
Google Hit with Biggest Ever GDPR Fine

The biggest GDPR fine to date was recently issued by France’s National Data Protection Commission (CNIL) to Google for multiple GDPR violations, the regulator announced. The fine? A whopping 50 million euros (about $57 million).

Two Types of GDPR Violations

First, CNIL found that Google provided information to users in a non-transparent way: “The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions,” according to the CNIL.

Second, CNIL concluded that Google was not validly obtaining users’ permission for data processing and ads personalization purposes. The users’ consent, CNIL claims, “is not sufficiently informed,” and it’s “neither ‘specific’ nor ‘unambiguous’.”

Confirming Customer Sentiment

The CNIL’s findings echo what many users have felt when dealing with the privacy settings of large online companies such as Google and Facebook: while it may be possible to opt out of various ads personalization and data processing schemes, the process and settings are too convoluted for many users to understand.

GDPR Complaints Filed Against Netflix & Amazon


Video streaming leaders including Netflix, Amazon, and Apple have been accused of breaking the EU’s data regulations.

General Data Protection Regulation (GDPR) rules mandate EU individuals have the right to access a copy of the personal data companies collect about them through the regulation’s right of access. However, Max Schrems’ privacy group NOYB (None Of Your Business) has said it found that most of the big streaming companies have not fully complied and has filed formal complaints – which, if upheld, could result in substantial fines for the streaming giants.

Lack of Compliance

After GDPR went into effect in May 2018, many of the biggest names in tech, including Amazon, Apple, Google and Spotify, began allowing customers to download a copy of their data. NOYB, however, has said it found many of these streaming industry leaders did not do enough to comply with the new law.

Dissecting 2018’s Mid-Year Data Breach Statistics

After the first six months of 2018, 4.5 billion data records have already been compromised according to a recent report. Data breaches have affected businesses large and small, from Adidas (two million records compromised) to Facebook (up to two billion accounts affected) to municipal airports and accounting firms, and 2018 has already seen more than its fair share of massive global data breaches.

The Gemalto Report

Digital security specialist Gemalto revealed in a new report that 945 data breaches led to a staggering 4.5 billion data records being compromised worldwide in the first half of 2018.

Although the total number of breaches was down from the same period the year before, the number of records compromised was up over 130 percent as the severity of individual incidents increased.

FTC to Enforce Voluntary GDPR Compliance Statements

U.S.-based companies that have updated their privacy policies to reflect increased consumer privacy protections, intending to match the European Union’s GDPR protections, may have unknowingly opened themselves up to added scrutiny from the Federal Trade Commission, according to FTC spokesperson Juliana Gruenwald Henderson.

Several organizations that collect consumer data on a large scale, including Facebook and Microsoft, have taken it upon themselves to increase personal data use transparency for their consumers through clearer privacy policies. This increase in transparency is designed, in part, to increase trust among their users, as well as potentially staying one step ahead of future U.S. regulation. That domestic regulation, however, might be coming sooner than anticipated.

The FTC’s Statement

Gruenwald Henderson explained, “If a company chooses to implement some or all of GDPR across their entire operations, and as a result makes promises to U.S. consumers about their specific practices, they must live up to those commitments.” She added that this enforcement, although broad in nature, would only be applied in specific and appropriate situations, and that “the FTC could initiate an enforcement action if the company does not comply with the EU data protection promises for U.S. customers.”

The FTC’s statement shows the government takes seriously companies’ privacy promises to their consumers. “If the company claims that it is compliant with EU law, it better be right, because the FTC will be looking for companies that are non-compliant but say otherwise,” said David Vladeck, former director of the FTC’s Bureau of Competition.

The Ordinance: Chicago’s Proposal to Protect Personal Data

With the passage of the General Data Protection Regulation (GDPR), many government entities here in the US have joined the bandwagon in strengthening data protection laws concerning personal information. The City of Chicago is the latest municipality to actively take on the threat of data breaches.

Chicago’s Personal Data Collection and Protection Ordinance (“the Ordinance”) was recently introduced to its city council and is designed to equip consumers with control over their information, informed consent to its disclosure, awareness of its use, and redress for its misuse.

Data Collection & Disclosure

The purpose of the Ordinance is to regulate operators that collect sensitive customer personal information through the Internet about individual consumers in the City of Chicago.

Some of the major provisions of the Ordinance would require operators to:

  1. Obtain prior opt-in consent from Chicago residents to use, disclose or sell their personal information;
  2. Notify affected Chicago residents and the City of Chicago in the event of a data breach;
  3. Register with the City of Chicago if they qualify as “data brokers;”
  4. Provide specific notification to mobile device users for location services; and
  5. Obtain prior express consent to use geolocation data from mobile applications.


United Kingdom Expects to Adopt GDPR

Brexit brought about a lot of uncertainty, especially in the legal arena with regard to privacy laws. Recently, some of that uncertainty cleared up.

