On October 11, 2018, the French data protection authority (the “CNIL”) announced that it adopted two referentials (i.e., guidelines) on the certification of the data protection officer (“DPO”). View the announcement (in French). As a practical matter, both referentials are intended to apply to DPOs located in France or who speak French. The referentials include: Continue Reading CNIL Adopts Referentials on DPO Certification

On October 5, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP hosted a workshop on how to implement, demonstrate and incentivize accountability under the EU General Data Protection Regulation (“GDPR”), in collaboration with AXA in Paris, France. In addition to the workshop, on October 4, 2018, CIPL hosted a Roundtable on the Role of the Data Protection Office (“DPO”) under the GDPR at Mastercard and a pre-workshop dinner at the Chanel School of Fashion, sponsored by Nymity. Continue Reading CIPL Hosts Workshop on Accountability Under the GDPR in Paris

The European Data Protection Board (“EDPB”) recently published 22 Opinions on the draft lists of Supervisory Authority (“SAs”) in EU Member States regarding which processing operations are subject to the requirement of conducting a data protection impact assessment (“DPIA”) under the EU General Data Protection Regulation (“GDPR”). Continue Reading EDPB Adopts Opinions on National DPIA Lists in the EU

Recently, the French Data Protection Authority (“CNIL”) published its initial assessment of the compatibility of blockchain technology with the EU General Data Protection Regulation (GDPR) and proposed concrete solutions for organizations wishing to use blockchain technology when implementing data processing activities. Continue Reading CNIL Publishes Initial Assessment on Blockchain and GDPR

On September 27, 2018, the Federal Trade Commission announced a settlement agreement with four companies – IDmission, LLC, (“IDmission”) mResource LLC (doing business as Loop Works, LLC) (“mResource”), SmartStart Employment Screening, Inc. (“SmartStart”), and VenPath, Inc. (“VenPath”) – over allegations that each company had falsely claimed to have valid certifications under the EU-U.S. Privacy Shield framework. The FTC alleged that SmartStart, VenPath and mResource continued to post statements on their websites about their participation in the Privacy Shield after allowing their certifications to lapse. IDmission had applied for a Privacy Shield certification but never completed the necessary steps to be certified. Continue Reading Four Companies Settle FTC Allegations Regarding False EU-U.S. Privacy Shield Certifications

On September 25, 2018, the French Data Protection Authority (the “CNIL”) published the first results of its factual assessment of the implementation of the EU General Data Protection Regulation (GDPR) in France and in Europe. When making this assessment, the CNIL first recalled the current status of the French legal framework, and provided key figures on the implementation of the GDPR from the perspective of privacy experts, private individuals and EU supervisory authorities. The CNIL then announced that it will adopt new GDPR tools in the near future. Read the full factual assessment (in French). Continue Reading CNIL Publishes Initial Assessment of GDPR Implementation

The Information Commissioner’s Office (“ICO”) in the UK has issued the first formal enforcement action under the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (the “DPA”) on Canadian data analytics firm AggregateIQ Data Services Ltd. (“AIQ”). The enforcement action, in the form of an Enforcement Notice served under section 149 of the DPA, requires AIQ to “cease processing any personal data of UK or EU citizens obtained from UK political organizations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.” Continue Reading ICO Issues First Enforcement Action Under the GDPR

Recently, the UK Information Commissioner’s Office (“ICO”) fined credit rating agency Equifax £500,000 for failing to protect the personal data of up to 15 million UK individuals. The data was compromised during a cyber attack that occurred between May 13 and July 30, 2017, which affected 146 million customers globally. Although Equifax’s systems in the U.S. were targeted, the ICO found the credit agency’s UK arm, Equifax Ltd, failed to take appropriate steps to ensure that its parent firm, which processed this data on its behalf, had protected the information. The ICO investigation uncovered a number of serious contraventions of the UK Data Protection Act 1998 (the “DPA”), resulting in the ICO imposing on Equifax Ltd the maximum fine available. Continue Reading UK ICO Fines Equifax for 2017 Breach

On September 5, 2018, the Law of 30 July 2018 on the Protection of Natural Persons with regard to the Processing of Personal Data (the “Law”) was published in the Belgian Official Gazette.

This is the second step in adapting the Belgian legal framework to the EU GDPR after the Law of 3 December 2017 Creating the Data Protection Authority, which reformed the Belgian Data Protection Authority.

The Law is available in French and Dutch.