Topic: Enforcement

Subscribe to Enforcement RSS feed

Deutsche Wohnen fine now declared invalid by a German court

Photo of Christoph Ritzer (DE)Photo of Natalia Filkina (DE)By Christoph Ritzer (DE) and Natalia Filkina (DE) on Posted in Data breach, Enforcement
Data Protection Report - Norton Rose Fulbright

There has been a big bang in the data protection world in Berlin as the first and most spectacular GDPR fine in Germany has just been declared invalid.

The Berlin Commissioner for Data Protection for Freedom of Information (Berliner Beauftragte für den Datenschutz und Informationsfreiheit, “Berlin DPA”) issued a EUR 14.5 million fine against a German real estate company, die Deutsche Wohnen SE (“Deutsche Wohnen”). The Regional Court (Landgericht) of Berlin has now declared this fine invalid and closed the proceedings. The Berlin DPA will ask the public prosecutor’s office to appeal the Court’s … Continue Reading

EU Commission draft UK Data Protection Adequacy Decision published

Photo of Marcus Evans (UK)Photo of Shiv Daddar (UK)By Marcus Evans (UK) and Shiv Daddar (UK) on Posted in Enforcement, General, Regulatory response
Data Protection Report - Norton Rose Fulbright

Following nine months of assessment of the UK’s data protection laws (including the rules on access to data by public authorities), the European Commission has today published its draft decision on the adequate protection of personal data by the United Kingdom. The draft decision can be found here.

The draft decision is welcome news to the UK government, which has stressed that adequacy will provide certainty for businesses and enable continued cooperation between the UK and EU.

The European Commission’s statement highlights that EU law has shaped the UK’s data protection regime for decades; and that whilst the … Continue Reading

EU-UK Trade and Cooperation Agreement: Implications for data protection law

Photo of Fiona Bundy-Clarke (UK)By Fiona Bundy-Clarke (UK) on Posted in Data Transfer, Enforcement
Norton Rose Fulbright - Data Protection Report blog

On Christmas Eve, the EU and UK announced that a Trade and Cooperation Agreement (TCA) had been finalised. With it, came a sigh of relief from data protection practitioners everywhere. This is because the TCA provides an extension period, of a sort, to allow the European Commission time to conclude its adequacy assessment of the UK. Without this, EEA-UK data transfers would otherwise have been restricted at the end of the Brexit transition period.

The main points of the TCA relating to data protection are set out below.

1.) Data transfers from the EEA to the UK…

  • The
Continue Reading

Bill C-11: Canada proposes new data privacy legislation

Photo of Colin Hyslop (CA)By Colin Hyslop (CA) on Posted in Enforcement
Norton Rose Fulbright - Data Protection Report blog

On November 17, 2020, the Minister of Innovation, Science and Industry, Navdeep Bains, tabled proposed legislation in Parliament that aims to overhaul Canada’s data privacy law. Bill C-11, entitled An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Act, will create new data privacy obligations and new enforcement mechanisms for these obligations if it becomes law.… Continue Reading

German Court cuts multimillion GDPR fine by 90%

Photo of Christoph Ritzer (DE)Photo of Natalia Filkina (DE)By Christoph Ritzer (DE) and Natalia Filkina (DE) on Posted in Data breach, Enforcement
Norton Rose Fulbright - Data Protection Report blog

In December 2019,  the German Federal Commissioner for Data Protection and Freedom of Information (“Federal DPA”) levied a € 9.55m fine against 1&1 Telecom (“1&1”), a German telecom company.  On 11 November 2020, the Regional Court (Landgericht) of Bonn (the “Court”) slashed the fine to just € 900,000, on the basis that it was disproportionate.  The Court considered that too much emphasis had been given to the turnover of 1&1 at a group level in calculating the fine, calling the calculation model used by the German authorities into question.

The facts

The Federal … Continue Reading

Hong Kong introduces a contact tracing app

Photo of Anna Gamvros (HK)Photo of Edward Yau (HK)By Anna Gamvros (HK) and Edward Yau (HK) on Posted in Cybersecurity, Enforcement, Regulatory response
Norton Rose Fulbright - Data Protection Report blog

As countries around the globe continue to battle the COVID-19 pandemic, contact tracing apps continue to evolve and be developed.

On November 16, 2020, the Hong Kong government is launching a voluntary contact tracing app. The app, known as LeaveHomeSafe, will enable users to record the date and time they visited participating venues by scanning the venue QR code. It has been reported that over 6,000 public and private venues will support the app.

