Global Privacy & Security Compliance Law Blog

EDPB Issues New Guidance on Storing Credit Card Data for Future Purchases

Posted in Legislative & Regulatory Developments, Security

Online retailers storing credit card data for the sole purpose of facilitating further purchases will likely need to obtain consumer consent.

By Christian F. McDermott, Calum Docherty, and Victoria Wan

Online shopping has boomed in recent years. In 2020, the European statistics agency Eurostat estimated that 7 out of 10 internet users made online purchases within a 12-month period. The European Central Bank found that the total number of non-cash payments in the euro area increased by 8.1% year-on-year in 2019 (the last year for which statistics are available), with a total value of €162 trillion, which included 45 billion transactions processed by retail payment systems worth €35 trillion. This growth has likely surged during the COVID-19 pandemic, when many consumers turned to e-commerce.

The opportunities for retailers also present data protection risks. On 19 May 2021, the European Data Protection Board (EDPB) adopted Recommendations 02/2021 on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions (the Recommendations) to address the vast data processing operations behind these transactions. The Recommendations focus on when and how online retailers can store a customer’s credit card data after a sale or transaction for the sole purpose of facilitating future purchases by that customer. The EDPB has expressly excluded from the scope of the Recommendations the storage of credit card data in relation to ongoing contracts, such as for subscription services, and the activities of payment institutions operating in online stores. The Recommendations only reference credit cards and not payment cards more generally (such as debit cards, prepaid cards, etc.). It is unclear whether the EDPB might have similar expectations of online retailers that store other payment card or direct debit data for the same purposes.

The Recommendations are not legally binding, but provide a brief exploration of the EDPB’s assessment of the legal bases available to the online retailer. The EDPB concludes that, in its view, the only appropriate legal basis for such processing is consent under Article 6(1)(a) of the General Data Protection Regulation 2016/679.

New Standard Contractual Clauses and Final EDPB Recommendations – Next Steps

Posted in Legislative & Regulatory Developments

Companies have three months to prepare to use the latest standard contractual clauses for new data transfers, and 18 months to migrate existing arrangements.

By Gail Crawford, Fiona Maclean, Danielle van der Merwe, and Amy Smyth

On 4 June 2021, the European Commission released its much-anticipated final Implementing Decision containing the new standard contractual clauses (SCCs) for the transfer of personal data to third countries, which will enter into effect on 27 June 2021. Organisations may continue to use the existing SCCs until 27 September 2021, after which time the new SCCs must be used for relevant new data transfers. Organisations have an 18-month grace period (until 27 December 2022) during which they must migrate any existing SCC arrangements to the new SCCs.


Austrian Court Submits Questions on GDPR Civil Damages Claims to CJEU

Posted in GDPR

The CJEU’s decision is likely to have significant implications for ongoing and future proceedings for damages claims under Art. 82 GDPR.

By Tim Wybitul, Christoph Baus, Stefan Patzer, and Isabelle Brams

On April 15, 2021, the Austrian Supreme Court (OGH) referred key questions regarding non-material damages for data protection infringements under Art. 82 GDPR to the European Court of Justice (CJEU) for a preliminary ruling under Art. 267 TFEU. So far, a number of claims for non-material damages based on violations of the GDPR have been dismissed by the courts in Austria and Germany because the plaintiffs did not allege or prove any noticeable immaterial impairment. The OGH makes reference to a decision of the German Federal Constitutional Court (BVerfG) dated January 14, 2021, in which the court overturned a decision by the Goslar Local Court (AG). The BVerfG ruled that the AG would have had to submit significant questions about damages to the CJEU before making a decision in the final instance. Whilst the OGH disagreed with the finding of the BVerfG, it considered it helpful to refer questions to the CJEU in order to ensure a harmonized application of the law within the EU.

Privacy Group Launches Cookie Complaints Campaign Against EU Website Operators Based on Its Interpretation of Cookie Rules

Posted in GDPR, Privacy

The privacy organisation noyb will file more than 10,000 complaints for use of cookies contrary to its interpretation of compliance.

By Gail Crawford, Myria Saarinen, Tim Wybitul, Wolf Boehm, Charlotte Guerin, and Amy Smyth

On 31 May 2021, the nonprofit privacy organisation noyb (short for “none of your business”) launched a large-scale campaign to combat allegedly unlawful cookie banners and practices. According to a press release, noyb has already sent draft complaints to the operators of more than 500 frequently visited websites, and is intending to send a further 10,000 complaints this year. This is a space where website operators arguably have considerable room for interpretation and to develop a variety of approaches for providing cookie information and obtaining cookie consent. Noyb’s campaign seeks to impose its interpretation of applicable cookie rules across the EU through threats of complaints to supervisory authorities.

Affected companies that fail to bring their cookie practices into compliance with noyb’s interpretation of the legal requirements will face complaints brought by noyb to the competent data protection supervisory authorities.

UAE’s New Consumer Protection Law: An End to Direct Marketing?

Posted in Legislative & Regulatory Developments

The new legislation extends both the protections available to consumers and the obligations applicable to e-commerce retailers.

