On 13 November 2019, the European Data Protection Board (EDPB) adopted the guidelines on Data Protection by Design and Default (DPbDD) for public consultation (link here) until 16 January 2020, providing an in-depth analysis of the components that make up DPbDD under GDPR article 25. We highlight below some of the key definitions. Background DPbDD … Continue Reading
This week the EU’s independent data protection authority (DPA), the European Data Protection Supervisor (EDPS), published a preliminary opinion on data protection and scientific research subject to the General Data Protection Regulation 679/2016 (GDPR) and Regulation 1725/2018 governing data protection in EU institutions (Preliminary Opinion). Regulation 1725/2018 is very similar to the GDPR’s provisions in … Continue Reading
The Finnish presidency of the Council of the EU (Finnish Presidency) released an updated draft of the Regulation on Privacy and Electronic Communications (ePrivacy Regulation) on October 30, 2019 (available here). The Working Party on Telecommunications and Information Society (WP TELE) will discuss the new draft at its meeting on November 7, 2019. Amendments put … Continue Reading
The General Data Protection Regulation (GDPR) has prompted a series of legislative proposals in Latin American countries to update data protection regulations, many of which reflect the higher standards of the GDPR. With a large number of European and U.S. companies operating in the region, we look at some of the latest developments below. Argentina … Continue Reading
Today, the European Court of Justice (ECJ) handed down its decision in Google v. CNIL, dealing with the remit of the ‘right to be forgotten’ (RTBF). In short, the ECJ held that the operator of a search engine is not required to carry out de-referencing on all domain extensions of its search engine when dealing … Continue Reading
In its response dated 3 July 2019 (Response; file no. 19/11351, available in German here) to an inquiry by members of the German parliament (Inquiry), the German government took stand on the current draft Regulation on Privacy and Electronic Communications (ePrivacy Regulation), and particularly on “tracking”. The German government summarises its assessment of the ePrivacy … Continue Reading
The UK’s new prime minister, Boris Johnson, has vowed that the UK will leave the EU on October 31, 2019. A unilateral (or “hard”) Brexit poses many privacy and data protection challenges for companies that operate in the UK. Post-Brexit privacy and data protection issues that you need to consider include: how to maintain uninterrupted … Continue Reading
On July 3, 2019 the Information Commissioner’s Office (ICO) published an updated guidance on the use of cookies. Although the guidance confirms requirements of which most data practitioners already comply, it outlines steps for non-compliant companies. Now that the ICO has confirmed its regulatory expectations and detailed immediate enforcement, companies need to take action to … Continue Reading
On June 20, 2019 the Information Commissioner’s Office (ICO) published an Update Report on real-time bidding (RTB). Following the recent GDPR one-year anniversary of implementation, the ICO has made adtech a focus for the upcoming year. Although RTB has not been made obsolete, the report denotes all current RTB practices as non-compliant with the GDPR, … Continue Reading
The GDPR just had its first birthday. Before the GDPR became effective, organisations were anxious because the Regulation provides for heavy penalties. But was their anxiety justified? And as a first step, how have EU member states themselves implemented the GDPR? This article will provide short answers to these questions. Local implementation efforts Although the … Continue Reading
The recent case of Green v. Group Ltd and others [2019] EWHC 954 (Ch) dealing with Cambridge Analytica’s insolvency has clarified the approach that administrators should take when subject access requests are made to the companies over which they are appointed. A failed administration… In the aftermath of the notorious data analytics activities of Cambridge … Continue Reading
On May 22, 2019, Singapore’s Personal Data Protection Commission introduced three new initiatives: a) A public consultation on data portability. The corresponding consultation paper also proposes to introduce data innovation provisions as part of the ongoing review of the Personal Data Protection Act (PDPA). The consultation is open for six weeks and will close on … Continue Reading
