EU regulators beef up SCCs as temporary Privacy Shield alternative
The key data regulators that oversee the European Union’s strict privacy regulation agreed to a beefed up set of contractual terms to provide more clarity about the level of protection data transfers to countries outside the EU can enjoy.
British Airways breach could cost billions in landmark class-action push
British Airways faces the largest group claim ever made in U.K. legal history over a 2018 data breach that exposed the financial and personal details of more than 400,000 of its customers.
White paper: Managing compliance for a remote workforce
In 2020, companies are experiencing new dilemmas regarding compliance. With COVID-19, millions of workers have shifted from working in an office space — an employer-controlled environment — to working from home offices.
Video: Gensler a strong choice for SEC; Flo’s alleged privacy lapses inexcusable
Aaron Nicodemus explains why President-elect Joe Biden’s SEC chairman pick, Gary Gensler, is getting rave reviews, while Aly McDevitt criticizes the alleged privacy misdeeds of Flo Health that led to an FTC settlement.
CJEU opinion could further expose Big Tech under GDPR
Any European Union data protection authority should be allowed to pursue legal action against Big Tech firms over privacy issues, according to an opinion from the advocate general of the region’s top court.
Survey: Cyber-risk and data privacy in the age of COVID
In the wake of the SolarWinds hack and in the middle of a pandemic, it’s critical to ensure your most important data is protected—particularly when you’re collecting and storing more of it than ever. Take 2 minutes to let us know how you think you’re doing.
German laptop retailer fined $12.7M under GDPR for employee surveillance
A German data regulator fined an online laptop and electronic goods retailer €10.4 million (U.S. $12.7 million) for video-monitoring employees for at least two years without legal basis.
Temper expectations on a U.S. federal privacy law in 2021
With the collapse of the EU-U.S. Privacy Shield comes an opportunity for the United States to address its data protection shortcomings. Just don’t expect a quick fix, as a litany of issues remain.
Report: Fines against financial institutions hit $10.4B in 2020
Financial institutions have been hit with $10.4 billion in global fines and penalties related to AML, KYC, data privacy, and MiFID regulations in 2020, according to a recent Fenergo report.
GDPR priorities for 2021: Twitter ruling stresses need for harmonization
European data protection authorities need to speed up their decision-making processes—especially with regard to cross-border complaints—before regulators lose patience and find legal means to mete out penalties under national laws instead of the GDPR.
CPE Webcast: Schrems II: The end of the EU-U.S. Privacy Shield
The invalidation of the EU-U.S. Privacy Shield has many U.S. companies wondering if they will ever be able to take possession of EU data again.
New Zealand’s new privacy law comes with a refreshing twist—it allows for apologies
New Zealand’s new data privacy law allows an apology to be made without admitting guilt, a provision that follows with the island’s non-traditional form of leadership as one that focuses on empathy and the well-being of the people.
Video: Twitter GDPR fine too little or just right?
Aaron Nicodemus and Dave Lefort debate whether the Irish Data Protection Commission’s €450,000 (U.S. $547,000) fine against Twitter under the GDPR is an appropriate figure or way too small for the social media company.
CPE Webcast: CCPA year in review
The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, and is currently the most comprehensive consumer data privacy law in the United States.
FTC data requests could pave way to federal privacy law, experts say
FTC requests issued to nine social media and video streaming services for information about how they collect and use personal information could be a step toward the U.S. government enacting federal privacy legislation.
Twitter’s tiny $547K GDPR fine leaves many scratching their heads
Ireland’s first major decision against a Big Tech company under the GDPR has stirred controversy as the country’s data regulator hit Twitter with an underwhelming €450,000 (U.S. $547,000) fine for a 2018 data breach.
Facebook reserves $366M for expected GDPR fines in Ireland
Facebook Ireland has set aside €302 million (U.S. $366 million) for possible fines from the Irish Data Protection Commission for violations of the General Data Protection Regulation.
