The French Data Protection Authority published new Guidelines on December 10, 2019 applicable to whistleblowing schemes, following a public consultation process. The Guidelines replace the former Single Authorization AU-004, which has not applied since the arrival of the General Data Protection Regulation. The CNIL has also published a useful Frequently Asked Questions webpage regarding the Guidelines. The CNIL’s new Guidelines import certain aspects of its former position on whistleblowing schemes.
On 19 July the French Data Protection Authority published new guidelines on cookies and trackers. These replace the existing Recommendation No. 2013-378 of 5 December 2013, are intended to be in line with relevant GDPR provisions and have been produced in anticipation of the future ePrivacy Regulation. The guidelines will be supplemented, at a later stage, with sectoral recommendations setting out practical methods for obtaining consent. These sectoral recommendations will be included in a final version of the guidelines on cookies and trackers open for public consultation, which will then be subject to final adoption by the CNIL (expected early 2020).
Article 83 of the GDPR provides for two levels of administrative fines: a lower level – maximum of €10 million or 2% of the global turnover – for violations relating to record-keeping, data security, data protection impact assessments, data protection by design and default, and data processing agreements; and a higher level – maximum of €20 million or 4% of the global turnover – for violations relating to data protection principles, the legal basis for processing, information to data subjects, the prohibition of processing sensitive data, denial of data subjects’ rights, and data transfers to non-EU countries.
On December 29, 2017, the Standardization Administration of China, jointly with the PRC General Administration of Quality Supervision, Inspection and Quarantine, issued the Information Security Technology – Personal Information Security Specification, which officially came into effect on May 1, 2018. The Specification has, in very practical terms, become an important point of reference in evaluating the complex overlay of data protection compliance requirements found in the Cyber Security Law, the Law on the Protection of Consumer Rights and Interests, the e-Commerce Law and other enactments and measures.
Fifteen months after forming an Internet of Things working group, on March 2, 2016, the Online Trust Alliance released a final version of its IoT Framework along with a companion Resource Guide that provides explanations and additional resources. The voluntary Framework sets forth thirty suggested guidelines that provide criteria for designing privacy, security, and sustainability into connected devices. The creation of the OTA IoT principles represents a potential starting point for achieving privacy- and security-protective innovation for IoT devices.