Also in the region, the Singapore government is aiming to make use of its contact tracing app mandatory by the end of 2020. It is proposed … Continue Reading

ICO provides guidance on calculating monetary penalties

Photo of Marcus Evans (UK)Photo of Lara White (UK)Photo of Steven Hadwin (UK)Photo of Ally Corbridge (UK)By Marcus Evans (UK), Lara White (UK), Steven Hadwin (UK), Janine Regan (UK) and Ally Corbridge (UK) on Posted in Enforcement, Regulatory response
Data Protection Report - Norton Rose Fulbright

On 1 October 2020, the UK Information Commissioner’s Office (ICO) published draft statutory guidance, providing clarity about how it will regulate and enforce data protection legislation in the UK. The guidance, which sits alongside the ICO’s Regulatory Action Policy, covers the ICO’s range of enforcement powers, but of most interest is the section on how the ICO will calculate fines under the Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR).

The ICO has launched a public consultation on its draft guidance which will remain open until 12 November 2020; as statutory guidance, the guidance … Continue Reading

Schrems II: recent developments – waiting is harder

Photo of Marcus Evans (UK)By Marcus Evans (UK) and Janine Regan (UK) on Posted in Compliance and risk management, Data Transfer, Enforcement, Regulatory response

In the immediate aftermath of the Schrems II judgement, Bruno Gencarelli (Head of the International data flows and protection unit at the European Commission) said that “Schrems II is data transfers from theory to practice”.  There have been several major developments over the last couple of weeks (explained below) which show this to be an accurate assessment.  Companies can no longer “do nothing” in the hope that the difficult implications will go away.  Regulators are starting to investigate.  Complaints are being submitted. A taskforce has been set up. The Swiss data protection authority (DPA) also thinks Privacy … Continue Reading

An “enhanced” Privacy Shield is being negotiated – third time a charm?

Photo of Lara White (UK)By Lara White (UK) and Janine Regan (UK) on Posted in Compliance and risk management, Data Transfer, Enforcement, General

On 10 August, the European Commission and the US Department of Commerce confirmed that talks have begun between the EU and US for an “enhanced” Privacy Shield.

This will be the third attempt to revise this framework, following the invalidation of Safe Harbor in 2015 and Privacy Shield in July 2020. Third time a charm? We’re not so sure.

By way of recap, in Schrems II, the court made clear that Privacy Shield was invalid for three main reasons:

  1. US surveillance rules are disproportionate
  2. There is a lack of proper oversight over US surveillance programmes
  3. EU individuals do not
Continue Reading

Schrems II landmark ruling: Privacy Shield is invalid, Standard Contractual Clauses are valid but court puts obligations on parties and authorities

Photo of Marcus Evans (UK)Photo of Christoph Ritzer (DE)By Marcus Evans (UK), Christoph Ritzer (DE) and Janine Regan (UK) on Posted in Data breach, Enforcement, General, Regulatory response

The Court of Justice of the European Union (CJEU) has today published its decision in the landmark case, known as Schrems II. While Privacy Shield has been completely invalidated, the Standard Contractual Clauses (SCCs) remain valid, but the court has emphasised obligations on the parties to the SCCs  and Data Protection Authorities which have the potential to restrict when they can be used.

Here is a very short first summary:

  1. Privacy Shield is invalid.  This is on the basis that the access and use of EU personal data by US authorities are not restricted in a way
Continue Reading

NYDFS Requires COVID-19 Plans by April 9

Photo of Susan Ross (US)Photo of Kathleen Scott (US)By Susan Ross (US) and Kathleen Scott (US) on Posted in Compliance and risk management, Cybercrime, Cybersecurity, Dispute resolution and litigation, Enforcement, General
Norton Rose Fulbright - Data Protection Report blog

On March 10, 2020, the New York Department of Financial Services (NYDFS) issued guidance to all of its regulated institutions engaged in virtual currency business activity, requiring them to have plans for preparedness to manage the possible operational and financial risks posed by the COVID-19 pandemic. NYDFS requires the plans to be submitted by Thursday, April 9, 2020.… Continue Reading

Schrems II: AG deems SCCs valid but comes up with difficult new obligations and expresses “doubts” over privacy shield

Photo of Marcus Evans (UK)Photo of Christoph Ritzer (DE)Photo of David Kessler (US)By Marcus Evans (UK), Christoph Ritzer (DE), Janine Regan (UK) and David Kessler (US) on Posted in Compliance and risk management, Enforcement, General

What has happened?