France sidesteps GDPR in fining Google, Amazon $163M combined
Data privacy watchdog CNIL utilized the French Data Protection Act in fining Google and Amazon a combined €135 million (U.S. $163 million) for illegal cookie practices, sidestepping the “one-stop shop” provision of the GDPR.
Five challenges for European CCOs heading into 2021
Many of the problems European compliance officers faced in 2020 will remain in place going into the new year, but new risks and new regulations will also present new challenges.
CPE Webcast: Conquering data privacy’s biggest challenge
Addressing data retention is the surest way to mitigate risks and costs of a data breach. With numerous regulations such as GDPR and California’s ballot initiative CCPRA requiring organizations to provide up-to-date and enforced retention schedules, it’s more important than ever that your organization maintains compliant practices to minimize damages.
Ten things I’d like to see happen in 2021 (2020 in review)
Many of the things I’d like to see in 2021 are directly related to regulatory changes we anticipate are coming under a Biden administration, but they’re mixed with a few lessons from the pandemic we hope carry into a post-COVID world.
Video: Praise for Nasdaq diversity push; Vodafone’s GDPR woes prove costly
In our inaugural video edition of Nailed It or Failed It, Dave Lefort praises Nasdaq’s efforts to get the SEC to require board diversity disclosures, while Kyle Brasseur critiques Vodafone’s numerous run-ins with the GDPR.
Trio of U.K. fines expose third-party risks under GDPR
Recent GDPR fines against British Airways, Marriott, and Ticketmaster by the U.K. Information Commissioner’s Office each saw the regulator dismiss claims by the companies that third parties were primarily responsible for the data breaches in question.
Feb. 4 | Adapting your compliance program for the next new normal
With the global workplace in a fractious state in 2020, many companies transitioned employees to working from home. This created new challenges for compliance leaders from providing clear data security guidance to reinforcing HR policies like harassment prevention for the remote work environment.
CPE Webcast: Right to be forgotten versus need for backups
Do the EUs GDPR and California’s CCPA privacy regulations include the right of a data subject to have their personal information completely erased from all enterprise backups as well?
Hanna Andersson agrees to pay $400K in CCPA-related breach lawsuit
Children’s clothing retailer Hanna Andersson has agreed to pay $400,000 in what is believed to be the first monetary settlement for a lawsuit related to the California Consumer Privacy Act.
Vodafone Italy fined $14.5M under GDPR for telemarketing tactics
The Italian arm of multinational telecommunications company Vodafone is facing a fine of more than €12.25 million (U.S. $14.5 million) under the General Data Protection Regulation for aggressive telemarketing practices.
WhatsApp Ireland reserves $91.8M for potential GDPR fine
The Irish arm of WhatsApp has set aside $91.8 million for possible administrative fines arising from long-standing investigations by Ireland’s data regulator into the way the messaging platform shares data with Facebook.
German court cuts 1 & 1 Telecom GDPR fine by 90 percent
Continuing a recent trend of massive fine reductions under the General Data Protection Regulation, 1 & 1 Telecom in Germany had its €9.55 million penalty issued last year reduced to €900,000 (U.S. $1.06 million) by a German court.
Ticketmaster UK fined $1.6M under GDPR for 2018 data breach
The U.K. Information Commissioner’s Office fined Ticketmaster £1.25 million (U.S. $1.6 million) for its failures relating to a 2018 data breach by a third party.
Guidance for safe data transfers post-Privacy Shield
The European Data Protection Board has issued guidance to help companies transfer data to the United States and other third countries safely after Europe’s top court in July ruled key methods used up until then were either invalid or unsafe.
BA, Marriott fine reductions latest wrench in GDPR enforcement harmony
Lack of clarity on fines has dogged the GDPR since it took effect in May 2018, and the recent dramatic penalty reductions handed down by the U.K. in the cases of British Airways and Marriott certainly won’t help.
California voters approve creation of new state agency to enforce CCPA
California voters approved a ballot measure that will add new layers of responsibility for businesses attempting to comply with the state’s first-in-the-nation data privacy law, the California Consumer Privacy Act.
