Belgian Data Protection Authority Clarifies Key Rules on Biometric Data Processing
On December 6, 2021, the Belgian Data Protection Authority (Belgian DPA) issued its recommendation on biometric data processing (Recommendation).[1] The Recommendation provides guidance on how to comply with the General Data Protection Regulation (GDPR) when processing biometric data.
2021 Privacy and Cybersecurity Year in Review
FTC Activities in 2021 and Likely Trends for 2022
2021 saw the kickoff of the Khan era at the Federal Trade Commission (FTC). During FTC Chair Lina Khan’s first nine months on the job, she has announced privacy and security initiatives that offer important insights into her priorities. Companies should pay close attention to FTC activity in 2021 and public statements from FTC’s leadership to prepare for 2022. Here’s a list of 10 likely trends we can expect to see in 2022 (in no particular order):
Lloyd v. Google: UK Supreme Court Rejects Data Protection Class Action in Landmark Ruling
On November 10, 2021, the UK Supreme Court ruled[1] that class representatives in data privacy class action suits need to prove damage or distress suffered to be successful. Compensation cannot be granted simply by virtue of proving that a company violated the law. The case was heard under the UK’s pre-2018 data protection law, but the UK GDPR arguably does not change the essence of the Court’s ruling.[2]
European Court of Justice Finds That “Inbox Advertising” Is Direct Marketing
On November 26, 2021, the Court of Justice of the European Union (CJEU) held[1] that the display of advertising messages in an email inbox, in a form similar to an email, constitutes direct marketing and requires users’ consent under the ePrivacy Directive.[2]
The CJEU also held that this practice constitutes ‘persistent and unwanted solicitations’ under the Unfair Commercial Practices Directive[3] when those advertising messages are displayed to users without prior consent, on a frequent and regular basis.
EU Regulators Define Data Transfers
They State That Direct Collection of Personal Data by Non-EU Companies Is Not a “Data Transfer” Under the GDPR
On November 18, 2021, the European Data Protection Board (EDPB) issued guidelines (Guidelines) that—for the first time—clarify the notion of “data transfer.” Departing from common understanding, the EDPB has determined that there is no data transfer where EU data subjects disclose on their own initiative personal data directly to a non-EU company. Consequently, there is no need to implement a transfer tool in such situations. The Guidelines are open to public consultation until the end of January 2022.
FTC Releases Updated Safeguards Rule for Financial Institutions
On October 27, 2021, the Federal Trade Commission (FTC) released a final rule that updates the Safeguards Rule of the Gramm-Leach-Bliley Act (Final Rule). This Final Rule comes after the FTC sought comment on proposed changes to the Safeguards Rule in 2019 and held a public workshop in 2020.