Privacy

Subscribe to Privacy via RSS

Overview

On June 25, 2021, the U.S. Supreme Court decided TransUnion v. Ramirez, which held that even when a statute has been violated, and that statute provided a private right of action, plaintiffs still need a concrete injury in fact to have standing to bring a lawsuit in federal court. In this case, the statutory framework at issue is the Fair Credit Reporting Act (FCRA). Though this case arises in the context of the FCRA, its outcome is likely to have a sweeping impact on many areas of class action litigation where the concreteness of injury is at issue, such as data breach litigation.
Continue Reading No Harm, No Foul: Supreme Court Narrows Article III Standing to Require That All Class Members Suffer a Concrete Injury in Fact

On May 20, 2021, the Belgian Supervisory Authority (Belgian SA) approved the EU Cloud Code of Conduct (EU Cloud CoC).[1] This is the first time that a Supervisory Authority has approved a transnational, industry-wide code of conduct under the General Data Protection Regulation (GDPR).[2] Cloud service providers (CSPs) will be able to rely on their adherence to the code to demonstrate compliance with the GDPR as a data processor. Although the EU Cloud CoC does not yet qualify as an appropriate safeguard for international data transfers, a separate module is currently under discussion and should, when adopted, accommodate such transfers.
Continue Reading Belgian DPA Approves Code of Conduct for the Cloud Industry

On June 4, 2021, the European Commission published its long awaited new set of Standard Contractual Clauses for outsourced data processing (DPA SCCs). These DPA SCCs are a contract template that organizations can use to comply with the General Data Protection Regulation’s (GDPR) rules on outsourced data processing.
Continue Reading EU Commission Publishes Template Data Processing Agreement

On May 12, 2021, the Dutch supervisory authority (the Autoriteit Persoonsgegevens or AP) issued a press release on a EUR 525,000 fine against Locatefamily.com for failing to appoint an EU representative, with additional penalty payments pending should the violation persist. The press release is available in English here, and the decision is available in Dutch here (“Decision”).
Continue Reading Locatefamily.com Fined EUR 525,000 for Failure to Appoint an EU Representative

On March 15, 2021, the Bavarian Supervisory Authority (SA)[1] issued a decision regarding the use of Standard Contractual Clauses (SCCs) to transfer personal data from the EU to the U.S. without supplementary security measures. The SA found the data transfer to be unlawful in this case, although it did not impose an administrative fine. The SA’s findings could indicate how European regulators approach the use of SCCs post-Schrems II.
Continue Reading Bavarian SA Finds the Use of SCCs Without Supplementary Measures Unlawful

The Dutch supervisory authority (the Autoriteit Persoonsgegevens or AP) sanctioned the online travel booking platform, Booking.com BV (Booking), with a EUR 475,000 fine for failing to notify a data breach to the AP within 72 hours after becoming aware of it, as required by the EU General Data Protection Regulation (GDPR). The decision is available in Dutch here.
Continue Reading Booking.com Fined EUR 475,000 for Failure to Timely Notify Dutch Supervisory Authority of Data Breach