In second drastic reduction, ICO fines Marriott $23.8M
The Marriott GDPR fine handed down by the U.K. Information Commissioner’s Office is less than 20 percent of the original number the regulator proposed, the second time this month such a drastic reduction has taken place.
Experian to appeal ICO enforcement notice over data protection failures
The U.K. Information Commissioner’s Office issued an enforcement notice against Experian, ordering the credit reference agency to make “fundamental changes” to how it handles personal data related to its direct marketing services.
Choose your ending: What to do when your systems are hacked and ransom is demanded
What should you do if your firm is hit by ransomware? Choose your own ending to this tale about a clinic, a criminal, and coronavirus to learn the risks and rewards of each choice.
Anatomy of a 90% fine reduction: How BA saved $200M on GDPR penalty
The U.K. Information Commissioner’s Office agreed to slash its intended GDPR fine for British Airways from £183.39 million (U.S. $230 million) to just £20 million (U.S. $26 million). What was behind the massive reduction?
Corrective action could trump fines as GDPR evolves
Experts discuss whether EU data protection authorities would be better served using corrective actions other than eye-watering fines to encourage companies to commit to best (and legal) GDPR practices.
White paper: The Data Trinity: Governance, Security & Privacy
Creating policies for data handling and accountability and driving culture change so people understand how to properly work with data are two important components of a data governance initiative, as is the technology for proactively managing data assets.
EY allegedly flubbed Wirecard dealings worse than we thought
In this week’s “Nailed It or Failed It,” we take down EY and JPMorgan Chase for apparently ignoring whistleblowers and give the SEC a nod for rewarding them.
H&M Germany fined $41.3M in one of largest GDPR penalties
In one of the largest GDPR fines imposed, a regional data protection authority in Germany fined H&M Germany €35.2 million (U.S. $41.3 million) for excessive monitoring of several hundred employees by one of the retailer’s subsidiaries.
Breach costs Premera Blue Cross $6.85M; second-largest HIPAA fine
Premera Blue Cross has agreed to pay $6.85 million in a settlement with the U.S. Department of Health and Human Services regarding a 2014 data breach that affected the personal and health plan information of over 10.4 million people.
BoA a silver lining in damning ‘FinCEN Files’ report; Wells Fargo CEO puts foot in mouth
Bank of America gets a pat on the back for going beyond an “observe and report” approach to filing a SAR, and we learned this week that Wells Fargo’s CEO needs a little unconscious bias training.
Companies face greater risk as GDPR class actions emerge
In the past month three of the world’s largest tech firms have been hit with legal actions that could lead to billion-dollar damages suits for alleged violations of the GDPR. Neil Hodge explores the trend and what to expect moving forward.
Déjà vu: Senate committee revisits need for federal privacy law
Nearly a year since their last hearing to discuss the urgent need for a federal privacy law in the United States, the Senate Committee on Commerce, Science, and Transportation largely remains stuck in neutral.
What CCPA-affected businesses need to know about California’s next privacy initiative
Businesses with operations in California should expect their data privacy compliance obligations to get a lot more complicated next year with the California Privacy Rights Act expected to pass in November.
e-Book: Companies still wrestle with data privacy regulation
This e-Book offers results from a recent Compliance Week and OpenText survey exploring why companies are still struggling with California Consumer Privacy Act compliance.
U.K. lawsuit seeks $3.2B from YouTube for violating children’s privacy
A first-of-its-kind lawsuit in the U.K. alleges YouTube unlawfully collects personal information from children without parental consent and harvests their data for advertising purposes, in violation of British and European data privacy laws.
Credit to JPMorgan Chase in this week’s banking-themed naughty/nice list
JPMorgan Chase, Danske Bank, Deutsche Bank, and Bank of America all either “Nailed It” or “Failed It” this week.
Ireland’s order to Facebook to halt data transfers could have ‘profound’ impact
The Irish DPC’s order to Facebook to halt the transfer of European citizens’ personal data to the United States could pose operational and legal challenges that set a precedent for not only other tech giants, but companies generally.