Turkish Data Protection Board announces extension of VERBİS registration deadline – once again
Posted in Regulatory responseTag archives: data protection
Posted in Regulatory responseRussian Data Localization law: now with monetary penalties
Posted in Compliance and risk management
On 2 December, a new law was introduced in Russia to enable substantial administrative fines to be imposed on organizations and individuals that fail to comply with data localization requirements. Both legal entities and responsible managers (e.g. the Data Protection Officer or the CEO) can be fined under the new regime.… Continue reading
First multi-million GDPR fine in Germany: €14.5 million for not having a proper data retention schedule in place
Posted in Enforcement
On October 30, 2019 the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit – Berlin DPA) issued a €14.5 million fine on a German real estate company, die Deutsche Wohnen SE (Deutsche Wohnen), the highest German GDPR fine to date. The infraction related to the over retention of personal … Continue reading
German Data Protection Authorities publishes a new GDPR model for fines
Posted in Enforcement
The German Datenschutzkonferenz (DSK), the joint body of the German data protection authorities, has just published the model which it intends to use to calculate fines pursuant to Article 83 of the GDPR.… Continue reading
No surprises in the recent Planet49 European Court of Justice judgment
Posted in Dispute resolution and litigation
On 1 October 2019, the European Court of Justice (ECJ) delivered its judgement on Case C – 673/17 (the “Planet49” case), which relates to the consent and transparency requirements for the use of cookies and similar technologies. The ECJ largely followed the March 2019 Opinion of Advocate General Szpunar and the judgment is generally consistent … Continue reading
Data protection and cyber risk issues in arbitration – dealing with regulation, cyber attacks and hacked evidence
Deadline extended for compulsory registration on Data Controller registry
Posted in Compliance and risk management
Obligations We previously reported that Turkey’s data protection legislation (TDPL) requires data controllers to notify the Turkish DPA of their processing activities. Unless exempt from the requirement, all data controllers (individuals and legal entities) who process personal data in Turkey must be registered with the Turkish DPA’s Register of Data Controllers Information System (VERBİS), prior … Continue reading
ICO joins other data protection authorities in issuing statement on Facebook’s cryptocurrency Libra project
Posted in Compliance and risk management
On 18 June 2019, Facebook announced plans to launch a new blockchain enabled cryptocurrency called Libra.… Continue reading
Turkey’s data protection legislation on data controller registry to impact data controllers outside of Turkey
Posted in Regulatory response
Obligations Turkey’s data protection legislation (TDPL) requires data controllers to notify the Turkish DPA of their processing activities. Unless exempt from the requirement, all data controllers (individuals and legal entities) who process personal data in Turkey must be registered with the Turkish DPA’s Register of Data Controllers Information System (VERBİS), prior to processing any personal … Continue reading
The CNIL publishes new guidelines on cookies and other similar technologies
Posted in Compliance and risk management
On 4 July 2019, the CNIL published new guidelines on cookies and other similar technologies, repealing its 2013 cookie guidance in order to align its position with the GDPR’s new requirements on consent. These guidelines will be supplemented during the first quarter of 2020 by sectoral recommendations aimed at providing practical guidance to stakeholders on … Continue reading
Website operators joint controllers with third-party plugin providers
Posted in EnforcementOn 29 July 2019, the European Court of Justice (ECJ) issued its judgement on Case C-40/17 (the “Fashion-ID” case). In its ruling, the ECJ held that operators of websites embedding Facebook’s “Like” button act as data controllers jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors … Continue reading
Cyber law firm of the year nomination
Posted in General
We are pleased to report that Norton Rose Fulbright has been shortlisted for cyber law firm of the year at the 2019 Insurance Insider Cyber Rankings Awards.… Continue reading
FTC to levy unprecedented $US5bn fine against Facebook
Posted in Data breach, Regulatory response
