Google and other big data companies face increased scrutiny

Jeewon Kim Serrato (US)Vic Domen (US)By Jeewon Kim Serrato (US) and Vic Domen (US) on Posted in Compliance and risk management, Enforcement
Data Protection Report - Norton Rose Fulbright

Norton Rose Fulbright’s US Head of Data Protection, Privacy and Cybersecurity Jeewon Serrato and Partner Vic Domen write about the increased scrutiny that big data companies like Google and Facebook are now facing.

A number of state attorneys general are preparing to have discussions with the US Federal Trade Commission to discuss their concerns about the use of massive amounts of personal data in the digital ad marketplace.

There is a trend among federal and state enforcers to bring these online platforms and technology markets under higher scrutiny.

Get all the details at the full legal update, “Big data companies face increased state and federal scrutiny.”

ICO blog post on AI and solely automated decision-making

Lara White (UK)Marcus Evans (UK)Magdalene Lie (UK)By Lara White (UK), Marcus Evans (UK) and Magdalene Lie (UK) on Posted in Compliance and risk management
Data Protection Report - Norton Rose Fulbright

The ICO has published a blog post on the role of “meaningful” human reviews in AI systems to prevent them from being categorised as “solely automated decision-making” under Article 22 of the GDPR. That Article imposes strict conditions on making decisions with legal or similarly significant effects based on personal data where there is no human input, or where there is limited human input (e.g. a decision is merely “rubber-stamped”). Continue reading

Parenting support club Bounty fined in ‘unprecedented’ data breach

Lara White (UK)By Lara White (UK) on Posted in Enforcement
Norton Rose Fulbright - Data Protection Report blog

On 12 April, the Information Commissioners Office (ICO) fined Bounty, a pregnancy and parent support club, £400,000 for illegally sharing personal data belonging to more than 14 million people. As the contravention took place just before the General Data Protection Regulation (GDPR) came into force, the fine was issued under the Data Protection Act 1998 (DPA). Continue reading

UK Supreme Court grant Morrisons permission to appeal vicarious liability finding

Ffion Flockhart (UK)Marcus Evans (UK)Lara White (UK)Steven Hadwin (UK)By Ffion Flockhart (UK), Marcus Evans (UK), Lara White (UK) and Steven Hadwin (UK) on Posted in Data breach

The Supreme Court has confirmed that permission has been granted to Morrisons for it to appeal against the judgment of the Court of Appeal in Morrison Supermarkets PLC v Various Claimants [2018] EWCA Civ 2338. Continue reading

French court issues decision on legality of Privacy Rules and Terms of Use under data protection and consumer law

Cécile Auvieux (FR)Nadège Martin (FR)By Cécile Auvieux (FR) and Nadège Martin (FR) on Posted in Dispute resolution and litigation, Enforcement
Norton Rose Fulbright - Data Protection Report blog

Five years after the commencement of legal proceedings against Google by leading French consumer association UFC Que Choisir, the Paris “Tribunal de Grande Instance” (TGI), in a decision dated 12 February 2019, issued its ruling on the legality of the Google+ Terms of Use and Privacy Rules, both with respect to consumer law and personal data protection regulations. Continue reading

EU Advocate General issues opinion on consent for cookies and intersection between ePrivacy-Directive and GDPR

Lara White (UK)Marcus Evans (UK)Sven Jacobs (DE)By Lara White (UK), Marcus Evans (UK) and Sven Jacobs (DE) on Posted in Dispute resolution and litigation
Norton Rose Fulbright - Data Protection Report blog

On March 21, 2019, Advocate General Szpunar released his opinion on the use of consent for the processing of personal data and for the use of cookies pursuant to the ePrivacy-Directive and the General Data Protection Regulation (GDPR).

The opinion includes several key points on whether consent is ‘freely given’ pursuant to the ePrivacy-Directive and the GDPR and also gives insight on what constitutes ‘informed consent.’ Continue reading

German court ruled that protection of the whistle-blower confidentiality does not generally override the data subject access right

Christoph Ritzer (DE)Cornelia Marquardt (DE)Natalia Filkina (DE)By Christoph Ritzer (DE), Cornelia Marquardt (DE) and Natalia Filkina (DE) on Posted in Enforcement
Data Protection Report - Norton Rose Fulbright

A mid-level German employment court recently had to consider the scope of subject access requests under the EU General Data Protection Regulation (GDPR) in the context of compliance and whistle-blowing regimes. The Regional Labour Court (Landesarbeitsgericht) of Stuttgart decided that an employer was required not only to provide an employee with the records containing performance and behavioural data, but also to disclose information regarding internal investigations. This is the first reported successful enforcement of a data subject access right under Article 15 GDPR before a regional labour court in Germany. (The judgment was handed down on 20 December 2018 but has just been published in full text.) Continue reading

GDPR, CCPA and beyond: Changes in data privacy laws and enforcement risks to monitor in 2019

Jeewon Kim Serrato (US)Daniel Rosenzweig (US)By Jeewon Kim Serrato (US) and Daniel Rosenzweig (US) on Posted in Compliance and risk management, Enforcement
Norton Rose Fulbright - Data Protection Report blog

With significant enforcement activity and new laws being enacted or proposed since the start of the year, regulators in the EU and the US, several US states, and the US Congress are showing they mean business in terms of data privacy.

To help companies best protect consumer data and remediate enforcement risks, we provide below an overview of the following:

  1. two noteworthy recent EU and US regulator enforcement actions;
  2. changes in the US state data privacy law landscape, including the proposal from the California Attorney General’s Office to expand enforcement authority and class action litigation under the California Consumer Privacy Act; and
  3. US Congress’ consideration of a first-ever comprehensive US federal privacy law.

Continue reading

EDPB issues new opinion on interplay between Clinical Trials Regulation and the GDPR

David Kessler (US)Christoph Ritzer (DE)Sven Jacobs (DE)Anna Rudawski (US)Max Kellogg (US)By David Kessler (US), Christoph Ritzer (DE), Sven Jacobs (DE), Anna Rudawski (US) and Max Kellogg (US) on Posted in Compliance and risk management, Enforcement, Regulatory response
Norton Rose Fulbright - Data Protection Report blog

On January 23, 2019, the European Data Protection Board (“EDPB”) issued an opinion on the interplay between the Clinical Trials Regulation (“CTR”) and the General Data Protection Regulation (“GDPR”). See our previous blog posts on the GDPR here and here. The opinion also addresses GDPR requirements regarding (1) the legal basis for processing personal data in the course of a clinical trial protocol (primary use) and (2) the further use of clinical trial data for other scientific purposes (secondary use).

Even though the CTR already entered into force on June 16, 2014, the regulation’s application depends on the development of a fully functional EU clinical trials portal and database which is projected to be operational in 2020. In anticipation of the CTR’s applicability, the EDPB’s Opinion 3/2019 provides much needed clarification on the interplay between the GDPR and the CTR[1] and allows companies to update their processes and agreements to conduct clinical trials that comply with both regulations. Continue reading

LexBlog