Welcome back to our two-part series examining CNIL vs. Google: 10 lessons from the largest data protection fine ever issued.  In this post we continue our analysis of CNIL vs. Google by taking a closer look at the additional lessons we can learn from this important decision. 

6. …tell data subjects exactly what you’re doing with their data

CNIL found that it was hard for users to understand what Google was doing with their data. They commented: “Users are not able to fullly understand the extent of the processing operations… the purposes of processing are described in too generic and vague a manner and so are the categories of data processed for these various purposes.”

The lesson here is: tell data subjects clearly what data you are collecting and what you are using it for. Do not try to obfuscate it. Continue Reading CNIL vs. Google: 10 lessons from the largest data protection fine ever issued Part Two

In January 2019, the French data protection authority, CNIL (Commission Nationale de l’informatique et des libertés), announced that it had fined Google 57 million euros (approximately £44 million or USD$65 million) for breaching the EU’s General Data Protection Regulation (GDPR) through its use of targeted advertising.

The fine arose out of complaints made against Google to CNIL by privacy activists immediately after the GDPR came into force in May 2018. At the time of writing, it is the largest data protection fine ever issued – but what can we learn from CNIL’s decision? Continue Reading CNIL vs. Google: 10 lessons from the largest data protection fine ever issued

The General Data Protection Regulation (GDPR) imposes strict obligations upon organizations that process the “personal data” of European individuals. Failure to comply with GDPR can result in large fines. The UK’s Information Commissioner’s Office (ICO), in recent months, issued a number of fines of £500,000 on global businesses with household names, and such fines have generated a lot of publicity. Many onlookers would be shocked by the magnitude of those fines but may not have appreciated that they were imposed under the Data Protection Act 1998, which was in force when the offending breaches occurred. Had the breaches taken place after May 25th of this year, when the GDPR took effect, those fines would more than likely have been significantly higher.

Businesses have therefore invested significant resources and money to make sure that they do not fall foul of the obligations imposed by the GDPR. Yet, within less than a year of the GDPR becoming binding law, those same businesses face further disruption as Brexit looms. Continue Reading Implications of Brexit on GDPR

As previously discussed, the General Data Protection Regulation (GDPR) created heightened consent standards for companies processing and sharing personal data of EU data subjects.  When processing personal data under the GDPR, consent must be freely given, specific, informed, and unambiguous.  Further, the GDPR requires affirmative action by the user, forcing them to manually “check/click” opt-in boxes.  This removes the potential for “implied consent” under past acceptable practice, where the consent box was already “checked/clicked” for users; under that practice the user gave “implied consent” unless the box was manually “unchecked”  (withdrawing their consent).

While the GDPR governs the processing and sharing of personal data, a second set of regulations has already been regulating electronic direct marketing (EDM).  The Privacy and Electronic Communications Regulations (PECR) sets rules that organizations must follow when sending EDM.  As a result, when organizations process personal data for use in EDM campaigns, there must be compliance with both the GDPR and PECR.

Continue Reading How Direct Marketing is Impacted by GDPR and PECR

In the matter of LabMD Inc. v. Federal Trade Commission, case number 16-16270, the U.S. Court of Appeals for the Eleventh Circuit ruled against the FTC, finding that the order against LabMD for lax data security measures was not enforceable.

The FTC’s original order against LabMD was due to a 2008 security incident where a LabMD employee downloaded a program which exposed customer information over the internet. Although customer harm was never shown by FTC, in 2016 the agency issued a Final Order against LabMD for unreasonable data security practices. The case was eventually brought before the Eleventh Circuit by LabMD to determine if the alleged failure to implement reasonable data security measures in 2008 was an unfair practice under Section 5(a) of the FTC Act.

Continue Reading FTC’s Loss in the Eleventh Circuit Will Not Impede Data Security Enforcement

After 25 May 2018, data protection will be a high-risk issue for all retailers who fall within the scope of the GDPR. Organizations can be fined up to 4% of annual worldwide turnover or 20 million euros (whichever is greater) for violations of the GDPR. Moreover, the GDPR applies to any business that targets goods or services at individuals located in the EU – so retailers can be caught by the GDPR even if they have no physical presence in the Union.

