A German subsidiary of H&M was fined over €35 million ($41.3 million) for violation of the GDPR in the use of its employees’ data. It was found that since 2014, H&M had been processing a considerable amount of data about its employees’ persona life (such as holiday experiences, family issues, religious beliefs, and illness […]

The EDPB issued two drafts decisions on BCR (binding corporate rules), one submitted by the Norwegian SA and one by the Swedish SA. They are available here europa.eu/!tU46hy

The City of Paris will not be able to sue the drones to monitor social distance any more. In a lawsuit filed by Human Rights League and Quadrature du Net against the city of Paris for its use of drones to monitor social distance, the Conseil d’Etat (State Council, France’s highest administrative court) ruled on […]

The Spanish DPA (AEPD) publishes a report on coronavirus data treatments. The report states that the GDPT explicitly recognizes in its Recital 46 as a legal basis for the legal treatment of personal data in exceptional cases, such as the control of epidemics and their spread, the mission carried out in the public interest (art. […]

On 4 May 2020, the EDPB adopted the Guidelines 05/2020 on consent under Regulation 2016/679, Version 1.0. The Guidelines are based on the WP29 guidelines For more information Francesca Giannoni-Crystal      edpb_guidelines_202005_consent_en

April 10, 2020, the Committee on Legal Ethics and Professional Responsibility of the Pennsylvania Bar Association issued, Formal Opinion 2020-300 “Ethical Obligations For Lawyers Working Remotely” The Committee noticed that When Pennsylvania Governor Tom Wolf ordered all “non-essential businesses,” including law firms to close their offices during the COVID-19 pandemic, and also ordered all persons […]

On 28 April 2020, the Belgian DPA sanction Proximus SA (previously Belgacom) for €50,000 on two basis:  non-cooperation under Article 31 of the GDPR and violation of Article 38(6) of the GDPR by appointing as DPO the director of one of its departments (Head of Compliance, Risk and Audit). The problem with the latter was conflict […]

On April 23, 2020 a federal court officially approved the agreement reached between Facebook and the Federal Trade Commission (FTC) last July. FTC’s investigation began after the events of Cambridge Analytica in 2018. See here for more about this investigation. The reached settlement agreement received some criticism. Facebook agreed to shift its approach to  privacy, […]

  UPDATE – March 2020 – Washington Privacy Act fails again It was almost given for granted that the Washington Privacy Act would have passed this time. The Washington State House and Senate were debating two similar bills. The difference was in the enforcement mechanism: while in the House’s Bill both the Attorney General’s office and any […]

EDPB’s Guidelines on the processing of data related to Covid-19 research data. More here 

On January 31, 2020 the EDPS published Revised Guidelines on personal data and electronic communications in the EU institutions (eCommunications guidelines). Recognizing that for “most people, electronic communications (eCommunications) such as email, internet and telephony, occupy a central role in their day-to-day professional and personal activities” and that “eCommunications are essential for organisations to operate […]

On  28 January 2020 adopted the European Data Protection Board (“EDPB”) adopted the Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications. The EDPB states that “connected vehicles are generating increasing amounts of data, most of which can be considered personal data since they will relate to drivers […]

In Formal Opinion 2019-5, the New York City Bar Ethics Committee advised that agreements requiring the client to pay the lawyer’s fees in cryptocurrency amounted to transactions in which the fee is paid in property rather than standard fee agreements. The Ethics Committee had been asked to opined on the question: Is a fee agreement requiring the […]

The GDPR requires controllers to implement appropriate measures to be able to demonstrate compliance with the GDPR itself, taking into account among others the “the risks of varying likelihood and severity for the rights and freedoms of natural persons” (article 24 (1)). In line with the risk-based approach embodied by the GDPR, carrying out a […]

The Italian DPA (“Garante per la Protezione dei dati Personali”) issued a penalty of € 27,802,946 to cell phone carrier Tim Sp.A. for numerous and serious violations of data protection related to processing for marketing activities. The violations affected a few million people overall. From January 2017 to the first months of 2019, the DPA […]

On December 19, 2019, ECJ’s Advocate General (“AG”)Saugmandsgaard Øe delivered his opinion in case Case C‑311/18. In particular, the AG notes that the request for a preliminary ruling submitted by the High Court of Ireland (‘the High Court’) relates to one of the forms that the “appropriate safeguards” may take: a contract between the exporter and the importer […]

