In Q1 2022, the UK’s Information Commissioner’s Office (ICO) issued 26 enforcement actions. There were 15 monetary penalties issued, ranging between £2k and £200k, and 11 enforcement notices. The majority of the fines and enforcement notices related to unsolicited marketing activities, two related to data subject rights infringements, and one related to a failure to ensure adequate security around personal data. The last related to a ransomware attack: although the controller was itself the victim of a malicious cybercrime, it was penalised for failing to address known vulnerabilities and to prevent the ransomware attack in time.
Continue Reading ICO enforcement actions in Q1 2022

The English High Court delivered an important judgment earlier this year in Sanso Rondon v LexisNexis Risk Solutions UK Ltd [2021] EWHC 1427 (QB). You can read the judgment here.

Where an organisation based outside the EU is subject to the EU General Data Protection Regulation (GDPR), either because it sells goods or services to, or monitors the behaviour of, individuals in the EU, it is usually required to appoint a representative. Since Brexit, where such processing involves individuals in the UK, a UK-based representative is also required under the UK GDPR.

This case concerned the liability of the UK representatives of data controllers based outside the UK. The High Court struck out the claim and held that Article 27 GDPR does not create ‘representative liability’.

Background

The claimant Mr Sansó Rondón brought a claim against LexisNexis Risk Solutions, the designated ‘representative’ of U.S. company World Compliance Inc. (WorldCo). WorldCo is the controller of a database containing millions of profiles of individuals. The claimant argued that WorldCo’s processing of his personal data in producing a profile of him breached the GDPR. The defendant applied for the claim to be struck out, or alternatively for summary judgment, arguing that a representative cannot be held liable for the actions of a controller and that the remedies sought can only be obtained from a controller.
Continue Reading Is an Article 27 GDPR representative liable for a controller’s breach? Not according to the English High Court

In preparation for the California Privacy Rights Act (CPRA), effective January 1, 2023, California AG Rob Bonta has been actively enforcing the California Consumer Privacy Act (CCPA) and providing updated guidance for consumers and businesses. The AG recently held a press conference to discuss enforcement proceedings brought by his office over the last year

In a recent Q&A with Tennessee Attorney General (AG) Herbert Slatery, the eight-year term AG discusses how he makes consumer protection, including privacy and cybersecurity issues, a top priority for Tennessee citizens and businesses. AG Slatery shares his thoughts on privacy on a multi-state state level, the prospect of standards of enforcement for technology companies,

Washington State legislators continue in their effort to pass only the second comprehensive privacy legislation in the U.S., the Washington Privacy Act (WPA). Introduced on January 11, 2021, the WPA is currently making its way through committee hearings. The debate continues, with the Washington State Senate Ways & Means Committee recently holding a public hearing to discuss the enforcement provision proposed in the WPA. Currently, $1.4 million is proposed for the Washington State Attorney General’s office to enforce the WPA. Some are calling for an increased budget, others for a private right of action.
Continue Reading Washington State weighs enforcement mechanism for its comprehensive privacy bill

After many months and several rounds of revisions, the Office of the California Attorney General has finally submitted the final proposed regulations package under the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL).

The complete package, which includes the Final Text of Proposed Regulations and the Final Statement of Reasons, was submitted on June 1, 2020. A comparison between the most recent second modified regulations, which were released on March 27, 2020, and the Final Text of Proposed Regulations reveals very few changes. In fact, the changes were entirely grammatical, with no substantive revisions. This means that the last round of revisions, summarized here, will be implemented.
Continue Reading The wait is over: Final CCPA regulations have been submitted

On March 10, 2020, Vermont Attorney General T.J. Donovan initiated an enforcement action based on Vermont’s new data broker law against Clearview AI, Inc.

Vermont’s data broker law, which became effective January 1, 2019, governs data brokers, defined as companies that collect and sell or license to third parties the personal information of consumers with whom the business does not have a direct relationship. The law requires that data brokers (a) annually register with the Vermont Secretary of State, including completing certain required disclosures, and (b) maintain minimum data security standards. The law also prohibits any business or individual, not just data brokers, from acquiring brokered personal information through fraudulent means or for the purpose of stalking, harassment, discrimination, or fraud.

According to the complaint, Clearview, which only registered as a Vermont data broker in January 2020, shortly before the publication of a New York Times article discussing many of the issues outlined in the complaint, uses “screen scraping” to amass a database of three billion photographs. Clearview then combines those photographs with facial recognition technology to create a commercial service that allows a customer to upload a photograph and “instantly identify the individual through facial recognition matching.” While Clearview claims the technology exists to help law enforcement, the complaint alleges that Clearview has also provided its app to for-profit entities, investors, and foreign governments.
Continue Reading Vermont Attorney General brings first data broker enforcement action

On March 2, 2020, Reed Smith and the International Association of Privacy Professionals (IAPP) presented a panel discussion on 2020 privacy laws and trends featuring Attorney General Christopher Carr of Georgia; Linda Holleran Kopp of the Bureau of Consumer Protection, Division of Privacy and Identity Protection of the Federal Trade Commission (FTC); and Oriana Senatore, Senior Vice President of Policy & Research at the U.S. Chamber Institute for Legal Reform (ILR).

A clear theme from the discussion was that federal legislation is the best path for privacy reform in the United States. The current “patchwork quilt” of federal and state data privacy laws and enforcement by the FTC (and other agencies) as well as by states, now complicated exponentially by enforcement actions by cities and counties and by the private rights of action increasingly proposed in state privacy legislation, is not the best way to balance consumer privacy protection and business compliance. Indeed, the evolving privacy landscape is now approaching a “crazy quilt patchwork.”
Continue Reading Georgia AG, FTC and US Chamber Institute for Legal Reform discuss “crazy quilt patchwork” of privacy laws in the US

The GDPR just had its first birthday. Before the GDPR became effective, organisations were anxious because the Regulation provides for heavy penalties. Was their anxiety justified? And, as a first step, how have EU member states themselves implemented the GDPR? This article provides short answers to these questions.

Local implementation efforts

Although the GDPR intended to unify data protection law within the EU, it permits EU member states to implement stricter local rules in some cases, based on the so-called ‘opening clauses’. These allow local rules to be implemented on important issues, such as the requirements for the designation of a data protection officer, the age of consent of children, data protection in the context of employment, and data breach notification obligations.

EU member states have generally made good use of this option. Germany was the first member state to pass an act to implement the GDPR (and is currently working on an amendment), but the other EU member states quickly followed suit.

Local implementation highlights

Some EU member states have introduced local provisions that are worth noting, particularly for organisations doing business in these jurisdictions. Some examples are:

  • In Germany, organisations that continually employ at least 10 people to deal with the automated processing of personal data must appoint a data protection officer.
  • France has some preliminary notification obligations, in particular with regard to the processing of biometric or genetic data.
  • Dutch law retains regulations from the previous Dutch data protection law with regard to the processing of sensitive data, for example in an employment context.
  • Hungary and Spain introduced provisions with regard to the personal data of deceased individuals.
  • Spanish law includes specific provisions for data processing in relation to, for example, video surveillance, whistleblowing and the financial solvency of individuals.
  • The laws of Austria, the Czech Republic and Ireland provide for an easing of the fine system for public bodies.

You can find an overview of all implementation laws and their specialties here: https://www.reedsmith.com/-/media/files/perspectives/2018/gdpr_factsheet_may2018.pdf?la=en.
Continue Reading One year of GDPR – How have EU member states implemented and enforced the new data protection regime?