On November 29, 2018, the French Data Protection Authority (the “CNIL”) launched an online public consultation regarding two new CNIL draft standards (“Referentials”) concerning the processing of personal data to manage (1) business activities and (2) unpaid invoicesContinue Reading CNIL Launches Public Consultation on Draft Standards on Data Processing for Managing Business Activities and Unpaid Invoices

On November 23, 2018, the European Data Protection Board (“EDPB”) published its long-awaited draft guidelines on the extraterritorial application of the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”). To date, there has been a degree of uncertainty for organizations regarding the scope of the GDPR’s application outside of the EU. While the Guidelines provide some clarity on this issue, questions will remain for non-EU controllers and processors. Importantly, these Guidelines are only in draft form and are open for consultation until January 18, 2019, which will give organizations an opportunity to provide comments and raise additional questions in an effort to obtain further clarification from the EDPB on these important scoping questions.

Continue Reading EDPB Publishes Guidelines on Extraterritorial Application of the GDPR

On November 14, 2018, the UK government and the EU agreed upon the text of a draft Withdrawal Agreement in relation to the UK’s impending exit from the European Union on March 29, 2019. The draft Withdrawal Agreement provides for a transition period under which the UK will remain subject to a number of its EU membership obligations, during the period starting when the UK leaves the EU on March 29, 2019 to the end of the transition period on December 31, 2020. The draft Withdrawal Agreement provides the following in relation to data protection law: Continue Reading UK and EU Draft Withdrawal Agreement

On November 8, 2018, Privacy International (“Privacy”), a non-profit organization “dedicated to defending the right to privacy around the world,” filed complaints under the GDPR against consumer marketing data brokers Acxiom and Oracle. In the complaint, Privacy specifically requests the Information Commissioner (1) conduct a “full investigation into the activities of Acxiom and Oracle,” including into whether the companies comply with the rights (i.e., right to access, right to information, etc.) and safeguards (i.e., data protection impact assessments, data protection by design, etc.) in the GDPR; and (2) “in light of the results of that investigation, [take] any necessary further [action]… that will protect individuals from wide-scale and systematic infringements of the GDPR.” Continue Reading Privacy Advocacy Organization Files GDPR Complaints Against Data Brokers

On November 6, 2018, the French Data Protection Authority (the “CNIL”) published its own guidelines on data protection impact assessments (the “Guidelines”) and a list of processing operations that require a data protection impact assessment (“DPIA”). Read the guidelines and list of processing operations (in French). Continue Reading CNIL Publishes DPIA Guidelines and List of Processing Operations Subject to DPIA

On October 17, 2018, the French data protection authority (the “CNIL”) published a press release detailing the rules applicable to devices that compile aggregated and anonymous statistics from personal data—for example, mobile phone identifiers (i.e., media access control or “MAC” address) —for purposes such as measuring advertising audience in a given space and analyzing flow in shopping malls and other public areas. Read the press release (in French). Continue Reading CNIL Details Rules on Audience and Traffic Measuring in Publicly Accessible Areas

Recently, the French Data Protection Authority (the “CNIL”) published a statistical review of personal data breaches during the first four months of the EU General Data Protection Regulation’s (“GDPR”) entry into application. View the review (in French).  Continue Reading CNIL Publishes Statistical Review of Data Breaches Since Entry into Application of GDPR