Retailers should pay particular attention to how they obtain customers’ consent to marketing. The GDPR requires a high standard for consent to use personal data, and violation of the consent is a serious infringement.

Continue Reading Retailers, Consent and the GDPR: Is Your Business in Breach?

On May 25, 2018, the General Data Protection Regulation (GDPR) goes into effect. Are you ready?

Who’s affected?  

Organizations, anywhere in the world, that process the personal data of European Union (EU) residents should pay attention to GDPR and its territorial scope.

If you collect personal data or behavioral information from someone in the EU (also referred to as a “data subject” in the GDPR), your company will be subject to the requirements of GDPR. The extended scope of GDPR will apply to your company even if:

  1. the processing of personal data takes place outside of the EU;
  2. no financial transaction takes place; or
  3. your company has no physical operations or employees in the EU.

The definition of “personal data” is broader than the definition of “personally identifiable information”, commonly used in U.S. information security and privacy laws.

Why should you care?

Failing to comply with GDPR may result in a maximum fine of €20,000,000 euros or 4% of global turnover, whichever is higher.

There are questions over how EU regulators will enforce these fines on companies outside of the EU. However, it would be ill-advised to underestimate the EU’s desire to create uniform data privacy laws for its market and the lengths to which regulators may go to accomplish this goal. GDPR extraterritorial enforcement mechanisms with authorities in non-EU countries is very possible.

The potential reputational damage that may result from noncompliance is also something organizations should consider. Non-EU companies, especially those with a strong online presence, should think whether action is required now to avoid the possibility of unfavorable headlines down the line.

How to mitigate risk?

  1. Conduct a Data Privacy Audit (DPA). A DPA should show you the location of data in your company and map the flows of this data. A DPA should also map your current data processing activities against the rights of data subjects which are mandated by GDPR. Examples being, the rights of data subjects to access their personal data and the right to be forgotten. The UK information commissioner’s office has provided helpful guidance on DPAs which can be accessed here.
  2. Put in place processes for deleting data.   One of the 7 principles of GDPR is data minimization. Organizations must not keep data for longer than necessary and data subjects have the right to request the deletion of the personal data that you hold about them (known as the “right to be forgotten”). If not already in place, you should establish processes for deleting personal data: (i) on request; and (ii) if its retention is no longer necessary.
  3. Re-examine consent mechanisms. Consent of the relevant data subject is the basis upon which many organizations comply with the requirements of existing EU data protection laws relating to the processing and storing of such data subject’s personal data. If this is true of your organization you should note that the requirements under GDPR for obtaining consent are more stringent. For example, if you use pre-checked opt-in boxes to gain consent, GDPR clarifies that this is not an indication of valid consent. If your current mechanisms for obtaining consent or the consents that you already have do not meet the standards set by GDPR, you should consider updating such mechanisms and seeking new consents which satisfy the requirements of GDPR.
  4. Appoint a data processing officer (DPO).   If your core activities call for either: (i) regular and systematic monitoring of data subjects on a large scale, or (ii) processing on a large scale of certain categories of data you may be required to appoint a DPO.

If you have any questions or concerns regarding GDPR compliance please email EUDataProtection@mcguirewoods.com.

The GDPR (General Data Protection Regulation) will be applicable as of May 25, 2018. The (high) level of penalties under the GDPR will become one of the core issues for companies. Indeed the GDPR is based on the European fundamental rights to privacy and data protection and could potentially apply outside the European Union.

In order to reassure companies and as a first step, the French Data Protection Authority (DPA), the CNIL, assured that the application of the GDPR in France will be flexible. This declaration was made on its website this Monday, February 19, 2018.  The CNIL also assured companies that it will provide some assistance to companies in the first months after the entry into application of the GDPR. In this way, an accompanying information guide will be published by the CNIL (co-edited with the French public investment bank) to help companies.

