On November 29, 2018, the French Data Protection Authority (the “CNIL”) launched an online public consultation regarding two new CNIL draft standards (“Referentials”) concerning the processing of personal data to manage (1) business activities and (2) unpaid invoices. Continue Reading CNIL Launches Public Consultation on Draft Standards on Data Processing for Managing Business Activities and Unpaid Invoices
European Union
EDPB Publishes Guidelines on Extraterritorial Application of the GDPR
Posted on
Posted in European Union, International
On November 23, 2018, the European Data Protection Board (“EDPB”) published its long-awaited draft guidelines on the extraterritorial application of the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”). To date, there has been a degree of uncertainty for organizations regarding the scope of the GDPR’s application outside of the EU. While the Guidelines provide some clarity on this issue, questions will remain for non-EU controllers and processors. Importantly, these Guidelines are only in draft form and are open for consultation until January 18, 2019, which will give organizations an opportunity to provide comments and raise additional questions in an effort to obtain further clarification from the EDPB on these important scoping questions.
Continue Reading EDPB Publishes Guidelines on Extraterritorial Application of the GDPR
Belgian DPA Publishes Post-GDPR Activity Review
Posted on
Posted in European Union, International
On November 23, 2018, the Belgian Data Protection Authority (the “Belgian DPA”) published a review of its activities since the EU General Data Protection Regulation (“GDPR”) became applicable on May 25, 2018 (the “Review”). The Review is available in French and in Dutch. Continue Reading Belgian DPA Publishes Post-GDPR Activity Review
UK ICO Issues Warning to Washington Post Over Cookie Consent Practices
Posted on
On November 19, 2018, The Register reported that the UK Information Commissioner’s Office (“ICO”) issued a warning to the U.S.-based The Washington Post over its approach to obtaining consent for cookies to access the service. Continue Reading UK ICO Issues Warning to Washington Post Over Cookie Consent Practices
UK and EU Draft Withdrawal Agreement
Posted on
Posted in European Union, International
On November 14, 2018, the UK government and the EU agreed upon the text of a draft Withdrawal Agreement in relation to the UK’s impending exit from the European Union on March 29, 2019. The draft Withdrawal Agreement provides for a transition period under which the UK will remain subject to a number of its EU membership obligations, during the period starting when the UK leaves the EU on March 29, 2019 to the end of the transition period on December 31, 2020. The draft Withdrawal Agreement provides the following in relation to data protection law: Continue Reading UK and EU Draft Withdrawal Agreement
Privacy Advocacy Organization Files GDPR Complaints Against Data Brokers
Posted on
On November 8, 2018, Privacy International (“Privacy”), a non-profit organization “dedicated to defending the right to privacy around the world,” filed complaints under the GDPR against consumer marketing data brokers Acxiom and Oracle. In the complaint, Privacy specifically requests the Information Commissioner (1) conduct a “full investigation into the activities of Acxiom and Oracle,” including into whether the companies comply with the rights (i.e., right to access, right to information, etc.) and safeguards (i.e., data protection impact assessments, data protection by design, etc.) in the GDPR; and (2) “in light of the results of that investigation, [take] any necessary further [action]… that will protect individuals from wide-scale and systematic infringements of the GDPR.” Continue Reading Privacy Advocacy Organization Files GDPR Complaints Against Data Brokers
BayLDA Publishes Review on Audits
Posted on
Posted in Cybersecurity, European Union
On November 7, 2018, the Data Protection Authority of Bavaria for the Private Sector (the “BayLDA”) issued a press release describing audits completed and pending in Bavaria since the EU General Data Protection Regulation (“GDPR”) took force. Continue Reading BayLDA Publishes Review on Audits
CNIL Publishes DPIA Guidelines and List of Processing Operations Subject to DPIA
Posted on
Posted in European Union, Information Security
On November 6, 2018, the French Data Protection Authority (the “CNIL”) published its own guidelines on data protection impact assessments (the “Guidelines”) and a list of processing operations that require a data protection impact assessment (“DPIA”). Read the guidelines and list of processing operations (in French). Continue Reading CNIL Publishes DPIA Guidelines and List of Processing Operations Subject to DPIA
CNIL Details Rules on Audience and Traffic Measuring in Publicly Accessible Areas
Posted on
On October 17, 2018, the French data protection authority (the “CNIL”) published a press release detailing the rules applicable to devices that compile aggregated and anonymous statistics from personal data—for example, mobile phone identifiers (i.e., media access control or “MAC” address) —for purposes such as measuring advertising audience in a given space and analyzing flow in shopping malls and other public areas. Read the press release (in French). Continue Reading CNIL Details Rules on Audience and Traffic Measuring in Publicly Accessible Areas
CNIL Publishes Statistical Review of Data Breaches Since Entry into Application of GDPR
Posted on
Posted in European Union, Security Breach
Recently, the French Data Protection Authority (the “CNIL”) published a statistical review of personal data breaches during the first four months of the EU General Data Protection Regulation’s (“GDPR”) entry into application. View the review (in French). Continue Reading CNIL Publishes Statistical Review of Data Breaches Since Entry into Application of GDPR