On September 14, 2017, a new bill was introduced in the UK that would adopt the EU’s General Data Protection Regulation (GDPR) and replace the Data Protection Act 1998, the UK’s current data protection law. This move answers lingering questions on the status of UK data protection post-Brexit.

While UK companies that operate in Europe or process European citizens’ data would have been subject to GDPR either way, this decision will impose GDPR requirements on smaller UK companies that only handle UK citizens’ data.

Under GDPR, organizations that process the personal data of EU citizens must, for example:

  • Get opt-in from customers before collecting and using customer personal data;
  • Notify the Information Commissioner’s Office (the UK’s independent authority set up to uphold information rights in the public interest) within 72 hours of a data breach; and
  • Face severe non-compliance penalties.

For individuals, the new bill provides more control over one’s personal information, including the ability to access, transfer, and delete personal data while it is in the hands of organizations that process it.

The proposed UK law does include some exemptions aimed at protecting journalists, scientific and historical researchers, and anti-doping agencies that handle personal information.

GDPR will be effective May 25, 2018, and the UK Bill is intended to take effect prior to that date.

ePlace’s next webinar will focus on how to implement and comply with GDPR requirements. To learn how this might affect your organization in the UK, register for the webinar on October 18, 2017.

UK Government Confirms GDPR Implementation

As Brexit uncertainty continues to surround the UK, plans are being pushed forward to incorporate the EU’s General Data Protection Regulation (GDPR) into UK national law.

During the Queen’s recent speech to Parliament, the UK government reiterated its intention to implement the GDPR as scheduled. The plan layout is detailed here.

The Queen added in her remarks, “A new law will ensure that the United Kingdom retains its world-class regime protecting personal data, and proposals for a new digital charter will be brought forward to ensure that the United Kingdom is the safest place to be online.”

The UK’s proposed Data Protection Bill will aim to continue the free flow of data between the UK and other EU member states post-Brexit. It will also replace the Data Protection Act of 1998.

Working Party Releases Final GDPR Guidance Materials

The Article 29 Working Party adopted the final versions of several guidance documents related to GDPR compliance. The first versions were initially released last December for comment.

The guidance documents provide organizations covered under GDPR with guidelines on the following topics:

  • Data Protection Officers
  • Data Portability
  • Lead Supervisory Authorities

In conjunction with these documents, the Working Party also released its draft guidelines on Data Protection Impact Assessments (DPIAs). The guidance aims to help organizations determine when a DPIA is required under GDPR. Focus areas include:

  • Scope of a DPIA
  • Processing operations subject to a DPIA
  • Steps to conduct a DPIA
  • Consultation requirements with Supervisory Authorities
  • Further recommendations

UK Government on GDPR Implementation

In the privacy community, everyone is keeping a close watch on how Brexit, Britain’s departure process from the EU, is going to affect data protection legislation going forward.

The UK Government Minister responsible for data protection, Matt Hancock, recently provided insight into the UK’s implementation plan for the EU’s GDPR in the midst of the looming Brexit process.

Here are the key takeaways:

GDPR Support

Hancock confirmed the UK Government’s continued support for GDPR. He reaffirmed the GDPR will come into effect in the UK on May 25, 2018. He also noted the UK would seek to implement the GDPR in full, providing the UK with the greatest chance to secure a free flow of data with the EU.

UK Data Protection Law

Hancock admitted some provisions of the existing UK Data Protection Act will need to be addressed before GDPR comes into effect. The UK Government wants to ensure there is no duplication or contradictions between the two laws.

Data Transfers

Hancock also addressed the issue of data transfers outside the EU. Specifically, he expects to see development of a data transfer framework between the UK and U.S. to ensure uninterrupted flow of data between the two countries.

Hancock frequently used the phrase “to ensure unhindered data flows after Brexit.” The goal appears to be a seamless transition into GDPR so that normal business operations and economic activity aren’t disrupted.

Article 29 Working Party Sets 2017 Goals

The Article 29 Working Party released its 2017 plans for continuing the implementation of the EU General Data Protection Regulation (GDPR). The Working Party’s 2017 Action Plan has two main areas of focus:

Finalizing 2016 Topics

In its 2017 Action Plan, the Working Party has committed to finalize its work on topics undertaken in 2016, including guidelines on certification, on processing likely to result in a high risk and Data Protection Impact Assessments, and on administrative fines; the setting up of the European Data Protection Board (EDPB) structure in terms of administration (e.g. IT, human resources, service level agreements and budget); and the preparation of the one-stop-shop and the EDPB consistency mechanism.

New 2017 Priorities

In the 2017 Action Plan, the Working Party has committed to produce guidelines on the topics of consent, profiling and transparency in the second half of 2017. At the same time, the Working Party will work on updating its existing opinions and referentials on data transfers to third countries and data breach notifications.