Tag archives: EU

First multi-million GDPR fine in Germany: €14.5 million for not having a proper data retention schedule in place

Data Protection Report - Norton Rose Fulbright

On October 30, 2019 the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und InformationsfreiheitBerlin DPA) issued a €14.5 million fine on a German real estate company, die Deutsche Wohnen SE (Deutsche Wohnen),  the highest German GDPR fine to date. The infraction related to the over retention of personal data. For the first time, the Berlin DPA applied the new calculation method for GDPR fines issued by the German Datenschutzkonferenz recently (see our recent post).… Continue Reading

No surprises in the recent Planet49 European Court of Justice judgment

Data Protection Report - Norton Rose Fulbright

On 1 October 2019, the European Court of Justice (ECJ) delivered its judgement on Case C – 673/17 (the “Planet49” case), which relates to the consent and transparency requirements for the use of cookies and similar technologies. The ECJ largely followed the March 2019 Opinion of Advocate General Szpunar and the judgment is generally consistent with the recent regulatory guidance issued by the UK and French data protection authorities in this area.… Continue Reading

The right to be forgotten: the CJEU sides with Google in two landmark cases

Norton Rose Fulbright - Data Protection Report blog

On 24 September 2019 the Court of Justice of the European Union (CJEU) gave two judgments (Cases C-507/17 and C-136/17) ruling that: (i) de-referencing by Google should be limited to EU Member States’ versions of its search engine with some important qualifications; and (ii) when Google receives a request for de-referencing relating to a link to a web page on which sensitive data are published, a balance must be sought between the fundamental rights of the person requesting such de-referencing and those of internet users potentially interested in that information.

Google has already faced the issue … Continue Reading

The UK ICO updates its cookie guidance

Norton Rose Fulbright - Data Protection Report blog

On 3 July 2019, the ICO published its updated guidance on the use of cookies and similar technologies. This came shortly after it updated the cookie consent collection mechanism on its own website. Much of the guidance is unsurprising and reflects what companies already do in practice. However, other parts of the guidance are likely to require many organisations to make changes to their current cookies practices.… Continue Reading

German M&A Deals: Share Deals Remain the Only Secure Way to Transfer All Customer Data

Data Protection Report - Norton Rose Fulbright

The German data protection authorities, acting as the German data protection conference (Datenschutzkonferenz), recently published guidance on how to transfer customer data in an asset deal. The guidance runs through various scenarios. In most cases, a bulk transfer of all customer data is not permitted. Further, the guidance makes no mention of, or allowance for, the transfer of marketing permissions which – as these are generally on an opt-in consent basis in Germany – means a buyer cannot rely on the seller’s marketing consents in an asset sale. Therefore, the position in Germany remains that it is highly … Continue Reading

New CNIL €400,000 fine for data security breaches and non-compliance with data retention period under the GDPR

Data Protection Report - Norton Rose Fulbright

Following the now famous €50m fine imposed on Google LLC in January 2019,[1] the French Data Protection Authority (the CNIL) published a decision taken on 28 May 2019[2] imposing a fine of €400,000 on SERGIC, a company specialised in real estate development, purchase, sale, rental and property management.… Continue Reading

EU Advocate General issues opinion on consent for cookies and intersection between ePrivacy-Directive and GDPR

Norton Rose Fulbright - Data Protection Report blog

On March 21, 2019, Advocate General Szpunar released his opinion on the use of consent for the processing of personal data and for the use of cookies pursuant to the ePrivacy-Directive and the General Data Protection Regulation (GDPR).

The opinion includes several key points on whether consent is ‘freely given’ pursuant to the ePrivacy-Directive and the GDPR and also gives insight on what constitutes ‘informed consent.’… Continue Reading

First multi-million Euro GDPR fine: Google LLC fined €50 million under GDPR for transparency and consent infringements in relation to use of personal data for personalized ads

Norton Rose Fulbright - Data Protection Report blog

On January 21,2019 the French data protection authority (the CNIL) imposed a major fine on the U.S. Google entity, Google LLC.  It follows two complaints filed as soon as the GDPR came into force by two consumer rights associations, None of Your Business and La Quadrature du Net.