Opining in a case in which the ECJ is asked to interpret Directive on privacy and electronic communications to activities relating to national security and combatting terrorism on four references for a preliminary ruling [1] the Advocate General Campos Sánchez-Bordona clarifies the means and methods of combating terrorism must be compatible with the requirements of […]

Update: On September 9, 2019, the Department of Health and Human Services’ Office for Civil Rights settles its first HIPAA violation case under its 2019 Right of Access Initiative. Bayfront Health St. Petersburg (Bayfront), a Florida hospital, paid $85,000 to OCR and adopted a corrective action plan to settle a potential violation of the right […]

On 24 September 2019 the Court of Justice of the European Union (ECJ) issued two decisions  concerning Google: Cases C-507/17 (Google v CNIL) and C-136/17 (GC v CNIL) . See comments to Case C-507/17 here. Apparently, both decisions are a success for Google. Not a complete success in Case C-507/17, however. And not a complete success […]

    On May 23, 2019, Nevada’s Senate approved NV SB 220; an act prohibiting website operators collecting information from consumers from making any sale of certain information about a consumer-like address, email, SSN or phone number – if so directed by the consumer. SB 220 modifies the Nevada Privacy of Information Collected Online (NPICIC) […]

  On October 3, 2019 in Case C-18/18, Eva Glawischnig-Piesczek v. Facebook Ireland Limited, the European Court of Justice (EDJ) held that — under Directive 2000/31, the Directive on electronic commer – cefor a platform (host provider) to be considered hosting provider (and so benefit from liability exception), while it must play a passive role (having no knowledge of the content), must […]

On Nov 8, 2019 also the Spanish DPA (Agencia espanola de proteccion de datos – AEPD) issued a guidance on cookies. The guidance (“Guia Sobre el Uso del las Cookies”, “Guia”) applies to cookies and other technologies. After an introduction, the Guia consists of 4 sections:1. ALCANCE DE LAS NORMAS (scope); 2 TERMINOLOGÍA Y DEFINICIONES […]

On November 12 and 13, 2019, the European Data Protection Board (EDPB) met in its fifteenth plenary session. The EDPB discussed important topics. Adoption of EU-US Privacy Shield Third Annual Review Report. After the Third Annual Joint Review of the Shield, the EDPB adopted its report. The EDPB appreciates the improvements by the US Authorities[i] […]

The Personal Data Protection Bill has been listed to be tabled in the Winter Session of the Indian Parliament which will begin on November 18, as published on Lok Sabha website. This Bill applies to the processing of consumer data by corporate entities. The businesses will be required to obtain consent from consumers to use […]

On November 7, 2019, the European Data Protection Supervisor (EDPS) [i] issued the Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725 (“Guidelines”). As a background, Regulation (EU) 2018/1725[ii] (“Regulation”) applies to the processing of personal data by the Union institutions, bodies, offices and agencies. The Guidelines aim at providing […]

This guidance aims at helping controllers “to decide when to rely on legitimate interests as … basis for processing personal data and when to look at alternatives.” The entire Guidance is helpful but particularly helpful are the sections: “Are there cases when legitimate interests is likely to apply?” The GDPR highlights some processing activities where […]

On October 31, 2019, the UK Data Protection Authority, the Information Commissioner Officer (ICO), published an opinion on live facial recognition (“LFR”) by enforcement authorities: The use of live facial recognition technology by law enforcement in public places (“Opinion”) The ICO points out that a statutory and binding code of practice issued by government, modelled on […]

On October 2, 2019, the UK Court of Appeal unanimously overturned a block on a “class-action” lawsuit (technically a “collective action”) brought by a veteran on behalf of millions iPhone users against  Google for the latter’s use of “Safari Workaround” . Now the case can be heard. The lawsuit alleges that Google secretly tracked some […]

On October 8th and 9th, 2019, the European Data Protection Board (“EDPB“), which is the EU body in charge of the application of the General Data Protection Regulation (“GDPR) and consists of a representative of each EU DPA and of the European Data Protection Supervisor (EDPS), met for its fourteenth plenary session and: – adopted the final […]

