Topic: Enforcement

Subscribe to Enforcement RSS feed

The UK’s ICO issues a monetary penalty notice to professional services firm after ransomware attack

Photo of Steven Hadwin (UK)Photo of Tim JonesBy Steven Hadwin (UK) and Tim Jones on Posted in Cybersecurity, Data breach, Enforcement, Ransomware, Regulatory response
On 10 March 2022, the Information Commissioner’s Office (ICO) issued a monetary penalty notice to a professional services firm (the Firm) to the tune of £98,000 for a breach of Article 5(1)(f) of the General Data Protection Regulation (GDPR). The Firm was the victim of a ransomware attack which it first became aware of on … Continue reading

Rejecting cookies should be as easy as accepting cookies: new sanctions by the French authority (CNIL)

Photo of Barbara Ghebali (FR)By Barbara Ghebali (FR) on Posted in Compliance and risk management, Enforcement
The French Data Protection Authority (the “CNIL”) continues its campaign against companies that do not respect the rules relating to cookies and other trackers, which the CNIL has previously reminded the market about in multiple communications and decisions. The CNIL has already issued four sets of formal notices to over 90 organizations of various sizes … Continue reading

It must be as easy to reject cookies as it is to accept them: 40 additional organizations on the radar of the CNIL

Photo of Lara White (UK)Photo of Barbara Ghebali (FR)By Lara White (UK) and Barbara Ghebali (FR) on Posted in Enforcement, Regulatory response
As part of its global strategy to ensure compliance with its new cookies mandatory guidelines, and as announced in its priority control themes for 2021, in May 2021 the CNIL issued formal notices to over twenty organizations (including international actors in the digital economy and some public bodies) for not enabling users to accept or … Continue reading

EU’s possible Data Act: What can we anticipate from the Inception Impact Assessment and the Consultation?

Photo of Seiko Hidaka (UK)Photo of Jay Modrall (BE)By Seiko Hidaka (UK) and Jay Modrall (BE) on Posted in Data Transfer, Enforcement, Regulatory response
European rulings on the use of Google Analytics and how it may affect your businessThe European Commission (EC) signalled plans for a new Data Act, to be published in late 2021, in its February 2020 Data Strategy Communication.  The EC revealed more details in its 2021 Consultation and Inception Impact Assessment. The responses to the Consultation and Inception Impact Assessment are bound to shape the future of EU’s digital … Continue reading

Deutsche Wohnen fine now declared invalid by a German court

Photo of Christoph Ritzer (DE)Photo of Natalia Filkina (DE)By Christoph Ritzer (DE) and Natalia Filkina (DE) on Posted in Data breach, Enforcement
Data Protection Report - Norton Rose FulbrightThere has been a big bang in the data protection world in Berlin as the first and most spectacular GDPR fine in Germany has just been declared invalid. The Berlin Commissioner for Data Protection for Freedom of Information (Berliner Beauftragte für den Datenschutz und Informationsfreiheit, “Berlin DPA”) issued a EUR 14.5 million fine against a … Continue reading

EU Commission draft UK Data Protection Adequacy Decision published

Photo of Marcus Evans (UK)Photo of Shiv Daddar (UK)By Marcus Evans (UK) and Shiv Daddar (UK) on Posted in Enforcement, General, Regulatory response
Data Protection Report - Norton Rose FulbrightFollowing nine months of assessment of the UK’s data protection laws (including the rules on access to data by public authorities), the European Commission has today published its draft decision on the adequate protection of personal data by the United Kingdom. The draft decision can be found here. The draft decision is welcome news to … Continue reading

EU-UK Trade and Cooperation Agreement: Implications for data protection law

Photo of Fiona Bundy-Clarke (UK)By Fiona Bundy-Clarke (UK) on Posted in Data Transfer, Enforcement
Norton Rose Fulbright - Data Protection Report blogOn Christmas Eve, the EU and UK announced that a Trade and Cooperation Agreement (TCA) had been finalised. With it, came a sigh of relief from data protection practitioners everywhere. This is because the TCA provides an extension period, of a sort, to allow the European Commission time to conclude its adequacy assessment of the … Continue reading

