On January 10, 2018, Advocate General Maciej Szpunar (“Advocate General”) of the Court of Justice of the European Union (“CJEU”) issued an Opinion in the case of Google v. CNIL, which is currently pending before the CJEU. In the Opinion, the Advocate General provided his views concerning the territorial scope of the right to be forgotten under the relevant EU Data Protection Directive in the case at hand.
On December 28, 2018, the French Data Protection Authority (the “CNIL”) published guidance regarding the conditions to be met by organizations in order to lawfully share personal data with business partners or other third parties, such as data brokers. The guidance focused, in particular, on such a scenario in the context of the EU General Data Protection Regulation (“GDPR”). The CNIL guidance sets forth the 5 following conditions: Continue Reading CNIL Publishes Guidance on Data Sharing with Business Partners or Data Brokers
On December 20, 2018, the French data protection authority (the “CNIL”) announced that it levied a €400,000 fine on Uber France SAS, the French establishment of Uber B.V. and Uber Technologies Inc., for failure to implement some basic security measures that made possible the 2016 Uber data breach. Continue Reading CNIL Fines Uber for Data Security Failure Related to 2016 Data Breach
The Agency of Access to Public Information (Agencia de Acceso a la Información Pública) (“AAIP”) has approved a set of guidelines for binding corporate rules (“BCRs”), a mechanism that multinational companies may use in cross-border data transfers to affiliates in countries with inadequate data protection regimes under the AAIP.
On November 9, 2018, Serbia’s National Assembly enacted a new data protection law. The Personal Data Protection Law, which becomes effective on August 21, 2019, is modeled after the EU General Data Protection Regulation (“GDPR”).
On November 20, 2018, the Illinois Supreme Court heard arguments in a case that could shape future litigation under the Illinois Biometric Information Privacy Act (“BIPA”). BIPA requires companies to (i) provide prior written notice to individuals that their biometric data will be collected and the purpose for such collection, (ii) obtain a written release from individuals before collecting their biometric data and (iii) develop a publicly available policy that sets forth a retention schedule and guidelines for deletion once the biometric data is no longer used for the purpose for which it was collected (but for no more than three years after collection). BIPA also prohibits companies from selling, leasing or trading biometric data.
On November 8, 2018, Privacy International (“Privacy”), a non-profit organization “dedicated to defending the right to privacy around the world,” filed complaints under the GDPR against consumer marketing data brokers Acxiom and Oracle. In the complaint, Privacy specifically requests the Information Commissioner (1) conduct a “full investigation into the activities of Acxiom and Oracle,” including into whether the companies comply with the rights (i.e., right to access, right to information, etc.) and safeguards (i.e., data protection impact assessments, data protection by design, etc.) in the GDPR; and (2) “in light of the results of that investigation, [take] any necessary further [action]… that will protect individuals from wide-scale and systematic infringements of the GDPR.” Continue Reading Privacy Advocacy Organization Files GDPR Complaints Against Data Brokers
On November 7, 2018, the Data Protection Authority of Bavaria for the Private Sector (the “BayLDA”) issued a press release describing audits completed and pending in Bavaria since the EU General Data Protection Regulation (“GDPR”) took force. Continue Reading BayLDA Publishes Review on Audits
On September 26, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the Indian Ministry of Electronics and Information Technology on the draft Indian Data Protection Bill 2018 (“Draft Bill”). Continue Reading CIPL Submits Comments on Draft Indian Data Protection Bill
The Information Commissioner’s Office (“ICO”) in the UK has issued the first formal enforcement action under the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (the “DPA”) on Canadian data analytics firm AggregateIQ Data Services Ltd. (“AIQ”). The enforcement action, in the form of an Enforcement Notice served under section 149 of the DPA, requires AIQ to “cease processing any personal data of UK or EU citizens obtained from UK political organizations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.” Continue Reading ICO Issues First Enforcement Action Under the GDPR