By Brian A. Meenagh and Avinash Balendran

With its recent implementation of a new consumer protection law, the United Arab Emirates has taken a significant step forward in protecting the rights of consumers. The new legislation — Federal Law No. (15) of 2020 (the New CPL) — entered into force on 16 November 2020, repealing Federal Law No. (24) of 2006. In particular, the New CPL extends both the protections available to consumers and the obligations applicable to e-commerce retailers.

One stand-out provision in the New CPL is Article 4(5), which places an obligation on Entities (as defined below) to protect “consumers’ privacy and data security”. Article 4(5) also implies that Entities should not use consumer data for “the purposes of promotion or marketing”.

Virginia Consumer Data Protection Act: Second US State Passes Comprehensive Data Privacy Legislation

Posted in Legislative & Regulatory Developments, Privacy

The Act represents an accelerating trend among US states to attempt to pass comprehensive privacy legislation in the wake of the CCPA.

By Jennifer C. Archie, Michael H. Rubin, Marissa R. Boynton, and Alexander L. Stout

On March 2, 2021, Virginia Governor Ralph Northam signed comprehensive state privacy legislation titled the Consumer Data Protection Act (CDPA). Previously, the Virginia Senate unanimously passed the bill on February 5, 2021, and the Virginia House of Delegates followed suit in a special legislative session on February 18, 2021. The law will take effect on January 1, 2023. This post addresses some key provisions.

German Court: CJEU Must Clarify Whether GDPR Provides Materiality Threshold

Posted in GDPR

The decision means the CJEU will need to clarify the framework for GDPR damages claims.

By Tim Wybitul, Dr. Christoph Baus, and Dr. Isabelle Brams

The German Federal Constitutional Court has ruled that the Court of Justice of the European Union (CJEU) needs to clarify if the General Data Protection Regulation (GDPR) provides for a materiality threshold for GDPR damage claims. The decision overturns a judgment of the Goslar Local Court of 27 September 2019 regarding the unlawful sending of an advertising email.

Extensive Changes to Singapore’s Data Protection Regime Take Effect

Posted in Legislative & Regulatory Developments

Amendments to the PDPA significantly change Singapore’s data protection landscape, including mandatory data breach notification and criminal offences for mishandling of personal data.

By Farhana Sharmeen, Esther Franks, and Gen Huong Tan

On 1 February 2021, certain sections of the Personal Data Protection (Amendment) Act 2020 (the Act) took effect, implementing the following changes to the Personal Data Protection Act 2012 (PDPA):

  • Strengthened enforcement powers for the Personal Data Protection Commission (PDPC)
  • New criminal offences for individuals for egregious mishandling of personal data
  • Mandatory data breach notification requirements
  • New provisions for “deemed” (i.e., implied) consent and exceptions to the PDPA consent requirements, namely the “legitimate interests” exception and “business improvement” exception

Other changes from the Act have yet to take effect but are expected to be introduced in phases. These include:

  • Increased financial penalties for companies in breach of the PDPA
  • A new right of data portability for individuals


FTC Chair Rebecca Slaughter Outlines Data Privacy Enforcement Agenda

Posted in Legislative & Regulatory Developments, Privacy

Slaughter discusses the FTC’s priorities under the new administration, including ed-tech, health apps, and racial equity.

By Jennifer Archie, Michael Rubin, Marissa Boynton, and Jimmy Smith

On February 10, 2021, in her first major speech as acting chair of the Federal Trade Commission (the Commission, or the FTC), Rebecca Slaughter discussed the Commission’s enforcement priorities under the new administration — with a particular focus on deterring problematic data practices.

In her opening remarks at the Future of Privacy Forum, Slaughter stated that she would urge innovation and creativity and the use of all tools available to the Commission in order to bring about the best outcomes for consumers and to deter problematic privacy and data security practices.[i] She also noted that enhanced enforcement around ed-tech, health apps, and racial equity would be priorities for the new administration. In particular, Slaughter mentioned two types of relief that she believes the Commission should focus on going forward: disgorgement and effective consumer notice.


Data Protection Brexit Checklist: Businesses Can Rely on Personal Data Transfer Grace Period

Posted in Legislative & Regulatory Developments, Privacy

As the Brexit transition period draws to a close, businesses will need to consider their data protection efforts to comply with both UK and EU regimes.

By Gail Crawford, Fiona Maclean, and Amy Smyth

The end of the Brexit transition period on 31 December 2020 will have several data protection consequences. The impact of one of the more significant implications — the UK becoming a third country for the purposes of EU-to-UK personal data transfers — has been mitigated by a four- to six-month grace period in the EU & UK Trade and Cooperation Agreement (the Trade Agreement).

The Trade Agreement’s grace period states that personal data may be transferred from the EU to the UK as if the UK has not become a third country on 1 January 2021 (Article FINPROV.10A). This provision means that the requirement for a data transfer mechanism to legalise such transfers under the European General Data Protection Regulation (GDPR) will not be triggered on 1 January 2021, and these transfers may continue as during the Brexit transition period.