Bill C-11: Canada proposes new data privacy legislation

Photo of Colin Hyslop (CA)By Colin Hyslop (CA) on Posted in Enforcement
Norton Rose Fulbright - Data Protection Report blogOn November 17, 2020, the Minister of Innovation, Science and Industry, Navdeep Bains, tabled proposed legislation in Parliament that aims to overhaul Canada’s data privacy law. Bill C-11, entitled An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to … Continue reading

German Court cuts multimillion GDPR fine by 90%

Photo of Christoph Ritzer (DE)Photo of Natalia Filkina (DE)By Christoph Ritzer (DE) and Natalia Filkina (DE) on Posted in Data breach, Enforcement
Norton Rose Fulbright - Data Protection Report blogIn December 2019,  the German Federal Commissioner for Data Protection and Freedom of Information (“Federal DPA”) levied a € 9.55m fine against 1&1 Telecom (“1&1”), a German telecom company.  On 11 November 2020, the Regional Court (Landgericht) of Bonn (the “Court”) slashed the fine to just € 900,000, on the basis that it was disproportionate.  The … Continue reading

Hong Kong introduces a contact tracing app

Photo of Anna GamvrosPhoto of Edward Yau (HK)By Anna Gamvros and Edward Yau (HK) on Posted in Cybersecurity, Enforcement, Regulatory response
Norton Rose Fulbright - Data Protection Report blogAs countries around the globe continue to battle the COVID-19 pandemic, contact tracing apps continue to evolve and be developed. On November 16, 2020, the Hong Kong government is launching a voluntary contact tracing app. The app, known as LeaveHomeSafe, will enable users to record the date and time they visited participating venues by scanning … Continue reading

ICO provides guidance on calculating monetary penalties

Photo of Marcus Evans (UK)Photo of Lara White (UK)Photo of Steven Hadwin (UK)Photo of Ally Corbridge (UK)By Marcus Evans (UK), Lara White (UK), Steven Hadwin (UK), Janine Regan (UK) and Ally Corbridge (UK) on Posted in Enforcement, Regulatory response
Data Protection Report - Norton Rose FulbrightOn 1 October 2020, the UK Information Commissioner’s Office (ICO) published draft statutory guidance, providing clarity about how it will regulate and enforce data protection legislation in the UK. The guidance, which sits alongside the ICO’s Regulatory Action Policy, covers the ICO’s range of enforcement powers, but of most interest is the section on how … Continue reading

Schrems II: recent developments – waiting is harder

Photo of Marcus Evans (UK)By Marcus Evans (UK) and Janine Regan (UK) on Posted in Compliance and risk management, Data Transfer, Enforcement, Regulatory response
In the immediate aftermath of the Schrems II judgement, Bruno Gencarelli (Head of the International data flows and protection unit at the European Commission) said that “Schrems II is data transfers from theory to practice”.  There have been several major developments over the last couple of weeks (explained below) which show this to be an … Continue reading

An “enhanced” Privacy Shield is being negotiated – third time a charm?

Photo of Lara White (UK)By Lara White (UK) and Janine Regan (UK) on Posted in Compliance and risk management, Data Transfer, Enforcement, General
On 10 August, the European Commission and the US Department of Commerce confirmed that talks have begun between the EU and US for an “enhanced” Privacy Shield. This will be the third attempt to revise this framework, following the invalidation of Safe Harbor in 2015 and Privacy Shield in July 2020. Third time a charm? … Continue reading

Schrems II landmark ruling: Privacy Shield is invalid, Standard Contractual Clauses are valid but court puts obligations on parties and authorities

Photo of Marcus Evans (UK)Photo of Christoph Ritzer (DE)By Marcus Evans (UK), Christoph Ritzer (DE) and Janine Regan (UK) on Posted in Data breach, Enforcement, General, Regulatory response
The Court of Justice of the European Union (CJEU) has today published its decision in the landmark case, known as Schrems II. While Privacy Shield has been completely invalidated, the Standard Contractual Clauses (SCCs) remain valid, but the court has emphasised obligations on the parties to the SCCs  and Data Protection Authorities which have the … Continue reading

