Tag Archives: GDPR

New year, new laws: Washington re-introduces comprehensive privacy act among flurry of 2020 consumer privacy bills

Washington state’s lawmakers started the 2020 legislative session with a renewed focus on consumer privacy through the introduction of ten privacy-related bills across the state House and Senate on January 13. Chief among these proposals was the comprehensive Washington Privacy Act (WPA), a new version of which was re-introduced in the Senate after the previous … Continue Reading

The EU-U.S. Privacy Shield: feedback, and potential EU recognition of privacy laws of California and other U.S. states?

Background On October 23, 2019, the European Commission (EC) released its report on a third annual review of the EU-U.S. Privacy Shield. While the report confirms that the U.S. continues to provide an adequate level of protection for personal data transfers in the context of the Privacy Shield, there are some gaps between the expectations … Continue Reading

EDPS, data protection and scientific research

This week the EU’s independent data protection authority (DPA), the European Data Protection Supervisor (EDPS), published a preliminary opinion on data protection and scientific research subject to the General Data Protection Regulation 679/2016 (GDPR) and Regulation 1725/2018 governing data protection in EU institutions (Preliminary Opinion). Regulation 1725/2018 is very similar to the GDPR’s provisions in … Continue Reading

Evaluation of the GDPR – The German supervisory authorities weigh in

The German Data Protection Authorities (German DPAs) released a “Report on the Experience Gained in the Implementation of the GDPR”, which was adopted at their conference on November 6, 2019 (Report; available in German here and English here). In this blog, we summarize the key issues that the German DPAs have raised in the Report. … Continue Reading

ICO consultation on draft guidance on the right of access

On 4 December 2019, the Information Commissioner’s Office (ICO) published draft guidance on data subject access requests (DSARs) (Guidance). This updated Guidance comes just 18 months after the current version was first published in April 2018. Previously, in June 2019, the ICO (here) criticised the Metropolitan Police for its handling of DSARs. The ICO also … Continue Reading

EDPB adopts final version of guidelines on the territorial scope of the GDPR

On 12 November 2019, at its 15th plenary meeting, the European Data Protection Board (EDPB) adopted final guidelines on the territorial scope of the General Data Protection Regulation (GDPR) (the guidelines) following public consultation. We have previously considered the draft guidelines on our blog. The first of the two blogs considered the extra-territorial scope of … Continue Reading

German DPA releases findings of GDPR readiness audits of 50 organizations

The Lower Saxony Data Protection Authority (Lower Saxony DPA) has audited 50 large and medium-sized organizations on their implementation of the requirements of the GDPR since June 2018. On November 5, 2019, the Lower Saxony DPA released a report summarizing its findings (Report; available in German here). Summary of findings in the Report We previously reported … Continue Reading

AI Auditing Framework: data protection impact assessment

In March 2019, the Information Commissioner’s Office (ICO) released a Call for Input on developing the ICO’s framework for artificial intelligence (AI). The ICO simultaneously launched its AI Auditing Framework blog to provide updates on the development of the framework and encourage organisations to engage on this topic with the ICO. On 23 October 2019, … Continue Reading

ICO blogs on AI and data subject rights

On 15 October 2019, the Information Commissioner’s Office (ICO) released the latest in its series of blogs on developing its framework for auditing artificial intelligence (AI). The blog (here) focuses on AI systems and how data subjects can exercise their rights of access, rectification and erasure in relation to such systems. Below, we summarise some … Continue Reading

Latin America to bolster data protection in a legal overhaul

The General Data Protection Regulation (GDPR) has prompted a series of legislative proposals in Latin American countries to update data protection regulations, many of which reflect the higher standards of the GDPR. With a large number of European and U.S. companies operating in the region, we look at some of the latest developments below. Argentina … Continue Reading

EDPB issues guidelines on the contractual lawful basis for processing for online services

The European Data Protection Board (EDPB) met for its fourteenth plenary session on 8 and 9 October 2019. One of the key developments was the adoption of the final version of its guidelines on the contractual lawful basis for the processing of personal data in the context of online services under Article 6(1)(b) of the … Continue Reading

Calculation of administrative fines under GDPR – standardized concept published in Germany

