On 12 November 2019, at its 15th plenary meeting, the European Data Protection Board (EDPB) adopted final guidelines on the territorial scope of the General Data Protection Regulation (GDPR) (the guidelines) following public consultation. We have previously considered the draft guidelines on our blog. The first of the two blogs considered the extra-territorial scope of … Continue Reading
The Lower Saxony Data Protection Authority (Lower Saxony DPA) has audited 50 large and medium-sized organizations on their implementation of the requirements of the GDPR since June 2018. On November 5, 2019, the Lower Saxony DPA released a report summarizing its findings (Report; available in German here). Summary of findings in the Report We previously reported … Continue Reading
In March 2019, the Information Commissioner’s Office (ICO) released a Call for Input on developing the ICO’s framework for artificial intelligence (AI). The ICO simultaneously launched its AI Auditing Framework blog to provide updates on the development of the framework and encourage organisations to engage on this topic with the ICO. On 23 October 2019, … Continue Reading
On 15 October 2019, the Information Commissioner’s Office (ICO) released the latest in its series of blogs on developing its framework for auditing artificial intelligence (AI). The blog (here) focuses on AI systems and how data subjects can exercise their rights of access, rectification and erasure in relation to such systems. Below, we summarise some … Continue Reading
The General Data Protection Regulation (GDPR) has prompted a series of legislative proposals in Latin American countries to update data protection regulations, many of which reflect the higher standards of the GDPR. With a large number of European and U.S. companies operating in the region, we look at some of the latest developments below. Argentina … Continue Reading
The European Data Protection Board (EDPB) met for its fourteenth plenary session on 8 and 9 October 2019. One of the key developments was the adoption of the final version of its guidelines on the contractual lawful basis for the processing of personal data in the context of online services under Article 6(1)(b) of the … Continue Reading
After a month of rumors, uncertainty, and German data protection authorities being nontransparent, the German conference of data protection authorities (Datenschutzkonferenz, DSK) published the concept for calculating administrative fines for data protection violations (Concept, available here) on October 16, 2019. The Concept sets out a standardized approach regarding the calculation of administrative fines in accordance … Continue Reading
In its judgment of 1 October 2019, the European Court of Justice (ECJ) decided on cookie consent requirements under the General Data Protection Regulation 2016/679/EU (GDPR) and the Cookie Directive 2002/58/EC (Cookie Directive) (Case C-673/17, Planet49 GmbH v. Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (the Judgment)). The ECJ set clear requirements on what cookie … Continue Reading
In July 2019, the UK privacy regulator, the Information Commissioner’s Office (ICO) issued a warning about the privacy implications of automated facial recognition technology (AFR). The ICO was concerned that AFR “represent[s] the widespread processing of biometric data of thousands of people as they go about their daily lives.” The UK High Court recently handed … Continue Reading
The Summer 2019 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released: English version German version In this edition we cover the following topics: ECJ and GDPR: Another decision hitting social media activities by companies EDPB does not opt for changes to EU standard contractual clauses EU … Continue Reading
The Lower Saxony Data Protection Authority (Lower Saxony DPA) has audited 50 large and medium-sized organizations over the last couple of months regarding their implementation of the requirements of the General Data Protection Regulation (GDPR), and is currently finalising the audits. On 7 August 2019, the Lower Saxony DPA released the checklist that it used … Continue Reading
Recently, the Berlin Data Protection Authority (Berlin DPA) announced that it would issue a high administrative fine for violations of the General Data Protection Regulation 2016/679 (GDPR). The announcement is available in German on the website of the City of Berlin. The fine will likely be a double-digit million amount of euros. The Berlin DPA … Continue Reading
The UK’s new prime minister, Boris Johnson, has vowed that the UK will leave the EU on October 31, 2019. A unilateral (or “hard”) Brexit poses many privacy and data protection challenges for companies that operate in the UK. Post-Brexit privacy and data protection issues that you need to consider include: how to maintain uninterrupted … Continue Reading
The Information Commissioner’s Office (ICO) has published its 2018/19 Annual Report, covering the 12 months to 31 March 2019. This is the ICO’s first annual report to parliament since the GDPR came into force in May 2018. It sets out exactly what the ICO has been up to in what has been an interesting year. … Continue Reading
In a late night session on 28 June 2019, the German Parliament (Bundestag) passed the Second GDPR Implementation Act (2. Datenschutz-Anpassungs-und-Umsetzungsgesetz EU – 2. DSAnpUG-EU; the Act). The Act is available online in German here and here. For more information on the First German GDPR Implementation Act read our blog here. The Act will amend 154 German … Continue Reading
Never one to miss a bandwagon, the European Commission has published three documents to mark the first year of GDPR: a Eurobarometer survey on data protection (Eurobarometer Survey); a multi-stakeholder expert group (MEG Report); and guidance on the free flow of non-personal data within the EU (reported on here). We set out some of the … Continue Reading
The Information Commissioner’s Office (ICO) and the Alan Turing Institute have recently released an interim report (Report) outlining their approach to best practices in explaining artificial intelligence (AI) to users. The Report is of particular relevance to operators of AI systems who may be considering their duties under the General Data Protection Regulation 2016/679 (GDPR). In … Continue Reading
The Spring 2019 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released. We provide updates on cookies and tracking tools, Facebook fan pages, fines under GDPR, influencer marketing, email encryption, platform provider obligations, framing, the new German Trade Secrets Act, and more. The newsletter also includes multiple … Continue Reading
At its eleventh plenary session on 4 June 2019 in Brussels, the European Data Protection Board (EDPB) adopted final versions of (1) the Guidelines 1/2019 on codes of conduct and monitoring bodies under Regulation 2016/679, (2) annex 2 to the Guidelines on certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679 … Continue Reading
By a new decision of sanction rendered on 28 May 2019, the French data protection authority Commission nationale de l’informatique et des libertés (CNIL) imposed a €400,000 fine on French property management company Sergic for failure to comply with its obligation to maintain the security of and to limit the storage of personal data. This … Continue Reading
The new Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the EU (Free Flow of Non-Personal Data Regulation), which we discussed in a previous blog, became applicable from 28 May 2019. Together with the General Data Protection Regulation (EU) 2016/679 (GDPR), the two regulations now provide a “comprehensive framework … Continue Reading
The European Data Protection Board (EDPB) has published a survey of European Economic Area (EEA) regulators setting out General Data Protection Regulation (GDPR) enforcement trends. The report makes for interesting reading. It sets out how: the GDPR’s “one stop shop” mechanism has been bedding down; and the number of data subject complaints and data breach … Continue Reading
The Information Commissioner’s Office (ICO) has published its update reflecting on its GDPR experience over the past year and its upcoming priorities to stay relevant, foster innovation and maintain its position as an “influential regulator on the national and international stage”. Supporting the public, DPOs, SMEs and other organisations The first year of the GDPR … Continue Reading
25 May 2019 was GDPR’s first birthday. Since its introduction, privacy and data protection issues have continued to dominate public debate and regulators have signalled that large fines for non-compliance are imminent. Now is an opportune time to review your privacy and data protection regimes. We have more regulatory guidance and case law than we … Continue Reading
