Data Privacy


EU US privacy

EU regulators beef up SCCs as temporary Privacy Shield alternative

2021-01-15T19:41:00+00:00

The key data regulators that oversee the European Union’s strict privacy regulation agreed to a beefed up set of contractual terms to provide more clarity about the level of protection data transfers to countries outside the EU can enjoy.

British Airways

British Airways breach could cost billions in landmark class-action push

2021-01-15T15:12:00+00:00

British Airways faces the largest group claim ever made in U.K. legal history over a 2018 data breach that exposed the financial and personal details of more than 400,000 of its customers.

White paper: Managing compliance for a remote workforce

2021-01-15T05:26:00+00:00

In 2020, companies are experiencing new dilemmas regarding compliance. With COVID-19, millions of workers have shifted from working in an office space — an employer-controlled environment — to working from home offices.

Video: Gensler a strong choice for SEC; Flo’s alleged privacy lapses inexcusable

2021-01-14T21:27:00+00:00 By Compliance Week

Aaron Nicodemus explains why President-elect Joe Biden’s SEC chairman pick, Gary Gensler, is getting rave reviews, while Aly McDevitt criticizes the alleged privacy misdeeds of Flo Health that led to an FTC settlement.

Big Tech

CJEU opinion could further expose Big Tech under GDPR

2021-01-13T19:24:00+00:00

Any European Union data protection authority should be allowed to pursue legal action against Big Tech firms over privacy issues, according to an opinion from the advocate general of the region’s top court.

Survey: Cyber-risk and data privacy in the age of COVID

2021-01-12T20:43:00+00:00 By Compliance Week

In the wake of the SolarWinds hack and in the middle of a pandemic, it’s critical to ensure your most important data is protected—particularly when you’re collecting and storing more of it than ever. Take 2 minutes to let us know how you think you’re doing.

Employee monitoring

German laptop retailer fined $12.7M under GDPR for employee surveillance

2021-01-11T19:08:00+00:00

A German data regulator fined an online laptop and electronic goods retailer €10.4 million (U.S. $12.7 million) for video-monitoring employees for at least two years without legal basis.

Temper expectations on a U.S. federal privacy law in 2021

2020-12-30T19:04:00+00:00

With the collapse of the EU-U.S. Privacy Shield comes an opportunity for the United States to address its data protection shortcomings. Just don’t expect a quick fix, as a litany of issues remain.

Global

Report: Fines against financial institutions hit $10.4B in 2020

2020-12-22T21:14:00+00:00

Financial institutions have been hit with $10.4 billion in global fines and penalties related to AML, KYC, data privacy, and MiFID regulations in 2020, according to a recent Fenergo report.

GDPR priorities for 2021: Twitter ruling stresses need for harmonization

2020-12-22T20:43:00+00:00

European data protection authorities need to speed up their decision-making processes—especially with regard to cross-border complaints—before regulators lose patience and find legal means to mete out penalties under national laws instead of the GDPR.

CPE Webcast: Schrems II: The end of the EU-U.S. Privacy Shield

2020-12-22T14:00:00+00:00

The invalidation of the EU-U.S. Privacy Shield has many U.S. companies wondering if they will ever be able to take possession of EU data again.

New Zealand

New Zealand’s new privacy law comes with a refreshing twist—it allows for apologies

2020-12-21T17:02:00+00:00 By Mary Shirley, CW guest columnist

New Zealand’s new data privacy law allows an apology to be made without admitting guilt, a provision that follows with the island’s non-traditional form of leadership as one that focuses on empathy and the well-being of the people.

Video: Twitter GDPR fine too little or just right?

2020-12-17T20:03:00+00:00 By Compliance Week

Aaron Nicodemus and Dave Lefort debate whether the Irish Data Protection Commission’s €450,000 (U.S. $547,000) fine against Twitter under the GDPR is an appropriate figure or way too small for the social media company.

CPE Webcast: CCPA year in review

2020-12-17T14:00:00+00:00

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, and is currently the most comprehensive consumer data privacy law in the United States.

FTC

FTC data requests could pave way to federal privacy law, experts say

2020-12-15T22:16:00+00:00

FTC requests issued to nine social media and video streaming services for information about how they collect and use personal information could be a step toward the U.S. government enacting federal privacy legislation.

Twitter

Twitter’s tiny $547K GDPR fine leaves many scratching their heads

2020-12-15T20:19:00+00:00

Ireland’s first major decision against a Big Tech company under the GDPR has stirred controversy as the country’s data regulator hit Twitter with an underwhelming €450,000 (U.S. $547,000) fine for a 2018 data breach.

Facebook reserves $366M for expected GDPR fines in Ireland

2020-12-11T20:13:00+00:00

Facebook Ireland has set aside €302 million (U.S. $366 million) for possible fines from the Irish Data Protection Commission for violations of the General Data Protection Regulation.

