NY A.G. settles with online retailer Bombas which failed to notify data breach involving credit cards details

  On June 6, 2019 Attorney General Letitia James, announced a $65,000 settlement with online retailer Bombas LLC for failing to provide notice of payment cards consumers’ data breach occurred to 39,561 consumers. In 2014 unauthorized intruders inserted malicious software code to steal payment card information into the ecommerce platform supporting Bombas’ website. Intruders accessed […]

Nigeria’s extensive data protection law is in force

On April 25, 2019, the Nigeria Data Protection Regulation 2019 entered into force. The Regulation was issued by the National Information Technology Development Agency, NITDA, and it mirrors the EU General Data Protection Regulation (GDPR). The Regulation’s scope of application is quite broad. It applies to all transactions intended for the processing of personal data […]

FTC’s investigation into Facebook data practices could result in a fine up to 5 billion, Facebook estimates

On April 24, 2019, Facebook published its financial results for the first quarter, where it estimated a probable loss and recorded an accrual of $3 billion  in connection with an investigation by the Federal Trade Commission  (FTC).  The investigation could result in a penalty of up to 5 billion. The FTC began its investigation into […]

EDPS’s Guidelines on Article 6(1)(b) lawful basis for processing in online services open for comments until May 24

On November 9, 2019, the European Data Protection Board (EDPB) adopted guidelines on the GDPR’s lawful basis for processing. In particular, the EDPB provided guidance on the “contractual necessity basis for processing personal data in the context of online services.” Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context […]

UK DPA fined “parenting club” company for violation of the principle of “fairness” in processing

  On April 9, 2019, the UK Data Protection Authority, the Information Commissioner Officer (ICO), served a monetary penalty notice under section 55A of the Data Protection Act 1998 (DPA) of around $ 520,000. The fined company (Bounty) shared the personal data of over 14 million individuals to a number of organizations including credit reference […]

Dutch DPA is the first European DPA to publish fining policy under GDPR

On March 14, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, DPA) published on Netherlands Official Gazette its own General Data Protection Regulation (GDPR) fining policy. It is the first European Union (EU) country to do so. Article 83, GDPR, provides that DPAs can issue to controllers and processors “effective, proportionate and dissuasive” administrative fines […]