Yesterday, the Advocate General (“AG”) concluded that, in his opinion, the EU Standard Contractual Clauses (“SCCs”) are a valid mechanism to transfer personal data outside of the European Economic Area (“EEA”). However, the AG suggested new obligations for those using SCCs. They need to examine the national security laws of the country of the data importer to determine whether they can in fact comply with the terms of SCCs.… Continue Reading

First multi-million GDPR fine in Germany: €14.5 million for not having a proper data retention schedule in place

Photo of Christoph Ritzer (DE)Photo of Natalia Filkina (DE)By Christoph Ritzer (DE) and Natalia Filkina (DE) on Posted in Enforcement
Data Protection Report - Norton Rose Fulbright

On October 30, 2019 the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und InformationsfreiheitBerlin DPA) issued a €14.5 million fine on a German real estate company, die Deutsche Wohnen SE (Deutsche Wohnen),  the highest German GDPR fine to date. The infraction related to the over retention of personal data. For the first time, the Berlin DPA applied the new calculation method for GDPR fines issued by the German Datenschutzkonferenz recently (see our recent post).… Continue Reading

New York’s Breach Law Amendments and New Security Requirements

Photo of David Kessler (US)Photo of Susan Ross (US)By David Kessler (US) and Susan Ross (US) on Posted in Compliance and risk management, Enforcement, General

Although California has recently captured the lion’s share of attention with respect to privacy and security, on October 23, 2019, New York’s amended security breach law goes into effect, and on March 1, 2020, new security safeguards go live (N.Y. S.B. 5575). Anyone with personal information about a New York resident is potentially affected by these far-reaching amendments.

Breach Law Changes

Readers may recall that New York’s security breach notification law (N.Y. Gen. Bus. Law § 899-aa) differs from most states’ law in several ways including (1) using separate definitions of “personal information” and “private information;” and (2) providing factors … Continue Reading

And then there were five: CCPA amendments pass legislature

Photo of Jeewon Kim Serrato (US)Photo of Susan Ross (US)By Jeewon Kim Serrato (US) and Susan Ross (US) on Posted in CCPA, Compliance and risk management, Enforcement
Norton Rose Fulbright - Data Protection Report blog

Executive Summary

The wait is over:  Only five CCPA amendments made it through the California legislature.  The amendments are limited in scope, which means the CCPA will go into effect, largely intact, on January 1, 2020.

The California legislative session for 2019 ended on September 13 and the following five amendments to the California Consumer Privacy Act (CCPA) were passed: AB 25, 874, 1146, 1355, and 1564. They now move to the Governor’s desk, where he has 30 days to sign or veto them.… Continue Reading

One-Month Countdown to Pass CCPA Amendments Begins

Photo of Jeewon Kim Serrato (US)Photo of Susan Ross (US)By Jeewon Kim Serrato (US) and Susan Ross (US) on Posted in CCPA, Compliance and risk management, Enforcement
Data Protection Report - Norton Rose Fulbright

On August 12, the California legislature returns after its summer recess. Starting with the Senate Appropriations Committee Hearing today, the legislature will now have approximately a month to continue the markups and send California Consumer Privacy Act (CCPA) amendments to the Governor’s desk for signature before the September 13 deadline.  As previously reported, any amendment that passes from the Senate will likely need to go back to the Assembly since many of them have been marked up significantly by the Senate. Below is a summary of the seven amendments that are moving forward and what they mean for businesses who … Continue Reading

Website operators joint controllers with third-party plugin providers

Photo of Lara White (UK)Photo of Natalia Filkina (DE)Photo of Shiv Daddar (UK)By Lara White (UK), Natalia Filkina (DE) and Shiv Daddar (UK) on Posted in Enforcement
Norton Rose Fulbright - Data Protection Report blog

On 29 July 2019, the European Court of Justice (ECJ) issued its judgement on Case C-40/17 (the “Fashion-ID” case). In its ruling, the ECJ held that operators of websites embedding Facebook’s “Like” button act as data controllers jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to the relevant websites. In relation to these processing activities, the website operators must inform their website visitors about the data processing activities for which they act as a joint controller with Facebook, must establish a lawful basis for these processing activities and, where applicable, … Continue Reading