Google building

France sidesteps GDPR in fining Google, Amazon $163M combined

2020-12-11T18:35:00+00:00

Data privacy watchdog CNIL utilized the French Data Protection Act in fining Google and Amazon a combined €135 million (U.S. $163 million) for illegal cookie practices, sidestepping the “one-stop shop” provision of the GDPR.

Europe

Five challenges for European CCOs heading into 2021

2020-12-10T21:13:00+00:00

Many of the problems European compliance officers faced in 2020 will remain in place going into the new year, but new risks and new regulations will also present new challenges.

CPE Webcast: Conquering data privacy’s biggest challenge

2020-12-10T14:00:00+00:00

Addressing data retention is the surest way to mitigate risks and costs of a data breach. With numerous regulations such as GDPR and California’s ballot initiative CCPRA requiring organizations to provide up-to-date and enforced retention schedules, it’s more important than ever that your organization maintains compliant practices to minimize damages.

2021

Ten things I’d like to see happen in 2021 (2020 in review)

2020-12-09T14:20:00+00:00

Many of the things I’d like to see in 2021 are directly related to regulatory changes we anticipate are coming under a Biden administration, but they’re mixed with a few lessons from the pandemic we hope carry into a post-COVID world.

Video: Praise for Nasdaq diversity push; Vodafone’s GDPR woes prove costly

2020-12-03T21:52:00+00:00 By Compliance Week

In our inaugural video edition of Nailed It or Failed It, Dave Lefort praises Nasdaq’s efforts to get the SEC to require board diversity disclosures, while Kyle Brasseur critiques Vodafone’s numerous run-ins with the GDPR.

Point the finger

Trio of U.K. fines expose third-party risks under GDPR

2020-11-30T21:34:00+00:00

Recent GDPR fines against British Airways, Marriott, and Ticketmaster by the U.K. Information Commissioner’s Office each saw the regulator dismiss claims by the companies that third parties were primarily responsible for the data breaches in question.

Feb. 4 | Adapting your compliance program for the next new normal

2020-11-29T17:40:00+00:00

With the global workplace in a fractious state in 2020, many companies transitioned employees to working from home. This created new challenges for compliance leaders from providing clear data security guidance to reinforcing HR policies like harassment prevention for the remote work environment.

CPE Webcast: Right to be forgotten versus need for backups

2020-11-24T14:00:00+00:00

Do the EU’s GDPR and California’s CCPA privacy regulations include the right of a data subject to have their personal information completely erased from all enterprise backups as well?

California flag

Hanna Andersson agrees to pay $400K in CCPA-related breach lawsuit

2020-11-23T21:41:00+00:00

Children’s clothing retailer Hanna Andersson has agreed to pay $400,000 in what is believed to be the first monetary settlement for a lawsuit related to the California Consumer Privacy Act.

Vodafone

Vodafone Italy fined $14.5M under GDPR for telemarketing tactics

2020-11-23T19:37:00+00:00

The Italian arm of multinational telecommunications company Vodafone is facing a fine of more than €12.25 million (U.S. $14.5 million) under the General Data Protection Regulation for aggressive telemarketing practices.

WhatsApp

WhatsApp Ireland reserves $91.8M for potential GDPR fine

2020-11-20T19:17:00+00:00

The Irish arm of WhatsApp has set aside $91.8 million for possible administrative fines arising from long-standing investigations by Ireland’s data regulator into the way the messaging platform shares data with Facebook.

Germany privacy

German court cuts 1 & 1 Telecom GDPR fine by 90 percent

2020-11-16T18:23:00+00:00

Continuing a recent trend of massive fine reductions under the General Data Protection Regulation, 1 & 1 Telecom in Germany had its €9.55 million penalty issued last year reduced to €900,000 (U.S. $1.06 million) by a German court.

Ticketmaster

Ticketmaster UK fined $1.6M under GDPR for 2018 data breach

2020-11-13T18:18:00+00:00

The U.K. Information Commissioner’s Office fined Ticketmaster £1.25 million (U.S. $1.6 million) for its failures relating to a 2018 data breach by a third party.

Data globe

Guidance for safe data transfers post-Privacy Shield

2020-11-12T20:21:00+00:00

The European Data Protection Board has issued guidance to help companies transfer data to the United States and other third countries safely after Europe’s top court in July ruled key methods used up until then were either invalid or unsafe.

GDPR

BA, Marriott fine reductions latest wrench in GDPR enforcement harmony

2020-11-10T18:03:00+00:00

Lack of clarity on fines has dogged the GDPR since it took effect in May 2018, and the recent dramatic penalty reductions handed down by the U.K. in the cases of British Airways and Marriott certainly won’t help.

California voters approve creation of new state agency to enforce CCPA

2020-11-04T21:26:00+00:00

California voters approved a ballot measure that will add new layers of responsibility for businesses attempting to comply with the state’s first-in-the-nation data privacy law, the California Consumer Privacy Act.