The Cayman Islands data protection law 2017 (“DPL”) came into effect on September 30, 2019 and applies to all organizations, businesses and public authorities that use personal data. The DPL is centered on the following principles: Fair and lawful use Purpose limitation Data accuracy Storage limitation Respect for the individual’s rights Security – integrity & confidentiality International transfers (i.e., Personal […]

UPDATE: On September 24, 2019, the European Court of Justice ruled in favor of Google after the company appealed. The Court found that Google is not forced to censor its search results on a global scale and is only required to remove outdated or irrelevant links on its European sites. The ruling stated, “Currently, there […]

The EDPB (European Data Protection Board) made public its agenda for the Thirteenth Plenary Meeting of the 10 September 2019. The agenda includes a tribute to Giovanni Buttarelli, former European Data Protection Supervisor and one of the most respected figures in data protection, after his death last month. The agenda includes a discussion on the guidelines on data subject […]

European Parliament publishes a paper on blockchain and the GDPR, titled “The General Data Protection Regulation  Can distributed ledgers be squared with European data protection law?” Here is the link to this interesting paper: http://www.europarl.europa.eu/RegData/etudes/STUD/2019/634445/EPRS_STU(2019)634445_EN.pdf   More information. on GDPR and blockchain, Francesca Giannoni-Crystal 

On June 4, 2019, the Corte di Cassazione, the Italian Supreme Court, clarified the scope of the right of the public to be informed (also known as public right’s to know)  in relation to the right of the individual to be forgotten with reference to old news, which are being republished after many years. In this […]

  On July 29, 2019, the Court of Justice of the European Union (ECJ) published its judgement in case C-40/17, holding – like Advocate General Bobek (see here) suggested – that an organization who embeds a Facebook “Like” button on its website may be considered a data controller. In this case, a German fashion online […]

  On June 20, 2019, the UK Data Protection Authority, the Information Commissioner Officer (ICO), published an update report into adtech and real time bidding. The ICO is waiting for the adtech sector response to the report and will then undertake a “further industry review in six months’ time”. The report focuses on Real-Time Bidding (RTB). […]

  On July 16, 2019, the UK Data Protection Authority, the Information Commissioner Officer (ICO), opened a consultation on a data sharing code of practice. The consultation closes on September 9, 2019. The data sharing code is a practical guide for controllers sharing personal data. It gives guidance on the applicable law and provides good […]

  On July 4, 2019, the Commission Nationale de l’informatique et des Libertés (CNIL), the French Data Protection Authority (DPA) adopted new guidelines on cookies and other tracking devices (“Guidelines”). According to the press release, the scrolling down or swiping through a website or application is no longer viewed as a valid expression of consent to […]

On July 17, 2019, the European Data Protection Supervisor (EDPS) adopted and published a list of the types of processing operations that require a data protection impact assessment (DPIA) under Article 39 of Regulation (EU) 2018/1725 for the EU institution. The EDPS also adopted a list of those processing that at first sight do not […]

  On July 9, 2019, the Court of Justice of the European Union heard oral arguments on a landmark case concerning Facebook’s transfer of personal data from the EU to the US on the basis of the currently utilized “standard contractual clauses” (SCCs) mechanism. See here for more info. The oral hearing took place in […]

On February 14, 2019, the United States District Court for the Northern District of California ordered a United Kingdom citizen, party to a U.S. litigation, to produce in unredacted form e-mails containing personal information that could be protected under the GDPR. By way of background. In this patent infringement suit, Plaintiff owned patents involving computer […]

  On July 9, 2019, the Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI), the Hessian Commissioner for Data Protection and Freedom of Information, banned the use of Office 365 from Hessian schools because its cloud solution is not compliant with EU individuals’ data protection rights. The HBDI’s concern is whether schools – acting as a […]

On May 30, 2019, Oregon Governor signed HB 2395 containing security measures required for devices that connect to the Internet and that are assigned an Internet Protocol address or another number that identifies the connected device. The manufacturer shall equip the connected device with “reasonable security features”, which may consist of means for authentication from […]

    UPDATE ICO was requested the status of this proposed penalties on Nov 12, 2019. ICO issued a response ICO Disclosure Log – Response ENQ0889841: “[Marriott] made representations to the Information Commissioner regarding these notices in accordance with Schedule 16, paragraph 3(3) of the Data Protection Act 2018. The Information Commissioner is considering those representations in […]

