Recent action by the Hamburg authority may present implications for companies regulated by a lead data protection supervisory authority in Europe.

By Fiona Maclean, Tim Wybitul, Joachim Grittmann, Wolf Böhm, Isabelle Brams, and Amy Smyth

A German supervisory authority has initiated an investigation into Google’s speech recognition practices and language assistant technologies, which are integrated into its Google Assistant product. More specifically, the Hamburg supervisory authority opened proceedings with the intention to “prohibit Google from carrying out corresponding evaluations by employees or third parties for a period of three months. This is intended to protect the personal rights of those concerned for the time being.

This blog post analyzes the procedure against Google in Germany, in the context of recent trends elsewhere in Europe to transfer cases to lead authorities, and the impact for other companies regulated by a lead supervisory authority. The proceedings against Google might be resolved amicably, but still raise substantial questions over the powers of supervisory authorities under the cooperation and consistency mechanism of the GDPR.

European regulators are expected to align their processes and guidance to accommodate the EDPB’s recommended approach to processing special categories of personal data.

By Gail E. Crawford, Frances Stocks Allen, and Mihail Krepchev

In January, the European Data Protection Board (EDPB) issued an opinion (Opinion) on the interplay between the General Data Protection Regulation (GDPR) and the Clinical Trials Regulation (CTR), which: (1) confirms that consent under the GDPR and CTR are different concepts; and (2) sets out the EDPB’s recommendations on the appropriate legal basis required for processing personal data in connection with clinical trials conducted in the EEA (which is unlikely to be consent).

Practical Takeaways

While the Opinion brings some much-needed certainty to the area of consent and other legal grounds for clinical trials, challenges remain. Outlined below are the key challenges and the steps that sponsors of clinical trials in the EEA (Sponsors) should take when designing their research activities:

Companies should identify data flows, implement a data transfer solution, and update internal documents and privacy notices.

By Fiona M. Maclean and Jane Bentham

Since our blog on “What a “No Deal” Brexit Means for UK Data Privacy”, the European Data Protection Board (EDPB) has published two information notes on data transfers in the event of a “no deal” Brexit:

  • A general note on the various data transfer mechanisms (and exceptions) under the GDPR
  • A specific note on the Information Commissioner’s Office (ICO), the UK regulator, as a Lead Supervisory Authority for Binding Corporate Rules

The UK government has also issued a paper titled “Implications for Business and Trade of a no Deal Exit on 29 March 2019,” including a small section on data transfers. The paper states that the government’s primary aim is to ensure that the UK leaves the EU on 29 March 2019 (the Exit Date) with an agreed and approved Withdrawal Agreement and Political Declaration (the Proposed Deal). Of course it is possible that Brexit may be delayed by extending Article 50 to give the UK more negotiating time with the EU.

The FTC and many state attorneys general aggressively monitor apps, websites, and internet-connected products for COPPA compliance.

By Jennifer C. Archie, Michael H. Rubin, and Alexander L. Stout

In the United States, collecting data directly from children under 13 years of age is tightly regulated by a federal statute, which is aggressively monitored and enforced. Under the Children’s Online Privacy Protection Act (COPPA), even seemingly straightforward online data collection and storage practices such as logging an IP address or storing an email address are subject to strict requirements, such as providing notice and obtaining advanced parental consent prior to collection or storage.

Under COPPA, obtaining proper consent can be technically or administratively burdensome, expectations shift with technological advancement, regulatory exceptions are vague, and penalties are calculated on a per-violation basis. COPPA is enforced by the Federal Trade Commission (FTC) and state attorneys general, both of which are very active in this area. Although the FTC maintains a website with answers to frequently asked questions, the law is complicated, and companies should consult with an attorney.

The European Commission adopted its adequacy decision for Japan on 23 January 2019, opening the doors for personal data to flow freely between the two major global economies.

By Fiona M. Maclean and Laura Holden

The Adequacy Decision

Following two years of dialogue between the European Union (EU) and Japan, the European Commission (EC) adopted its mutual adequacy decision (Decision) for Japan on 23 January 2019. As noted in the EC’s press release, the decision is effective immediately.

Japan now joins a list of select jurisdictions recognised as adequate by the EC, notably: Andorra, Argentina, Canada (for private entities only), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and the United States (EU-U.S. Privacy Shield). The Decision is the first of its kind adopted since the General Data Protection Regulation (GDPR) became applicable in May 2018.

EU data protection authorities are imposing increased penalties under the GDPR, with more proceedings forecast for 2019.

By Tim Wybitul, Prof. Dr. Thomas Grützner, Dr. Wolf-Tassilo Böhm, and Dr. Isabelle Brams

The General Data Protection Regulation (GDPR) has been in effect since May 2018. Although the French data protection authority (CNIL) has imposed the highest fine to date — €50 million on 21 January 2019 — German federal data protection authorities have already imposed fines for GDPR infringements in 41 cases nationwide and say that they have “very many” additional fine proceedings in progress. This first wave of fines has come from five German authorities, with 11 authorities having not yet imposed any fines under the GDPR.

Under the former German data protection law, companies faced a maximum penalty of €300,000 for violations. However, the GDPR provides authorities with different disciplinary options and they can now impose fines of up to €20 million or more. The maximum fine may amount to up to 4% of the worldwide annual turnover. Hence, corporates with an annual revenue of more than €500 million may face fines exceeding the €20 million threshold.

The CNIL decision handed down on 21 January 2019, which cites violations of several GDPR obligations, provides important insights for groups wishing to benefit from the “one-stop-shop mechanism”.

By Gail E. Crawford, Myria Saarinen, Camille Dorval, and Laura Holden

The Complaints

Not more than a week after the General Data Protection Regulation 2016/679 (GDPR) came into force on 25 May 2018, the French data protection authority (CNIL) received separate complaints about Google LLC (Google) from two non-profit organisations —La Quadrature du Net’ and ‘None Of Your Business’, the latter founded by activist lawyer Max Schrems. The complaints, made by the organisations on behalf of nearly 10,000 individuals, can be summarised as follows:

  • None Of Your Business claimed that users of Android mobile devices had no choice but to accept Google’s privacy policy and terms of use, which included having to consent to the use of their data for targeted behavioural advertising, if they wanted to be able to use the devices.
  • La Quadrature du Net claimed that Google processed personal data for targeted advertising without a valid legal basis.

Understanding the practical implications of a “No Deal” Brexit (as compared to an exit under an approved Withdrawal Agreement) following last week’s vote against the current withdrawal proposal.

By Gail E. Crawford and Jane Bentham

“No Deal” Brexit

Unless the UK can agree on a deal with the EU that meets the approval of the majority of the UK Parliament, withdraws its Article 50 notice, or can negotiate with the EU an extension to the 29 March 2019 departure (Exit Date), the UK will leave the EU without a ratified Withdrawal Agreement or an agreed Political Declaration (together, the Deal). The political uncertainties around the different scenarios warrant that businesses prepare for a “No Deal” Brexit in all areas, including in relation to the processing of personal data.

Under a “No Deal” Brexit scenario, the General Data Protection Regulation (GDPR) will form part of UK domestic law as “retained EU law” as a result of the EU (Withdrawal) Act 2018 (EUWA), with certain amendments made to it and also to the Data Protection Act 2018 and the UK Privacy and Electronic Communications (EC Directive) Regulations 2003 under the (draft) Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (Privacy Exit Regulations), which is intended to come into force on the Exit Date. This is collectively being referred to as the “UK GDPR”.