Data Protection Authority

On March 29, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the Article 29 Working Party (the “Working Party”) on its draft guidelines on the accreditation of certification bodies under the GDPR (the “Guidelines”). The Guidelines were adopted by the Working Party on February 6, 2018, for public consultation. Continue Reading CIPL Submits Comments to Article 29 Working Party’s Draft Guidelines on the Accreditation of Certification Bodies under the GDPR

Hunton & Williams LLP is pleased to announce that Richard Thomas, Global Strategy Advisor to the Centre for Information Policy Leadership (“CIPL”), has been selected as Chair for the Bailiwick of Guernsey’s new data protection authority. Adding the appointment to his position at CIPL, Thomas will be formally appointed in May and will work with the Data Protection Commissioner and the States of Guernsey to support the island’s regulatory framework in conjunction with the introduction of its new data protection law. Thomas will work on a shadow basis until his formal appointment, and the role is expected to command between 10 and 15 days per year. Continue Reading Richard Thomas Selected as Chair for Guernsey’s New Data Protection Authority

On February 12, 2018, the Luxembourg data protection authority (Commission nationale pour la protection des donées, “CNPD”) published on its website (in English and French) a form to be used for the purpose of compliance with data breach notification requirements applicable under the EU General Data Protection Regulation (the “GDPR”). The CNPD also published questions and answers (“Q&As”) regarding the requirements (only available in French). Continue Reading Luxembourg DPA Publishes Data Breach Reporting Form

On February 7, 2018, representatives of European Data Protection Authorities (“DPAs”) met in Brussels to appoint the new leader of the current Article 29 Data Protection Working Party (the “Working Party”). Andrea Jelinek, head of the Austrian DPA, was elected to the post and will replace Isabelle Falque-Pierrotin, leader of the French DPA, who has represented the Working Party over the past four years. Continue Reading Head of Austrian DPA Appointed Chair of Article 29 Working Party

On January 24, 2018, the European Commission issued a communication to the European Parliament and the Council (the “Communication”) on the direct application of the EU General Data Protection Regulation (“GDPR”). The Communication (1) recounts novel elements of the GDPR that create stronger protections for individuals and new opportunities for organizations, (2) reviews preparatory work undertaken to date for GDPR implementation, (3) outlines remaining steps for successful preparation and (4) outlines measures the European Commission intends to take up until May 25, 2018. Continue Reading EU Commission Releases Communication on Remaining Issues for GDPR Preparation

On January 10, 2018, the Law of 3 December 2017 creating the Data Protection Authority (the “Law”) was published in the Belgian Official Gazette (available in French and Dutch). The Law was submitted in the Chamber of Representatives on August 23, 2017, and was approved by the Parliament in plenary meeting on November 16, 2017. Continue Reading Belgium Adopts Law Reforming the Belgian Privacy Commission

On December 18, 2017, the French data protection authority (“CNIL”) publicly announced that it served a formal notice to WhatsApp regarding the sharing of WhatsApp users’ data with Facebook Inc. (“Facebook”). This decision, dated November 27, 2017, follows the CNIL’s investigations regarding Facebook’s 2014 acquisition of WhatsApp. In 2016, WhatsApp updated its Terms of Service and Privacy Policy to reflect the sharing of information with Facebook. Following this update, the Article 29 Working Party (“Working Party”) requested explanations from WhatsApp on its data processing practices and data sharing, and asked the company to stop sharing data for targeted advertising purposes. The Working Party also gave a mandate to its subgroup in charge of the cooperation on investigations and sanctions to coordinate actions of the relevant national data protection authorities. It is in that context that the CNIL started its investigation of WhatsApp’s data processing practices. Continue Reading The CNIL Serves Formal Notice to WhatsApp Regarding Sharing Data with Facebook

Recently, the EU’s Article 29 Working Party (”Working Party”) held a plenary meeting to discuss, among other things, the implementation of the EU General Data Protection Regulation (“GDPR”) and the EU-U.S. Privacy Shield. As well as adopting its first Joint Annual Review Report on the Privacy Shield, the Working Party has been working on a number of documents that offer review and/or guidance on the GDPR, including:

  • guidelines on (1) consent and transparency, (2) data protection certifications, and (3) derogations for personal data transfers under the GDPR;
  • updated “referentials” on adequacy and binding corporate rules for data controllers and processors; and
  • tools for cooperation between data protection authorities on data breach notifications.

Continue Reading Article 29 Working Party Meeting Sets Out State of Play on Privacy Initiatives

On November 29, 2017, the EU’s Article 29 Working Party (”Working Party”) announced the establishment of a task force to coordinate the plethora of national investigations throughout the EU into Uber’s 2016 data breach that affected approximately 57 million users worldwide. The task force is being led by the data protection authority (”DPA”) in the Netherlands, where Uber has its EU headquarters, and includes representatives from the DPAs in France, Italy, Germany, Belgium, Spain and the United Kingdom. Continue Reading EU Data Protection Authorities Establish Task Force to Collaborate on Uber Data Breach

On October 17, 2017, the French Data Protection Authority (“CNIL”), after a consultation with multiple industry participants that was launched on March 23, 2016, published its compliance pack on connected vehicles (the “Pack”) in line with its report of October 3, 2016. The Pack applies to connected vehicles for private use only (not to Intelligent Transport Systems), and describes the main principles data controllers must adhere to under both the current French legislation and the EU General Data Protection Regulation (“GDPR”).    Continue Reading French DPA Publishes a Compliance Pack Regarding Connected Vehicles