On July 9, 2019, the European Court of Justice (CJEU) heard oral arguments on a landmark case concerning Facebook’s transfer of personal data from the EU to the US on the basis of the currently utilized “standard contractual clauses” (SCCs) mechanism. The CJEU’s decision — will have tangible consequences for businesses performing data transfers from […]

On June 6, 2019 Maine’s governor signed into law LD 946, “An Act To Protect the Privacy of Online Customer Information.” The Act applies to broadband internet service providers (ISPs) defined as any “mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all […]

  On June 28, 2019, the Garante per la protezione dei dati personali, the Italian Data Protection Authority issued a EUR 1 million fine against Facebook following the scandal of Cambridge Analytica. See here for more info. According to the Italian DPA, 57 Italian users downloaded the incriminated application through the Facebook login function. This […]

On October 8, 2018, the Italian Garante per la Protezione dei Dati Personali, the Italian data protection authority, DPA, released instructions on how to maintain a record of processing activities, as well as a sample document compliant with Regulation (EU) no. 679/2016, the General Data Protection Regulation, GDPR. The record – to be maintained by […]

  On May 28, 2019, Attorney General Mark Brnovich announced a settlement with healthcare software providers Medical Informatics Engineering Inc. and NoMoreClipboard, LLC regarding some claims brought against them under the federal Health Insurance Portability and Accountability Act (HIPAA). By way of background. Defendants were business associates that were providing health records services that enabled […]

  On June 14, 2019, the FTC reached a settlement with  SecurTest, Inc., a background screening company over allegations that it falsely claimed to be a participant in the EU-U.S. Privacy Shield program. This is the result of the FTC taking action against false claims of participating to the EU-US Privacy Shield Framework. See here. […]

  On June 6, 2019 Attorney General Letitia James, announced a $65,000 settlement with online retailer Bombas LLC for failing to provide notice of payment cards consumers’ data breach that affected 39,561 consumers. In 2014 unauthorized intruders inserted malicious software code to steal payment card information into the ecommerce platform supporting Bombas’ website. Intruders accessed […]

The “Ethics Guidelines for Trustworthy ArtificialI Intelligence” is a document prepared by the independent high-level expert group on artificial intelligence set up by the European Commission, the High-Level Expert Group on Artificial Intelligence (AI HLEG) presented its ethics guidelines for trustworthy artificial intelligence. According to the AI HLEG, Trustworthy AI has three components: it should be […]

  On June 6, 2019, the Republic of San Marino approved the Blockchain Decree of the Republic of San Marino (Delegate Decree n. 86, dated May 23, 2019). No official press statement has been released yet, but this source revealed the news. The Blockchain Decree provides a regulatory framework formulating specific rules for two different […]

    On April 30, 2019, the Department of Health and Human Services (HHS) announced that it would be using its discretion in how it applies HHS regulations concerning the assessment of Civil Money Penalties (CMPs) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as such provision was amended by the Health […]

On April 25, 2019, the Nigeria Data Protection Regulation 2019 entered into force. The Regulation was issued by the National Information Technology Development Agency, NITDA, and it mirrors the EU General Data Protection Regulation (GDPR). The Regulation’s scope of application is quite broad. It applies to all transactions intended for the processing of personal data […]

On May 8, 2019, the Brussel’s Court of Appeal referred certain questions to the Court of Justice of the European Union (CJEU) to ensure that the Belgian Data Protection Authority (DPA) can pursue the case against Facebook also after the GDPR entered into force. In particular, the questions is whether the one-stop shop mechanism (which […]

On April 16, 2019, North Carolina House of Representative introduced H.B. 904. The Bill amends the Identity Theft Protection Act. Among the many changes introduced, the Bill: amends the definition of security breach to include any incident of “unauthorized access to or acquisition of (was, access to and acquisition of) unencrypted and unreacted records or […]

    On April 17, 2019, the EU Parliament adopted the proposed EU Regulation on platform-to-business trading practices. The text adopted by the European Parliament still has to be formally approved by the Council of the European Union. Once approved, the Regulation will enter into force 12 months after its publication in the Official Journal. […]

