ICO Delays British Airways and Marriott GDPR Fines
Further to the publication of the ICO’s notices of intention to fine British Airways and Marriott in July 2019, the ICO has recently issued a statement delaying the issuance of both GDPR fines which had originally been expected by the end of 2019. (The ICO’s initial notices of intention to fine had stated that British Airways would face a fine of £183m ($228m) and Marriott, a fine of £99m ($123m). We reported on these here: British Airways and Marriott.)
German DSK Issues GDPR Fining Methodology Guidelines
Recently, the Association of German Data Protection Authorities (“Datenschutzkonferenz” or “DSK”) issued guidelines setting a GDPR fining methodology (“Fining Methodology”). GDPR enforcement across the EU has picked up over the past year. This Fining Methodology has been issued at the time of a significant increase in GDPR enforcement action across the EU. The European Data Protection Board (“EDPB”) reported a total of 281,088 national enforcement actions being initiated as of May 22, 2019 (approximately one year after the GDPR’s entry into application). Since then, data protection authorities across the EU have been initiating enforcement and fines on a daily basis. In particular, in the UK, the Information Commissioner’s Office (“ICO”) has issued two notices of intention to fine of €114m and €215m for failure to implement appropriate data security measures.
European Data Protection Board Adopts Data Protection by Design and by Default Guidelines
On 13 November 2019, the European Data Protection Board (“EDPB”) adopted guidelines on the GDPR’s data protection by design and by default principle (“Guidelines”). The Guidelines provide further guidance into the technical and organizational measures and safeguards that data controllers must take into account when designing their processing activities. The EDPB encourages early consideration of data protection by design and by default principles (“DPbDD”) and considers DPbDD to be at the forefront of GDPR compliance. Data controllers, processors and technology providers should consider re-assessing their processing operations and products against the standards put forward in the Guidelines.
The Sixth Edition of The Privacy, Data Protection and Cybersecurity Law Review is Available
The sixth edition of The Privacy, Data Protection and Cybersecurity Law Review takes a look at the evolving global privacy, data protection and cybersecurity landscape in a time when mega breaches are becoming more common, significant new data protection legislation is coming into effect, and businesses are coming under increased scrutiny from regulators, Boards of Directors and their customers. Several lawyers from Sidley’s global Privacy and Cybersecurity practice have contributed to this publication. See the chapters below for a closer look at this developing area of law. (more…)
Federal and State Authorities Increase Scrutiny and Enforcement of Children’s Privacy; Google, YouTube Agree to Pay a Record $170 Million Fine
This fall, scrutiny has increased on children’s privacy with the FTC and New York Attorney General’s announcement of the largest fine ever for violations of the Children’s Online Privacy Protection Act (“COPPA”), followed by FTC public workshops on updating the COPPA Rule. Combined with increased requirements for the sale of teen personal information under the California Consumer Privacy Act (“CCPA”), and calls for triple fines for children’s privacy violations under a potential CCPA 2.0 referendum for 2020, children’s privacy has come to the forefront of privacy risks.
The Final Countdown: What You Need to Know About the CCPA and its Draft Regulations Before January 1
Companies doing business in California or with Californians must be ready to comply with the California Consumer Privacy Act (CCPA) by January 1, 2020 – less than three months away. However, as businesses were putting the finishing touches on their compliance efforts, the California legislature amended the law and the Attorney General proposed a round of very significant regulatory requirements. Now businesses find themselves making last-minute adjustments as the deadline approaches.
Please join us for a discussion that highlights the key takeaways from the recent CCPA amendments and proposed regulations, identifies the steps companies should be taking to meet these new obligations, and provides benchmarks for how companies are addressing key issues surrounding the CCPA.
Observations from Albania: the 41st Annual International Conference of Data Protection and Privacy Commissioners (October 23-24, 2019)
UK ICO Commissioner Liz Denham, who serves as Conference Chair, welcomed attendees at the public session and provided a brief summary of what transpired at the Commissioners’ closed door sessions. She noted that “privacy” has gone “mainstream.” People around the world expect more information about how their data is used. She stressed the importance of future international collaboration and regulatory cooperation to develop shared strategies and tactics “to protect people from big companies.”
Commissioner Denham also highlighted the increased focus on the role of data protection as a relevant consideration in competition analysis by international regulators. She noted that the International Privacy Commissioners’ Conference, and the ongoing assembly of global regulators, resolved to be more transparent in the future with respect to the regulated community and other interested parties. Finally, she hinted that a new name for the group would be announced before the 2019 conference concludes.