We focus here on four key aspects of the decision: (a) why the Irish Data Protection Commission (Irish DPC) did not take the case; (b) the consent mechanism failings; (c) the privacy policy failings; and (d) the amount of the fine.… Continue Reading

European Commission adopts adequacy decision on Japan

Data Protection Report - Norton Rose Fulbright

On January 23rd 2019, the European Commission adopted its adequacy decision in relation to the export of personal data from the European Union (EU) to Japan. Concurrently, Japan has adopted an equivalent decision in relation to the export of personal data from Japan to the EU. Such mutual decision is the result of two-years of dialogue and negotiations between both parties.

According to a joint statement issued by  Věra Jourová (Commissioner for Justice, Consumers and Gender Equality) and Haruhi Kumazawa (Commissioner of the Personal Information Protection Commission of Japan), “these mutual adequacy findings create the world’s largest Continue Reading

Parliament fails to approve the EU Withdrawal Agreement: Data protection implications

Data Protection Report - Norton Rose Fulbright

On 25 November 2018 the UK Government and the EU agreed a draft withdrawal agreement which set out the terms of the UK’s departure from the EU and made a political declaration on the framework for their future relationship, as provided for under Article 50(2) of the Treaty on European Union (Withdrawal Agreement). The purpose of the Withdrawal Agreement is to set out the terms of the UK’s departure from the EU and provide a transition period during which a more nuanced and ambitious future relationship can be agreed.

Had the UK Parliament approved the Withdrawal Agreement, it … Continue Reading

Vicarious liability in the data breach context – bad news for UK employers?

Data Protection Report - Norton Rose Fulbright

The Court of Appeal has upheld a decision of the High Court  holding that an employer can be vicariously liable for data breaches caused by the actions of an employee, even where the employee’s actions were specifically intended to harm the employer. This decision is significant as it means a company can be held liable to compensate affected data subjects for loss caused by a data breach, even where the company has committed no wrongdoing and regardless of the employee’s motive.… Continue Reading

UK Government guidance on continued EU-UK data flows upon a no deal Brexit

Data Protection Report - Norton Rose Fulbright

On 13 September 2018 the UK government’s Department for Digital, Culture, Media & Sport published a notice, Data Protection If There’s No Brexit Deal (the Notice). The Notice sets out the actions UK organisations should take to enable the continued flow of personal data between the UK and the EEA in the event that the UK leaves the EU in March 2019 with no exit agreement in place. If this happens, there would be no immediate change in the UK’s own data protection laws because the Data Protection Act 2018 would remain in place and – more importantly – … Continue Reading

One week into GDPR – what you need to know

Norton Rose Fulbright - Data Protection Report blog

Websites go dark, complaints are filed within an hour, European Commission suffers an embarrassing data leak, and the US Commerce Secretary warns about the unintended trade impact of the law – all in the first week of the GDPR

The European Union’s far-reaching General Data Protection Regulation (GDPR) went into effect on 25 May amid much anticipation.  Although the date itself was seen as a watershed moment, what comes after will reveal the full impact of the law.  Even for those businesses that have declared that their GDPR compliance efforts have completed, the work of maintaining and updating their privacy … Continue Reading

German DPAs publish templates and guidance on records of processing activities pursuant to Art. 30 GDPR

Data Protection Report - Norton Rose Fulbright

The German Data Protection Authorities (DPAs, acting as the German Data Privacy Conference, Konferenz der unabhängigen Datenschutzbehörden des Bundes und der Länder) recently published templates for the records of processing activities for controllers (Art. 30 para. 1 GDPR) and processors (Art. 30 para. 2 GDPR) together with a corresponding guidance document. This guidance was expected to be released earlier as the EU General Data Protection Regulation (GDPR) will take effect in less than a hundred days and organisations must meet its requirements from 25 May 2018. However, the guidance does not contain significant new information and mainly confirms … Continue Reading

Germany’s Parliament Approves Local Data Protection Law to Operate Alongside GDPR

Norton Rose Fulbright - Data Protection Report blog

On April 27, 2017, the German Federal Parliament voted to approve the new proposed German Federal Data Protection Act (“new FDPA”). The law would adapt the current German data protection law to the EU General Data Protection Regulation (GDPR). The federal chamber of the states, the German Federal Council, is expected to approved the new FDPA in the next month, without major changes.  Once approved by the Federal Council, the new FDPA will become effective on May 25, 2018, the same date as the GDPR.

