Advocate General Spielmann opines that personal data can be pseudonymous in the hands of one party and anonymous in the hands of another.
By Gail Crawford, Fiona M. Maclean, Myria Saarinen, Tim Wybitul, Isabelle Brams, and Amy Smyth
Advocate General Spielmann (AG) has published his Opinion in the Court of Justice of the European Union (CJEU) case C-413/23 EDPS v. SRB (Opinion), considering various questions on the scope of personal data regulated by the EU
The CJEU has decided that the maximum thresholds for GDPR fines should be calculated using the global turnover of the broader corporate group, not solely the infringing entity.
By Gail Crawford, Fiona M. Maclean, Myria Saarinen, Tim Wybitul, Isabelle Brams, and Amy Smyth
The penalties provisions of the EU General Data Protection Regulation (GDPR) include a framework for the calculation of the fines that may be imposed on infringing organisations by national supervisory authorities and
The draft guidelines provide further clarification to the EDPB’s interpretation of legitimate interests, and suggest a potential divergence with the UK ICO.
By Gail Crawford, Fiona Maclean, Myria Saarinen, Tim Wybitul, Alice Brunning, and Calum Docherty
On 8 October 2024, the European Data Protection Board (EDPB) released draft Guidelines 1/2024 (the Guidelines) setting out its approach to processing personal data based on the “legitimate interests” legal basis in Article 6(1)(f) of the GDPR. The Guidelines
Understanding the ICO’s approach to assessing financial penalties should be a key element of an organisation’s data protection strategy and risk profile.
By James Lloyd and Sami Qureshi
In an era when data protection infringements can tarnish business reputations overnight, understanding the financial ramifications is more crucial than ever. The UK’s Information Commissioner’s Office (ICO) recently unveiled its much-anticipated updated guidance on the calculation of fines for data protection infringements under the UK General Data Protection Regulation (UK GDPR) and
The PDPL has broad extraterritorial scope and substantial penalties for non-compliance, with full enforcement expected to start in September.
By Brian A. Meenagh and Lucy Tucker
The Personal Data Protection Law (PDPL) is the first comprehensive data protection law in Saudi Arabia. The Saudi Data and Artificial Intelligence Authority (SDAIA) is expected to start full enforcement of the PDPL from 14 September 2024, after the current compliance transition period ends. SDAIA emphasised that it expects entities to take measures to achieve compliance with the PDPL by the September deadline.
Companies subject to India’s new data protection law should assess practical implications.
By Gail Crawford, Fiona Maclean, Danielle van der Merwe, Kate Burrell, Bianca H. Lee, Alex Park, Irina Vasile, and Amy Smyth
The Indian parliament enacted India’s first comprehensive data protection law on 11 August 2023, namely the Digital Personal Data Protection Act 2023 (the DPDPA). The DPDPA will replace India’s existing patchwork of data protection rules[i] and is expected to trigger significant changes in how companies subject to Indian data protection laws process personal data. However, the law is not yet operational; no effective date has been established and there is no official timeline for the overall implementation. Stakeholders expect the law to come into force in a phased manner in the next six to 12 months, after:
The DPDPA is “umbrella” legislation, as it sets out only a high-level framework for India’s new data protection regime, with supplementary rules expected in due course. Though the new law is not yet operational, companies subject to the new law are advised to begin assessing potential practical implications at an early stage.
The French Data Protection Authority has imposed a €40 million fine for GDPR infringements.
By Myria Saarinen and Charlotte Guerin
On 15 June 2023 the French Data Protection Authority (the CNIL), acting as Lead Supervisory Authority pursuant to the cooperation procedure under Article 60 GDPR, handed down a decision against the French adtech company Criteo SA (Criteo). The CNIL imposed a €40 million fine for five infringements of the GDPR, in particular for failing to verify that data subjects had consented to the processing of their personal data for the purpose of targeted advertising.
Founded in 2005 and headquartered in France, Criteo specializes in behavioral retargeting, which involves tracking browsing patterns through cookies placed on users’ devices to facilitate personalized advertisements. Criteo collects browsing data tied to a cookie that is being placed when users visit certain partner websites (the Criteo cookie), and then uses the data to generate personalized online ads. Criteo will then show these ads to users when they visit other partner or customer websites. According to its corporate website, Criteo serves 5 billion ads per day and partners with more than 19,000 customers.
The amended PDPL diverges from international privacy laws in several areas, including personal data transfers, penalties, and breach notification.
By Brian A. Meenagh and Lucy Tucker
An amended version of the Kingdom of Saudi Arabia’s Personal Data Protection Law (PDPL) was published in the Official Gazette of the Kingdom of Saudi Arabia on April 7, 2023. The amended PDPL contains the same wide extra-territorial scope as the original PDPL. It applies to any processing of personal data that takes place in the Kingdom, and applies to the processing of personal data of individuals located in the Kingdom by organizations outside of the Kingdom.
The amended PDPL contains concepts and requirements similar to those in international privacy laws, such as the GDPR, including concepts, such as personal data, controllers and processors, data processing principles, certain data subject rights, and the requirement to maintain a record of processing activities. However, the PDPL diverges from international privacy laws in several important areas, notably in relation to transfers of personal data outside of the Kingdom and penalties for non-compliance.
The French Data Protection Authority imposed a €280,000 fine for GDPR infringements and a €100,000 fine for violation of French cookie rules.
On 11 May 2023 the French Data Protection Authority (the CNIL) handed down its decision on the health website Doctissimo, imposing a €280,000 fine for the infringement of four provisions of the GDPR and an additional €100,000 fine for the violation of Article 82 of the French Data Protection Act (the French Cookies Rule).
Founded in 2000 by medical doctors, Doctissimo is one of the most widely visited health and well-being websites in France, with the majority of visitors located in France and Belgium. The website hosts articles, tests, quizzes, and forums related to health and well-being.
By Ian Felstead, Gail Crawford, Serrin Turner, Tim Wybitul, and Hayley Pizzey[1]
The final decision of the Irish Data Protection Commission (IDPC) in relation to the transfers of EU/EEA Facebook user data by Meta Platforms Ireland Limited (Meta Ireland) to its processor, Meta Platforms, Inc., in the US (the Transfers)[2] was published on 22 May 2023 (IDPC Decision).[3]
The IDPC found that the Transfers, made pursuant to Standard Contractual Clauses (SCCs), did not comply with Article 46(1) GDPR, as the SCCs together with the supplementary measures implemented “do not compensate for the deficiencies in US law in issue”. The IDPC also found that the Transfers could not be made pursuant to any of the derogations under Article 49(1) GDPR. In particular, the IDPC concluded that the “contractual necessity” derogation could not be relied on by Meta Ireland “to justify the systematic, bulk, repetitive and ongoing transfers to the US”.
In light of these conclusions, the IDPC made an order suspending the Transfers (the Suspension Order).