The key data regulators that oversee the European Union’s strict privacy regulation agreed to a beefed-up set of contractual terms to provide more clarity about the level of protection data transfers to countries outside the EU can enjoy.
British Airways faces the largest group claim ever made in U.K. legal history over a 2018 data breach that exposed the financial and personal details of more than 400,000 of its customers.
In 2020, companies are experiencing new dilemmas regarding compliance. With COVID-19, millions of workers have shifted from working in an office space — an employer-controlled environment — to working from home offices.
Aaron Nicodemus explains why President-elect Joe Biden’s SEC chairman pick, Gary Gensler, is getting rave reviews, while Aly McDevitt criticizes the alleged privacy misdeeds of Flo Health that led to an FTC settlement.
Any European Union data protection authority should be allowed to pursue legal action against Big Tech firms over privacy issues, according to an opinion from the advocate general of the region’s top court.
In the wake of the SolarWinds hack and in the middle of a pandemic, it’s critical to ensure your most important data is protected—particularly when you’re collecting and storing more of it than ever. Take 2 minutes to let us know how you think you’re doing.
A German data regulator fined an online laptop and electronic goods retailer €10.4 million (U.S. $12.7 million) for video-monitoring employees for at least two years without legal basis.
With the collapse of the EU-U.S. Privacy Shield comes an opportunity for the United States to address its data protection shortcomings. Just don’t expect a quick fix, as a litany of issues remain.
Financial institutions have been hit with $10.4 billion in global fines and penalties related to AML, KYC, data privacy, and MiFID regulations in 2020, according to a recent Fenergo report.
European data protection authorities need to speed up their decision-making processes—especially with regard to cross-border complaints—before regulators lose patience and find legal means to mete out penalties under national laws instead of the GDPR.
The invalidation of the EU-U.S. Privacy Shield has many U.S. companies wondering if they will ever be able to take possession of EU data again.
New Zealand’s new data privacy law allows an apology to be made without admitting guilt, a provision in keeping with the country’s non-traditional form of leadership, one that focuses on empathy and the well-being of the people.
Aaron Nicodemus and Dave Lefort debate whether the Irish Data Protection Commission’s €450,000 (U.S. $547,000) fine against Twitter under the GDPR is an appropriate figure or way too small for the social media company.
The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, and is currently the most comprehensive consumer data privacy law in the United States.
FTC requests issued to nine social media and video streaming services for information about how they collect and use personal information could be a step toward the U.S. government enacting federal privacy legislation.
Ireland’s first major decision against a Big Tech company under the GDPR has stirred controversy as the country’s data regulator hit Twitter with an underwhelming €450,000 (U.S. $547,000) fine for a 2018 data breach.
Facebook Ireland has set aside €302 million (U.S. $366 million) for possible fines from the Irish Data Protection Commission for violations of the General Data Protection Regulation.
Data privacy watchdog CNIL utilized the French Data Protection Act in fining Google and Amazon a combined €135 million (U.S. $163 million) for illegal cookie practices, sidestepping the “one-stop shop” provision of the GDPR.
Many of the problems European compliance officers faced in 2020 will remain in place going into the new year, but new risks and new regulations will also present new challenges.
Addressing data retention is the surest way to mitigate the risks and costs of a data breach. With numerous regulations such as the GDPR and California’s ballot initiative, the CPRA, requiring organizations to provide up-to-date and enforced retention schedules, it’s more important than ever that your organization maintains compliant practices to minimize damages.
Many of the things I’d like to see in 2021 are directly related to regulatory changes we anticipate are coming under a Biden administration, but they’re mixed with a few lessons from the pandemic we hope carry into a post-COVID world.
In our inaugural video edition of Nailed It or Failed It, Dave Lefort praises Nasdaq’s efforts to get the SEC to require board diversity disclosures, while Kyle Brasseur critiques Vodafone’s numerous run-ins with the GDPR.
