European Commission Comments on GDPR’s One-Year Anniversary

On the one-year anniversary of the GDPR, Andrus Ansip, Vice-President for the Digital Single Market and Věra Jourová, Commissioner for Justice, Consumers and Gender Equality has released a joint statement on the momentous law: “The main aim of the rules has been to empower people and help them to gain more control over their personal data. This is already happening as people are starting to use their new rights and more than two-third of Europeans have heard of the regulation.”  The entire statement can be found here.

FTC Extends Comment Deadline on Proposed Changes to Safeguards Rule

The FTC has extended the deadline to submit comments on proposed changes to the Safeguards Rule by 60 days until August 2nd.  In March, the FTC announced it was seeking comment on proposed changes to the Gramm-Leach-Bliley Act’s Safeguards Rule as well as the Privacy Rule. These regulations require financial institutions to inform customers about its information-sharing practices. More information can be found here.

FBI Reports That Cybercrime Cost $2.7B in 2018

The FBI’s annual Internet Crime Report, states that IC3 received 351,936 complaints in 2018 which is about 900 every day. The statement released with the report said, “[t]he most frequently reported complaints were for non-payment/non-delivery scams, extortion, and personal data breaches. The most financially costly complaints involved business email compromise, romance or confidence fraud, and investment scams, which can include Ponzi and pyramid schemes.” More information can be found here.
Continue Reading

The General Data Protection Regulation (GDPR) imposes strict obligations upon organizations that process the “personal data” of European individuals. Failure to comply with GDPR can result in large fines. The UK’s Information Commissioner’s Office (ICO), in recent months, issued a number of fines of £500,000 on global businesses with household names, and such fines have generated a lot of publicity. Many onlookers would be shocked by the magnitude of those fines but may not have appreciated that they were imposed under the Data Protection Act 1998, which was in force when the offending breaches occurred. Had the breaches taken place after May 25th of this year, when the GDPR took effect, those fines would more than likely have been significantly higher.

Businesses have therefore invested significant resources and money to make sure that they do not fall foul of the obligations imposed by the GDPR. Yet, within less than a year of the GDPR becoming binding law, those same businesses face further disruption as Brexit looms.
Continue Reading

As previously discussed, the General Data Protection Regulation (GDPR) created heightened consent standards for companies processing and sharing personal data of EU data subjects.  When processing personal data under the GDPR, consent must be freely given, specific, informed, and unambiguous.  Further, the GDPR requires affirmative action by the user, forcing them to manually “check/click” opt-in boxes.  This removes the potential for “implied consent” under past acceptable practice, where the consent box was already “checked/clicked” for users; under that practice the user gave “implied consent” unless the box was manually “unchecked”  (withdrawing their consent).

While the GDPR governs the processing and sharing of personal data, a second set of regulations has already been regulating electronic direct marketing (EDM).  The Privacy and Electronic Communications Regulations (PECR) sets rules that organizations must follow when sending EDM.  As a result, when organizations process personal data for use in EDM campaigns, there must be compliance with both the GDPR and PECR.


Continue Reading

The EU-US Privacy Shield is one of the legal mechanisms enabling the transfer of personal data outside the European Economic Area to US companies that have self-certified to a number of privacy principles (which correspond to EU data protection requirements). The Privacy Shield replaced the Safe Harbour scheme and came into effect almost two years ago in August 2016. Since then it has faced numerous criticisms and legal challenges and is under scrutiny once again, facing possible suspension and even invalidation.


Continue Reading

The General Data Protection Regulation (GDPR) is now in effect.  On the 25th of May, the day the GDPR took effect, Commissioner Jourová made a speech, in Brussels, at the General Data Protection Regulation conference to mark the beginning of a new chapter in data protection’s history in the EU. In her speech, the Commissioner recalled that data protection is of vital importance for EU citizens as personal data protection is a fundamental right in the EU and that this matter is also crucial for businesses as personal data protection is an issue for trust in the digital market.

However, some EU countries, including Belgium, Greece and Hungary for example, missed the May 25th deadline and are not ready to fully enforce the GDPR. This creates legal uncertainty for both citizens and companies.


Continue Reading

After 25 May 2018, data protection will be a high-risk issue for all retailers who fall within the scope of the GDPR. Organizations can be fined up to 4% of annual worldwide turnover or 20 million euros (whichever is greater) for violations of the GDPR. Moreover, the GDPR applies to any business that targets goods or services at individuals located in the EU – so retailers can be caught by the GDPR even if they have no physical presence in the Union.

Retailers should pay particular attention to how they obtain customers’ consent to marketing. The GDPR requires a high standard for consent to use personal data, and violation of the consent is a serious infringement.


Continue Reading

On May 25, 2018, the General Data Protection Regulation (GDPR) goes into effect. Are you ready?

Who’s affected?  

Organizations, anywhere in the world, that process the personal data of European Union (EU) residents should pay attention to GDPR and its territorial scope.

If you collect personal data or behavioral information from someone in the EU

The GDPR (General Data Protection Regulation) will be applicable as of May 25, 2018. The (high) level of penalties under the GDPR will become one of the core issues for companies. Indeed the GDPR is based on the European fundamental rights to privacy and data protection and could potentially apply outside the European Union.

In

From April 1, 2018, all new cars in the European Union (EU) must be equipped with eCall technology.

What is eCall?

eCall is a service designed to provide quick emergency response. In the event of a serious accident, the in-vehicle eCall system automatically communicates to the emergency services; the vehicle’s exact location; the time of

The EU and U.S. competent authorities have one year to implement the recommendations that the Article 29 Working Party (WP29, which is a gathering of all EU national data protection authorities) made in its opinion of November 28, 2017 to increase the level of personal data protection provided by the Privacy Shield framework. As they announced in this opinion, failure to do so will result in these authorities challenging the validity of the Privacy Shield adequacy decision before courts. Such a cancellation could lead to certified U.S. companies losing their certification (2,400 companies, including web giants and major cloud providers), having to freeze data flows and implementing other legal mechanisms allowing them to import personal data from the EU.

It should be noted that the EU and U.S. authorities negotiated the Privacy Shield under a perspective that was more in line with Directive 95/46 (the main data protection applicable instrument at the time of negotiation) than with the General Data Protection Regulation (GDPR). The GDPR will repeal this Directive and increase the level of protection of personal data from May 25, 2018, and the WP29 will plan to prepare businesses for it.

In its report, the WP29 focuses on guarantees of enforcement and efficiency.
Continue Reading