On September 14, 2017, the UK Government introduced a new Data Protection Bill to Parliament, which is intended to replace the UK's existing Data Protection Act 1998 and enshrine the GDPR into UK law once the UK has left the European Union.… Continue Reading
On June 20, 2017, the UK Information Commissioner’s Office published an updated version of its Code of Practice on Subject Access Requests. The updates are primarily in response to three Court of Appeal decisions from earlier this year regarding data controllers’ obligations to respond to subject access requests. The revisions more closely align the ICO’s position with the court’s judgments.… Continue Reading
Pablo Palazzi, from Buenos Aires law firm Allende & Brea, reports that earlier this month, the Argentine Data Protection Agency posted the first draft of a new data protection bill on its website. The Draft Bill is heavily based on the EU GDPR and maintains the structure of Argentina’s current data protection bill.… Continue Reading
On February 1, 2017, Matt Hancock, the UK Government Minister responsible for data protection, was questioned by the House of Lords committee on the UK’s implementation plan of the EU General Data Protection Regulation in the context of Brexit. In responding to the questioning, Hancock revealed further details into the UK Government’s position on implementing the GDPR into UK law.… Continue Reading
On November 23, 2016, Bloomberg BNA reported that the Hague Administrative Court in the Netherlands upheld a decision by the Dutch Data Protection Authority that WhatsApp was in breach of the Dutch Data Protection Act. … Continue Reading
On October 7, 2016, the French Digital Republic Bill (the “Bill”) was enacted after a final vote from the Senate. The Bill aligns the French legal data protection framework with the EU General Data Protection Regulation (“GDPR”) requirements before the GDPR becomes applicable in May 2018.… Continue Reading
On October 3, 2016, at the Paris Motor Show, the CNIL reported on the progress of a new, expanded compliance pack on connected vehicles. The work was launched on March 23, 2016, and should be finalized in Spring 2017. … Continue Reading
On July 20, 2016, the French Data Protection Authority announced that it issued a formal notice to Microsoft Corporation ordering the company to address several alleged violations of the French Data Protection Act concerning the Windows 10 operating system.… Continue Reading
On June 28, 2016, the UK Information Commissioner's Office released its Annual Report for 2015 - 2016. This blog post provides a summary of the report.… Continue Reading
On June 30, 2016, a joint committee composed of representatives from both chambers of the French Parliament reached a common position on the French ‘Digital Republic’ Bill that rejects the data localization amendment previously approved by the French Senate, but significantly amends other aspects of the French Data Protection Act. … Continue Reading
On January 1, 2016, a Dutch law became effective that (1) includes a general obligation for data controllers to notify the Data Protection Authority of data security breaches, and (2) authorizes the Data Protection Authority to impose direct fines for violations of the Data Protection Act.… Continue Reading
On July 28, 2015, the UK Supreme Court announced its decision to grant permission in part for Google to appeal the England and Wales Court of Appeal’s decision in Google Inc. v Vidal-Hall and Others. … Continue Reading
On September 4, 2014, the UK Information Commissioner's Office published guidance on data protection for the media that explains how the UK Data Protection Act 1998 applies to journalism and provides best practices for journalists and the media.… Continue Reading
On July 15, 2014, the UK Information Commissioner's Office released its Annual Report for 2013/14, in which it calls for increases in its funding and substantial new powers to help combat a range of growing privacy and data protection concerns.… Continue Reading
On May 13, 2014, the French data protection authority decided to examine 100 mobile apps most commonly used in France. This review takes place in connection with the Global Privacy Enforcement Network’s second annual enforcement sweep, which involves participation by the CNIL and 26 data protection authorities.… Continue Reading
On December 18, 2013, the UK Information Commissioner's Office published a public consultation document containing its proposed strategy for handling data protection violation complaints. The ICO is seeking comments on the proposal through January 31, 2014, and intends to implement the new approach beginning in April.… Continue Reading
As we reported on October 8, 2013, the UK Information Commissioner's Office is in the process of reviewing its Privacy Notices Code of Practice. With the November 30 deadline for submitting comments fast approaching, today the ICO's Head of Policy Delivery posted a request for feedback on the ICO blog.… Continue Reading
In its October 2013 e-newsletter, the UK Information Commissioner's Office announced that it is reviewing its Privacy Notice Code of Practice to assess whether it should be updated. The Code, last updated in December 2010, is designed to assist organizations in drafting privacy notices.… Continue Reading
On September 10, 2013, the UK Information Commissioner’s Office (“ICO”) published new guidance on direct marketing (the “Guidance”). The Guidance explains the application of the two principal legislative instruments that affect direct marketing in the UK: (1) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), which relates specifically to direct marketing; and (2) … Continue Reading
On August 6, 2013, the UK Information Commissioner’s Office (“ICO”) opened a new consultation on a draft code of practice on conducting privacy impact assessments (the “Code”).… Continue Reading
The UK Information Commissioner’s Office has published guidance on the application of Data Protection Act requirements to social networking sites and online forums. The guidance emphasizes that organizations and individuals that process data for business purposes must comply with DPA requirements in their use of social networking sites and online forums just as they would in any other context.… Continue Reading
On May 20, 2013, the Estonian Data Protection Inspectorate issued its Annual Report 2012. This blog entry provides highlights of the Report.… Continue Reading
On May 6, 2013, the Global Privacy Enforcement Network announced its first “Internet Privacy Sweep,” in which 19 data protection authorities are participating. This joint effort, which runs May 6-12, 2013, involves a review of the information notices posted online by major websites.… Continue Reading
