UK data protection regulator demands companies in the RTB ecosystem re-evaluate privacy notices, use of personal data, and lawful basis. By Robert Blamires, Calum Docherty, Laura Holden, and Lucy Tucker The UK Information Commissioner’s Office’s (ICO’s) latest report into adtech and real time bidding (RTB) (the ICO Report) provides a stark assessment of the adtech … Continue Reading
China’s PCPPIC protects children’s personal information in much the same way as COPPA and the GDPR, but with a few differences. By Wei-Chun (Lex) Kuo, Weina (Grace) Gao, and Cheng-Ling Chen On August 22, 2019, the Cyberspace Administration of China (CAC) released a new data privacy regulation related to children, the Provisions on Cyber Protection … Continue Reading
Recent action by the Hamburg authority may present implications for companies regulated by a lead data protection supervisory authority in Europe. By Fiona Maclean, Tim Wybitul, Joachim Grittmann, Wolf Böhm, Isabelle Brams, and Amy Smyth A German supervisory authority has initiated an investigation into Google’s speech recognition practices and language assistant technologies, which are integrated … Continue Reading
If adopted efficiently, the PCPD’s Ethical Accountability Framework should help organizations to demonstrate and enhance trust with individuals. By Kieran Donovan In October, 2018, Hong Kong’s Privacy Commissioner for Personal Data (PCPD) presented the findings of an inquiry into the ethics of data processing, commissioned by the PCPD with the help of the Information Accountability … Continue Reading
UK confirms reciprocal requirements for digital services providers to appoint UK representatives for NIS purposes, following Brexit. By Gail E. Crawford, Fiona Maclean, and Amy Smyth Following a consultation process, the UK government has now confirmed that it will put forward legislation to require non-UK-based digital services providers — larger cloud providers, search engines, and … Continue Reading
The guidance provides general requirements for obtaining valid consent and details conditions under which audience management cookies may be exempt. By Myria Saarinen and Camille Dorval On 4 July 2019, one day after the UK Information Commissioner’s Office (ICO) published new guidance on cookies, the French Data Protection Authority (CNIL) released its own new guidance … Continue Reading
Delicate balance required, as regulators and lobbyist warn of the risks of over-regulation while research indicates users seek greater protection. By Alain Traill Both the ICO and the outgoing Chief Executive of Ofcom have sounded a cautious note regarding the possible consequences of UK proposals to introduce a new regulatory regime intended to combat online … Continue Reading
The proposals would grant consumers increasing rights to require providers to share access to their data directly with chosen third parties. By Alain Traill and Gail Crawford The UK government has released a consultation advocating the introduction of sweeping new requirements for service providers to share both consumer data (upon request) and data regarding their own … Continue Reading
Broadly written rules would allow the Russian government greater central control over content and data flows, and greater access to users’ information. By Fiona M. Maclean and Ksenia Koroleva On May 1, 2019, the Russian President signed draft law No. 608767-7, commonly referred to as the Russian Internet Law, or “RuNet Law” (Federal Law No. … Continue Reading
Online services have until 31 May to respond to 16 draft standards of age-appropriate design. By Fiona Maclean and Olga M. Phillips The ICO is required by s123 of the Data Protection Act 2018 to prepare a code of practice which contains guidance on standards of age-appropriate design of relevant information society services likely to … Continue Reading
UK publishes White Paper with hard-hitting regulatory proposals to tackle online harms. By Alain Traill, Stuart Davis, Andrew Moyle, Deborah Kirk and Gail Crawford On 8 April 2019, the Home Office and the Department for Culture, Media and Sport (DCMS) published an “Online Harms White Paper”, proposing a new compliance and enforcement regime intended to … Continue Reading
The closure of four cases involving targeted advertising provides lessons for navigating compliance standards under the GDPR. By Myria Saarinen and Elise Auvray Four French advertising technology companies that received a warning in 2018 from the French Data Protection Authority (CNIL) have all implemented the regulator’s required changes. The recent closure of the cases highlights … Continue Reading
