Category

EU GDPR

Francesca Gaudino, a partner in Baker McKenzie’s Milan office, joins this episode of Connect on Tech to discuss the December 18th opinion issued by the Advocates General (AG) of the Court of Justice of the European Union on Data Protection Commissioner v Facebook Ireland (Schrems II). In this episode you will learn: what this opinion means for the resolution of the case; the view of the AG on standard contractual clauses and how this may affect…

The European Union’s highest court, the Court of Justice of the European Union (CJEU), is evaluating the legitimacy of the EU standard contractual clauses (SCC). SCCs have been the bedrock of cross-border personal data transfers outside the EU for many years. Today, the advocate general (a.g.) has rendered an opinion on the Schrems II case. By way of brief background, Schrems II is a case before the Court of Justice of the European Union (CJEU)…

The European Union Commission (Commission) has issued a report on its findings from the third annual Privacy Shield review, which took place in September. In its report, the Commission confirmed that the EU-US Privacy Shield framework continues to ensure an adequate level of protection for personal data transferred from the EU to companies participating in the Privacy Shield program in the United States. In concluding its report, the Commission provided additional action items necessary to…

On 20th June 2019 the Information Commissioner’s Office (ICO) published its “Update report into adtech and real time bidding” setting out the ICO’s findings and views on data protection practices in the adtech industry. This follows a review by the ICO of the adtech industry including engagement with industry stakeholders. The review focused specifically on real time bidding (RTB) as, according to the ICO, this type of online behavioural advertising appears particularly challenging from a…

Please click here to read Part I of this article. Future GDPR regulatory landscape: higher risk of enforcement on the horizon? In the GDPR’s first year we have seen a large number of complaints and data breach notifications to regulators but comparatively few enforcement actions and fines. There are likely several reasons why enforcement activity has been relatively slow so far. First, a number of DPAs will have faced challenges in preparing for GDPR themselves;…

The GDPR celebrated its first anniversary on 25 May 2019 – a good time to take stock. In this article, we look at how the GDPR has been enforced so far, what the regulators’ future direction of travel might be, and the key areas organisations will need to focus on in the coming months. EU enforcement trends: The local data protection authorities (DPAs) are facing a heavy caseload. As at 22 May 2019, there had…

The German Data Protection Authority in the state of Baden-Württemberg (DPA) imposed the first fine under the GDPR in Germany. The fine of EUR 20,000 was imposed on a chat platform provider for storing its users’ passwords without encrypting them. The unencrypted storing of passwords was revealed by the provider itself in conjunction with submitting a breach notification to the DPA following a hacker attack. It began with a security breach. The chat platform provider “knuddels.de” was…

In light of the GDPR, the German data protection authorities (German DPAs) have issued new guidance regarding the implementation of whistleblowing hotlines. The new position of the German DPAs is so fundamentally different from their pre-GDPR position that German companies should review, and likely implement changes to, any existing whistleblowing hotlines offered to their employees. The general EU position before the GDPR came into effect was that whistleblowers were encouraged to disclose their identity rather than…

On 25 April 2018, Japan’s data protection authority published draft guidelines relating to adequacy findings for international personal data transfers from Europe to Japan (Guidelines). If the Guidelines come into force in their current form, subject to the EU’s adequacy decision, they will allow for personal data to be transferred from the EEA (which includes the EU, Iceland, Liechtenstein and Norway) to Japan without measures such as specific data subject consent or standard contractual clauses. These Guidelines…

The Ukraine Government has published a plan of measures (“Plan”) on the implementation of the EU–Ukraine Association Agreement approved on 25 October 2017. The Plan (para. 11) requires the Ukrainian Parliament Commissioner for Human Rights, the government entity responsible for data protection in Ukraine, to implement Article 15 of the EU–Ukraine Association Agreement and revise legislation on the protection of personal data to bring it into compliance with the GDPR by 25 May 2018. The detailed action…