The Wall Street Journal reported that Federal Trade Commission and Facebook reached a settlement to resolve Facebook’s privacy issues.… Continue reading
German M&A Deals: Share Deals Remain the Only Secure Way to Transfer All Customer Data
Posted in Compliance and risk management
The German data protection authorities, acting as the German data protection conference (Datenschutzkonferenz), recently published guidance on how to transfer customer data in an asset deal. The guidance runs through various scenarios. In most cases, a bulk transfer of all customer data is not permitted. Further, the guidance makes no mention of, or allowance for, … Continue reading
New CNIL €400,000 fine for data security breaches and non-compliance with data retention period under the GDPR
Posted in Data breach, EnforcementFollowing the now famous €50m fine imposed on Google LLC in January 2019,[1] the French Data Protection Authority (the CNIL) published a decision taken on 28 May 2019[2] imposing a fine of €400,000 on SERGIC, a company specialised in real estate development, purchase, sale, rental and property management.… Continue reading
New Chinese Measures for Personal Data Cross-Border Transfer Security Assessments
Posted in Cybersecurity, Data breachICO blog post on AI and solely automated decision-making
Posted in Compliance and risk management
The ICO has published a blog post on the role of “meaningful” human reviews in AI systems to prevent them from being categorised as “solely automated decision-making” under Article 22 of the GDPR. That Article imposes strict conditions on making decisions with legal or similarly significant effects based on personal data where there is no … Continue reading
Parenting support club Bounty fined in ‘unprecedented’ data breach
Posted in Enforcement
On 12 April, the Information Commissioners Office (ICO) fined Bounty, a pregnancy and parent support club, £400,000 for illegally sharing personal data belonging to more than 14 million people. As the contravention took place just before the General Data Protection Regulation (GDPR) came into force, the fine was issued under the Data Protection Act 1998 … Continue reading
UK Supreme Court grant Morrisons permission to appeal vicarious liability finding
Posted in Data breach
The Supreme Court has granted Morrisons to appeal against the judgment of the Court of Appeal in Morrison Supermarkets PLC v Various Claimants.… Continue reading
EU Advocate General issues opinion on consent for cookies and intersection between ePrivacy-Directive and GDPR
Posted in Dispute resolution and litigation
The opinion includes whether consent is ‘freely given’ pursuant to the ePrivacy-Directive and GDPR and insight on what constitutes ‘informed consent.'… Continue reading
Comments at CCPA public forum in Los Angeles highlight tensions between businesses and consumer rights groups
Posted in Compliance and risk management
On January 25, 2019, the California Attorney General’s Office held a public forum in Los Angeles to solicit feedback on the California Consumer Privacy Act of 2018 (“CCPA”) as it prepares to draft regulations which must be adopted on or before July 1, 2020.… Continue reading
First multi-million Euro GDPR fine: Google LLC fined €50 million under GDPR for transparency and consent infringements in relation to use of personal data for personalized ads
On January 21,2019 the French data protection authority (the CNIL) imposed a major fine on the U.S. Google entity, Google LLC. It follows two complaints filed as soon as the GDPR came into force by two consumer rights associations, None of Your Business and La Quadrature du Net. We focus here on four key aspects … Continue reading
European Commission adopts adequacy decision on Japan
Posted in Regulatory responseOn January 23rd 2019, the European Commission adopted its adequacy decision in relation to the export of personal data from the European Union (EU) to Japan. Concurrently, Japan has adopted an equivalent decision in relation to the export of personal data from Japan to the EU. Such mutual decision is the result of two-years of … Continue reading
Parliament fails to approve the EU Withdrawal Agreement: Data protection implications
Posted in Compliance and risk management
On 25 November 2018 the UK Government and the EU agreed a draft withdrawal agreement which set out the terms of the UK’s departure from the EU and made a political declaration on the framework for their future relationship, as provided for under Article 50(2) of the Treaty on European Union (Withdrawal Agreement). The purpose … Continue reading
