Last week, the Irish Data Protection Commission (“DPC”) published its much anticipated guidance note on cookies and similar tracking technologies (the “Guidance”). It also published a report following a “cookie sweep” that took place between August 2019 and December 2019 of 38 data controllers (the “Report”). The cookie sweep requested information from the data controllers and examined the deployment of cookies on their websites to understand how and whether they were complying with the cookie rules. It is clear the Report significantly influenced the Guidance and, as such, the Report provides an indication of the areas where the DPC seems likely to focus its enforcement efforts which is discussed below.
The French data protection authority (CNIL) adopts a new standard on whistleblowing systems
At the end of 2019, following a public consultation, the CNIL adopted its much-anticipated “standard” on whistleblowing systems. The “standard” is essentially a reference document which serves as guidance for those implementing whistleblowing systems.
The CNIL releases draft practical guidance on cookies consent
The CNIL has published draft recommendations on how to obtain consent when placing cookies. This is following the publication of its revised “Guidelines on the implementation of cookies or similar tracking technologies” which was published in July 2019 (see our article here).
The objective of the recommendations is to provide stakeholders with practical guidance and illustrative examples. These recommendations are neither exhaustive nor binding and data controllers are free to consider other practical measures as long as they comply with the revised rules as provided by the CNIL in July 2019. The CNIL also provides a number of “good practices” that will enable businesses to go even further in their compliance process.
The right to be forgotten: the CJEU sides with Google in two landmark cases
On 24 September 2019 the Court of Justice of the European Union (CJEU) gave two judgments (Cases C-507/17 and C-136/17) ruling that: (i) de-referencing by Google should be limited to EU Member States’ versions of its
The CNIL publishes new guidelines on cookies and other similar technologies
On 4 July 2019, the CNIL published new guidelines on cookies and other similar technologies, repealing its 2013 cookie guidance in order to align its position with the GDPR’s new requirements on consent. These guidelines will be supplemented during the first quarter of 2020 by sectoral recommendations aimed at providing practical guidance to stakeholders on how to collect consent.
Online advertising targeting : a CNIL priority for 2019
Often questioned about online advertising targeting by both the public and professionals, the CNIL released its action plan for 2019-2020 with a view to providing further details about the applicable advertising rules and to support stakeholders in their compliance with them.
New CNIL €400,000 fine for data security breaches and non-compliance with data retention period under the GDPR
Following the now famous €50m fine imposed on Google LLC in January 2019,[1] the French Data Protection Authority (the CNIL) published a decision taken on 28 May 2019[2] imposing a fine of €400,000 on SERGIC, a company specialised in real estate development, purchase, sale, rental and property management.
French court issues decision on legality of Privacy Rules and Terms of Use under data protection and consumer law
Five years after the commencement of legal proceedings against Google by leading French consumer association UFC Que Choisir, the Paris “Tribunal de Grande Instance” (TGI), in a decision dated 12 February 2019, issued its ruling on the legality of the Google+ Terms of Use and Privacy Rules, both with respect to consumer law and personal data protection regulations.
EU GDPR will apply beginning May 25, 2018: Norton Rose Fulbright publishes GDPR Checklist, announces events and master classes
Over four years in the making, the EU General Data Protection Regulation (GDPR) was finally published in the EU Official Journal on May 4, 2016, giving a concrete application date. It will apply directly in all EU Member States beginning May 25, 2018. The GDPR will repeal and replace Directive 95/46/EC and its Member State implementing legislation.
Together with the Directive on the Processing of Personal Data for the Purpose of Crime Prevention, the GDPR presents the most ambitious and comprehensive changes to data protection rules around the world in the last 20 years. The final official texts can be found here.
The GDPR rules apply to almost all private sector processing by organizations in the EU or by organizations outside the EU that target EU residents. The export regime will ensure the GDPR’s impact is felt where such organizations transfer personal data to the EU. The maximum fines for non-compliance are the higher of €20 million (approximately $23 million U.S. dollars) and 4% of the organization’s worldwide turnover.
The concept of accountability is at the heart of the GDPR rules: it means that organizations will need to be able to demonstrate that they have analysed the GDPR’s requirements in relation to their processing of personal data and that they have implemented a system or program that allows them to achieve compliance.
To assist our clients with navigating the GDPR’s requirements, we have developed a GDPR Checklist, linked below, and have planned introductory events and master classes to be held via webinar, and in-person in London, Paris, Frankfurt, Munich, and Amsterdam. Registration information may be found below.
French National Assembly adopts “Digital Republic” bill
On January 26, 2016, the French National Assembly adopted the “Digital Republic” bill — a comprehensive bill introducing various provisions to regulate the digital sphere within the French society. Access to public data, neutrality of the Internet, access to the