HL Chronicle of Data Protection Privacy & Information Security News & Trends

Tag Archives: GDPR

Posted in International/EU Privacy

EDPB’s Position on Clinical Trials Creates Friction with Other EU Legislation

Clinical trials in the EU include the collection of sensitive health data from patients. Trial sponsors are obliged to reconcile their respect of regulations governing data protection with regulations governing the conduct of clinical trials. The GDPR could not fully harmonize these rules since this area is already heavily regulated by public health regulations that vary between EU Member States. One of the most disconcerting areas of divergence between EU Member States is the different national positions on whether patient consent is a valid legal ground for processing personal data in clinical trials.

Posted in International/EU Privacy

Will Widened Class Actions Regime Boost Data Litigation in the Netherlands?

On 19 March 2019, the Dutch Senate approved legislation introducing collective damages actions in the Netherlands (the “Legislation”) which will broaden the regime even further. The Legislation introduces an option to claim monetary damages in a “US style” class action, including for violations of the GDPR. This Legislation together with the mechanisms already available under […]

Posted in International/EU Privacy

First Fine Imposed by the Polish DPA Under the GDPR

The President of the Personal Data Protection Office in Poland imposed a fine amounting to PLN 943,470 for failing to fulfil the company’s transparency obligations towards over six million data subjects under Article 14 of Europe’s General Data Protection Regulation. This is the first fine imposed by the Polish DPA under the GDPR and Poland’s Act on Personal Data Protection of 10 May 2018 implementing the GDPR. The decision provides some limited insights into the interpretation of the term “disproportionate effort” within the meaning of Article 14(5)(b) of the GDPR.

Posted in International/EU Privacy

Crumbs of Comfort: the Advocate-General’s Opinion on Consent and Cookies in Planet49

It’s no secret that a hot topic, perhaps the hot topic, in the European data protection world at present is the interplay between the GDPR and the e-Privacy Directive, in particular how it affects online advertising involving cookies. The European Data Protection Board recently released an opinion on this topic, and on 21 March the Court of Justice of the European Union released Advocate-General Szpunar’s opinion in the case of Planet49, which discusses the requirements for valid consent, in the context of both cookies under the e-Privacy Directive and more general data processing under the GDPR.

Posted in News & Events

Privacy and Cybersecurity April 2019 Events

Join us this month as we address questions about the groundbreaking California Consumer Protection Act, consumer trust issues, TCPA, trends in global privacy enforcement, navigating ePrivacy requirements, and the GDPR as Brexit nears.

Posted in International/EU Privacy

EDPB Joins the Dots of ePrivacy and GDPR

On 12 March 2019 at its Eighth Plenary Session, the European Data Protection Board adopted its Opinion 5/2019 on the interplay between the ePrivacy Directive and the General Data Protection Regulation. The Belgian Data Protection Authority had, on 3 December 2018, requested that the EDPB examine the overlap between the two laws and in particular the competence, tasks, and powers of data protection authorities. The EDPB adopted its Opinion in response to this request and in order to promote the consistent interpretation of the boundaries of the competences, tasks, and powers of DPAs.

Posted in News & Events

Privacy and Cybersecurity March 2019 Events

Join us in March as we explore key questions on the California Consumer Privacy Act, TCPA considerations for financial services, regulatory decisions on transparency and evolving industry approaches to the GDPR, artificial intelligence, as well as how Brexit will impact data protection and privacy professionals.

Posted in International/EU Privacy

GDPR Enforcement Update: Increasing Fines Expected from German DPAs

Many companies have been struggling with GDPR implementation over the past two years, putting much effort into new roles, privacy concepts, and workflows. Now that the dust of the immediate GDPR compliance rush is settling, the first details of fines imposed under the GDPR and the number of cases pending with Data Protection Authorities (DPAs) in Europe are being made public. In Germany, DPAs are investigating a broad range of non-compliance issues and showing a tendency toward increasing their enforcement activities, to the point that we expect an announcement of increasing GDPR sanctions and fines in Germany in the near future.

Posted in International/EU Privacy

An Approach for Setting Administrative Fines Under the GDPR

Article 83 of the GDPR provides for two levels of administrative fines: a lower level – maximum of €10 million or 2% of the global turnover – for violations relating to record-keeping, data security, data protection impact assessments, data protection by design and default, and data processing agreements; and a higher level – maximum of €20 million or 4% of the global turnover – for violations relating to data protection principles, the legal basis for processing, information to data subjects, the prohibition of processing sensitive data, denial of data subjects’ rights, and data transfers to non-EU countries.

Posted in International/EU Privacy

Poland: Credit Scoring in Danger?

A draft act on adjusting the Polish legal system to the provisions of the GDPR is under way in the lower house of the Polish Parliament (Sejm). The draft act contains, among others, provisions amending the rules for processing personal data by banks, credit institutions, loan companies and other entities regulated by Polish banking law.

Posted in International/EU Privacy

EDPB Advises on Lawful Grounds for Processing Personal Data in Clinical Trials

With the coming into effect of the General Data Protection Regulation (“GDPR”), those conducting clinical trials in the EU face a complex set of rules ranging from lawful grounds for processing and transparency to restrictions on data transfers and secondary uses. To assist with this task the European Commission is in the process of adopting a Q&A document on which it has sought the advice from the European Data Protection Board (“EDPB”).

