Following a two-year grace period, EU General Data Protection Regulation (GDPR) entered into force on May 25, 2018. For many companies, preparing for the GDPR was a multi-year project involving multiple teams and input or assistance from across the organization. On this blog, we have outlined the items we have seen as particularly time- or resource-intensive.
On June 29, 2018, the Data Protection Authority (DPA) of the German state of Lower Saxony (Niedersachsen) announced it would be surveying GDPR compliance among companies under its jurisdiction. Germany has 16 state-run DPAs with general [...] Read more
With the entry into application of the GDPR on May 25, 2018, the EU Member States were expected to have adopted national legislation implementing the regulation. To date, however, only 30% of Member States have effectively passed legislation, which still leaves the legal landscape to be precarious. The GDPR allows for deviations and specifications in several areas, for instance to introduce specific conditions or limitations for the processing of biometric, genetic, or health data; to create specific protection regimes for employee data; or to restrict the rights the GDPR grants to individuals. [...] Read more
The GDPR entered into force on May 25, 2018. One of the GDPR’s core going-forward obligations is the duty to conduct Data Protection Impact Assessments (DPIAs) over processing activities that create a “high risk” to individuals’ privacy. DPIAs constitute an important aspect of GDPR compliance, as they arguably replace the notifications of processing systems and activities to European Data Protection Authorities (DPAs) which pre-GDPR privacy law often obligated companies to make. Instead of notifying DPAs, the GDPR now requires companies to internally conduct DPIAs that document “high [...] Read more
The Securities and Exchange Commission’s $35 million settlement with Altaba Inc., the successor in interest to Yahoo! Inc., is the first civil penalty of its kind for a data breach and underscores the agency’s increasing focus on public companies’ cybersecurity disclosure obligations. A cross-practice team from our Securities Litigation and Cybersecurity Preparedness & Response groups examined the SEC action in an advisory published on April 27, 2018.
To read the full advisory, please click here. [...] Read more
The Council of the European Union published a new draft of the ePrivacy Regulation (link here) for discussion purposes on 22 March. This draft aims to facilitate discussions as we are moving towards the final version of the ePrivacy Regulation. As such, the changes outlined below are not final, but rather indicative of the direction that the ePrivacy Regulation is taking. Of particular interest to companies are the provisions relating to cookie settings, and direct marketing communications:
Cookie Settings
The new draft clarifies that a one-off consent for a cookie in the context [...] Read more
On February 16, 2018, the Brussels Court of First Instance rendered a judgment in proceedings brought by the Belgian Privacy Commission’s against Facebook. The case forms one part of two-tiered litigation brought by the Commission in regards to alleged monitoring practices vis-à-vis Belgian internet users. In parallel to the proceedings that resulted in the judgment cited above, the Belgian Privacy Commission had also initiated a procedure referred to as “summary proceedings” against Facebook – and Facebook defeated the Privacy Commission’s claim before the Brussels Court of Appeal in [...] Read more
On November 16, 2017 the Belgian Senate adopted an “Act on the Establishment of the Data Protection Authority” (the “Act”). Following Austria, Germany, and the UK, Belgium is the fourth EU Member State to pass a domestic statute implementing the General Data Protection Regulation 2016/679 (“GDPR”) prior to its effective date of 25 May 2018. The new Belgian Act sets forth the structure and legal organization of the Data Protection Authority (“DPA”), which will serve as the successor of the current Belgian Privacy Commission. More importantly, the Act significantly broadens the DPA’s [...] Read more
On October 18, 2017, the Article 29 Working Party (the “WP29”) published Guidelines clarifying the new profiling and automated decision-making provisions of the General Data Protection Regulation (“GDPR”). European Union regulatory authorities and the WP29 consider that technological developments that facilitate the creation of individual profiles, such as big data analytics, AI and machine learning, have created new risks to data protection. As the majority of industries (insurance, marketing and finance, and even healthcare) already apply and use these new techniques today, the WP29 [...] Read more
On 18 May 2017, the European Commission (“Commission”) fined Facebook €110 million ($122 million) for misrepresentations made in its application for competition clearance of the company’s acquisition of WhatsApp. In its merger application, Facebook claimed that it would be unable to automatically match Facebook users’ accounts and WhatsApp users’ accounts for marketing and other purposes. However, in August 2016, WhatsApp introduced functionality enabling the linking of WhatsApp users’ phone numbers with Facebook users’ identities. This is the first time since the new Merger Regulation [...] Read more
On February 13, 2017 Australia became one more among nation states adopting data breach notification legislation. In recent House and Senate votes, the Australian Parliament amended the Privacy Act 1988, introducing mandatory data breach notification requirements for entities regulated by the Privacy Act.
Who is Subject to the New Legislation?
The recent bill requires entities with revenue over $3 million AUD ($2.3 million USD) and certain credit reporting bodies and recipients of tax file number information to notify both the Australian Information Commissioner and affected individuals “as [...] Read more
This website uses cookies to improve functionality and performance. By continuing to browse this site, you are consenting to the use of cookies on this website. OkCookie policy
