French CNIL Fines Google €50m for Violation of GDPR’s Transparency and Consent Requirements
On January 21, 2019, the French Supervisory Authority (the “Commission Nationale de l’Informatique et des Libertés” or “CNIL”) issued Google’s U.S. headquarters (“Google”) with a fine of €50m for failure to comply with the EU General Data Protection Regulation’s (“GDPR”) fundamental principles of transparency and legitimacy. The CNIL found that the general structure of Google’s privacy policy and terms & conditions was too complex for the average user and that Google, by using pre-ticked boxes as a consent mechanism, failed to establish a legal basis for data processing to deliver targeted advertising. This is the first regulatory fine the CNIL issued on the basis of the GDPR’s penalty authorities, and it marks a strong enforcement signal to organizations subject to the CNIL’s jurisdiction moving forward. (more…)
EU Commission Decision Reconciles Data Protection Rules with the Need for Effective Trade Defence and Trade Policy Investigations
On December 17, 2018, European Commission Decision (EU) 2018/1996 (the ‘Decision’) was published in the Official Journal of the European Union. The Decision lays down rules designed to reconcile the rights of individuals respecting their personal data, with the need for effective trade defence and trade policy investigations in the EU. (more…)
EDPB Issues Long-Awaited Guidance on Territorial Scope of the GDPR
On November 23, 2018, the European Data Protection Board (“EDPB”) published draft guidelines seeking to clarify the territorial scope of the GDPR (“Guidelines”). The Guidelines have been eagerly awaited, particularly by controllers and processors outside of the EU looking for confirmation as to whether or not the EU data protection rules apply to them. The Guidelines largely reaffirm prior interpretations of the GDPR’s territorial application under Article (3)(1), and offer essential guidance with respect to the GDPR’s – heavily debated – extraterritorial application under Article (3)(2). The GDPR applies to companies established in the EU as well as companies outside of the EU that are “targeting” individuals in the EU (by offering them products or services) or monitoring their behavior (as far as that behavior takes place in the EU).
The proposed Guidelines are open for public consultation until January 18, 2019. It remains to be seen whether and how any outstanding issues will have been addressed upon conclusion of the consultation. (more…)
EU Parliament Adopts Blockchain Resolution
On October 3, 2018, the European Parliament passed its long awaited resolution on distributed ledger technologies and blockchains (the “Blockchain Resolution”). The Blockchain Resolution was adopted to protect and empower EU citizens and businesses with respect to the specific issues that arise in relation to the blockchain or “distributed ledger” technology, one of which being the tension with data protection rights and the GDPR in general. (more…)
New Belgian Data Protection Act Takes Effect
On September 5, 2018, the new Belgian Data Protection Act implementing the GDPR (the Belgian Act) was published and entered into force. Despite the GDPR being an EU regulation that directly applies to all EU Member States, several provisions of the GDPR explicitly allow, and even require, Member States to enact legislation which implements the law. Member States were expected to have this legislation in place by May 25, 2018, but the majority of Member States (including Belgium) did not meet the deadline. Since December 2017, however, Belgium has had in place a law implementing many of the more procedural provisions of the GDPR, namely the Act on the Establishment of the Supervisory Authority (the SA Act). The SA Act lays down the structure, powers and competence of the new Belgian Supervisory Authority, and also includes rules of procedure applicable to administrative proceedings before the Authority. (more…)
Dutch Supervisory Authority Investigates GDPR Compliance in the Healthcare Sector
On 21 August 2018, the Dutch Supervisor Authority announced that it had conducted an investigation into the designation of a Data Protection Officer (DPO) under the General Data Protection Regulation (GDPR) by 91 hospitals and 33 healthcare insurers in the Netherlands. Two hospitals had not yet communicated the contact details of their DPO to the Dutch Supervisor Authority, and were given four weeks to designate a DPO. In addition, the Supervisor Authority found that 25% of the hospitals and healthcare insurers whose practices were reviewed did not properly publish their DPO’s contact details on their website. They will also be expected to implement the necessary compliance measures. (more…)
European Data Protection Board Releases Statement on the Revision of the ePrivacy Regulation
On 28 May 2018, the European Data Protection Board (the “EDPB”) released a statement on the revision of the ePrivacy Regulation (the “proposed Regulation”) and its impact on the protection of individuals in relation to the privacy and confidentiality of their communications. It is the first statement of substance by the EDPB since it was established by the EU General Data Protection Regulation on 25 May 2018. The statement calls on the European Commission, Parliament and Council to work together to ensure a swift adoption of the proposed Regulation, which will replace the current ePrivacy Directive (the “Directive”).
Belgian Privacy Commission Issues Guidance on Data Protection Impact Assessments Under the GDPR
On 28 February 2018, the Belgian Commission for the Protection of Privacy (the “Privacy Commission”) published a recommendation setting out its approach to Data Protection Impact Assessments (“DPIAs”), and in doing so published a “White List” and a “Black List” of processing operations, pursuant to the General Data Protection Regulation (“GDPR”). Organisations subject to the GDPR are required to assess whether they need to undertake a DPIA when undertaking new processing operations. However under the GDPR, member state data protection authorities:
- are required to publish a “Black List” of processing operations which are always subject to the requirement to undertake a DPIA; and
- are permitted to publish a “White List” of processing operations which are not subject to the requirement to undertake a DPIA.
Privacy and Cybersecurity Top 10 for 2018
This past year was marked by ever more significant data breaches, growing cybersecurity regulatory requirements at the state and federal levels and continued challenges in harmonizing international privacy and cybersecurity regulations. We expect each of these trends to continue in 2018.
As we begin this New Year, here is list of the top 10 privacy and cybersecurity issues for 2018: (more…)
Dutch Data Protection Authority Confirms That Notifications Are No Longer Required
On 6 November 2017, the Dutch Data Protection Authority (‘”DPA”) issued a statement in which it confirms that controllers subject to Dutch data protection law will – in most cases – no longer need to notify their data processing activities to the DPA. The General Data Protection Regulation (“GDPR”), which becomes applicable on 25 May 2018, abolishes the system of DPA notifications and replaces it with the requirement to keep internal records of data processing operations. Until that date, controllers can still submit notifications if they wish to do so, but in general the DPA will no longer enforce compliance with the notification requirement in the law.