After Alabama passed its data breach law, there is no American jurisdiction without a data breach statute

On March 28, 2018, Alabama was the last State, after South Dakota, to adopt a data breach notification statute. The Alabama Data Breach Notification Act of 2018 (S.B. 318) went into effect on June 1, 2018. According to the Alabama Statute, any “covered entity” and “third-party agent” must comply. Written notification must be made to all affected […]


NY A.G. settled with five companies whose mobile apps were not secure

On December 14, 2018, New York Attorney General Barbara D. Underwood announced settlements with Western Union Financial Services, Inc.,, LLC, Equifax Consumer Services, LLC, Spark Networks, Inc., and Credit Sesame, Inc., “for having mobile apps that failed to keep sensitive user information secure when transmitted over the Internet.” No fraud had happened with those […]

Tags: ,

CNIL publishes guidance on data transfer to third parties for electronic prospecting

On December 28, 2018, the French Data Protection Agency, the Commission Nationale de l’informatique et des Libertés (CNIL) published several principles to help companies comply with the General Data Protection Regulation (GDPR) while transferring personal data to their commercial partners for electronic prospecting. Particularly, the CNIL highlights how: the data subject must give consent before the […]

Tags: ,

GDPR complaints against Google for tracking filed with seven EU DPAs

On November 27, 2018, the European Consumer Organisation (BEUC), informed that seven EU consumer organizations filed complaints against Google with their national data protection authorities (DPAs) for breaching the General Data Protection Regulation (GDPR) in relation to how the company tracks its users’ location. The complaints are based on new research (Every step you take) […]

Tags: ,

Italian DPA opines words “father-mother” contained in new bill could force disclosure of inaccurate and unnecessary data

Expressing an opinion on a proposed bill aiming at substituting –in a 2015 Ministerial decree, Ministero dell’Interno del 23 dicembre 2015 – the words “father“ and “mother” in place of “parents or legal guardians” on the application for a minor’s ID, the Garante per la Protezione dei Dati (the Italian Data Protection Authority) highlights how the […]

Portuguese hospital challenges GDPR EUR 400,000 fine

On October 10, 2018, the Portuguese Data Protection Authority (CNPD) found the Barreiro Hospital guilty of violating the integrity and confidentiality principle and the data minimization principle set forth by the GDPR. According to this source, the infringements were punished with a fine of €400,000. The hospital is going to fight the fine, this source […]

Tags: , ,

Digital Single Market: European Parliament adopts new regulation on the free flow of non-personal data in the EU

On October 4, 2018, the European Parliament adopted the proposed EU Regulation on the Free Flow of Non-Personal Data in the European Union. The Regulation aims at removing obstacles to the free movement of non-personal data within the European Union. The Regulation does not cover data mobility outside the EU. The approved Regulation does not […]

Tags: ,

Report on the Blockchain and the GDPR by the European Union Blockchain Observatory and Forum

On October 16, 2018, the European Union Blockchain Observatory and Forum published a thematic report on the Blockchain and the GDPR (“Report”). The report includes the input of a number of different stakeholders and sources. The report aims at answering the question of whether GDPR compliant blockchain is possible. The paper highlights a fundamental point: […]

Tags: , ,

EDPS will open consultation on Guidelines on GDPR’s Territorial Scope

On September 26, 2018, the European Data Protection Board (EDPB) met for their third plenary session. During such session the EDPB adopted Guidelines on the GDPR’s Territorial Scope. The guidelines will be subject to a public consultation. The Guidelines aim at clarifying the territorial scope of the GDPR, in particular where the data controller or […]

Tags: ,

1 2 3 24