The Danish and Polish data protection authorities issued their first GDPR fines last month. The cases serve as indicators of the kinds of technical violations enforcement officials are looking to deter as they police the EU’s new privacy regulation.

In Denmark, Datatilsynet recommended fining the taxi company Taxa 4×35 nearly $180,000 for failing to delete

On Monday, France’s Data Protection Agency announced that it levied a €50 million ($56.8 million) fine against Google for violating the EU’s new General Data Protection Regulation (GDPR).  The precedent-setting fine by the Commission Nationale de l’Informatique et des Libertés (“CNIL”) is the highest yet imposed since the new law took effect in May 2018.

How Does Google Violate GDPR, According to CNIL?

  • Lack of Transparency: GDPR Articles 12-13 require a data controller to provide data subjects with transparent, intelligible, and easily accessible information relating to the scope and purpose of the personal data processing, and the lawful basis for such processing. CNIL asserts that Google fails to meet the required level of transparency based on the following:
    • Information is not intelligible: Google’s description of its personal data processing and associated personal data categories is “too generic and vague.”
    • Information is not easily accessible: Data subjects must access multiple Google documents or pages and take a number of distinct actions (“5 or 6”) to obtain complete information on the personal data that Google collects for personalization purposes and geo-tracking.
    • Lawful basis for processing is unclear: Data subjects may mistakenly view the legal basis for processing by Google as legitimate interests (that does not require consent) rather than individual consent.
    • Data retention period is not specified: Google fails to provide information on the period that it retains certain personal data.
  • Invalid Consent: Per GDPR Articles 5-7, a data controller relying on consent as the lawful basis for processing of personal data must be able to demonstrate that consent by a data subject is informed, specified, and unambiguous. CNIL claims that Google fails to capture valid consent from data subjects as follows:
    • Consent is not “informed”: Google’s data processing description for its advertising personalization services is diluted across several documents and does not clearly describe the scope of processing across multiple Google services, the amount of data processed, and the manner in which the data is combined.
    • Consent is not unambiguous: Consent for advertising personalization appears as pre-checked boxes.
    • Consent is not specific: Consent across all Google services is captured via consent to the Google Terms of Services and Privacy Policy rather than a user providing distinct consent for each Google personal data use case.

What Does This Mean for Other Companies?


Continue Reading

The European Union (EU) is preparing to treat the United Kingdom (UK) as a third country after its withdrawal from the bloc, commonly known as Brexit.  Unless a deal is agreed before 29 March 2019, the UK’s trade with the EU will be heavily impacted by regulatory restrictions, increased costs, and lengthier procedures applicable to the movements of people, goods and services.  Less obvious is the impact on trade of the “no deal” scenario from potentially restricted data flows. With only eight months left until Brexit Day, the UK and EU have yet to start talks on a data protection agreement.

Data flows play an increasingly important part in international trade and are estimated to contribute up to 2.8 trillion USD to the world economy.  In 2016 alone, EU services reliant on data exported to the UK, such as finance, telecoms and entertainment, were worth approximately 36 billion EUR. Data flows from the UK to the EU constitute as much as three-quarters of all data from the UK. Under the EU’s General Data Protection Regulation (GDPR), however, personal data included in such data flows must be protected. For companies, this can include employee data (e.g. payroll information, biographical information, etc.) and customer data (e.g., contact information, transaction information, biographical information, social media profiles, etc.). Data flows from the EU to a third country are permitted if there is an adequacy decision by the European Commission that the third country’s data protection laws are adequate to meet the objectives of the GDPR or through another adequacy mechanism approved by the European Commission (e.g., EU-approved Binding Corporate Rules, use of Standard Contractual Clauses, etc.).
Continue Reading

Just when you think you’ve tackled the Wild, Wild West of GDPR and privacy compliance, California decides to mix it all up again.

This November 6th, California voters will decide on the California Consumer Privacy Act (“Act”), a statewide ballot proposition intended to give California consumers more “rights” with respect to personal information (“PII”) collected from or about them.  Much like CalOPPA, California’s Do-Not-Track and Shine the Light laws, the Act will have broader consequences for companies operating nationwide.

The Act provides certain consumer “rights” and requires companies to disclose the categories of PII collected, and identify with whom the PII is shared or sold. It also includes a right to prevent the sale of PII to third parties, and imposes requirements on businesses to safeguard PII.  If passed, the Act would take effect on November 7, 2018, but would apply to PII collected or sold by a business on or after nine (9) months from the effective date – i.e., on August 7, 2019.

Who is Covered?

The Act is intended to cover businesses that earn $50 million a year in revenue, or businesses that “sell” PII either by (1) selling 100,000 consumer’s records each year, or (2) deriving 50% of their annual revenue by selling PII. These categories of businesses must comply if they collect or sell Californians’ PII, regardless of whether they are located in California, a different state, or even a different country.
Continue Reading

The Federal Trade Commission recently announced settlements with Decusoft, LLC, Tru Communication, Inc. (doing business as TCPrinting.net), and Md7, LLC, resolving allegations that the companies misrepresented their participation in the E.U.-US and Swiss-US Privacy Shield. The announcement comes just before the first Privacy Shield annual review (scheduled for September 2017) and marks the FTC’s first

An Update on the New EU General Data Protection Regulation

On 16 April 2016, the EU adopted the General Data Protection Regulation (‘GDPR’) which largely rewrites and harmonizes the European legal framework of data protection. The new regulation will become applicable in May 2018, but given the scope and complexity of the GDPR it is

On January 16, 2017, the Article 29 Working Party (“Working Party”)—the EU’s central data protection advisory board—published a press release regarding its Action Plan for 2017, which was adopted as part of its wider implementation strategy for the General Data Protection Regulation (“GDPR”).  The Action Plan follows up on the actions initiated in 2016