Global Privacy & Security Compliance Law Blog

French Data Protection Authority Issues €50 Million Fine in Landmark GDPR Case

By Latham & Watkins LLP on Posted in GDPR, Legislative & Regulatory Developments, Privacy

The CNIL decision handed down on 21 January 2019, which cites violations of several GDPR obligations, provides important insights for groups wishing to benefit from the “one-stop-shop mechanism”.

By Gail E. Crawford, Myria Saarinen, Camille Dorval, and Laura Holden

The Complaints

Not more than a week after the General Data Protection Regulation 2016/679 (GDPR) came into force on 25 May 2018, the French data protection authority (CNIL) received separate complaints about Google LLC (Google) from two non-profit organisations —La Quadrature du Net’ and ‘None Of Your Business’, the latter founded by activist lawyer Max Schrems. The complaints, made by the organisations on behalf of nearly 10,000 individuals, can be summarised as follows:

  • None Of Your Business claimed that users of Android mobile devices had no choice but to accept Google’s privacy policy and terms of use, which included having to consent to the use of their data for targeted behavioural advertising, if they wanted to be able to use the devices.
  • La Quadrature du Net claimed that Google processed personal data for targeted advertising without a valid legal basis.

Continue Reading

What a ‘No Deal’ Brexit Means for UK Data Privacy

By Latham & Watkins LLP on Posted in GDPR, Legislative & Regulatory Developments, Privacy

Understanding the practical implications of a “No Deal” Brexit (as compared to an exit under an approved Withdrawal Agreement) following last week’s vote against the current withdrawal proposal.

By Gail E. Crawford and Jane Bentham

“No Deal” Brexit

Unless the UK can agree on a deal with the EU that meets the approval of the majority of the UK Parliament, withdraws its Article 50 notice, or can negotiate with the EU an extension to the 29 March 2019 departure (Exit Date), the UK will leave the EU without a ratified Withdrawal Agreement or an agreed Political Declaration (together, the Deal). The political uncertainties around the different scenarios warrant that businesses prepare for a “No Deal” Brexit in all areas, including in relation to the processing of personal data.

Under a “No Deal” Brexit scenario, the General Data Protection Regulation (GDPR) will form part of UK domestic law as “retained EU law” as a result of the EU (Withdrawal) Act 2018 (EUWA), with certain amendments made to it and also to the Data Protection Act 2018 and the UK Privacy and Electronic Communications (EC Directive) Regulations 2003 under the (draft) Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (Privacy Exit Regulations), which is intended to come into force on the Exit Date. This is collectively being referred to as the “UK GDPR”. Continue Reading

Clinical Trials Under the GDPR: What Should Sponsors Consider?

By Latham & Watkins LLP on Posted in GDPR, Legislative & Regulatory Developments

Sponsors outside the European Union conducting clinical trials in the EU should consider current guidelines and the Breyer case to understand whether GDPR requirements will apply to them.

By Gail Crawford and Frances Stocks Allen

Many sponsors of clinical trials believe that companies based outside the EU who sponsor clinical trials conducted in the EU through clinical research organisations (CROs) and/or clinical sites do not themselves need to comply with the General Data Protection Regulation (GDPR). Sponsors believe the GDPR does not apply to them as they do not conduct the research directly but only receive results in key-coded form, and only their CROs and/or clinical sites will have access to the raw data and/or the key that connects the key-coded data to individual patients. However, sponsors need to reconsider this presumption in light of current guidelines and the Breyer case. Similar issues arise in other fields, for example, data and market research, in which only key-coded data is received by the organisation commissioning the research. But following the GDPR and the Breyer decision these organisations may still be subject to the requirements of the GDPR.

Is Key-Coded Data Personal Data?

The GDPR defines “personal data” broadly to include any information relating to an identified or identifiable natural person. For this purpose, an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person (Article 4(1) GDPR). Continue Reading

EDPB Publishes Regulatory Guidance on Territorial Scope of GDPR

By Latham & Watkins LLP on Posted in GDPR, Security

The Guidance provides helpful clarifications for service providers and their customers on both sides of the Atlantic.

By Robert Blamires, Fiona M. Maclean, and Danielle van der Merwe

Long-awaited guidance on the territorial scope of the General Data Protection Regulation (GDPR) has been published by the European Data Protection Board (EDPB) for public consultation (Guidance). Under Article 3, the GDPR applies to the processing of personal data which meets the “establishment” test (Article 3(1)), or, failing that, meets the “targeting” test (Article 3(2))[i].

“Establishment” Test

The GDPR applies to the processing of personal data by a controller or processor established in the EU in the context of activities of that establishment, regardless of whether the processing itself takes place in the EU. “Establishment” is not defined in the GDPR, but the Guidance refers to pre-GDPR case law to assist with its interpretation. Continue Reading

German GDPR Fine Proceedings Conclude Favourably for Defending Company

By Latham & Watkins LLP on Posted in GDPR, Legislative & Regulatory Developments, Privacy, Security

Germany’s first GDPR fine offers lesson for companies planning a data breach policy.

By Tim Wybitul, Wolf-Tassilo Böhm, and Isabelle Brams

In November 2018, Germany’s first fine under the General Data Protection Regulation (GDPR) was imposed — and it was much lower than many expected. The favourable outcome of the proceedings for the defending company demonstrates that, with a proper defence strategy, GDPR infringements may not necessarily end in a worst-case scenario for companies.

In July 2018, Knuddels GmbH & Co. KG (Knuddels), operator of the chat community Knuddels.de, noted the loss of 1.8 million user data records (including a file with unencrypted user passwords) as the result of a cyberattack. After reporting this incident to the appropriate supervisory authority, Knuddels was investigated for infringement of the GDPR. Because the authority deemed that the company’s IT security was not state-of-the-art, there was a high risk that the supervisory authority would impose a large fine on Knuddels.