CCPA In-Depth Series: Draft Attorney General Regulations on Verification, Children’s Privacy and Non-Discrimination
This post is the third in a three part series taking a deep dive into the five key articles of the Attorney General’s CCPA draft regulations: Article 2 on Notice to Consumers; Article 3 on Business Practices for Handling Consumer Requests; Article 4 on Verification of Requests; Article 5 on Special Rules Regarding Minors; and Article 6 on Non-Discrimination. Today we look at verification, children’s privacy and the non-discrimination provisions. Visit the CCPA Monitor for a collection of all our CCPA insights.
INTRO AND BACKGROUND. In the summer of 2018, the California Legislature drafted and passed the California Consumer Privacy Act (CCPA) in record time. Facing a procedural deadline for a ballot initiative, the Legislature acted with dispatch, as it did not want to add to the State Constitution, with its super-majority amendment requirements, many of the provisions that ultimately found their way into the CCPA. This abbreviated legislative process produced a bill with numerous gaps and anomalies, however. Businesses, consumer advocates, and privacy watchers have thus been eagerly waiting for over a year for the Attorney General to propose the regulations the CCPA requires him to promulgate.
On October 10, 2019, this wait finally ended. As laid out below, the nature and breadth of the Attorney General’s proposed regulations explain why they took so long to produce. Put simply, the proposed regulations are significant and will have substantial implications on businesses’ ongoing efforts to comply with the CCPA with less than three months left to go before the effective date. Indeed, even if they do not resolve all of the Law’s many ambiguities, they do provide helpful implementation guidance – along with surprising new requirements, some of which may questionably extend beyond the CCPA itself.
CCPA In-Depth Series: Draft Attorney General Regulations on Consumer Requests
This post is the second in a three part series taking a deep dive into the five key articles of the Attorney General’s CCPA draft regulations: Article 2 on Notice to Consumers; Article 3 on Business Practices for Handling Consumer Requests; Article 4 on Verification of Requests; Article 5 on Special Rules Regarding Minors; and Article 6 on Non-Discrimination. Today we look at consumer requests. Check back daily for the next installment, or visit the CCPA Monitor for a collection of all our CCPA insights.
Intro and Background. In the summer of 2018, the California Legislature drafted and passed the California Consumer Privacy Act (CCPA) in record time. Facing a procedural deadline for a ballot initiative, the Legislature acted with dispatch, as it did not want to add to the State Constitution, with its super-majority amendment requirements, many of the provisions that ultimately found their way into the CCPA. This abbreviated legislative process produced a bill with numerous gaps and anomalies, however. Businesses, consumer advocates, and privacy watchers have thus been eagerly waiting for over a year for the Attorney General to propose the regulations the CCPA requires him to promulgate.
On October 10, 2019, this wait finally ended. As laid out below, the nature and breadth of the Attorney General’s proposed regulations explain why they took so long to produce. Put simply, the proposed regulations are significant and will have substantial implications on businesses’ ongoing efforts to comply with the CCPA with less than three months left to go before the effective date. Indeed, even if they do not resolve all of the Law’s many ambiguities, they do provide helpful implementation guidance – along with surprising new requirements, some of which may questionably extend beyond the CCPA itself.
CCPA In-Depth Series: Draft Attorney General Regulations on Consumer Notice
This post is the first in a three part series taking a deep dive into the five key articles of the Attorney General’s CCPA draft regulations: Article 2 on Notice to Consumers; Article 3 on Business Practices for Handling Consumer Requests; Article 4 on Verification of Requests; Article 5 on Special Rules Regarding Minors; and Article 6 on Non-Discrimination. Today we look at consumer notice. Check back daily for the next installment, or visit the CCPA Monitor for a collection of all our CCPA insights.
Intro and Background. In the summer of 2018, the California Legislature drafted and passed the California Consumer Privacy Act (CCPA) in record time. Facing a procedural deadline for a ballot initiative, the Legislature acted with dispatch, as it did not want to add to the State Constitution, with its super-majority amendment requirements, many of the provisions that ultimately found their way into the CCPA. This abbreviated legislative process produced a bill with numerous gaps and anomalies, however. Businesses, consumer advocates, and privacy watchers thus have been eagerly waiting for over a year for the Attorney General to propose the regulations the CCPA requires him to promulgate.
On October 10, 2019, this wait finally ended. As laid out below, the nature and breadth of the Attorney General’s proposed regulations explain why they took so long to produce. Put simply, the proposed regulations are significant and will have substantial implications on businesses’ ongoing efforts to comply with the CCPA with less than three months left to go before the effective date. Indeed, even if they do not resolve all of the Law’s many ambiguities, they do provide helpful implementation guidance – along with surprising new requirements, some of which may questionably extend beyond the CCPA itself.