After a month of rumors, uncertainty, and German data protection authorities being nontransparent, the German conference of data protection authorities (Datenschutzkonferenz, DSK) published the concept for calculating administrative fines for data protection violations (Concept, available here) on October 16, 2019. The Concept sets out a standardized approach regarding the calculation of administrative fines in accordance … Continue Reading

Compliant use of cookies in the EU is still a secret recipe: ECJ decides on Planet49, but does not provide clarity

In its judgment of 1 October 2019, the European Court of Justice (ECJ) decided on cookie consent requirements under the General Data Protection Regulation 2016/679/EU (GDPR) and the Cookie Directive 2002/58/EC (Cookie Directive) (Case C-673/17, Planet49 GmbH v. Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (the Judgment)). The ECJ set clear requirements on what cookie … Continue Reading

Face-off: UK High Court backs use of automated facial recognition technology

In July 2019, the UK privacy regulator, the Information Commissioner’s Office (ICO) issued a warning about the privacy implications of automated facial recognition technology (AFR). The ICO was concerned that AFR “represent[s] the widespread processing of biometric data of thousands of people as they go about their daily lives.” The UK High Court recently handed … Continue Reading

Get your Update on IT & Data Protection Law in our Newsletter (Summer 2019 Edition)

The Summer 2019 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released: English version German version In this edition we cover the following topics: ECJ and GDPR: Another decision hitting social media activities by companies EDPB does not opt for changes to EU standard contractual clauses EU … Continue Reading

German DPA released audit checklist for GDPR readiness

The Lower Saxony Data Protection Authority (Lower Saxony DPA) has audited 50 large and medium-sized organizations over the last couple of months regarding their implementation of the requirements of the General Data Protection Regulation (GDPR), and is currently finalising the audits. On 7 August 2019, the Lower Saxony DPA released the checklist that it used … Continue Reading

Berlin DPA announced high GDPR fines

Recently, the Berlin Data Protection Authority (Berlin DPA) announced that it would issue a high administrative fine for violations of the General Data Protection Regulation 2016/679 (GDPR). The announcement is available in German on the website of the City of Berlin. The fine will likely be a double-digit million amount of euros. The Berlin DPA … Continue Reading

Privacy and data protection: What you need to know in case of a no-deal Brexit

The UK’s new prime minister, Boris Johnson, has vowed that the UK will leave the EU on October 31, 2019. A unilateral (or “hard”) Brexit poses many privacy and data protection challenges for companies that operate in the UK.  Post-Brexit privacy and data protection issues that you need to consider include: how to maintain uninterrupted … Continue Reading

German Parliament voted ‘Yes’ to Second GDPR Implementation Act

In a late night session on 28 June 2019, the German Parliament (Bundestag) passed the Second GDPR Implementation Act (2. Datenschutz-Anpassungs-und-Umsetzungsgesetz EU – 2. DSAnpUG-EU; the Act). The Act is available online in German here and here. For more information on the First German GDPR Implementation Act read our blog here. The Act will amend 154 German … Continue Reading

GDPR on its first birthday – people know what it is but aren’t sure what it does

Never one to miss a bandwagon, the European Commission has published three documents to mark the first year of GDPR: a Eurobarometer survey on data protection (Eurobarometer Survey); a multi-stakeholder expert group (MEG Report); and guidance on the free flow of non-personal data within the EU (reported on here). We set out some of the … Continue Reading

The ICO’s take on explaining AI

The Information Commissioner’s Office (ICO) and the Alan Turing Institute have recently released an interim report (Report) outlining their approach to best practices in explaining artificial intelligence (AI) to users. The Report is of particular relevance to operators of AI systems who may be considering their duties under the General Data Protection Regulation 2016/679 (GDPR). In … Continue Reading

Get your Update on IT & Data Protection Law in our Newsletter (Spring 2019 Edition)

The Spring 2019 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released. We provide updates on cookies and tracking tools, Facebook fan pages, fines under GDPR, influencer marketing, email encryption, platform provider obligations, framing, the new German Trade Secrets Act, and more. The newsletter also includes multiple … Continue Reading
LexBlog