Posted in International/EU Privacy

Brexit – A Data Protection Action Plan

Right now, the whole of the U.K. appears to be on the same spot looking over a precipice. However, this is not the moment to be blind. As politicians struggle to find a magic formula for a prosperous Brexit, businesses are stepping up their efforts to mitigate the damage of a possible “no-deal Brexit.” The data protection community is no different. The proposed withdrawal agreement would have preserved the status quo in data protection terms, at least until the end of the transition period in December 2020. However, if the U.K. leaves the EU without a deal, the implications for international data flows and privacy compliance generally will be severe. Therefore, British pragmatism demands an urgent and thorough approach to preparing for the eventuality of a no-deal Brexit.

Posted in International/EU Privacy

Are You Ready for Brazil’s New Data Protection Law?

The Brazilian General Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”), passed by Congress on 14 August 2018, will come into effect on 15 February 2020. The new data protection law significantly improves Brazil’s existing legal framework by regulating the use of personal data by the public and private sectors. Very similar to the General Data Protection Regulation (“GDPR”) implemented in the European Union, the LGPD imposes strict regulations on the collection, use, processing, and storage of electronic and physical personal data. In conjunction with the passing of the LGPD, the National Data Protection Authority will be created in order to adequately implement the new legislation.

Posted in International/EU Privacy

UK Government Aims for Data Protection Continuity Despite No Deal Brexit Prospect

Amid the constitutional and political uncertainties surrounding the Brexit process, the UK Government has provided welcome assurance on the data protection front. Guidance issued by the Department for Digital, Culture, Media & Sport (DCMS) confirms how UK data protection law will work in the event the UK leaves the EU without a deal. Whilst the Government still regards a No Deal Brexit as “unlikely”, given the extremely severe implications of that scenario for transfers of personal data into and out of the UK, the DCMS confirmation is hugely helpful in terms of the preparations needed for that eventuality.

Posted in International/EU Privacy

EDPB’s Common Sense Approach to the GDPR’s Territorial Scope

The EU General Data Protection Regulation is now a fully functioning six-month old creature, which has brought with it significant evolutionary changes. One of the most notable innovations of the new European data protection framework is its ambitious extra-territorial application. The introduction of brand new grounds for the applicability of the law was a major development. As a result, and as essential as this is, the GDPR’s territorial scope of application has become one of the most difficult issues to pin down. Therefore, the publication of the European Data Protection Board’s draft guidelines on the territorial scope of the GDPR marks an important milestone in understanding the implications of this influential framework.

Posted in International/EU Privacy

DP Impact Assessments: EDPB Differs Slightly from ICO Position

The European Data Protection Board (EDPB) has recently published its Opinion on the (United Kingdom) Information Commissioner’s list of processing activities which would require a Data Protection Impact Assessment under the GDPR. In its Opinion, the EDPB appears to be moving away from the idea that processing of genetic or location data, on its own, might be enough to trigger the mandatory DPIA requirements of the GDPR. This news will perhaps come as a relief to organisations currently struggling to come to grips with the “new” DPIA process and the resources and time that it demands. But, should we be surprised by the EDPB’s Opinion and will it have a significant impact in practice on the way organisations consider and conduct DPIAs?

Posted in Cybersecurity & Data Breaches, International/EU Privacy

Data Protection Authority of Baden-Württemberg Issues First German Fine Under the GDPR

In the first fine issued by a German data protection authority under the GDPR, on 21 November 2018 the authority of the German state of Baden-Württemberg (“LfDI”) imposed a fine of Euro 20,000 on a social media provider for a violation of its data security obligations under Art. 32 of the GDPR. The company’s very good cooperation with the LfDI was key to avoiding a higher level of fines.

Posted in International/EU Privacy

Data Protection and the Draft EU-UK Withdrawal Agreement: Ten Initial Conclusions

The draft text of the EU-UK withdrawal agreement was published by the UK Government and the European Union yesterday, providing some of the first concrete indicators of the possible direction of travel in the area of data protection. In this post, we discuss ten initial conclusions from the draft text.

Posted in International/EU Privacy

Busting the Myth: Compliance with the ‘Gold Standard’ of the GDPR Does Not Buy You a ‘Free Pass’ Under China’s New Personal Information Guidelines

On December 29, 2017, the Standardization Administration of China, jointly with the PRC General Administration of Quality Supervision, Inspection and Quarantine, issued the Information Security Technology – Personal Information Security Specification, which officially came into effect on May 1, 2018. The Specification has, in very practical terms, become an important point of reference in evaluating the complex overlay of data protection compliance requirements found in the Cyber Security Law, the Law on the Protection of Consumer Rights and Interests, the e-Commerce Law and other enactments and measures.

Posted in International/EU Privacy, Privacy & Security Litigation

U.S. Court Allows Video Deposition Over EU Deponent’s Privacy Objections

A U.S. court has recently ruled that an EU citizen’s privacy rights and the GDPR do not trump a U.S. litigant’s right to obtain discovery, including video-taped depositions. In d’Amico Dry d.a.c. v. Nikka Finance, Inc., CA 18-0284-KD-MU, Dkt. No. 140 (Adm. S.D. Ala. Oct. 19, 2018), a federal magistrate denied an EU citizen’s motion […]

Posted in International/EU Privacy

French Data Protection Authority’s Latest Newsletter Includes Assessment of First Four Months of GDPR & Several Guidelines

The French Data Protection Authority (the CNIL) published its assessment of the first four months of GDPR and several guidelines, including one on how to make a GDPR compliant blockchain. Since the Data Protection Act’s implementation, the CNIL has been very active in guiding French citizens on how to comply with the new legal framework and warning them about threats from new technologies.