Finally, the CNIL assured companies that it will not sanction by any means each company that does not comply with the GDPR. The approach will be pragmatic with a distinction between the existing fundamental principles (existing under the current law) and the new requirements that need adjustments within companies.

The existing principles for which there will be no flexibility or tolerance are, for example, the obligation to process in a lawful, fair and transparent manner, the obligation to collect data for an explicit and legitimate purpose, the principles of accuracy and data retention and the principle of ensuring appropriate security when processing data. For these principles, the CNIL will control the companies and will apply the GDPR sanctions as of May 25, 2018. The CNIL announced strong verifications of company compliance with these principles.

However concerning new principles, such as the right to data portability, the requirement to nominate a Data Protection Officer (DPO) and the requirement of maintaining a record of processing activities, the goal of the first verifications will be to assist companies and help them in understanding and implementing  these new principles. The French DPA’s intention will not be to take sanctions immediately on each infringement. Indeed, if a company is acting in good faith and cooperate with the CNIL, these verifications will not lead to procedure of sanctions.

This tolerance only concerns the year 2018 at this time.

The CNIL emphasized that the GDPR will lead to the disappearance of the duty of notification to the national DPA. These notifications will be replaced by the record of processing activities and, where the processing is likely to result in a high risk, by the Data Protection Impact Assessment (DPIA).

In this way and as a first step, it will exist as a tolerance for implementing a DPIA for current processing. This tolerance will be time limited. Indeed, the GDPR will impose a reassessment of risks in a dynamic way. As a result, this DPIA will be carried out within a reasonable time of three years.

A few days before this statement, the French National Assembly adopted the draft law on personal data protection, effective on May 25, 2018.

The EU and U.S. competent authorities have one year to implement the recommendations that the Article 29 Working Party (WP29, which is a gathering of all EU national data protection authorities) made in its opinion of November 28, 2017 to increase the level of personal data protection provided by the Privacy Shield framework. As they announced in this opinion, failure to do so will result in these authorities challenging the validity of the Privacy Shield adequacy decision before courts. Such a cancellation could lead to certified U.S. companies losing their certification (2,400 companies, including web giants and major cloud providers), having to freeze data flows and implementing other legal mechanisms allowing them to import personal data from the EU.

It should be noted that the EU and U.S. authorities negotiated the Privacy Shield under a perspective that was more in line with Directive 95/46 (the main data protection applicable instrument at the time of negotiation) than with the General Data Protection Regulation (GDPR). The GDPR will repeal this Directive and increase the level of protection of personal data from May 25, 2018, and the WP29 will plan to prepare businesses for it.

In its report, the WP29 focuses on guarantees of enforcement and efficiency. Continue Reading The WP29 Issues an Ultimatum to Improve the Privacy Shield

In early 2017, the EU Commission published a communication about “Exchanging and Protecting Personal Data in a Globalized World” in which the EU Commission prioritizes discussions on possible adequacy decision with key trading partners, starting from Japan and South Korea in 2017. A first step appears to be taking place by the fact that South Korea has agreed to join – as an observer in the first instance- the Council of Europe Convention for Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108). South Korea does not exclude a future step towards an inclusion as a party to the Convention 108.

On November 2017, the Commissioner for Justice, Consumers and Gender Equality, the Chairman of the Korea Communication Commission and the Vice-President of the Korea Internet & Security Agency met, in Brussels, to discuss the possibilities of further strengthening cooperation between the EU and South Korean around data protection, including data flows.

Both sides expressed the need to ensure a high level of privacy and data security. Each assured they are ready to enhance cooperation in promoting strong data protection standards as soon as personal data is a central factor of consumer trust in the data economy.

EU and South Korean privacy legislation has recently reformed, increasing the convergence between the data protection regimes. New opportunities now exist to further facilitate data flows, including through an adequacy decision of the EU Commission.

The EU Commission and South Korea have reaffirmed their commitment to intensify their efforts towards achieving their common objective in 2018.