The new FDPA seeks to enhance privacy protections in areas where the GDPR … Continue Reading

EU Data Package Highlights Connections between Data Protection and the Digital Single Market

Data Protection Report - Norton Rose Fulbright

On January 10, 2017, the EU Commission published a package of documents on the EU’s data economy strategy, including e-privacy, data protection and the “European Data Economy.” The Commission documents,  published in the context of the Commission’s digital single market (“DSM”) initiative announced in May 2015, illustrate again the strong links between the EU’s digital regulatory strategy, data protection, intellectual property and antitrust policy, notably including the Commission’s preliminary report on its sector inquiry on e-commerce, also launched in May 2015.… Continue Reading

German DPAs: 500 Companies to be Audited on Data Exports

Data Protection Report - Norton Rose Fulbright

Ten German data protection authorities (DPAs), led by the Berlin DPA, announced today that they will send formal questionnaires to about 500 companies in Germany to assess the scope of the companies’ cross-border data transfers. In a press release, the DPAs pointed out that the export of personal data to non-EU countries has become a common practice for major international, as well as small and medium sized companies, without, as the authorities say, adequate attention being paid to the unique data privacy issues raised by cloud computing and software as a service (SaaS).… Continue Reading

NIS Directive Published: EU Member States Have Just Under Two Years to Implement

Data Protection Report - Norton Rose Fulbright

The Directive on Security of Network and Information Systems (known as the NIS Directive) was published in the Official Journal of the European Union on July 19, 2016. Member States will have until May 9, 2018 to implement this Directive into national laws and a further six months to identify “operators of essential services.”

Summary of the NIS Directive

The NIS Directive is the first comprehensive piece of EU legislation relating to the 2013 EU Cybersecurity Strategy. Its objective is to achieve a high common level of security of network and information systems across the EU through improved … Continue Reading

EU Network & Information Security Directive Expected to Become Effective in August 2016

Data Protection Report - Norton Rose Fulbright

The EU Network & Information Security Directive (NISD) (also known as the “Cyber Security Directive”) got one step closer to adoption today when, on May 17, 2016, the EU Council confirmed at first reading the agreement reached with the European Parliament in December 2015. To be enacted, the text must be approved by the European Parliament at second reading. A press release from the European Council states that the NISD is expected to enter into force in August 2016.

The NISD establishes minimum obligations for all Member States on the prevention of, handling of, and response to, risks … Continue Reading

EU GDPR will apply beginning May 25, 2018: Norton Rose Fulbright publishes GDPR Checklist, announces events and master classes

Data Protection Report - Norton Rose Fulbright

Over four years in the making, the EU General Data Protection Regulation (GDPR) was finally published in the EU Official Journal on May 4, 2016, giving a concrete application date. It will apply directly in all EU Member States beginning May 25, 2018. The GDPR will repeal and replace Directive 95/46/EC and its Member State implementing legislation.

Together with the Directive on the Processing of Personal Data for the Purpose of Crime Prevention, the GDPR presents the most ambitious and comprehensive changes to data protection rules around the world in the last 20 years. The final official texts … Continue Reading

EU Data Protection Reform: EU Council of Ministers Publishes Updated Version of the GDPR, Formally Adopts Its Position at First Reading, Announces Crucial Second Reading to Take Place on 14 April

Data Protection Report - Norton Rose Fulbright

On 8 April 2016 (see here), the Council of the European Union announced that it has formally adopted its position at the first reading on the EU General Data Protection Regulation, a key step in the data protection reform process.

The Council’s position will now be sent to the European Parliament who will vote on whether they approve the Council’s position at first reading. This is expected to take place on Thursday 14 April. If the text is adopted in the European Parliament, it will be scheduled for formal adoption in Council shortly thereafter (which should be a mere … Continue Reading

LexBlog