Over the past few days, commentators and, in some cases, government ministers have stated that the GDPR (and by association the Data Protection Act 2018) are preventing some organisations from providing a comprehensive response to the COVID-19 crisis. READ MORE
The decision to appeal a regulatory finding is never taken lightly. By the time a regulator has completed its investigation and notified a company of its intention to fine, the company will have invested significant time and money in responding to the regulatory investigation. As such, there is a real temptation to accept the fine and the accompanying statement from the regulator and move on.
However, in the case of recent regulatory findings, fines and intentions to fine issued by the UK’s Information Commissioner’s Office (the “ICO”) against British Airways, Marriott and Dixons Carphone, all three companies have appealed or indicated an intention to appeal despite the significant difference in the levels of the fines/intentions to fine. In our view, this is related to the spectre of an emerging class action litigation culture in the UK that increases the stakes for any company facing negative regulatory findings.
In this UK-focused blog we explore the potential motivation behind these decisions to appeal, why we expect to see more companies taking this approach in the future, and the steps to be taken in order to appeal decisions by the ICO and we also consider whether the companies that have failed to appeal and are now facing class actions made the right decision when they elected not to appeal.
Since the first enforcement actions have been initiated, some with significant fines, many companies may find themselves somewhat at a loss as they may not fully know how to assess the risks involved and how to react should an enforcement action be initiated against them. Here we will give a high-level overview on risks and strategies in enforcement actions. READ MORE
At the beginning of this month, more than 4,000 privacy professionals from around the globe gathered in Washington, D.C. for the International Association of Privacy Professionals’ Global Privacy Summit 2019. The conference focused on lessons learned from the first year of GDPR enforcement in Europe, the expansion of European-style rights to more jurisdictions around the world, plans for addressing new obligations imposed by the CCPA in California, and the future of privacy law in the United States including whether federal legislature is likely or desired – especially in light of the CCPA and similar proposed legislation in states throughout the nation. READ MORE
On January 21, 2019, the French data protection supervisory authority (“CNIL”) fined Google €50 million (approximately $57 million) for violating the European General Data Protection Regulation (“GDPR”). The fine penalizes Google for failing to comply with the GDPR’s transparency and notice requirements, and for failing to properly obtain consent from users for ads personalization. This is the largest GDPR fine imposed to date and the first action against a major global tech player. The CNIL’s decision sends an important message to companies that tough enforcement actions are not just a theoretical threat. Companies should look closer at data protection compliance and particularly work on their notices and consent forms. READ MORE
In November, the German Data Protection Conference (committee of the independent German federal and state data protection supervisory authorities) (“DSK”) published a guidance on the processing of personal data for direct marketing purposes under the GDPR. This guidance finally brings some light into the darkness of marketing under the GDPR. READ MORE
Today, Orrick announced the launch of our automated General Data Protection Regulation (GDPR) Readiness Assessment Tool, which makes the EU’s new, complex, data privacy law, the GDPR, more accessible. The free tool is available to all organizations and allows businesses to stress test their compliance against the upcoming GDPR. It segments the GDPR into 14 workable themes and guides the user through a series of dynamic questions relating to each theme. Upon completion of the assessment, the tool provides a complimentary tailored report summarizing the likely key impacts of the GDPR for an organization. READ MORE
Companies required to appoint a data protection officer (“DPO” ) in Europe should carefully consider which candidate is best to select for the job. A company established in Bavaria, Germany, was recently fined by the Bavarian data protection authority (Bayerisches Landesamt für Datenschutzaufsicht, “BayLDA“) for appointing a DPO who at the same time held an operational position as an IT manager. The appointment was deemed to create a conflict of interests between the two functions. This decision could potentially influence the interpretation of the upcoming EU General Data Protection Regulation (“GDPR“) and thus influence the appointment of DPOs by international companies.
Data breach notification requirements are going global. By spring 2018, companies operating in the European Union must comply with the new General Data Protection Regulation’s (GDPR) data breach notification requirements and the Network and Information Security (NIS) Directive’s security incident notification requirements. Stricter and more far-reaching notification obligations underscore the importance of establishing a proactive Security Incident Response Policy to analyze potential legal obligations and prepare to respond to incidents long before they occur.
The Düsseldorfer Kreis, a committee made up of representatives of German data protection authorities, recently published guidance on the requirements for obtaining valid consent to the collection, processing and use of personal data under the relevant German data protection provisions, the Federal Data Protection Act (Bundesdatenschutzgesetz) (“BDSG”) and the Telemedia Act (Telemediengesetz).
The Düsseldorfer Kreis frequently publishes guidelines on topics of relevance for data privacy law which are broadly recognized as good practices (and from the supervisory authorities’ viewpoint, mandatory interpretations of the applicable law). The German data protection authorities found the topic of consent to be particularly relevant, noting that while it is common for companies to rely on obtaining consent from their customers to justify the processing of personal data, in many cases these companies fail to implement compliant data privacy consent language into their business processes. To ensure that such data processing can be performed in compliance with data privacy law, the procedure of obtaining valid consent should be the focus of any company active in processing personal data.