK Information Commissioner’s Office (ICO) issued a consultation on a draft code of practice for designing age-appropriate access for children accessing online products and services provided by information society services (ISS). The consultation closes on 31 May 2019. The draft code sets out principles for any online service accessed by children under the age … Continue Reading

Danish DPA issues its first GDPR fine for late deletion of customer telephone numbers

Denmark’s Data Protection Authority Datatilsynet (DPA) recently recommended its first fine for a breach of the GDPR by the taxi company, Taxa 4×35 (Taxa), due to its over-retention of certain customer data. Breach of the data minimisation principle The Danish DPA found that Taxa did not adhere to the GDPR’s data minimisation principle by over-retaining … Continue Reading

Processing publicly available personal data without telling data subjects? The Polish data protection authority has (bad) news for you…

The Polish Data Protection Authority (UODO) imposed its first fine for a violation of the General Data Protection Regulation 2016/679 (GDPR). Bisnode, a data aggregation company headquartered in Sweden, was fined just under PLN 1 million (around EUR 220,000). The decision found that Bisnode had failed in its duties to inform data subjects how it … Continue Reading

Cooperation and consistency? Nine months in, the EDPB reflects on GDPR

The European Data Protection Board (EDPB) has published a report (Report) assessing the implementation and enforcement of the General Data Protection Regulation (EU) 2016/679 (GDPR). The Report focusses on how the cooperation and consistency mechanisms are being used by EU supervisory authorities (SAs). Cooperation mechanism Where cases involve cross-border processing, SAs cooperate through: Mutual assistance; … Continue Reading

ICO investigates adtech awareness through fact finding forum

The Information Commissioner’s Office (ICO) recently published a summary report of its fact finding forum on data protection issues arising from advertising technology (adtech). Adtech is a term commonly used to refer to all technologies, software and services used for delivering and targeting online advertisements. The ICO compiled responses from over 2,300 participants in an … Continue Reading

How (not) to restrict GDPR access requests in employment proceedings – German court establishes high threshold

Procedural laws and principles contain a clear concept regarding which party must present and prove what information in court proceedings. Claimants in employment proceedings currently try to use the right to access of data subjects under Article 15 GDPR to shake this concept up. Judgment of the Higher Labour Court of Baden-Württemberg On 20 December … Continue Reading

Planet49: Advocate General’s opinion on cookies and consent bundling

On 21 March 2019, Advocate General Maciej Szpunar (“AG”) delivered an opinion on cookie consent, information obligations regarding cookies and consent bundling (Case C-673/17, Planet49 GmbH v. Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.). In the case at issue, users entering into a promotional lottery were confronted with two checkboxes: A checkbox obtaining … Continue Reading

e-Privacy meets GDPR – the European Data Protection Board shines some light

The European Data Protection Board (EDPB) published an opinion (Opinion) on the interplay between the ePrivacy Directive (Directive 2002/58/EC) and the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). The Opinion responds to questions submitted by the Belgian data protection authority, specifically: whether data protection authorities (DPAs) are competent to regulate processing that triggers both … Continue Reading

The European Parliament adopts first stance to proposed EU Cybersecurity Act

On 12 March 2019, the European Parliament issued its first position on the text proposed by the European Commission for a Regulation of the European Parliament and of the Council on ENISA (the European Union Agency for Network and Information Security), also known as the EU Cybersecurity Act. Initiatives to build strong EU-wide cybersecurity The … Continue Reading

In privacy we (anti)trust: Regulators worldwide consider competition law as tool for consumer protection

On February 26, 2019, the Federal Trade Commission’s (FTC) Bureau of Competition announced a new Technology Task Force, which will monitor anticompetitive conduct in U.S. technology markets “to ensure consumers benefit from free and fair competition.” With the consumer protection agency already a chief arbiter of privacy enforcement in the tech sector, the new task … Continue Reading

State Attorneys General and the data economy: lead, protect, enforce

With the passage of the California Consumer Privacy Act but no clear federal consumer privacy law on the imminent horizon, state Attorneys General (AGs) continue to investigate and analyze how best to protect their consumers. To further that goal, the National Association of Attorneys General hosted a panel entitled Emerging Issues in the Data Economy … Continue Reading

Get your update on IT & Data Protection Law in our Newsletter (Winter 2019 edition)

The Winter 2019 edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released. We provide updates on Facebook Custom Audiences, social plug-ins, influencer advertising, withdrawal right information, the EU copyright law reform and more. The newsletter also includes multiple recommended reads on the GDPR. We hope you enjoy … Continue Reading
LexBlog