NYDFS Requires COVID-19 Plans by April 9

Photo of Susan Ross (US)Photo of Kathleen Scott (US)By Susan Ross (US) and Kathleen Scott (US) on Posted in Compliance and risk management, Cybercrime, Cybersecurity, Dispute resolution and litigation, Enforcement, General
Norton Rose Fulbright - Data Protection Report blogOn March 10, 2020, the New York Department of Financial Services (NYDFS) issued guidance to all of its regulated institutions engaged in virtual currency business activity, requiring them to have plans for preparedness to manage the possible operational and financial risks posed by the COVID-19 pandemic. NYDFS requires the plans to be submitted by Thursday, April 9, … Continue reading

Schrems II: AG deems SCCs valid but comes up with difficult new obligations and expresses “doubts” over privacy shield

Photo of Marcus Evans (UK)Photo of Christoph Ritzer (DE)Photo of David Kessler (US)By Marcus Evans (UK), Christoph Ritzer (DE), Janine Regan (UK) and David Kessler (US) on Posted in Compliance and risk management, Enforcement, General
What has happened? Yesterday, the Advocate General (“AG”) concluded that, in his opinion, the EU Standard Contractual Clauses (“SCCs”) are a valid mechanism to transfer personal data outside of the European Economic Area (“EEA”). However, the AG suggested new obligations for those using SCCs. They need to examine the national security laws of the country … Continue reading

First multi-million GDPR fine in Germany: €14.5 million for not having a proper data retention schedule in place

Photo of Christoph Ritzer (DE)Photo of Natalia Filkina (DE)By Christoph Ritzer (DE) and Natalia Filkina (DE) on Posted in Enforcement
Data Protection Report - Norton Rose FulbrightOn October 30, 2019 the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit – Berlin DPA) issued a €14.5 million fine on a German real estate company, die Deutsche Wohnen SE (Deutsche Wohnen),  the highest German GDPR fine to date. The infraction related to the over retention of personal … Continue reading

New York’s Breach Law Amendments and New Security Requirements

Photo of David Kessler (US)Photo of Susan Ross (US)By David Kessler (US) and Susan Ross (US) on Posted in Compliance and risk management, Enforcement, General
Although California has recently captured the lion’s share of attention with respect to privacy and security, on October 23, 2019, New York’s amended security breach law goes into effect, and on March 1, 2020, new security safeguards go live (N.Y. S.B. 5575). Anyone with personal information about a New York resident is potentially affected by … Continue reading

And then there were five: CCPA amendments pass legislature

Photo of Jeewon Kim Serrato (US)Photo of Susan Ross (US)By Jeewon Kim Serrato (US) and Susan Ross (US) on Posted in CCPA, Compliance and risk management, Enforcement
Norton Rose Fulbright - Data Protection Report blogExecutive Summary The wait is over:  Only five CCPA amendments made it through the California legislature.  The amendments are limited in scope, which means the CCPA will go into effect, largely intact, on January 1, 2020. The California legislative session for 2019 ended on September 13 and the following five amendments to the California Consumer … Continue reading

One-Month Countdown to Pass CCPA Amendments Begins

Photo of Jeewon Kim Serrato (US)Photo of Susan Ross (US)By Jeewon Kim Serrato (US) and Susan Ross (US) on Posted in CCPA, Compliance and risk management, Enforcement
Data Protection Report - Norton Rose FulbrightOn August 12, the California legislature returns after its summer recess. Starting with the Senate Appropriations Committee Hearing today, the legislature will now have approximately a month to continue the markups and send California Consumer Privacy Act (CCPA) amendments to the Governor’s desk for signature before the September 13 deadline.  As previously reported, any amendment … Continue reading

Website operators joint controllers with third-party plugin providers

Photo of Lara White (UK)Photo of Natalia Filkina (DE)Photo of Shiv Daddar (UK)By Lara White (UK), Natalia Filkina (DE) and Shiv Daddar (UK) on Posted in Enforcement
Norton Rose Fulbright - Data Protection Report blogOn 29 July 2019, the European Court of Justice (ECJ) issued its judgement on Case C-40/17 (the “Fashion-ID” case). In its ruling, the ECJ held that operators of websites embedding Facebook’s “Like” button act as data controllers jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors … Continue reading
LexBlog