The GDPR just had its first birthday. Before the GDPR became effective, organisations were anxious because the Regulation provides for heavy penalties. But was their anxiety justified? And as a first step, how have EU member states themselves implemented the GDPR? This article will provide short answers to these questions. Local implementation efforts Although the … Continue Reading
The recent case of Green v. Group Ltd and others [2019] EWHC 954 (Ch) dealing with Cambridge Analytica’s insolvency has clarified the approach that administrators should take when subject access requests are made to the companies over which they are appointed. A failed administration… In the aftermath of the notorious data analytics activities of Cambridge … Continue Reading
On May 22, 2019, Singapore’s Personal Data Protection Commission introduced three new initiatives: a) A public consultation on data portability. The corresponding consultation paper also proposes to introduce data innovation provisions as part of the ongoing review of the Personal Data Protection Act (PDPA). The consultation is open for six weeks and will close on … Continue Reading
Last week, the California Assembly’s Committee on Privacy and Consumer Protection, which exercises jurisdiction over privacy and personal information protection matters, approved several amendment bills intended to clarify and narrow the scope of the California Consumer Privacy Act (CCPA or the Act). In January 2020, the CCPA will impose landmark burdens and obligations on businesses … Continue Reading
On 3 April 2019, the Conference of German Data Protection Authorities (‘German DPAs’) published a resolution on the interpretation of “certain areas of scientific research” in Recital 33 of the GDPR and the concept of ‘broad consent’ (‘Resolution’). According to Recital 33 of the GDPR, it “is often not possible to fully identify the purpose … Continue Reading
The European Data Protection Board (EDPB) met for its ninth plenary session on 9 and 10 April 2019. The EDPB discussed a number of issues concerning the application of the General Data Protection Regulation 2016/679 (GDPR), outlined in the agenda. One of the key developments was the adoption of draft guidelines by the EDPB on … Continue Reading
On April 10, U.S. lawmakers introduced the Algorithmic Accountability Act (the AAA). The AAA empowers the Federal Trade Commission (FTC) to promulgate regulations requiring covered entities to conduct impact assessments of algorithmic “automated decision systems” (including machine learning and artificial intelligence) to evaluate their “accuracy, fairness, bias, discrimination, privacy and security.” The bill is evocative … Continue Reading
On 23 April 2019, Singapore’s Personal Data Protection Commission (commission) issued two separate grounds of decision against PAP Community Foundation and Tutor City. In both cases, the commission issued warnings to the organisations for breaching the protection obligation under section 24 of the Personal Data Protection Act (PDPA), but no financial penalty was imposed. PAP … Continue Reading
The Polish Data Protection Authority (UODO) imposed its first fine for a violation of the General Data Protection Regulation 2016/679 (GDPR). Bisnode, a data aggregation company headquartered in Sweden, was fined just under PLN 1 million (around EUR 220,000). The decision found that Bisnode had failed in its duties to inform data subjects how it … Continue Reading
The Information Commissioner’s Office (ICO) recently published a summary report of its fact finding forum on data protection issues arising from advertising technology (adtech). Adtech is a term commonly used to refer to all technologies, software and services used for delivering and targeting online advertisements. The ICO compiled responses from over 2,300 participants in an … Continue Reading
The European Union Agency for Network and Information Security (ENISA) recently published its report on ‘Security and privacy considerations in autonomous agents’. Artificial intelligence (AI) and complex algorithms offer unlimited opportunities for innovation and interaction, but they also bring a number of challenges that should be addressed by future policy frameworks at the EU level – … Continue Reading
The UK Centre for Data Ethics and Innovation (CDEI) released its 2019/20 Work Programme and Two-year strategy to enhance the benefits of data and Artificial Intelligence (AI) for the UK society and economy on 20 March 2019. What’s in scope? CDEI is an advisory body founded by the UK government and is led by an … Continue Reading
On 18 February 2019, the Information Commissioner’s Office (ICO) and the Financial Conduct Authority (FCA) updated their Memorandum of Understanding (MoU) with an aim to reinforce and develop their cooperation, collaboration, and information and intelligence sharing. Cooperation and information sharing The ICO and FCA have set out what matters they will communicate with each other … Continue Reading
On 26 February 2019, the European Data Protection Supervisor (EDPS), Giovanni Buttarelli, published his first annual report since the General Data Protection Regulation (GDPR) came into force last year. This is a short overview of some of the key themes in the EDPS’s annual report: Overview of 2018: GDPR: This is the first annual report of … Continue Reading
On 11 March 2019, the Personal Data Protection Commission of Singapore (PDPC) issued a set of advisory guidelines for management corporations of strata title plans (MCSTs), which were developed in consultation with Singapore’s Building and Construction Authority. The guidelines provide guidance to MCSTs on complying with Singapore’s Personal Data Protection Act (PDPA), and some key … Continue Reading
On 6 March 2019, the Information Commissioner’s Office (ICO) will host a fact-finding forum in central London. The aim of this forum is to facilitate a dialogue between ad-tech stakeholders. The ICO wants to understand the complexities of ad-tech practices. Why ad-tech? ‘Ad-tech’ is the product of technology’s transformation of the advertising industry. It uses … Continue Reading
On 25 February 2019, Minister for Communications and Information announced that Singapore is considering, as part of an ongoing review of the Personal Data Protection Act (PDPA), introducing a data portability requirement that would confer greater control and rights by data subjects over the movement of their personal data across service providers. In connection with … Continue Reading
On 12 February 2019, the European Data Protection Board (EDPB) met for its seventh plenary session. You can see our blog on the full session here. At this session, the EDPB adopted two information notes. The information notes offer guidance on data protection issues in the event of a no-deal Brexit, namely: data transfers generally … Continue Reading
The European Data Protection Board (EDPB) met for its seventh plenary session on 12 February 2019. The session covered many areas of discussion, outlined in the agenda. The four main areas covered, and highlighted in the EDPB’s press release, were: 1. Work programme: The EDPB adopted a two-year work programme, covering 2019-2020. The work programme … Continue Reading
Massachusetts state Senator Cynthia Creem has introduced a consumer data privacy bill, SD 341, that would give Massachusetts consumers the right to sue in the event their personal information or biometric data is improperly collected or distributed or for any other potential violation of the new law. Under SD 341, and similar to Illinois’s Biometric … Continue Reading
The Bavarian Data Protection Authority (‘Bavarian DPA’) audited major Bavarian websites for their use of tracking tools on Safer Internet Day. It calls its findings “desolate”. None of the tracking tools were implemented in a compliant manner. Audit by the Bavarian DPA Tracking and the requirements for using cookies have been a highly debated topic … Continue Reading
On 23 January 2019, the European Commission adopted an adequacy decision for Japan, with immediate effect. The decision certifies Japan as having a comparable level of data protection to that of the European Union. On the same day, Japan adopted an equivalent decision regarding the EU’s data protection regime. This is the first example of … Continue Reading
Earlier this month, the Information Commissioner’s Office (ICO) brought a criminal prosecution against the parent company of Cambridge Analytica, SCL Elections, for failing to comply with an enforcement notice issued by the ICO. SCL was fined £15,000 and ordered to pay costs. The criminal prosecution may not sound surprising – after all, SCL had failed … Continue Reading
On 22 January 2019, Singapore’s Personal Data Protection Commission issued its grounds of decision against COURTS (Singapore) Pte Ltd (Courts), a consumer electronics and furniture retailer in Singapore. The facts of the case were as follows: A complaint was brought by an individual who discovered that his contact number and address were disclosed in an … Continue Reading
