On July 16, the European Court of Justice (CJEU) issued a highly-anticipated decision evaluating the validity of two popular mechanisms for transferring personal data from the EU to the United States: Privacy Shield and Standard Contractual Clauses (SCCs). The Court struck down Privacy Shield, but upheld the validity of SCCs – although not without providing
As we mark Data Privacy Day, today is a good time to take stock of where U.S. privacy legislation stands in relation to the developments of the past few years. In less than two years, the GDPR and the CCPA became the most comprehensive privacy laws in effect, granting individuals extensive rights over their information,…
In the 2010s, Kelley Drye’s Ad Law Access blog posted approximately 1500 entries. Below are the most popular by year. To give you a sense of beginning to end, the first post came one month after Apple announced the iPad and the last just days before the first all-female spacewalk by astronauts Christina Koch and…
In 2019, Ad Law Access published 124 stories on a wide range of topics. However, two topics stood out above the others:
- California Consumer Privacy Act (CCPA)
CCPA was far and away the most popular topic of 2019 and, as mentioned in one of our last posts of the year, “businesses and privacy professionals
On Tuesday, September 24, 2019, the European Court of Justice issued two rulings that further defined the right to be forgotten under European laws. The right to be forgotten, also known as the right to erasure, is a fundamental tenet of the General Data Protection Regulation (GDPR). The right allows, among other things, consumers to…
Kelley Drye & Warren LLP announced the launch of the Ad Law Access podcast – a new podcast from its advertising law and privacy law groups. Hosted by Kelley Drye attorneys, including Christie Grymes Thompson, Alysa Hutnik, John Villafranco, Gonzalo Mon, and Kristi Wolff, the podcast provides updates on advertising and policy law trends, issues,…
The Danish and Polish data protection authorities issued their first GDPR fines last month. The cases serve as indicators of the kinds of technical violations enforcement officials are looking to deter as they police the EU’s new privacy regulation.
In Denmark, Datatilsynet recommended fining the taxi company Taxa 4×35 nearly $180,000 for failing to delete…
On Monday, France’s Data Protection Agency announced that it levied a €50 million ($56.8 million) fine against Google for violating the EU’s new General Data Protection Regulation (GDPR). The precedent-setting fine by the Commission Nationale de l’Informatique et des Libertés (“CNIL”) is the highest yet imposed since the new law took effect in May 2018.
How Does Google Violate GDPR, According to CNIL?
- Lack of Transparency: GDPR Articles 12-13 require a data controller to provide data subjects with transparent, intelligible, and easily accessible information relating to the scope and purpose of the personal data processing, and the lawful basis for such processing. CNIL asserts that Google fails to meet the required level of transparency based on the following:
- Information is not intelligible: Google’s description of its personal data processing and associated personal data categories is “too generic and vague.”
- Information is not easily accessible: Data subjects must access multiple Google documents or pages and take a number of distinct actions (“5 or 6”) to obtain complete information on the personal data that Google collects for personalization purposes and geo-tracking.
- Lawful basis for processing is unclear: Data subjects may mistakenly believe that Google's legal basis for processing is legitimate interests (which does not require consent) rather than the individual's consent.
- Data retention period is not specified: Google fails to provide information on the period that it retains certain personal data.
- Invalid Consent: Per GDPR Articles 5-7, a data controller relying on consent as the lawful basis for processing of personal data must be able to demonstrate that consent by a data subject is informed, specified, and unambiguous. CNIL claims that Google fails to capture valid consent from data subjects as follows:
- Consent is not “informed”: Google’s data processing description for its advertising personalization services is diluted across several documents and does not clearly describe the scope of processing across multiple Google services, the amount of data processed, and the manner in which the data is combined.
- Consent is not unambiguous: Consent for advertising personalization appears as pre-checked boxes.
What Does This Mean for Other Companies?
The European Union (EU) is preparing to treat the United Kingdom (UK) as a third country after its withdrawal from the bloc, commonly known as Brexit. Unless a deal is agreed before 29 March 2019, the UK’s trade with the EU will be heavily impacted by regulatory restrictions, increased costs, and lengthier procedures applicable to the movements of people, goods and services. Less obvious is the impact on trade of the “no deal” scenario from potentially restricted data flows. With only eight months left until Brexit Day, the UK and EU have yet to start talks on a data protection agreement.
Data flows play an increasingly important part in international trade and are estimated to contribute up to 2.8 trillion USD to the world economy. In 2016 alone, EU services reliant on data exported to the UK, such as finance, telecoms and entertainment, were worth approximately 36 billion EUR. Data flows from the UK to the EU constitute as much as three-quarters of all data from the UK. Under the EU’s General Data Protection Regulation (GDPR), however, personal data included in such data flows must be protected. For companies, this can include employee data (e.g. payroll information, biographical information, etc.) and customer data (e.g., contact information, transaction information, biographical information, social media profiles, etc.). Data flows from the EU to a third country are permitted if there is an adequacy decision by the European Commission that the third country’s data protection laws are adequate to meet the objectives of the GDPR or through another adequacy mechanism approved by the European Commission (e.g., EU-approved Binding Corporate Rules, use of Standard Contractual Clauses, etc.).…
Continue Reading No Post-Brexit Arrangement on Data Protection Will Affect UK-EU Trade
Last week, the House Committee on Energy and Commerce held a Committee Hearing on the Oversight of the Federal Trade Commission. All five Commissioners attended and their message was largely the same: the FTC needs additional rulemaking and civil penalty authority to better protect consumers, especially as it applies to privacy and data security enforcement.
Privacy and data security were a focus of the Chairman’s opening statements, during which he noted that both were a top priority for the agency. Chairman Simons also discussed the need for the FTC to have jurisdiction over nonprofits and common carriers, imploring Congress to pass legislation giving the agency such authority, along with comprehensive data security legislation. Simons noted that the FTC was watching and assessing the EU’s implementation of its comprehensive privacy law, the General Data Protection Regulation (GDPR), to see how it may apply to the U.S., and he reaffirmed the agency’s commitment to enforcing the EU-U.S. Privacy Shield, as it has done in the past.
Chairman Simons also referenced the hearings that the Commission will be holding in the fall, emphasizing that he anticipated the agency would benefit from participant input on a number of topics—from merger guidelines to privacy and data security. Simons, a former student of Chairman Pitofsky, noted that the agency held similar hearings during the Pitofsky era that resulted in agency action, such as amendments to the merger guidelines. The Chairman noted that he wanted this year’s hearings to be similarly effective in setting the agency’s future agenda.…
Continue Reading Big Government? FTC Advocates for More Authority in Congressional Hearing