Webinar | November 21, 2019
The Data Protection Supervisory Authority for the state of Berlin (Die Berliner Beauftragte für Datenschutz und Informationsfreiheit, “Supervisory Authority”) recently issued a fine for GDPR violations against Germany’s second largest housing company Deutsche Wohnen SE (“DW”) for retaining personal data without legal justification. The amount of the fine, EUR 14.5m, is the highest issued by a German Supervisory Authority for data protection infringements so far and the first to be in the millions. Germany is thus following the trend of increasing fines set by other EU Member States’ authorities, such as the UK, France and Austria in particular. READ MORE
The Spanish supervisory authority agencia española protección datos (“Supervisory Authority”) has issued a fine (the original Spanish document can be accessed here) against an airline based on their use of a cookie banner, which the Supervisory Authority considered not to be compliant with privacy provisions.
In issuing the fine, the Supervisory Authority referred to Art. 22.2 of the Spanish Act of the Services of the Information Society and Electronic Commerce (Ley de Servicios de la Sociedad de la Información—“LSSI”) rather than the General Data Protection Regulation (“GDPR”). Art. 22.2 LSSI is based on the ePrivacy Directive, which is still in effect and is not replaced by the provisions of the GDPR—we note, however, that the ePrivacy Directive would likely be replaced by the provisions of the proposed ePrivacy Regulation, which is still being negotiated.
This fine highlights the European data protection authorities’ continued concern over the collection of personal information through cookies and other tracking technologies and should thus attract the attention of companies that provide websites to customers in the EU. The decision might set the standard for fines on the lack of consent for cookies and is in line with the rather conservative view of the European Court of Justice (“CJEU”) in its recent court decision, which explicitly referred to the GDPR (please also see our blog post on the CJEU’s decision). READ MORE
The EDPB’s new Guidelines on Article 6(1)(b) may severely limit e-commerce business’ ability to enhance data processing by unilaterally defining contractual services.
On October 8, 2019, the European Data Protection Board (“EDPB”) released the “Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects” (the “Guidelines”) after public consultation. The text of the Guidelines is available here. Largely in line with previous guidance, the EDPB takes the view that companies cannot expand legal justifications for data processing operations based on broader definitions of their services. The legal justification of a processing for performing a contract does not cover processing operations, which, reasonably, the individuals would not expect when entering into the contract. Businesses should thus carefully review the legal justifications for the processing operations and be prepared to consider limitations on certain data processing should individuals object. READ MORE
With the January 1, 2020 effective date of the California Consumer Privacy Act (the “CCPA”) rapidly approaching, all eyes have been on the California legislature’s consideration of a robust suite of amendments that would clarify ambiguities and address discrepancies underlying the prominent privacy statute. On October 11, 2019, six CCPA amendments were signed into law by the California Governor, as well as an amendment to the state’s breach notification statute. The rest of the CCPA amendments have either failed or will have to wait until next year for further consideration.
On October 10, 2019, the California Attorney General added to the complexity of the California Consumer Privacy Act of 2018 (“CCPA”) by releasing long-awaited proposed regulations that provide guidance on various elements of the CCPA. The text of the proposed regulations is available here and the California Attorney General has made other documents and information relating to the proposed regulations available here. The comment period for the proposed regulations will close on December 6, 2019. Interested parties may review and provide written comments addressing the proposed regulations prior to that date or attend one of four scheduled public hearings on the proposed regulations to be held on December 2-5, 2019. READ MORE
This alert will analyze the CJEU’s decision, provide a summary of the current regulators’ views and give practical guidance on what website operators should do. READ MORE
On August 21, 2019, the U.S. Court of Appeals for the Seventh Circuit held in FTC v. Credit Bureau Center, LLC, 2019 WL 3940917 (7th Cir. 2019) that the Federal Trade Commission (“FTC”) lacks authority to obtain monetary relief under Section 13(b) of the FTC Act. The FTC has relied on Section 13(b) to seek money relief in consumer protection enforcement actions, including privacy and cybersecurity matters, and had, prior to the Credit Bureau decision, suggested an intent to do so more frequently in the future. READ MORE