GDPR

Google-Style GDPR Fines for Everyone? Bavarian DPA Conducts Website Cookie Practices Sweep, Announces Fines under Consideration

Written by

As has been widely reported, in late January the French privacy supervisor CNIL fined Google €50 million for privacy violations relating to targeted marketing using Android user data.  One of the core violations the CNIL found was that Google’s Android user interface did not obtain effective, GDPR-compliant consent to targeted marketing from users.  The amount of the Google fine startled many companies, but with time the shock faded.  Google was seen as a special case, and a number of companies began to presume that, while scrutiny of targeted online marketing may pick up, “we’re not […] Read more

EU and Japan Publish a Joint Release on Their Mutual Adequacy Decisions

Written by

On January 23, 2019, the Personal Information Protection Commission of Japan (the “PPC”) and the European Commission (the “Commission”) jointly announced the adoption of the decisions recognizing each other’s personal data protection systems as equivalent. The Commission launched the process leading to the adoption of the adequacy decision in September 2018 and successfully completed the process by obtaining the green light from a committee composed of representatives of the European Union (“EU”) Member States.  In parallel, the PPC adopted a decision to designate the EU as equivalent […] Read more

Alston & Bird Issues Advisory on Applying GDPR Experience to CCPA Implementation

Written by

Alston & Bird recently issued an advisory entitled, “Applying GDPR Process Lessons to the CCPA,” authored by Jim Harvey and Karen Sanzaro. The recently and hastily adopted California Consumer Privacy Act of 2018 (CCPA) has already been compared to the General Data Protection Act (GDPR), though the two greatly differ in scope and content.  However, there are valuable insights to glean from the GDPR adoption process that can give companies a heads start on implementing the CCPA. The advisory examines these five lessons from which companies can learn: Leadership and multidisciplinary [...] Read more

German DPA Announces GDPR Compliance Survey of Large Companies – Translation Provided

Written by

Following a two-year grace period, EU General Data Protection Regulation (GDPR) entered into force on May 25, 2018.  For many companies, preparing for the GDPR was a multi-year project involving multiple teams and input or assistance from across the organization.  On this blog, we have outlined the items we have seen as particularly time- or resource-intensive. On June 29, 2018, the Data Protection Authority (DPA) of the German state of Lower Saxony (Niedersachsen) announced it would be surveying GDPR compliance among companies under its jurisdiction.  Germany has 16 state-run DPAs with general [...] Read more

Privacy Activist Challenges Data Collection for Internet Businesses

Written by

Austrian privacy activist Max Schrems’ organization, NOYB – Center for Digital Rights, filed complaints against Google (Android), Instagram, WhatsApp and Facebook on May 25th, the same day on which the EU General Data Protection Regulation (GDPR) became effective. NOYB filed the complaints based on the GDPR with supervisory authorities in France, Belgium, Germany and Austria.  These “Day 1” complaints could have a definite impact on ad-supported online businesses. The complaints reflect similar criticisms of each company. Assuming that each company processes personal data on the basis [...] Read more

EU Supervisory Authorities Disclose DPO Notification Tools

Written by

Shortly after the GDPR’s entry into application on May 25, 2018, several EU Supervisory Authorities have activated online Data Protection Officer (“DPO”) notification tools, allowing organizations to communicate the contact details of their DPO to the Supervisory Authorities, which is a requirement under Article 37 GDPR. While the DPO Guidelines of the Article 29 Working Party (“WP29”; replaced by the European Data Protection Board, “EDPB”) do not emphasize the requirement to notify DPOs, Supervisory Authorities (“SAs”) view these notifications as important, and have made available [...] Read more

German DPAs Issue DPIA Blacklists; Many Companies Likely to be Affected

Written by

The GDPR entered into force on May 25, 2018.  One of the GDPR’s core going-forward obligations is the duty to conduct Data Protection Impact Assessments (DPIAs) over processing activities that create a “high risk” to individuals’ privacy.  DPIAs constitute an important aspect of GDPR compliance, as they arguably replace the notifications of processing systems and activities to European Data Protection Authorities (DPAs) which pre-GDPR privacy law often obligated companies to make.  Instead of notifying DPAs, the GDPR now requires companies to internally conduct DPIAs that document “high [...] Read more

Alston & Bird Issues Data Protection Paper on Accurate Retrieval of Personal Data under the GDPR

Written by

Today Alston & Bird’s Jan Dhont, Peter Swire, and DeBrae Kennedy-Mayo, with support from Senzing, Inc., are publishing a White Paper titled The Importance of Accurate Retrieval of Data Subjects’ Personal Data in Complying with GDPR Individual Rights Requirements. The General Data Protection Regulation, which enters into effect on May 25, 2018, goes considerably beyond existing law in setting forth individual rights that allow data subjects to control how their personal data is used. This Paper addresses an important issue for implementing individual rights – how can those companies [...] Read more

Belgian Privacy Commission Issues DPIA “Black” and “White List” Recommendation

Written by

On February 28, 2018, the Belgian Privacy Commission issued a recommendation on the position it takes with regard to data protection impact assessments (or “DPIAs”) as foreseen in the GDPR. A DPIA under the GDPR is similar in scope and impact to its predecessor, the PIA (or “privacy impact assessment”) and requires businesses to assess processing operations that are likely to present a high risk to individuals’ rights. Such “high risk” is, for instance, likely to present itself in processing operations involving sensitive data, systematic monitoring, or vulnerable individuals such [...] Read more

Belgian Court Uses Novel Argument to Assume International Jurisdiction over Non-EU Facebook Entities

Written by and

On February 16, 2018, the Brussels Court of First Instance rendered a judgment in proceedings brought by the Belgian Privacy Commission’s against Facebook. The case forms one part of two-tiered litigation brought by the Commission in regards to alleged monitoring practices vis-à-vis Belgian internet users. In parallel to the proceedings that resulted in the judgment cited above, the Belgian Privacy Commission had also initiated a procedure referred to as “summary proceedings” against Facebook – and Facebook defeated the Privacy Commission’s claim before the Brussels Court of Appeal in [...] Read more