The new Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the EU (Free Flow of Non-Personal Data Regulation), which we discussed in a previous blog, became applicable from 28 May 2019. Together with the General Data Protection Regulation (EU) 2016/679 (GDPR), the two regulations now provide a “comprehensive framework … Continue Reading
The European Data Protection Board (EDPB) has published a survey of European Economic Area (EEA) regulators setting out General Data Protection Regulation (GDPR) enforcement trends. The report makes for interesting reading. It sets out how: the GDPR’s “one stop shop” mechanism has been bedding down; and the number of data subject complaints and data breach … Continue Reading
The Information Commissioner’s Office (ICO) has published its update reflecting on its GDPR experience over the past year and its upcoming priorities to stay relevant, foster innovation and maintain its position as an “influential regulator on the national and international stage”. Supporting the public, DPOs, SMEs and other organisations The first year of the GDPR … Continue Reading
25 May 2019 was GDPR’s first birthday. Since its introduction, privacy and data protection issues have continued to dominate public debate and regulators have signalled that large fines for non-compliance are imminent. Now is an opportune time to review your privacy and data protection regimes. We have more regulatory guidance and case law than we … Continue Reading
The GDPR just had its first birthday. Before the GDPR became effective, organisations were anxious because the Regulation provides for heavy penalties. But was their anxiety justified? And as a first step, how have EU member states themselves implemented the GDPR? This article will provide short answers to these questions. Local implementation efforts Although the … Continue Reading
The EU has published its initial eCommerce proposals (Proposal) to be discussed at the WTO negotiating meeting, which is ongoing at the time of writing. The EU has been a member of the WTO for more than 20 years. The 28 member states of the EU are also members of the WTO in their own … Continue Reading
A few days before the entry into force of the GDPR, the CNIL imposed a 250,000 euros penalty to the company Optical Center for failure to secure personal data on its website – where a breach occurred, allowing access to invoices and purchases orders containing personal and sensitive data of customers. Further to Optical Center’s … Continue Reading
Last week, the California Assembly’s Committee on Privacy and Consumer Protection, which exercises jurisdiction over privacy and personal information protection matters, approved several amendment bills intended to clarify and narrow the scope of the California Consumer Privacy Act (CCPA or the Act). In January 2020, the CCPA will impose landmark burdens and obligations on businesses … Continue Reading
On 3 April 2019, the Conference of German Data Protection Authorities (‘German DPAs’) published a resolution on the interpretation of “certain areas of scientific research” in Recital 33 of the GDPR and the concept of ‘broad consent’ (‘Resolution’). According to Recital 33 of the GDPR, it “is often not possible to fully identify the purpose … Continue Reading
The European Data Protection Board (EDPB) met for its ninth plenary session on 9 and 10 April 2019. The EDPB discussed a number of issues concerning the application of the General Data Protection Regulation 2016/679 (GDPR), outlined in the agenda. One of the key developments was the adoption of draft guidelines by the EDPB on … Continue Reading
Denmark’s Data Protection Authority Datatilsynet (DPA) recently recommended its first fine for a breach of the GDPR by the taxi company, Taxa 4×35 (Taxa), due to its over-retention of certain customer data. Breach of the data minimisation principle The Danish DPA found that Taxa did not adhere to the GDPR’s data minimisation principle by over-retaining … Continue Reading
The Council of Europe (CoE) recently issued its recommendation to member states on the protection of health-related data (Recommendation). The Recommendation guides member states to ensure that their law and practice reflect the principles of processing health-related data. The recommendations stem from Convention 108 which was the first international treaty in the field of data … Continue Reading
The Polish Data Protection Authority (UODO) imposed its first fine for a violation of the General Data Protection Regulation 2016/679 (GDPR). Bisnode, a data aggregation company headquartered in Sweden, was fined just under PLN 1 million (around EUR 220,000). The decision found that Bisnode had failed in its duties to inform data subjects how it … Continue Reading
The European Data Protection Board (EDPB) has published a report (Report) assessing the implementation and enforcement of the General Data Protection Regulation (EU) 2016/679 (GDPR). The Report focusses on how the cooperation and consistency mechanisms are being used by EU supervisory authorities (SAs). Cooperation mechanism Where cases involve cross-border processing, SAs cooperate through: Mutual assistance; … Continue Reading
The Dutch Data Protection Authority (DPA) released its GDPR fining policy on 14 March 2019, becoming the first EU Member State supervisory authority to set out a structure for calculating administrative fines for failing to comply with the GDPR. Four categories of fines plus an aggravating category The legal maximum monetary fine that can be … Continue Reading
The Information Commissioner’s Office (ICO) is inviting organisations to help develop a framework for future auditing of artificial intelligence (AI). A team from the ICO’s Technology Policy and Innovation Directorate will develop the framework. The framework is intended to help regulators ensure AI applications are transparent, fair and appropriately risk assessed. As well as the … Continue Reading
Procedural laws and principles contain a clear concept regarding which party must present and prove what information in court proceedings. Claimants in employment proceedings currently try to use the right to access of data subjects under Article 15 GDPR to shake this concept up. Judgment of the Higher Labour Court of Baden-Württemberg On 20 December … Continue Reading
On 21 March 2019, Advocate General Maciej Szpunar (“AG”) delivered an opinion on cookie consent, information obligations regarding cookies and consent bundling (Case C-673/17, Planet49 GmbH v. Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.). In the case at issue, users entering into a promotional lottery were confronted with two checkboxes: A checkbox obtaining … Continue Reading
The European Data Protection Board (EDPB) published an opinion (Opinion) on the interplay between the ePrivacy Directive (Directive 2002/58/EC) and the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). The Opinion responds to questions submitted by the Belgian data protection authority, specifically: whether data protection authorities (DPAs) are competent to regulate processing that triggers both … Continue Reading
On February 26, 2019, the Federal Trade Commission’s (FTC) Bureau of Competition announced a new Technology Task Force, which will monitor anticompetitive conduct in U.S. technology markets “to ensure consumers benefit from free and fair competition.” With the consumer protection agency already a chief arbiter of privacy enforcement in the tech sector, the new task … Continue Reading
The Winter 2019 edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released. We provide updates on Facebook Custom Audiences, social plug-ins, influencer advertising, withdrawal right information, the EU copyright law reform and more. The newsletter also includes multiple recommended reads on the GDPR. We hope you enjoy … Continue Reading
On 18 February 2019, the Information Commissioner’s Office (ICO) and the Financial Conduct Authority (FCA) updated their Memorandum of Understanding (MoU) with an aim to reinforce and develop their cooperation, collaboration, and information and intelligence sharing. Cooperation and information sharing The ICO and FCA have set out what matters they will communicate with each other … Continue Reading
On 26 February 2019, the European Data Protection Supervisor (EDPS), Giovanni Buttarelli, published his first annual report since the General Data Protection Regulation (GDPR) came into force last year. This is a short overview of some of the key themes in the EDPS’s annual report: Overview of 2018: GDPR: This is the first annual report of … Continue Reading
The European Data Protection Board (EDPB) has adopted guidelines in relation to the certification mechanism prescribed under the General Data Protection Regulation 2016/679 (GDPR). The EDPB guidelines are aimed at supervisory authorities and certification bodies and provide helpful insight into the requirements and criteria relevant to all types of certification mechanisms issued under articles 42 … Continue Reading
