Tag Archives: data protection

Comprehensive data privacy legislation introduced in Massachusetts – includes private right of action without a need to prove harm

Massachusetts state Senator Cynthia Creem has introduced a consumer data privacy bill, SD 341, that would give Massachusetts consumers the right to sue in the event their personal information or biometric data is improperly collected or distributed or for any other potential violation of the new law. Under SD 341, and similar to Illinois’s Biometric … Continue Reading

German supervisory authority audited 40 websites on the use of tracking tools – and none of them was compliant

The Bavarian Data Protection Authority (‘Bavarian DPA’) audited major Bavarian websites for their use of tracking tools on Safer Internet Day. It calls its findings “desolate”. None of the tracking tools were implemented in a compliant manner. Audit by the Bavarian DPA Tracking and the requirements for using cookies have been a highly debated topic … Continue Reading

Free flowing data for 127 million people: Japan and the EU break down personal data transfer barriers

On 23 January 2019, the European Commission adopted an adequacy decision for Japan, with immediate effect. The decision certifies Japan as having a comparable level of data protection to that of the European Union. On the same day, Japan adopted an equivalent decision regarding the EU’s data protection regime. This is the first example of … Continue Reading

ICO brings prosecution against SCL Elections

Earlier this month, the Information Commissioner’s Office (ICO) brought a criminal prosecution against the parent company of Cambridge Analytica, SCL Elections, for failing to comply with an enforcement notice issued by the ICO. SCL was fined £15,000 and ordered to pay costs. The criminal prosecution may not sound surprising – after all, SCL had failed … Continue Reading

Financial penalty imposed for failure to protect personal data on website

On 22 January 2019, Singapore’s Personal Data Protection Commission issued its grounds of decision against COURTS (Singapore) Pte Ltd (Courts), a consumer electronics and furniture retailer in Singapore. The facts of the case were as follows: A complaint was brought by an individual who discovered that his contact number and address were disclosed in an … Continue Reading

“Worst breach of personal data in Singapore’s history” attracts highest penalties totalling S$1 million

On 14 January 2019, Singapore’s Personal Data Protection Commission issued its grounds of decision against Singapore Health Services Pte. Ltd. (SingHealth) and Integrated Health Information Systems Pte. Ltd. (IHiS) for what has been coined the “worst breach of personal data in Singapore’s history”. The unprecedented cyber attack on SingHealth’s patient database system led to the … Continue Reading

Brexit countdown: UK government to amend domestic data protection legislation

The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 have been laid before the UK Parliament. The regulations are introduced under the European Union (Withdrawal) Act 2018. The Withdrawal Act grants powers to correct deficiencies in UK legislation that will arise as a result of Brexit. The regulations introduce a large … Continue Reading

First two Singapore data protection enforcement decisions issued in 2019

On January 3, 2019, Singapore’s Personal Data Protection Commission issued two grounds of decision against Bud Cosmetics and AIG Asia Pacific Insurance Pte Ltd & Toppan Forms (S) Pte Ltd. Bud Cosmetics The facts of this case were as follows: Bud Cosmetics is an organic and natural skincare retailer with retail outlets in Singapore and … Continue Reading

Social plug-ins – Advocate General issues opinion on joint controllership case

On 19 December 2018, the Advocate General (AG) delivered an opinion in a case concerning Fashion ID and Facebook, which considered the parties’ status as joint controllers, under the Data Protection Directive 95/46/EC (DP Directive), when a social plug-in had been embedded. Fashion ID’s website inserted Facebook’s ‘Like’ button as a plug-in, allowing personal data, … Continue Reading

European Commission publishes second annual report on EU-U.S. Privacy Shield

Following our previous blog on the upcoming second annual review of the EU-U.S. Privacy Shield, the European Commission published its report on 19 December 2018. In its report, the Commission concludes that the level of protection for personal data transferred under the Privacy Shield from the European Union to the United States continues to be … Continue Reading

‘No deal’ Brexit: ICO and UK government issue data protection guidance

The Information Commissioner’s Office (ICO) and the UK Department for Culture, Media and Sport (DCMS) have each issued no-deal Brexit data protection guidance. EU/UK personal data transfers The UK government has committed to incorporating the General Data Protection Regulation (GDPR) into domestic UK law when the UK leaves the EU. This means there will not … Continue Reading

