As with anything Brexit-related, the UK government is facing a dilemma in relation to data protection law. Shall we follow the direction of travel of the past 25 years and opt for the continuity and certainty provided by the GDPR or shall we use the departure from the EU to make radical changes to the regulation of data uses and privacy? On the one hand, it would be reassuring to know that despite Brexit’s uncertainties, the current…

On January 15, the Court of Justice of the European Union’s (CJEU) Advocate General (AG) Manuel Campos Sánchez-Bordona delivered his Opinion on four references for preliminary rulings on the topic of retention of and access to communications data. Of the four references, two originated from France, one from Belgium, and one from the Investigatory Powers Tribunal (IPT) in the United Kingdom. The latter arose from a challenge by Privacy International to the UK Security and…

The French Data Protection Authority (CNIL) published new Guidelines (French only) on December 10, 2019 applicable to whistleblowing schemes, following a public consultation process. The Guidelines replace the former Single Authorization AU-004, which has not applied since arrival of the General Data Protection Regulation (GDPR). The CNIL has also published a useful Frequently Asked Questions webpage regarding the Guidelines.…

Washington State is already shaping up as a center of state privacy legislation for 2020. Last year, SB 5376 (also known as the Washington Privacy Act, or WPA) gained significant traction in the legislature, passing the state Senate almost unanimously but ultimately failing in the House due to discussions around facial recognition and compliance challenges. State Senator Reuven Carlyle (D), chair of the state’s Senate Energy, Climate & Technology Committee, has now released a revised…

            It was a very busy year on the robocall front and, on 30 December 2019, President Trump signed into law the Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act (S. 151), which the House and Senate passed by wide, bipartisan margins earlier this year.…

Does the GDPR really apply to my company? From a data protection standpoint, this is the first thing that comes to mind within non-EU companies. In many cases, the GDPR seems like an issue of the Old Continent, so some assume it should not affect non-EU companies. In others, companies apply the GDPR to all their processing activities just to avoid the possibility of being addressed by EU authorities. Neither approach is per se correct.…

The legal requirements for the use of cookies have been subject to discussion over the last few years, with little to no enforcement and guidance from European data protection authorities (DPAs). That has changed recently. In the last few months, there have been interesting developments concerning the use of cookies. Upon investigating 175 websites, the Dutch DPA concluded that half of those websites did not comply with cookie requirements. The Bavarian DPA (Germany) initiated a…