Marriott

In second drastic reduction, ICO fines Marriott $23.8M

2020-10-30T19:44:00+00:00

The Marriott GDPR fine handed down by the U.K. Information Commissioner’s Office is less than 20 percent of the original number the regulator proposed, the second time this month such a drastic reduction has taken place.

Experian

Experian to appeal ICO enforcement notice over data protection failures

2020-10-27T15:58:00+00:00

The U.K. Information Commissioner’s Office issued an enforcement notice against Experian, ordering the credit reference agency to make “fundamental changes” to how it handles personal data related to its direct marketing services.

Choose your ending: What to do when your systems are hacked and ransom is demanded

2020-10-26T14:54:00+00:00

What should you do if your firm is hit by ransomware? Choose your own ending to this tale about a clinic, a criminal, and coronavirus to learn the risks and rewards of each choice.

Anatomy of a 90% fine reduction: How BA saved $200M on GDPR penalty

2020-10-16T19:44:00+01:00

The U.K. Information Commissioner’s Office agreed to slash its intended GDPR fine for British Airways from £183.39 million (U.S. $230 million) to just £20 million (U.S. $26 million). What was behind the massive reduction?

GDPR

Corrective action could trump fines as GDPR evolves

2020-10-14T16:32:00+01:00

Experts discuss whether EU data protection authorities would be better served using corrective actions other than eye-watering fines to encourage companies to commit to best (and legal) GDPR practices.

White paper: The Data Trinity: Governance, Security & Privacy

2020-10-14T07:50:00+01:00

Creating policies for data handling and accountability and driving culture change so people understand how to properly work with data are two important components of a data governance initiative, as is the technology for proactively managing data assets.

EY allegedly flubbed Wirecard dealings worse than we thought

2020-10-02T17:05:00+01:00 By Compliance Week

In this week’s “Nailed It or Failed It,” we take down EY and JPMorgan Chase for apparently ignoring whistleblowers and give the SEC a nod for rewarding them.

H&M

H&M Germany fined $41.3M in one of largest GDPR penalties

2020-10-01T16:56:00+01:00

In one of the largest GDPR fines imposed, a regional data protection authority in Germany fined H&M Germany €35.2 million (U.S. $41.3 million) for excessive monitoring of several hundred employees by one of the retailer’s subsidiaries.

Health records

Breach costs Premera Blue Cross $6.85M; second-largest HIPAA fine

2020-09-28T21:24:00+01:00

Premera Blue Cross has agreed to pay $6.85 million in a settlement with the U.S. Department of Health and Human Services regarding a 2014 data breach that affected the personal and health plan information of over 10.4 million people.

BoA a silver lining in damning ‘FinCEN Files’ report; Wells Fargo CEO puts foot in mouth

2020-09-25T20:27:00+01:00 By Compliance Week

Bank of America gets a pat on the back for going beyond an “observe and report” approach to filing a SAR, and we learned this week that Wells Fargo’s CEO needs a little unconscious bias training.

GDPR

Companies face greater risk as GDPR class actions emerge

2020-09-24T18:00:00+01:00

In the past month three of the world’s largest tech firms have been hit with legal actions that could lead to billion-dollar damages suits for alleged violations of the GDPR. Neil Hodge explores the trend and what to expect moving forward.

Roger Wicker

Déjà vu: Senate committee revisits need for federal privacy law

2020-09-23T19:55:00+01:00

Nearly a year since their last hearing to discuss the urgent need for a federal privacy law in the United States, the Senate Committee on Commerce, Science, and Transportation largely remains stuck in neutral.

California

What CCPA-affected businesses need to know about California’s next privacy initiative

2020-09-21T16:36:00+01:00

Businesses with operations in California should expect their data privacy compliance obligations to get a lot more complicated next year with the California Privacy Rights Act expected to pass in November.

e-Book: Companies still wrestle with data privacy regulation

2020-09-15T04:15:00+01:00 Provided by OpenText

This e-Book offers results from a recent Compliance Week and OpenText survey exploring why companies are still struggling with California Consumer Privacy Act compliance.

Youtube

U.K. lawsuit seeks $3.2B from YouTube for violating children’s privacy

2020-09-14T19:29:00+01:00

A first-of-its-kind lawsuit in the U.K. alleges YouTube unlawfully collects personal information from children without parental consent and harvests their data for advertising purposes, in violation of British and European data privacy laws.

Credit to JPMorgan Chase in this week’s banking-themed naughty/nice list

2020-09-10T21:14:00+01:00 By Compliance Week

JPMorgan Chase, Danske Bank, Deutsche Bank, and Bank of America all either “Nailed It” or “Failed It” this week.

Facebook

Ireland’s order to Facebook to halt data transfers could have ‘profound’ impact

2020-09-10T16:06:00+01:00

The Irish DPC’s order to Facebook to halt the transfer of European citizens’ personal data to the United States could pose operational and legal challenges that set a precedent for not only other tech giants, but companies generally.