US CLOUD Act and International Privacy

Photo of Marcus Evans (UK)Photo of David Kessler (US)Photo of Jim Lennon (AU)Photo of Susan Ross (US)By Marcus Evans (UK), David Kessler (US), Jim Lennon (AU) and Susan Ross (US) on Posted in Compliance and risk management, Enforcement, General
Norton Rose Fulbright - Data Protection Report blog

The U.S. Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) is apparently the Goldilocks of the privacy world, according to recent statements issued by two international jurisdictions. The CLOUD Act’s requirements are “too hard” for Australian law, according to the Law Council of Australia, but the privacy protections are “too soft” for the European Data Protection Board and European Data Protection Supervisor. The current lack of any executive agreements between the U.S. and another jurisdiction under the CLOUD Act seems to indicate that the U.S. has not yet found a jurisdiction that is “just right” for the CLOUD Act.… Continue Reading

New CNIL €400,000 fine for data security breaches and non-compliance with data retention period under the GDPR

Photo of Nadège Martin (FR)Photo of Nilofar Moini Shabestari (FR)By Nadège Martin (FR) and Nilofar Moini Shabestari (FR) on Posted in Data breach, Enforcement
Data Protection Report - Norton Rose Fulbright

Following the now famous €50m fine imposed on Google LLC in January 2019,[1] the French Data Protection Authority (the CNIL) published a decision taken on 28 May 2019[2] imposing a fine of €400,000 on SERGIC, a company specialised in real estate development, purchase, sale, rental and property management.… Continue Reading

Google and other big data companies face increased scrutiny

Photo of Jeewon Kim Serrato (US)Photo of Vic Domen (US)By Jeewon Kim Serrato (US) and Vic Domen (US) on Posted in Compliance and risk management, Enforcement
Data Protection Report - Norton Rose Fulbright

Norton Rose Fulbright’s US Head of Data Protection, Privacy and Cybersecurity Jeewon Serrato and Partner Vic Domen write about the increased scrutiny that big data companies like Google and Facebook are now facing.

A number of state attorneys general are preparing to have discussions with the US Federal Trade Commission to discuss their concerns about the use of massive amounts of personal data in the digital ad marketplace.

There is a trend among federal and state enforcers to bring these online platforms and technology markets under higher scrutiny.

Get all the details at the full legal update, “Big data Continue Reading

Parenting support club Bounty fined in ‘unprecedented’ data breach

Photo of Lara White (UK)By Lara White (UK) on Posted in Enforcement
Norton Rose Fulbright - Data Protection Report blog

On 12 April, the Information Commissioners Office (ICO) fined Bounty, a pregnancy and parent support club, £400,000 for illegally sharing personal data belonging to more than 14 million people. As the contravention took place just before the General Data Protection Regulation (GDPR) came into force, the fine was issued under the Data Protection Act 1998 (DPA).… Continue Reading

French court issues decision on legality of Privacy Rules and Terms of Use under data protection and consumer law

Photo of Cécile Auvieux (FR)Photo of Nadège Martin (FR)By Cécile Auvieux (FR) and Nadège Martin (FR) on Posted in Dispute resolution and litigation, Enforcement
Norton Rose Fulbright - Data Protection Report blog

Five years after the commencement of legal proceedings against Google by leading French consumer association UFC Que Choisir, the Paris “Tribunal de Grande Instance” (TGI), in a decision dated 12 February 2019, issued its ruling on the legality of the Google+ Terms of Use and Privacy Rules, both with respect to consumer law and personal data protection regulations.… Continue Reading

German court ruled that protection of the whistle-blower confidentiality does not generally override the data subject access right

Photo of Christoph Ritzer (DE)Photo of Cornelia Marquardt (DE)Photo of Natalia Filkina (DE)By Christoph Ritzer (DE), Cornelia Marquardt (DE) and Natalia Filkina (DE) on Posted in Enforcement
Data Protection Report - Norton Rose Fulbright

A mid-level German employment court recently had to consider the scope of subject access requests under the EU General Data Protection Regulation (GDPR) in the context of compliance and whistle-blowing regimes. The Regional Labour Court (Landesarbeitsgericht) of Stuttgart decided that an employer was required not only to provide an employee with the records containing performance and behavioural data, but also to disclose information regarding internal investigations. This is the first reported successful enforcement of a data subject access right under Article 15 GDPR before a regional labour court in Germany. (The judgment was handed down on … Continue Reading

LexBlog