  On April 22, 2019, the House of Representatives modified chapter 19.255 RCW to amend its data breach notification law. The definition of “data breach” does not change. The security of the system means “unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.” But […]

  On April 30, 2019, vpnMentor published an article revealing that hacktivists Noam Rotem and Ran Locar discovered an unprotected database impacting up to 80 million American households (65% of US households). The 24 GB database was hosted by a Microsoft cloud server and included the number of people living in each household with their full […]

Blockchain companies successfully lobbied for legislation that recognized blockchain as a legitimate record-keeping technology. On April 26, 2019, Washington State Governor signed bill SB 563 recognizing the validity of distributed ledger technology. The bill adds a new chapter to the Revised Code of Washington and it introduces the definitions of Blockchain, which means a cryptographically […]

On April 16, 2019, the European Parliament informed that it decided to create the Common Identity Repository (CIR). The CIR will interconnect a series of data systems (listed below) into a gigantic biometric database containing data about EU and non-EU citizens to improve data exchange between EU information systems to manage borders, security and migration. […]

On April 24, 2019, Facebook published its financial results for the first quarter, where it estimated a probable loss and recorded an accrual of $3 billion  in connection with an investigation by the Federal Trade Commission  (FTC).  The investigation could result in a penalty of up to 5 billion. The FTC began its investigation into […]

On November 9, 2019, the European Data Protection Board (EDPB) adopted guidelines on the GDPR’s lawful basis for processing. In particular, the EDPB provided guidance on the “contractual necessity basis for processing personal data in the context of online services.” Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context […]

  With a decision published on March 18, 2019, the Danish Privacy Authority, Datatilsynet (DPA), found that a Danish Taxi App – Taxa 4×35 – did not respect the principle of data minimization envisaged by the GDPR (art. 5.1(c)), keeping the personal data of the customers beyond the expected retention period. The company deleted the […]

  On April 9, 2019, the UK Data Protection Authority, the Information Commissioner Officer (ICO), served a monetary penalty notice under section 55A of the Data Protection Act 1998 (DPA) of around $ 520,000. The fined company (Bounty) shared the personal data of over 14 million individuals to a number of organizations including credit reference […]

On March 27, 2019, the Utah Governor signed H.B.57 into law. The Bill modifies provisions related to privacy of electronic information or data and their access by law enforcement. H.B 57 defines electronic information and data as being any “information or data including a sign, signal, writing, image, sound, or intelligence of any nature transmitted […]

  On February 25, 2019, an Illinois Senator introduced SB2134 to amend the Biometric Information Privacy Act (740 ILCS 14/1 et seq., BIPA) creating a  private right of action. The bill is currently in Committee. The majority of BIPA claims have been brought against businesses as class actions seeking statutory damages.   Synopsis Amends the […]

On March 26, 2019, Urzędu Ochrony Danych Osobowych (UODO), the Polish Data Protection Agency (DPA) imposed a fine of around $250,000 on a company for failure to fulfill its information obligation as a controller. The UODO explained that the controller did not meet the information obligation (Art. 14 (1) – (3), GDPR) in relation to […]

  On Friday, March 22, 2019,  the Washington State House of Representative’s Committee on Innovation, Technology and Economic Development held its first public hearing on the proposed privacy legislation, SB 5376. The Washington privacy act, SB 5376, was introduced January 17, 2019 and passed its third reading in the Senate with 46 votes (against 1) on […]

On March 14, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, DPA) published on Netherlands Official Gazette its own General Data Protection Regulation (GDPR) fining policy. It is the first European Union (EU) country to do so. Article 83, GDPR, provides that DPAs can issue to controllers and processors “effective, proportionate and dissuasive” administrative fines […]

Regulation (EU) 2018/1807 of 14 November 2018, which deals with “non personal data” in the framework of the EU’s digital single market strategy; it aims at removing obstacles to data mobility and the internal single market. In particular, it prohibits data localization requirements by place EU Member States in point of storage or processing of non-personal data, […]

  On February 27, 2019, the American Federal Trade Commission (FTC) published a proposed stipulated order for civil penalties and other reliefs against Musical.ly for violation of the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from kids without parental consent. The $5.7 million civil penalty is the FTC’s largest ever under COPPA. […]

