Header graphic for print

HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in International/EU Privacy

First Fine Imposed by the Polish DPA Under the GDPR

The President of the Personal Data Protection Office in Poland (Polish DPA) imposed a fine amounting to PLN 943,470 (approximately EUR 220,000; approximately USD 245,977) for failing to fulfil the company’s transparency obligations towards over six million data subjects under Article 14 of Europe’s General Data Protection Regulation (GDPR).

This is the first fine imposed by the Polish DPA under the GDPR and Poland’s Act on Personal Data Protection of 10 May 2018 implementing the GDPR. The decision provides some limited insights into the interpretation of the term “disproportionate effort” within the meaning of Article 14(5)(b) of the GDPR. Continue Reading

Posted in News & Events

You’re Invited to an In-Person Event: CCPAnow: Understanding the Challenge Ahead and What You Should Be Doing Now

CCPAnow: Understanding the challenge ahead and what you should be doing now

The groundbreaking California Consumer Privacy Act (CCPA) takes effect on January 1, 2020, and companies are already working on compliance. Join members of the Hogan Lovells Privacy and Cybersecurity team for our CCPAnow program, a valuable opportunity to explore the questions that you need to address now in order to be ready.

We are hosting an event on the CCPA, on April 16 in New York.

CCPAnow will offer expert and practical guidance on how to navigate the CCPA, and help you benchmark against how other organizations are addressing the same issues.

Continue Reading

Posted in International/EU Privacy

Crumbs of Comfort: the Advocate-General’s Opinion on Consent and Cookies in Planet49

It’s no secret that a hot topic, perhaps the hot topic, in the European data protection world at present is the interplay between the GDPR and the e-Privacy Directive, in particular how it affects online advertising involving cookies. The European Data Protection Board recently released an opinion on this topic (as we discuss here), and on 21 March the Court of Justice of the European Union (CJEU) released Advocate-General Szpunar’s opinion in the case of Planet49 (C-673/17), which discusses the requirements for valid consent, in the context of both cookies under the e-Privacy Directive and more general data processing under the GDPR. Continue Reading

Posted in News & Events

Privacy and Cybersecurity April 2019 Events

Please join us for our April events.

April 2
Trust in data, no longer a luxury?
Nicola Fulford and James Denvil will speak at the workshop,” Trust in data, no longer a luxury – Privacy, security, and consumer trust for 21st century,” at the Luxury Law London Summit. They will discuss some of the challenges of succeeding in a data-driven market that is undergoing global regulatory upheavals.
Location: London

 

April 4
Global TEC Forum
Mark Brennan will speak on the panel, “California Breaks New Privacy Ground (Again): The California Consumer Privacy Act and What it Means,” at the 2019 Global TEC Forum, hosted by the Minority Corporate Counsel Association.
Location: San Francisco

 

April 5
International Privacy + Security Forum
Bret Cohen and Tim Tobin will be speaking at the International Privacy + Security Forum. Bret will be speaking on the panel, “Trends in Global Privacy Enforcement and How to Allocate Scarce Compliance Resources,” and Tim will be speaking on the panel, “Navigating ePrivacy Requirements: New Ways to Tackle Consent, Cookies and Other Marketing Challenges.”
Location: Washington, D.C.

 

Continue Reading

Posted in International/EU Privacy

EDPB Joins the Dots of ePrivacy and GDPR

On 12 March 2019 at its Eighth Plenary Session, the European Data Protection Board (“EDPB”) adopted its Opinion 5/2019 on the interplay between the ePrivacy Directive (“ePD”) and the General Data Protection Regulation (“GDPR”). The Belgian Data Protection Authority had, on 3 December 2018, requested that the EDPB examine the overlap between the two laws and in particular the competence, tasks, and powers of data protection authorities (“DPAs”). The EDPB adopted its Opinion in response to this request and in order to promote the consistent interpretation of the boundaries of the competences, tasks, and powers of DPAs. Continue Reading

Posted in International/EU Privacy

Dutch Data Protection Authority Sets GDPR Fines Structure

On 14 March 2019, the Dutch data protection authority (Autoriteit Persoonsgegevens, DPA) announced (in Dutch) its fining structure for violations of the European General Data Protection Regulation (GDPR) and the Dutch law implementing the GDPR (Implementation Act). Continue Reading

Posted in International/EU Privacy

A Global Approach to IoT Cybersecurity?

The European Telecommunications Standards Institute (ETSI) has published a new standard for cybersecurity in relation to consumer IoT products. The standard builds on the UK’s Code of Practice for Consumer IoT Security, published in October last year. The Code of Practice was developed by the UK Government following publication of a draft code as part of the Secure by Design report published by the Government in March 2018 and after consultation with industry, consumer associations, and academics. The UK Code is voluntary but the UK Government was keen to work with ETSI to develop it into a global standard. Continue Reading

Posted in Financial Privacy

FTC Seeks Comment on Proposed Changes to GLBA Implementing Rules

The Federal Trade Commission (“FTC”) issued notices on March 5 seeking public comment on proposed amendments to the regulations implementing the Gramm-Leach-Bliley Act (“GLBA”), commonly known as the Safeguards Rule and Privacy Rule. Once the notices are published in the Federal Register comments must be received within 60 days. The proposed changes to the Safeguards Rule add a number of more detailed security requirements, whereas the proposed changes to the Privacy Rule are more focused on technical changes to align the Rule with changes in law over the past decade. Continue Reading

Posted in International/EU Privacy

Dutch Data Protection Authority States Cookie Walls Violate GDPR

On 7 March 2019, the Dutch Data Protection Authority published guidance (in Dutch) that it considers “cookie walls” to violate the GDPR. A cookie wall is a pop-up on a website that blocks a user from access to the website until he or she consents to the placing of tracking cookies or similar technologies.

Under current Dutch cookie law, functional and analytical cookies can be used without consent. Tracking cookies like those used for advertising may only be used if a visitor has given consent. According to the Dutch DPA, the use of a cookie wall results in a “take it or leave it” approach. The Dutch DPA explains that this practice is not compliant with the GDPR as consent resulting from a cookie wall is not freely given, because withholding consent has negative consequences for the user as the user is not allowed access to the website. In view of the Dutch DPA, websites should offer users a real choice to accept or reject cookies. Users who decide not to consent to the placing of tracking cookies should still be granted access to the website (e.g., in exchange for payment). Continue Reading

Posted in International/EU Privacy

Vietnam Quick to Enforce New Cybersecurity Law

Vietnam’s new Law on Cybersecurity has garnered much attention due to its sweeping attempt to regulate online content available to internet users in Vietnam. Among its more controversial provisions are the requirements that both foreign and domestic online service providers store personal data of Vietnamese end-users in Vietnam, surrender such data to Vietnamese government authorities upon request, and supervise user posts to remove “prohibited” content (defined to include content viewed as disparaging of the Vietnamese government and/or government officials or state agencies). The law also requires offshore service providers to open branches or representative offices in Vietnam, presumably to facilitate enforcement of the Cybersecurity Law against them. Continue Reading