Last week, the California Assembly’s Committee on Privacy and Consumer Protection, which exercises jurisdiction over privacy and personal information protection matters, approved several amendment bills intended to clarify and narrow the scope of the California Consumer Privacy Act (CCPA or the Act). In January 2020, the CCPA will impose landmark burdens and obligations on businesses … Continue Reading
On 3 April 2019, the Conference of German Data Protection Authorities (‘German DPAs’) published a resolution on the interpretation of “certain areas of scientific research” in Recital 33 of the GDPR and the concept of ‘broad consent’ (‘Resolution’). According to Recital 33 of the GDPR, it “is often not possible to fully identify the purpose … Continue Reading
The European Data Protection Board (EDPB) met for its ninth plenary session on 9 and 10 April 2019. The EDPB discussed a number of issues concerning the application of the General Data Protection Regulation 2016/679 (GDPR), outlined in the agenda. One of the key developments was the adoption of draft guidelines by the EDPB on … Continue Reading
On April 10, U.S. lawmakers introduced the Algorithmic Accountability Act (the AAA). The AAA empowers the Federal Trade Commission (FTC) to promulgate regulations requiring covered entities to conduct impact assessments of algorithmic “automated decision systems” (including machine learning and artificial intelligence) to evaluate their “accuracy, fairness, bias, discrimination, privacy and security.” The bill is evocative … Continue Reading
On 23 April 2019, Singapore’s Personal Data Protection Commission (commission) issued two separate grounds of decision against PAP Community Foundation and Tutor City. In both cases, the commission issued warnings to the organisations for breaching the protection obligation under section 24 of the Personal Data Protection Act (PDPA), but no financial penalty was imposed. PAP … Continue Reading
The Polish Data Protection Authority (UODO) imposed its first fine for a violation of the General Data Protection Regulation 2016/679 (GDPR). Bisnode, a data aggregation company headquartered in Sweden, was fined just under PLN 1 million (around EUR 220,000). The decision found that Bisnode had failed in its duties to inform data subjects how it … Continue Reading
The Information Commissioner’s Office (ICO) recently published a summary report of its fact finding forum on data protection issues arising from advertising technology (adtech). Adtech is a term commonly used to refer to all technologies, software and services used for delivering and targeting online advertisements. The ICO compiled responses from over 2,300 participants in an … Continue Reading
The European Union Agency for Network and Information Security (ENISA) recently published its report on ‘Security and privacy considerations in autonomous agents’. Artificial intelligence (AI) and complex algorithms offer unlimited opportunities for innovation and interaction, but they also bring a number of challenges that should be addressed by future policy frameworks at the EU level – … Continue Reading
The UK Centre for Data Ethics and Innovation (CDEI) released its 2019/20 Work Programme and Two-year strategy to enhance the benefits of data and Artificial Intelligence (AI) for the UK society and economy on 20 March 2019. What’s in scope? CDEI is an advisory body founded by the UK government and is led by an … Continue Reading
On 18 February 2019, the Information Commissioner’s Office (ICO) and the Financial Conduct Authority (FCA) updated their Memorandum of Understanding (MoU) with an aim to reinforce and develop their cooperation, collaboration, and information and intelligence sharing. Cooperation and information sharing The ICO and FCA have set out what matters they will communicate with each other … Continue Reading
On 26 February 2019, the European Data Protection Supervisor (EDPS), Giovanni Buttarelli, published his first annual report since the General Data Protection Regulation (GDPR) came into force last year. This is a short overview of some of the key themes in the EDPS’s annual report: Overview of 2018: GDPR: This is the first annual report of … Continue Reading
On 11 March 2019, the Personal Data Protection Commission of Singapore (PDPC) issued a set of advisory guidelines for management corporations of strata title plans (MCSTs), which were developed in consultation with Singapore’s Building and Construction Authority. The guidelines provide guidance to MCSTs on complying with Singapore’s Personal Data Protection Act (PDPA), and some key … Continue Reading