Continue Reading

GDPR & PSD2: Squaring the Circle

By Latham & Watkins LLP on Posted in Legislative & Regulatory Developments, Privacy, Security

GDPR and PSD2 are two legal initialisms that have both generated a great deal of press coverage in recent months, but they are seldom considered together.

By Christian F. McDermott, Calum Docherty and Brett Carr

There were around 122 billion non-cash payments in the European Union (EU) in 2016, with card payments accounting for 49% of all transactionsi  and the trend is continuing: UK Finance recently reported that UK debit card payments overtook the number of cash transactions for the first time in the final quarter of 2017. As Europeans increasingly swap cash for cards and live their lives online, businesses have tremendous opportunities to take advantage of the vast amount of personal data generated by the increased use of payment services.

In the EU, activities in the payments sector are subject to the revised Payment Services Directive (2015/2366, known as PSD2). PSD2 was transposed in the UK primarily by the Payment Services Regulations 2017, the majority of which came into force on 13 January 2018.

Continue Reading

A New Era for Data Protection in Brazil

By Latham & Watkins LLP on Posted in Legislative & Regulatory Developments, Security

Brazilian Congress passes a data protection bill that seeks to improve privacy and cybersecurity.

By Amadeu Ribeiro and Thiago Luís Sombra (Mattos Filho, Veiga Filho Marrey Jr e Quiroga Advogados) and Jennifer Archie and Terese Saplys

The Brazilian Congress has been working on a bill relating to the protection of personal data for over eight years. The Senate approved the bill, known as the General Data Protection Act (GDPA), on 10 July 2018, and the bill was sent to the President for execution.  A window of 15 business days (i.e., up to and including 13 August 2018) within which the President may veto the bill now follows. If the President does not actively reject the bill, it automatically becomes law. Thereafter, businesses will have an 18-month grace period (i.e., up to and including 13 February 2020) to adjust to the change in law before it becomes effective on 14 February 2020.

What Is the GDPA?

The GDPA was motivated in part by Brazil’s desire to be admitted to the OECD and to prevent disruption in its commerce with the European Union and other important trading partners. As such, the GDPA seeks to match the level of protection afforded to data subjects by the laws of these trading partners.

Continue Reading

FCA Speaks Out on the Ethics of Big Data

By Latham & Watkins LLP on Posted in Privacy, Security

FCA Chair hints that new regulation addressing data ethics in the FinTech space may be on the horizon.

By Nicola Higgs, Fiona Maclean and Terese Saplys

Will societies of the future be ruled by algocracy, in which algorithms decide how humans are governed? Charles Randell, Chair of the Financial Conduct Authority (FCA) and Payment Systems Regulator, addressed how to avoid this hypothetical scenario in a broad-ranging speech on that he delivered on 11 July 2018 in London.

Randell’s Remarks

Contributing Factors to an Algocracy

According to Randell, the following three conditions could collectively give rise to a future algocracy:

  • If a small number of major corporations were to hold the largest datasets for a significant number of individuals (as is currently the case)
  • Continuing vast and rapid improvements in artificial intelligence and machine learning that allows firms to mine Big Data sets with greater ease and speed
  • Further developments in behavioural science allowing firms to target their sales efforts by exploiting consumers’ decision-making biases

Continue Reading

California Consumer Privacy Act of 2018 May Usher in Sweeping Change

By Latham & Watkins LLP on Posted in Legislative & Regulatory Developments, Privacy

Businesses active in California should promptly assess whether the law applies to their practices and start planning towards compliance with the new law.

By Jennifer Archie, Michael Rubin, and Scott Jones

Key Points:

  • A sweeping new privacy law — the California Consumer Privacy Act of 2018 — was signed into law on June 28, 2018.
  • The Act imposes substantial new obligations on businesses that collect, process, and disclose the data of California residents.
  • The Act was drafted, voted on, and enacted in a matter of days, but it will not go into effect for another 18 months: on January 1, 2020. Given this rushed process, changes to the law before its effective data can be expected.

Facing pressure from a significantly stronger ballot measure in the state, on Thursday, June 28, 2018, the Governor for the State of California signed into law the California Consumer PrivacyAct of 2018 (the CCPA). Effective January 2020, this law ushers in widespread changes to California’s law on the information practices for covered businesses collecting, processing, and disclosing information gathered from or about California consumers or their devices. Continue Reading

Update: California’s Consumer Right to Privacy Ballot Initiative

By Latham & Watkins LLP on Posted in Legislative & Regulatory Developments, Privacy

California ballot initiative, Consumer Right to Privacy Act of 2018, gathers momentum for a November vote, spurring some telecom and internet businesses to organize opposition.

By Michael H. Rubin, Roxana Mondragón-Motta, and Scott C. Jones

Businesses are preparing to oppose a California ballot measure that could impose new data privacy and security obligations, with the threat of significant civil liability for non-compliance. Signatures are being gathered to put the Consumer Right to Privacy Act of 2018 (the “CRPA Measure”) on the November 2018 California ballot. The CRPA Measure, introduced by two California citizens, claims to give California consumers an “effective way to control their personal information” by providing them with (1) a right to request certain information about what personal information covered businesses have collected and sold or disclosed within the last year and (2) the right to opt-out from having their personal information disclosed by a covered business. The initiative also provides multiple avenues for enforcement (private civil actions; attorney general or local prosecutor enforcement; and whistleblower actions).
Continue Reading

LexBlog