  On February 2, 2019, the Spanish Data Protection Agency (AEPD) published a Survey on Device Fingerprinting. (“Survey“) “Device fingerprinting is the systematic gathering of information on a specific remote device with the aim of identifying, singling out and, thus being able to monitor its user’s activity for the purpose of profiling.” The data set […]

On February 20, 2019, Bulgaria adopted the General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) harmonization law. The law amends and supplements the previous data protection act from 2002. It also transposes the EU Law Enforcement Directive (Directive (EU) 2016/680). The new Law on Personal Data Protection (LASLPDP) entered into force on March 2, 2019 […]

  On February 7, 2019, the Bundeskartellamt, the German antitrust authority, prohibited Facebook from combining data concerning German Facebook users gathered also from third party websites when the user didn’t give voluntary consent to this practice. The decision concerns all private users of Facebook based in Germany. According to the Bundeskartellamt’s decision, until now, individuals […]

  On February 28, 2019, Thailand’s National Legislative Assembly passed the Personal Data Protection Act (PDPA). According to this source, the PDPA will be signed and endorsed by the monarch, and will then be published in the Government Gazette before to enter into force later this year. This article explains that the legislative text includes […]

Below a list of the harmonization laws enacted by each EU member state. Austria: the Datenschutz-Anpassungsgesetz 2018, the “Datenschutzgesetz“. Belgium: Framework Act (Dutch) Framework Act (French), DPA Act (Dutch), DPA Act (French) Croatia: Zakona O Provedbi Opće Uredbe O Zaštiti Podataka, the Act on Implementation of the General Data Protection Regulation (Official Gazette no. 42/2018) Cyprus: Law n 125(I)/2018 Czech […]

  In February 2019 there have been reports of violations of health data affecting thousands of patients in US medical centers. One of the major breaches affected 974,000 patients at the University of Washington clinic (see here), while the other involved 326,000 users of UConn Health, a large medical center academic (see here). In both […]

  On February 12, 2019, Law no. 12/2019, converting into law the so called Decreto Semplificazioni (“Simplification Decree”), Legislative Decree No. 135/2018 was published on the Italian Official Gazette no. 36/2019. Among other provisions, the Simplification Decree defines the concept of “technologies based on distributed ledgers (blockchain)” and “smart contracts”. “Technologies based on distributed ledgers” are technologies and […]

On February 12, 2019 the European Data Protection Board (EDPB) warned that in the absence of an agreement between the EEA and the UK (no-deal Brexit), the UK will become a third country from 00.00 am CET on 30 March 2019. The EDPB provides 5 steps organizations that transfer data to the UK should take […]

  On January 25, 2015, the European Commission released a statement with an update about the effects of the adoption of Regulation 2016/679/EU (GDPR). See: Joint Statement by First Vice-President Timmermans, Vice-President Ansip, Commissioners Jourová and Gabriel ahead of Data Protection Day Since its entry into force on May 25, 2018, “citizens have become more […]

On December 19, 2018, Advocate General Bobek, published his opinion in case C-40/17, deeming that anyone who enters the Facebook “Like” button on his website can be considered a joint controller. In this case, a German fashion online retailer embedded a Facebook’s ‘Like’ button in its website. As a result, when users landed on the […]

    On January 15, 2019, the United States Court of Appeals for the Ninth Circuit held that websites and mobile applications (app) of places of public accommodation must be fully accessible to persons with disabilities. By way of background, Plaintiff – a blind man – alleged that Defendant Domino’s Pizza, LLC, (Domino’s) failed to […]

    On January 25, 2019, the Illinois Supreme Court found that data subjects do not need to allege a concrete injury in order to sue under the Biometric Information Privacy Act (Act) (740 ILCS 14/1 et seq., BIPA). Contrary to the appellate court’s view, the Illinois Supreme Court found that “actual injury or adverse […]

On March 28, 2018, Alabama was the last State, after South Dakota, to adopt a data breach notification statute. The Alabama Data Breach Notification Act of 2018 (S.B. 318) went into effect on June 1, 2018. According to the Alabama Statute, any “covered entity” and “third-party agent” must comply. Written notification must be made to all affected […]

