Category Archives: Enforcement

Working Party welcomes the draft ePrivacy Regulation, yet expresses grave concerns

Written by
The Working Party recently issued its first Opinion for 2017, focusing on the EU Commission’s proposed ePrivacy Regulation (WP 247, Opinion 01/2017). The Commission’s proposal, which was published in January this year, aims to modernize the existing ePrivacy Directive (2002/58/EC as amended by 2009/136/EC) which concerns the protection of personal data in the context of electronic communication services. In its Opinion, the Working Party overall welcomed the proposed regulation, yet expressed several points of concern and suggested amendments. The congratulations… In welcoming the regulation, [...] Read more

May 30 is Fast Approaching – Are You Ready for Compliance with the Amended Act on Protection of Personal Information in Japan?

Written by
Japan’s Act on Protection of Personal Information currently in force (“Current APPI”) dates back to 2003.  It was originally enacted on May 30, 2003, and came into effect in 2005.  Ten years later, the National Diet passed extensive reforms to modernize the Current APPI in September, 2015.  Although the Amended Act on Protection of Personal Information (“Amended APPI”) has been partly in effect, it will come fully into effect on May 30, 2017. It is important to note that the Amended APPI applies to “personal information handling business operators” which is defined as a person [...] Read more

Germany Proposes Bill Requiring Social Network Takedowns – with € 50 Million Fines

Written by
Recent media reports indicated that Germany was considering legislation that would fine social networks for failing to combat fake news and hate speech.  Today, German Justice Minister Heiko Maas introduced a “Draft Law to Improve Law Enforcement in Social Networks” (abbreviated as the Network Enforcement Act (Netzwerkdurchsetzungsgesetz), or “NetzDG”).  The NetzDG aims to curb “hate-based criminality” in large social networks that have the potential to drive public opinion, and to improve law enforcement access to evidence held by social networks.  The Justice Department’s NetzDG [...] Read more

Australia Adopts New Data Breach Notification Legislation

Written by
On February 13, 2017 Australia became one more among nation states adopting data breach notification legislation. In recent House and Senate votes, the Australian Parliament amended the Privacy Act 1988, introducing mandatory data breach notification requirements for entities regulated by the Privacy Act. Who is Subject to the New Legislation? The recent bill requires entities with revenue over $3 million AUD ($2.3 million USD) and certain credit reporting bodies and recipients of tax file number information to notify both the Australian Information Commissioner and affected individuals “as [...] Read more

Smart Television Manufacturer Settles by Paying $ 2.2 Million to the FTC and the State of New Jersey

Written by
The FTC and the State of New Jersey recently announced a settlement with Vizio, Inc., in the amount of $2.2 million for tracking consumer behavior using its smart television devices. The complaint alleged that Vizio acted unfairly by collecting, storing (indefinitely) and sharing consumer data with third parties without consent and in an unexpected manner. Further, the complaint alleged that Vizio had misrepresented the functionality of the feature in their smart televisions that collected such data (also known as “Smart Interactivity”). It was also alleged that these practices were an unconscionable [...] Read more

New York Financial Services Regulator Issues Revisions to Proposed Cybersecurity Regulation

Written by
Today, the New York Department of Financial Services (DFS) released a revised version of the proposed cybersecurity regulations that it first issued in September.  According to a press release issued by DFS Superintendent Vullo, the new version of the proposed rules will be finalized following a 30-day notice and public comment period. Among the most notable changes are an extension of the effective date to March 1, 2017, an array of longer transition periods for various sections of the regulation, increased emphasis on risk assessment, and a slight reduction in the extremely broad scope of [...] Read more

WP29’s Guidance on the Lead Supervisory Authority

Written by
Late last week, the Article 29 Working Party (“WP29”) issued detailed guidance on companies’ obligations under three key provisions of the General Data Protection Regulation (GDPR).  This is part three of a three-part Alston & Bird series evaluating WP29's positions, and relates to  the “One Stop Shop” mechanism which aims at simplifying the way companies with operations in multiple EU countries interact with the EU supervisory authorities (“SAs”). Part 1 deals with Data Protection Officer Obligations, under the GDPR, while part 2 analyzes guidance on the Right to Data Portability. The [...] Read more

WP29 Issues Guidance on the Right to Data Portability under the GDPR

Written by
Late last week, the Article 29 Working Party (“WP29”) issued detailed guidance on companies’ obligations under three key provisions of the General Data Protection Regulation ("GDPR").  This is part two of a three-part Alston & Bird series evaluating WP29's positions, and relates to the Right of Data Portability for data subjects and its obligations for data controllers.  Part 1 deals with Data Protection Officer obligations, under the GDPR, while part 3 analyzes guidance on the Lead Supervisory Authority mechanism. Article 20 of the GDPR creates a new right to data portability [...] Read more

WP29 Releases Extensive Guidance on DPO Obligations; Companies Need to Start Planning Now

Written by
Late last week, the Article 29 Working Party (“WP29”) issued detailed guidance on companies’ obligations under three key provisions of the General Data Protection Regulation (GDPR).  This is part one of a three-part Alston & Bird series evaluating WP29's positions, and relates to Data Protection Officer obligations under the GDPR.  Part 2 deals with the Right to Data Portability, while Part 3 analyzes guidance on the Lead Supervisory Authority mechanism. The GDPR mandates that companies appoint a Data Protection Officer (DPO) in certain circumstances.  DPOs have been a fixture [...] Read more

EU Releases Amendments to Model Clause and Country-Whitelisting Decisions – with Good News for Companies

Written by
Most privacy professionals are familiar with the European Court of Justice’s 2015 Schrems decision, which struck down the US-EU Safe Harbor mechanism.  One lesser-discussed aspect of the ECJ’s decision related to the powers of Data Protection Authorities (DPAs) within the EU’s Member States.  In the Schrems proceedings, the Irish Data Protection Commission argued that it had no authority to suspend or restrict transfers based on Safe Harbor because Safe Harbor was a decision by the EU Commission.  The ECJ rejected this argument, holding that the Commission cannot restrict DPAs’ ability [...] Read more