Data Protection Authority

On January 10, 2018, Advocate General Maciej Szpunar (“Advocate General”) of the Court of Justice of the European Union (“CJEU”) issued an Opinion in the case of Google v. CNIL, which is currently pending before the CJEU. In the Opinion, the Advocate General provided his views concerning the territorial scope of the right to be forgotten under the relevant EU Data Protection Directive in the case at hand.

Continue Reading Advocate General Finds Search Engine Operators May Limit the Scope of Right to Be Forgotten to the EU

On November 30, 2018, the Austrian Data Protection Authority (“DPA”) published a decision in response to a complaint received from an individual regarding the cookie consent options offered on an Austrian newspaper’s website. As a factual matter, the Austrian newspaper offered three options to individuals who sought to access content on the site: (1) accept the use of cookies for analytics and advertising purposes and have full, complimentary website access; (2) refuse cookies and obtain access to only limited content on the website; or (3) pay a monthly subscription of €6 to obtain full access to the website without accepting the use of cookies and similar tracking technologies.

Continue Reading Austrian DPA Issues Decision on Validity of Cookie Consent Solution

On December 28, 2018, the French Data Protection Authority (the “CNIL”) published guidance regarding the conditions to be met by organizations in order to lawfully share personal data with business partners or other third parties, such as data brokers. The guidance focused, in particular, on such a scenario in the context of the EU General Data Protection Regulation (“GDPR”). The CNIL guidance sets forth the 5 following conditions: Continue Reading CNIL Publishes Guidance on Data Sharing with Business Partners or Data Brokers

On December 20, 2018, the French data protection authority (the “CNIL”) announced that it levied a €400,000 fine on Uber France SAS, the French establishment of Uber B.V. and Uber Technologies Inc., for failure to implement some basic security measures that made possible the 2016 Uber data breach. Continue Reading CNIL Fines Uber for Data Security Failure Related to 2016 Data Breach

On December 19, 2018, the European Commission (the “Commission”) issued a press release regarding the publication of the Commission’s second annual review of the functioning of the EU-U.S. Privacy Shield (the “Report”).

Continue Reading Commission Publishes Report on the Second Annual Review of the Functioning of the EU-U.S. Privacy Shield

On December 13, 2018, the Dutch Data Protection Authority (“Autoriteit Persoonsgegevens”) (the “Dutch DPA”) published a report on the complaints it has received since the EU General Data Protection Regulation (“GDPR”) became applicable on May 25, 2018 (the “Report”). The GDPR gives data subjects the right to lodge a complaint with the relevant national supervisory authority when they believe that their personal data is processed in a way violative of the GDPR (see article 77 of the GDPR).

View the Report and the press release (in Dutch).

Continue Reading Dutch DPA Publishes Post-GDPR Complaints Report

EU data protection authorities (“DPAs”) are proving their willingness as enforcers with respect to the GDPR, not just with regard to the most serious acts of non-compliance but also for errors of a more administrative nature. Under the previous regime, DPAs typically required companies to register their processing activities with the regulator, but the GDPR now permits organizations to maintain data processing inventories internally, only showing them to DPAs when there is a particular need to do so. In the UK, the Information Commissioner’s Office (“ICO”) introduced a requirement for organizations to pay a “data protection fee,” which data controllers falling under the ICO’s scope must pay once a year. Those companies that fail to pay the fee risk incurring a fine of up to £4,350 each.

Continue Reading ICO Notifies More Than 900 Organizations of Failure to Pay Required Data Protection Fee

The Agency of Access to Public Information (Agencia de Acceso a la Información Pública) (“AAIP”) has approved a set of guidelines for binding corporate rules (“BCRs”), a mechanism that multinational companies may use in cross-border data transfers to affiliates in countries with inadequate data protection regimes under the AAIP.

Continue Reading Argentina DPA Issues Guidelines on Binding Corporate Rules

On November 29, 2018, the French Data Protection Authority (the “CNIL”) launched an online public consultation regarding two new CNIL draft standards (“Referentials”) concerning the processing of personal data to manage (1) business activities and (2) unpaid invoicesContinue Reading CNIL Launches Public Consultation on Draft Standards on Data Processing for Managing Business Activities and Unpaid Invoices