On 23 January 2019, the EU Commission adopted its adequacy decision on Japan, allowing personal data to flow freely between Europe and Japan. The adequacy decision started to apply as of January 23. The same will happen on the Japanese side. The adequacy decision includes: a set of Supplementary Rules to strengthen the protection of sensitive data, […]

On January 21, 2019, the CNIL (Commission Nationale de l’Informatique et des Libertés, the French Data Protection Authority), restricted committee, for the first time applies the new sanctions limit provided by the GDPR and sanctions Google for EUR 50 million for two GDPR violations: 1. “violation of the obligations of transparency and information“ “First, the restricted […]

On December 14, 2018, New York Attorney General Barbara D. Underwood announced settlements with Western Union Financial Services, Inc., Priceline.com, LLC, Equifax Consumer Services, LLC, Spark Networks, Inc., and Credit Sesame, Inc., “for having mobile apps that failed to keep sensitive user information secure when transmitted over the Internet.” No fraud had happened with those […]

Washoe County, Reno, in the State of Nevada, uses Ethereum blockchain to provide immutable digital record of wedding certificates. The service allows certified copies of marriage certificates to be emailed. It requires no special technology besides the ability to view a plain PDF. The county uses the services of a company called TitanSeal. At https://www.washoecounty.us… you […]

On December 28, 2018, the French Data Protection Agency, the Commission Nationale de l’informatique et des Libertés (CNIL) published several principles to help companies comply with the General Data Protection Regulation (GDPR) while transferring personal data to their commercial partners for electronic prospecting. Particularly, the CNIL highlights how: the data subject must give consent before the […]

The DC Attorney General alleged in lawsuit Facebook’s ‘misleading privacy settings’ allowed it to harvest information from DC residents, in violation of  violated the D.C. Consumer Protection Procedures Act. The AG alleged that “nearly half of all District residents’ data to manipulation for political purposes during the 2016 election”. The AG stated Facebook failed to […]

In November 2018, a German local court, the Amtsgericht Diez, decided on a claim for immaterial damages under Art. 82.1, GDPR.  According to this source, on May 25, 2018, Plaintiff received an e-mail in which Plaintiff’s consent to receive a newsletter was requested. An email of this sort is considered spam under German law and […]

On November 27, 2018, the European Consumer Organisation (BEUC), informed that seven EU consumer organizations filed complaints against Google with their national data protection authorities (DPAs) for breaching the General Data Protection Regulation (GDPR) in relation to how the company tracks its users’ location. The complaints are based on new research (Every step you take) […]

On November 16, 2018, the European Data Protection Board (EDPB) adopted guidelines on the territorial application of the GDPR. Guidelines 3/2018 on the territorial scope of Regulation 2016/679/EU- Version for public consultation. The guidelines are now open to public consultation. The Guidelines aim at clarifying the territorial scope of the GDPR, in particular where the data […]

On October 10, 2018, UK High Court blocked the class-action against Google over unlawful iPhone tracking allegations. The claimant, Richard Lloyd, alleged that, during 2011 and 2012, Google secretly tracked the internet activity of Apple iPhone users and then sold the data. The method by which Google was able to do this is generally referred […]

Expressing an opinion on a proposed bill aiming at substituting –in a 2015 Ministerial decree, Ministero dell’Interno del 23 dicembre 2015 – the words “father“ and “mother” in place of “parents or legal guardians” on the application for a minor’s ID, the Garante per la Protezione dei Dati (the Italian Data Protection Authority) highlights how the […]

On September 30, 2018, the DOJ filed net neutrality lawsuit against the State of California, alleging that Senate Bill 822, a bill signed into law by Governor Jerry Brown, unlawfully imposes burdens on the Federal Government’s deregulatory approach to the Internet. See more here. complaint here Francesca Giannoni-Crystal

Privacy needs to be reckoned with by “Advanced TV” industry. And this will be more and more the case. According to the press, marketers are investing more and more in advanced TV targeting. Rather than broadcasting the same ad to all households, advanced televisions serve targeted ads to each household. The term “advanced TV” is […]

On October 10, 2018, the Portuguese Data Protection Authority (CNPD) found the Barreiro Hospital guilty of violating the integrity and confidentiality principle and the data minimization principle set forth by the GDPR. According to this source, the infringements were punished with a fine of €400,000. The hospital is going to fight the fine, this source […]