Data Protection Report

Data protection legal insight at the speed of technology

Latest from Data Protection Report - Page 3

ICO provides guidance on calculating monetary penalties

By Marcus Evans (UK), Lara White (UK), Steven Hadwin (UK), Janine Regan (UK) & Ally Corbridge (UK)

October 7, 2020

authorization on virtual screen with blue matrix

On 1 October 2020, the UK Information Commissioner’s Office (ICO) published draft statutory guidance, providing clarity about how it will regulate and enforce data protection legislation in the UK. The guidance, which sits alongside the ICO’s Regulatory Action Policy, covers the ICO’s range of enforcement powers, but of most interest is the section on how the ICO will calculate fines under the Data Protection Act 2018 and the EU General Data Protection Regulation…

Data Protection Report

Germany: New 35 million fine for breaching employee privacy

By Christoph Ritzer (DE) & Natalia Filkina (DE)

October 5, 2020

On 1 October 2020, the State Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für Datenschutz und Informationsfreiheit) of Hamburg (the DPA) imposed a fine of EUR 35.3 million under the GDPR against the German subsidiary of the fashion retailer H&M. The German subsidiary operates a central service centre in Nuremberg. The DPA found that the company had collected extensive records relating to the private lives of several hundred employees, which included health data…

Data Protection Report

101 Problems and Schrems Ain’t One

By Steve Roosa (US) & Daniel Rosenzweig (US)

September 29, 2020

Eureka! After burning the midnight oil, we’ve built an automated scanner to identify and sort the Schrems II risk of data flows for further legal handling. The scanner uses more than 20 different data points derived from network metadata to scan and classify data flows based on mass surveillance risk under the NSA’s so-called “Upstream” and “Downstream” data collection programs. This is important to do because not all endpoints are created equal in this regard.…

Data Protection Report

NYAG Proposed Settlement for Credential Stuffing Attacks with 3-Business-Day Access Request Response

By David Kessler (US) & Susan Ross (US)

September 23, 2020

On September 15, 2020, the New York Attorney General (NYAG) announced a proposed settlement with Dunkin’ Brands, relating to brute force and credential stuffing attacks against members’ online accounts (including stored value cards). Dunkin’ does not admit or deny any of the NYAG’s allegations in the complaint. (New York v. Dunkin’ Brands, No. 451787/2019 (N.Y. Sup. Sept. 5, 2020). 2019 Complaint According to the NYAG’s 2019 complaint, Dunkin’ had been the subject of hacker…

Data Protection Report

CCPA – Health Research Bill Passes Legislature

By David Kessler (US), Susan Ross (US) & Anna Rudawski (US)

September 9, 2020

Although the bill to amend the California Consumer Privacy Act (CCPA) to extend the so-called “B-to-B” and “employee” exceptions for one more year has garnered many headlines, the California legislature passed a second CCPA amendment (AB 713) that will be of interest to anyone involved in medical research as the new bill would ease some CCPA restrictions on research. The changes pertaining to healthcare data are expected to pass and are clearly responsive…

Data Protection Report

Schrems II: recent developments – waiting is harder

By Marcus Evans (UK) & Janine Regan (UK)

September 9, 2020

In the immediate aftermath of the Schrems II judgement, Bruno Gencarelli (Head of the International data flows and protection unit at the European Commission) said that “Schrems II is data transfers from theory to practice”. There have been several major developments over the last couple of weeks (explained below) which show this to be an accurate assessment. Companies can no longer “do nothing” in the hope that the difficult implications will go away. Regulators are…

Data Protection Report

Algorithmic Decision-making and the UK ICO’s Guidance on AI

By Magdalene Lie (UK)

September 8, 2020

Algorithmic decision-making has been in the news of late. From Ofqual’s downgrading of students’ A-level results[1] to the complaint lodged by None of Your Business’ against the credit rating agency CRIF for failing (amongst other things) to be transparent about the reasons why a particular applicant had been given a negative rating[2]. We have been reminded of the potential backlash that could result from decisions that are perceived as incorrect or unfair…

Data Protection Report

Key takeaways for the private sector from The Bridges v South Wales police facial recognition case

By Lara White (UK) & Janine Regan (UK)

August 27, 2020

On 11 August 2020, the Court of Appeal (CA) handed down its judgement in the case of R (on the application of Edward BRIDGES) v The Chief Constable of South Wales Police. The court found that the use of automated facial recognition technology (AFT) by South Wales Police (SWP) was unlawful and did not comply with Article 8 of the European Convention on Human Rights (the right to respect for private and family life)…

Data Protection Report

An “enhanced” Privacy Shield is being negotiated – third time a charm?

By Lara White (UK) & Janine Regan (UK)

August 13, 2020

On 10 August, the European Commission and the US Department of Commerce confirmed that talks have begun between the EU and US for an “enhanced” Privacy Shield. This will be the third attempt to revise this framework, following the invalidation of Safe Harbor in 2015 and Privacy Shield in July 2020. Third time a charm? We’re not so sure. By way of recap, in Schrems II, the court made clear that Privacy Shield was…

Data Protection Report

Schrems II landmark ruling: our recommendations

By Marcus Evans (UK), Lara White (UK), Shiv Daddar (UK), Janine Regan (UK), David Kessler (US), Susan Ross (US) & Christoph Ritzer (DE)

July 27, 2020

On 16 July 2020, the Court of Justice of the European Union (CJEU) published its decision in the landmark case Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18 (known as the Schrems II case). While the EU-US Privacy Shield (Privacy Shield) has been completely invalidated, the Standard Contractual Clauses (SCCs) remain valid, but with strict conditions. Our recent briefing provides a detailed analysis on the judgement, but here are…

Data Protection Report

Data protection legal insight at the speed of technology

ICO provides guidance on calculating monetary penalties

Germany: New 35 million fine for breaching employee privacy

101 Problems and Schrems Ain’t One

NYAG Proposed Settlement for Credential Stuffing Attacks with 3-Business-Day Access Request Response

CCPA – Health Research Bill Passes Legislature

Schrems II: recent developments – waiting is harder

Algorithmic Decision-making and the UK ICO’s Guidance on AI

Key takeaways for the private sector from The Bridges v South Wales police facial recognition case

An “enhanced” Privacy Shield is being negotiated – third time a charm?

Schrems II landmark ruling: our recommendations

Stay Connected

Company

Products

Support

New to the Network