Companies should identify data flows, implement a data transfer solution, and update internal documents and privacy notices. By Fiona M. Maclean and Jane Bentham Since our blog on “What a “No Deal” Brexit Means for UK Data Privacy”, the European Data Protection Board (EDPB) has published two information notes on data transfers in the event … Continue Reading
The FTC and many state attorneys general aggressively monitor apps, websites, and internet-connected products for COPPA compliance. By Jennifer C. Archie, Michael H. Rubin, and Alexander L. Stout In the United States, collecting data directly from children under 13 years of age is tightly regulated by a federal statute, which is aggressively monitored and enforced. … Continue Reading
The DIFC guidelines provide practical guidance for DIFC-registered entities engaging in electronic direct marketing, including useful “dos” and “don’ts”. By Brian A. Meenagh, Fiona M. Maclean, and Laura Holden What Do DIFC-Registered Entities Need to Know? In January 2019, the Commissioner for Data Protection for the Dubai International Financial Centre (DIFC) issued new Direct Marketing … Continue Reading
EU data protection authorities are imposing increased penalties under the GDPR, with more proceedings forecast for 2019. By Tim Wybitul, Prof. Dr. Thomas Grützner, Dr. Wolf-Tassilo Böhm, and Dr. Isabelle Brams The General Data Protection Regulation (GDPR) has been in effect since May 2018. Although the French data protection authority (CNIL) has imposed the highest … Continue Reading
The CNIL decision handed down on 21 January 2019, which cites violations of several GDPR obligations, provides important insights for groups wishing to benefit from the “one-stop-shop mechanism”. By Gail E. Crawford, Myria Saarinen, Camille Dorval, and Laura Holden The Complaints Not more than a week after the General Data Protection Regulation 2016/679 (GDPR) came … Continue Reading
Understanding the practical implications of a “No Deal” Brexit (as compared to an exit under an approved Withdrawal Agreement) following last week’s vote against the current withdrawal proposal. By Gail E. Crawford and Jane Bentham “No Deal” Brexit Unless the UK can agree on a deal with the EU that meets the approval of the … Continue Reading
Germany’s first GDPR fine offers lesson for companies planning a data breach policy. By Tim Wybitul, Wolf-Tassilo Böhm, and Isabelle Brams In November 2018, Germany’s first fine under the General Data Protection Regulation (GDPR) was imposed — and it was much lower than many expected. The favourable outcome of the proceedings for the defending company … Continue Reading
GDPR and PSD2 are two legal initialisms that have both generated a great deal of press coverage in recent months, but they are seldom considered together. By Christian F. McDermott, Calum Docherty and Brett Carr There were around 122 billion non-cash payments in the European Union (EU) in 2016, with card payments accounting for 49% … Continue Reading
FCA Chair hints that new regulation addressing data ethics in the FinTech space may be on the horizon. By Nicola Higgs, Fiona Maclean and Terese Saplys Will societies of the future be ruled by algocracy, in which algorithms decide how humans are governed? Charles Randell, Chair of the Financial Conduct Authority (FCA) and Payment Systems … Continue Reading
Businesses active in California should promptly assess whether the law applies to their practices and start planning towards compliance with the new law. By Jennifer Archie, Michael Rubin, and Scott Jones Key Points: A sweeping new privacy law — the California Consumer Privacy Act of 2018 — was signed into law on June 28, 2018. … Continue Reading
California ballot initiative, Consumer Right to Privacy Act of 2018, gathers momentum for a November vote, spurring some telecom and internet businesses to organize opposition. By Michael H. Rubin, Roxana Mondragón-Motta, and Scott C. Jones Businesses are preparing to oppose a California ballot measure that could impose new data privacy and security obligations, with the … Continue Reading
By Gail Crawford and Mark Sun The Article 29 Working Party (WP29), an independent European advisory body on data protection and privacy released the results of their first review of the EU-US Privacy Shield on Wednesday (6 December 2017). The WP29 has identified several “significant concerns” with the EU-US Privacy Shield (Privacy Shield) programme, as currently … Continue Reading
