By

Geraldine Scali

24 January 2019

French CNIL Fines Google €50m for Violation of GDPR’s Transparency and Consent Requirements

On January 21, 2019, the French Supervisory Authority (the “Commission Nationale de l’Informatique et des Libertés” or “CNIL”) issued Google’s U.S. headquarters (“Google”) with a fine of €50m for failure to comply with the EU General Data Protection Regulation’s (“GDPR”) fundamental principles of transparency and legitimacy. The CNIL found that the general structure of Google’s privacy policy and terms & conditions was too complex for the average user and that Google, by using pre-ticked boxes as a consent mechanism, failed to establish a legal basis for data processing to deliver targeted advertising. This is the first regulatory fine the CNIL issued on the basis of the GDPR’s penalty authorities, and it marks a strong enforcement signal to organizations subject to the CNIL’s jurisdiction moving forward. (more…)

EmailShare
22 January 2019

Transfers of Personal Data from the EU to the U.S. in the Event of a Brexit ‘No-Deal’

The EU-U.S. Privacy Shield (“Privacy Shield”) enables the free-flow of personal data from the European Economic Area (“EEA”) to the U.S. Under the Privacy Shield, U.S. participant organisations commit to adhering to Privacy Shield principles, which include accountability for the onward transfer of personal data after receiving such data from EEA organisations, data integrity obligations and purpose limitations with respect to the personal data transferred. Privacy Shield participant organisations are also required to develop and maintain a Privacy Shield-compliant privacy policy which informs individuals of the organisation’s practices and procedures when handling personal data and explains the independent recourse mechanisms in place for individuals to address complaints with respect to the processing of their personal data.  (more…)

EmailShare
17 January 2019

French DPA Publishes Updated Data Protection Impact Assessment Guidance

Under Article 35(3) of the EU General Data Protection Regulation (GDPR), organisations are required to conduct a data protection impact assessment (DPIA) where they: (i) engage in a systematic and extensive evaluation of personal aspects of individuals, based on automated processing, and on which decisions are based that produce legal or other effects that concern the individual, or (ii) process special categories of personal data (e.g. health data) on a large scale or personal data relating to criminal convictions, or (iii) engage in a systematic monitoring of a publicly accessible area on a large scale. (more…)

EmailShare
30 November 2018

EDPB Issues Long-Awaited Guidance on Territorial Scope of the GDPR

On November 23, 2018, the European Data Protection Board (“EDPB”) published draft guidelines seeking to clarify the territorial scope of the GDPR (“Guidelines”).  The Guidelines have been eagerly awaited, particularly by controllers and processors outside of the EU looking for confirmation as to whether or not the EU data protection rules apply to them.  The Guidelines largely reaffirm prior interpretations of the GDPR’s territorial application under Article (3)(1), and offer essential guidance with respect to the GDPR’s – heavily debated – extraterritorial application under Article (3)(2).  The GDPR applies to companies established in the EU as well as companies outside of the EU that are “targeting” individuals in the EU (by offering them products or services) or monitoring their behavior (as far as that behavior takes place in the EU).

The proposed Guidelines are open for public consultation until January 18, 2019.  It remains to be seen whether and how any outstanding issues will have been addressed upon conclusion of the consultation. (more…)

EmailShare
06 September 2018

European Data Protection Board Clarifies Application of GDPR to Payment Service Providers

On July 5, 2018, the European Data Protection Board (EDPB)1 replied to a request from a Member of the European Parliament (MEP), Dutch Democrat Sophie in ‘t Veld, for clarification on a number of issues relating to the protection of personal data under the EU General Data Protection Regulation (2016/679) (GDPR) and the revised EU Payment Services Directive (2015/2366) (PSD2). In its response, the EDPB set out its position on how the requirement to obtain explicit consent from payment service users under PSD2 interacts with the GDPR. The EDPB also provided guidance on the use of personal data relating to a payee by an account information service provider or a payment initiation service provider acting for a payer.

This post summarizes the EDPB’s stated positions on these points and explores the implications for firms providing payment services in the European Economic Area (EEA).

(more…)

EmailShare
08 August 2018

Japan Granted Adequacy Deal on Data Protection by the EU

On July 17, 2018, the European Commission released a press release announcing Japan and the European Union have concluded talks on reciprocal adequacy of their respective data protection systems, alongside a corresponding Q&A on reciprocal adequacy. After successful negotiations, both jurisdictions have reached a mutual adequacy arrangement, recognising the adequacy in each jurisdiction’s data protection framework and representing the first time that the EU and a third country have agreed on a reciprocal recognition of the level of “adequate” data protection. (more…)

EmailShare
26 September 2017

ECHR Ruled on Monitoring of Employee’s Electronic Communication

On 5 September 2017, the Grand Chamber of the European Court of Human Rights (the “ECHR”) overturned  the previous decision of the ECHR (sitting as a Chamber) and ruled that the Romanian courts had failed to strike a fair balance between the interest of an employer to monitor its employees’ electronic communications to ensure the smooth operation of the company and the employee’s right to respect for his private life and correspondence under Article 8 of the European Convention on Human Rights. However, in a question and answer  section on its website the EHCR made it clear that the ruling does not mean that employers cannot monitor employee’s communications at work. Employers may still monitor their employee’s communications as long as such a measure is accompanied by “adequate and sufficient safeguards against abuse.” (more…)

EmailShare
21 July 2017

The Belgian Data Protection Authority Publishes Guidance on Records of Processing Activities Under the GDPR

The Belgian Commission for the Protection of Privacy (“Privacy Commission”) has recently published guidance on Article 30 of the GDPR which contains the obligation for data controllers and processors to record their processing activities.

This record will have to be up-to-date by 25 May 2018 and readily made available to the regulator should it ask to view it. (more…)

EmailShare
07 March 2017

ICO Publishes Draft Guidance on Consent Under the GDPR and Submit it to Public Consultation

On 2 March 2017, the UK Information Commissioner’s Office (“ICO”) published detailed draft guidance on consent under the GDPR and has submitted it for public consultation. This is the ICO’s first piece of specific GDPR guidance published further to its overview of the GDPR published last January.

The guidance sets out the ICO’s interpretation of the new requirements to obtain valid consent under the GDPR including its view of the role of consent in the GDPR, the benefits of getting consent right and the penalties for getting it wrong. The guidance also explains: (i) when consent is required or appropriate (or not) and the alternative to consent; (ii) what constitutes valid consent under the GDPR with specific guidance on children’s consent and consent for research purposes; (iii) advice on how to obtain, record and manage consent; and (iv) a consent checklist.

(more…)

EmailShare
04 December 2015

Negotiations on the General Data Protection Regulations Continue

As the legislative journey for the General Data Protection Regulation (“GDPR”) nears its conclusion, last week (Nov. 27,2015) saw the publication of a further compromise text which left the door open for additional “trilogue” discussions on the much-debated subjects of administrative fines, data protection officers (“DPOs”), and data breaches, as well as details of other provisions.

(more…)

EmailShare
XSLT Plugin by BMI Calculator