On May 12, 2021, the Dutch supervisory authority (the Autoriteit Persoonsgegevens or AP) issued a press release on a EUR 525,000 fine against Locatefamily.com for failing to appoint an EU representative, with additional penalty payments pending should the violation persist. The press release is available in English here, and the decision is available in Dutch here (“Decision”).
Continue Reading Locatefamily.com Fined EUR 525,000 for Failure to Appoint an EU Representative
Laura Brodahl
Booking.com Fined EUR 475,000 for Failure to Timely Notify Dutch Supervisory Authority of Data Breach
The Dutch supervisory authority (the Autoriteit Persoonsgegevens or AP) sanctioned the online travel booking platform, Booking.com BV (Booking), with a EUR 475,000 fine for failing to notify a data breach to the AP within 72 hours after becoming aware of it, as required by the EU General Data Protection Regulation (GDPR). The decision is available in Dutch here.
Draft EDPB Guidelines Clarify the Roles of Parties Processing Personal Data and Call for Detailed Data Processing Agreements
On September 7, 2020, the European Data Protection Board (EDPB) published draft guidelines (Guidelines) intended to clarify the roles of the parties processing personal data and when they are operating as controllers, joint controllers, or processors under the EU General Data Protection Regulation (GDPR).
CJEU Advocate General Confirms Validity of EU Data Transfer Tools
On December 19, 2019, the Advocate General (AG) of the highest EU Court (the Court of Justice of the European Union (CJEU)) issued his opinion in Schrems II[1] (the opinion). Wilson Sonsini previously covered the key points of the opinion in our Alert of December 20 and now provides a more detailed analysis in this contribution.
At stake in this case is the validity of two key EU data transfer mechanisms, the Standard Contractual Clauses (SCCs) and the EU-U.S. Privacy Shield. The SCCs allow companies to transfer personal data to any country outside of the European Economic Area. The Privacy Shield enables transfers specifically from the EU to the U.S.
UK’s Age Appropriate Design Code Pending
The Information Commissioner’s Office (ICO) has confirmed that by November 23, 2019, it will present its Age Appropriate Design Code of Practice to the UK Parliament for approval. Unless Parliament objects, this mandatory code will be issued and in force (albeit with a transition period) as early as January 2020.
The final code has been hotly anticipated since the call for input on the issue of age appropriate design in June 2018. Since then, the ICO has worked with a large number of stakeholders to understand the key challenges when designing child-accessible services. In that context, it published its draft iteration of the code for consultation earlier this year (the Draft Code). This Draft Code sets out 16 standards (the Standards) which must be followed when designing online services accessible to children under 18. In an August update, the ICO recognized that the code will cause shifts in the design processes for online services which make use of children’s data, such as the tech, e-gaming and interactive entertainment industries. In light of this, the ICO, as well as providing clearer guidelines in the code itself, will provide additional guidance for designers and engineers. The ICO adds, however, that non-compliance is not an option, stressing that “[t]here is no room for companies who decide children’s privacy is a problem that’s simply too hard to solve.”
Belgian Facebook Case Referred to the European Court of Justice
On May 8, 2019, the Brussels Court of Appeal referred the Belgian Data Protection Authority’s (DPA) case against Facebook to the European Court of Justice (CJEU) to address jurisdictional issues regarding which DPA is competent to bring enforcement actions against Facebook. The case deals with Facebook’s collection of individuals’ data through cookies stored in Facebook’s social plugins. The Belgian DPA alleges that Facebook’s data collection is unlawful as it lacks valid consent and does not provide appropriate notice to individuals. Several courts in Belgium have already examined the issues, but the case now reaches a new phase as the Brussels Court of Appeal referred critical questions to the CJEU dealing with the interpretation of the concept of “Lead Supervisory Authority” under the General Data Protection Regulation (GDPR).