Category Archives: EU Privacy

Subscribe to EU Privacy RSS Feed

CNIL Issues Record-Keeping Guidance

Under GDPR, companies are required to keep certain records of their processing activities. There has been some question about the types of records controllers should keep. To help clarify the questions arising from many companies, CNIL issued guidance recently about how to fulfill record keeping obligations. The guidance includes an RPA template for controllers, and outlines contents to … Continue Reading

Processor or Controller? It Really Depends

The European Data Protection Board and the European Data Protection Supervisor recently issued a joint opinion on the processing of personal data and the role of the European Commission within the eHealth Digital Health Service Infrastructure. As background, the eHealth Network is a network of eHealth authorities designated by the EU member states. Its main … Continue Reading

EDPB Seeks Comment On Online Services Guidance

The European Data Protection Board is seeking comment about proposed guidelines that impact websites that provide online services. This might include services a user pays for, or where the fee is indirect (the services being funded through advertising dollars, for example). The EDPB guidance points out that these services typically fall under the provision of … Continue Reading

UK ICO Fines Parenting Club £400,000 Over Breach Involving PII of Mothers and Babies

The ICO first began its examination of Bounty UK Ltd. (a support club for parents) when the ICO was investigating the data brokerage industry generally, of which it viewed Bounty as taking part (given that it shared member information with third parties like Acxiom and Equifax). Here, in reaching its conclusion that the company had … Continue Reading

UK ICO Settles with Marketer Over Unsolicited Email Messages

Grove Pension Solutions Ltd is a UK-based company that helps people get “pension releases,” i.e. getting money out of their pensions. The company uses a vendor to conduct lead generation. That vendor would identify individuals who had given consent to get messages on a variety of third party websites (including for example, soapboxsurvey.co.uk). None of … Continue Reading

France Continues to Focus on Use of Biometrics

The French CNIL (the country’s data protection authority) has released rules for how companies can use the biometric information of their employees. Fingerprint scanning is a popular method for “clocking in” around the globe, and like the biometric laws in the US (in particular in Illinois, which we have written about here), it has fallen … Continue Reading

European Data Protection Board’s Priorities for 2019/2020

The European Data Protection Board (EDPB) has released its priorities for 2019/2020 in its two-year “Work Program.” The EDPB is charged with issuing guidelines and opinions about GDPR, advising the European Commission about privacy-related issues, to help with the “consistent application” of GDPR, and to promote cooperation among the EU Member States’ supervisory authorities. Among … Continue Reading

UK’s ICO Brings Texting Enforcement Action, Fines Vote Leave 40,000 Pounds

Prior to the “Brexit” vote in 2016, the pro-Brexit campaign, Vote Leave, sent almost 200,000 unsolicited texts in violation of the Privacy and Electronic Communications Regulations (PECR), according to a recent settlement it reached with the ICO. Under those regulations, as the ICO outlines in its PECR guidance, consumers must either have opted into receiving … Continue Reading

Talk About Ironic: Brexit Group Fined Under EU-Related Privacy Regulations

In an ironic twist, the British Information Commissioner’s Office (ICO) recently fined a Brexit advocacy group for violating regulations issued under an EU directive.  The fines, totaling £120,000,  were levied against Leave.EU and a related insurance company, Eldon Insurance, for sending marketing emails to each other’s subscribers without sufficient consent.  Leave.EU had sent marketing emails … Continue Reading

Cyber Concerns Lead to EU Recall of a Connected Kids Devices

Citing cybersecurity concerns with a children’s smartwatch, the European Commission recently issued a recall of the device. The Safe-KID-One is a smartwatch that gives parents the ability to track and communicate with their children. According to the European Commission, security issues with the device could allow a hacker to access a user’s data, including location … Continue Reading

EU and Japan Finalize Data Transfer Deal

As we previously reported the EU and Japan reached a tentative deal last summer to ease data transfer restrictions between them. That deal has now been approved by both the European Commission and by Japan and is effective immediately. When the tentative deal was reached, Japan promised to add several new data protection safeguards. Those included … Continue Reading

UK Regulator Issues Guidance About Encryption Under GDPR

The UK Information Commissioner’s Office recently released helpful encryption guidance. Although released to address the GDPR security requirements, this document may be helpful more broadly because of the detail around encryption the ICO provides. In the guidance, the ICO points to certain types of encryption (symmetric and asymmetric) and when to use the different methods. … Continue Reading

Supermarket Held Vicariously Liable in UK’s First Data Leak Class Action

UK supermarket chain Morrisons has been held vicariously liable for the acts of a malicious employee in the UK’s first data leak class action. The issue began in 2014, when a disgruntled Morrison’s internal IT auditor posted to a public file-sharing website the payroll data of nearly 100,000 employees (including names, addresses, dates of birth, … Continue Reading

UK Issues Fine for Unsolicited Funeral Marketing Emails

The U.K. data protection authority recently fined a lead generation company £90,000 ($118,000) for a 2017 unsolicited email marketing campaign. The company, Boost Finance Ltd, sent over 4 million emails promoting pre-paid funeral plans under the name findmeafuneralplan.com. In reaching its decision, the ICO (the UK data protection regulator), said that the company violated the … Continue Reading

France Imposes Fine for Unauthorized Use of Fingerprint Timeclocks

French data protection authority CNIL has issued a fine against company Assistance Centre d’Appel related to the use of biometric technology in the workplace. During an audit at the end of 2016, CNIL found that the company was using fingerprint timeclocks to track employee hours without prior authorization from CNIL as required by the French … Continue Reading

UK’s Data Protection Authority Enforces GDPR

The UK’s Information Commissioner’s Office (ICO) has issued its first GDPR notice to Canadian data analytics firm AggregateIQ Data Services Ltd. The company uses personal data to target political advertising at voters prior to elections. The ICO was concerned about the firm’s use of targeted advertising in the UK’s 2016 EU referendum and the 2016 … Continue Reading

FTC Signals that It Will Enforce Statements of GDPR Compliance

Just as companies may be catching their breath after sprinting to get ready for GDPR in time for its recent implementation date, the FTC has now entered the enforcement fray. It has stated that, where companies are choosing to apply GDPR protections to American consumers, the FTC may enforce any failures to abide by those commitments. … Continue Reading
LexBlog

By scrolling this page, clicking a link or continuing to browse our website, you consent to our use of cookies as described in our Cookie and Advertising Policy. If you do not wish to accept cookies from our website, or would like to stop cookies being stored on your device in the future, you can find out more and adjust your preferences here.

Agree