Four Singapore organisations found to be in breach of obligation to protect personal data

On 13 December 2018, the Singapore data protection commission issued four separate decisions against the following organisations, for breaches of the protection obligation under section 24 of the Personal Data Protection Act 2012 (PDPA): Funding Societies Pte Ltd WTS Automotive Services Pte Ltd Institute of Singapore Chartered Accountants SLF Green Maid Agency Funding Societies The … Continue Reading

European Data Protection Board – Fifth plenary session: EU-Japan draft adequacy decision, DPIA lists and guidelines on accreditation

The European Data Protection Board (EDPB) met for its fifth plenary session on 4 and 5 December 2018. The EDPB published a press release, highlighting the three main areas of discussion: EU-Japan draft adequacy decision. The EDPB adopted an opinion on the European Commission’s draft adequacy decision. In adopting its opinion, the EDPB focused on the … Continue Reading

Singapore data protection commission issues warning for “heat of the moment” disclosure of personal data

On November 28, 2018, Singapore’s Personal Data Protection Commission (commission) issued its grounds of decision against Big Bubble Centre (respondent), a sole-proprietorship in the scuba-diving business. The facts of the case were as follows: The complainant was an individual who had worked for the respondent and claimed that he was not paid wages for such … Continue Reading

European Data Protection Board update

The European Data Protection Board (EDPB) met for its fourth plenary session on 16 November 2018. The session covered many areas of discussion, outlined in the session’s agenda. The EDPB published a press release, highlighting the three main areas of discussion. EU-Japan draft adequacy decision. The EDPB discussed the draft adequacy decision, which it received … Continue Reading

Guiding principles for AI development

A meeting of data protection authorities from around the world has highlighted the development of artificial intelligence and machine learning technologies (AI) as a global phenomenon with the potential to affect all of humanity. A coordinated international effort was called for to develop common governance principles on the development and use of AI in accordance … Continue Reading

EU and U.S. second annual review of Privacy Shield

The European Union and the United States have now conducted the second annual review of Privacy Shield, a framework which regulates and facilitates the exchange of personal data across the Atlantic. The European Commission will publish its conclusions in a report at the end of this month. The EU-U.S. Privacy Shield mechanism EU organisations that … Continue Reading

Singapore to adopt new legislation on unsolicited commercial messages, and enhanced practical guidance framework for data protection

On 8 November, 2018, Singapore’s Personal Data Protection Commission (PDPC) issued its response to feedback received on a public consultation paper. In that consultation paper, the PDPC had proposed to: merge the Do Not Call provisions in the Personal Data Protection Act 2012 of Singapore (PDPA) and Spam Control Act into a single legislation to … Continue Reading

Tesco Bank fined £16.4 million for cyber-security failings

The UK Financial Conduct Authority (FCA) announced at the start of last month that it had fined Tesco Bank £16.4 million for a cyber-attack that occurred two years ago. In November 2016, 8,261 personal current accounts at Tesco Bank were compromised. Attackers obtained customers’ debit card details and entered into thousands of unauthorised transactions. This … Continue Reading

ICO takes action against organisations for failure to pay new data protection fee

On 26 September 2018 the Information Commissioner’s Office (ICO) began formal enforcement action against 34 organisations that have failed to pay their data protection fees. Notices of intent have been served on both private and public sector organisations, including the NHS, government organisations, and businesses in recruitment, finance and accountancy. They have until 17 October … Continue Reading

ICO publishes Technology Strategy for 2018–2021

The Information Commissioner’s Office (ICO) has published its Technology Strategy for 2018 to 2021. The Strategy, part of the ICO’s focus on adapting to rapidly developing technologies, outlines eight “technology goals” and the measures that will be implemented to achieve them. Technology goals Broadly, these goals include increased technology training for the ICO’s staff and … Continue Reading

The impact of a no-deal Brexit on data protection

The government has published guidance for UK organisations on transfers of personal data in the event of a so-called no-deal Brexit. In particular, the guidance sets out actions for UK organisations to take to enable the continued flow of personal data between the UK and the European Union (EU) in such an event. While emphasising … Continue Reading
LexBlog