Recent GDPR fines against British Airways, Marriott, and Ticketmaster by the U.K. Information Commissioner’s Office each saw the regulator dismiss claims by the companies that third parties were primarily responsible for the data breaches in question.
With the global workplace in a fractious state in 2020, many companies transitioned employees to working from home. This created new challenges for compliance leaders, from providing clear data security guidance to reinforcing HR policies like harassment prevention for the remote work environment.
Do the EU’s GDPR and California’s CCPA privacy regulations include the right of a data subject to have their personal information completely erased from all enterprise backups as well?
Children’s clothing retailer Hanna Andersson has agreed to pay $400,000 in what is believed to be the first monetary settlement for a lawsuit related to the California Consumer Privacy Act.
The Italian arm of multinational telecommunications company Vodafone is facing a fine of more than €12.25 million (U.S. $14.5 million) under the General Data Protection Regulation for aggressive telemarketing practices.
The Irish arm of WhatsApp has set aside $91.8 million for possible administrative fines arising from long-standing investigations by Ireland’s data regulator into the way the messaging platform shares data with Facebook.
Continuing a recent trend of massive fine reductions under the General Data Protection Regulation, 1 & 1 Telecom in Germany had its €9.55 million penalty issued last year reduced to €900,000 (U.S. $1.06 million) by a German court.
The U.K. Information Commissioner’s Office fined Ticketmaster £1.25 million (U.S. $1.6 million) for its failures relating to a 2018 data breach by a third party.
The European Data Protection Board has issued guidance to help companies transfer data to the United States and other third countries safely after Europe’s top court in July ruled key methods used up until then were either invalid or unsafe.
Lack of clarity on fines has dogged the GDPR since it took effect in May 2018, and the recent dramatic penalty reductions handed down by the U.K. in the cases of British Airways and Marriott certainly won’t help.
California voters approved a ballot measure that will add new layers of responsibility for businesses attempting to comply with the state’s first-in-the-nation data privacy law, the California Consumer Privacy Act.
The Marriott GDPR fine handed down by the U.K. Information Commissioner’s Office is less than 20 percent of the original number the regulator proposed, the second time this month such a drastic reduction has taken place.
The U.K. Information Commissioner’s Office issued an enforcement notice against Experian, ordering the credit reference agency to make “fundamental changes” to how it handles personal data related to its direct marketing services.
What should you do if your firm is hit by ransomware? Choose your own ending to this tale about a clinic, a criminal, and coronavirus to learn the risks and rewards of each choice.
The U.K. Information Commissioner’s Office agreed to slash its intended GDPR fine for British Airways from £183.39 million (U.S. $230 million) to just £20 million (U.S. $26 million). What was behind the massive reduction?
Experts discuss whether EU data protection authorities would be better served using corrective actions other than eye-watering fines to encourage companies to commit to best (and legal) GDPR practices.
Creating policies for data handling and accountability and driving culture change so people understand how to properly work with data are two important components of a data governance initiative, as is the technology for proactively managing data assets.
In this week’s “Nailed It or Failed It,” we take down EY and JPMorgan Chase for apparently ignoring whistleblowers and give the SEC a nod for rewarding them.
In one of the largest GDPR fines imposed, a regional data protection authority in Germany fined H&M Germany €35.2 million (U.S. $41.3 million) for excessive monitoring of several hundred employees by one of the retailer’s subsidiaries.
Premera Blue Cross has agreed to pay $6.85 million in a settlement with the U.S. Department of Health and Human Services regarding a 2014 data breach that affected the personal and health plan information of over 10.4 million people.
Bank of America gets a pat on the back for going beyond an “observe and report” approach to filing a SAR, and we learned this week that Wells Fargo’s CEO needs a little unconscious bias training.
In the past month three of the world’s largest tech firms have been hit with legal actions that could lead to billion-dollar damages suits for alleged violations of the GDPR. Neil Hodge explores the trend and what to expect moving forward.
Nearly a year since their last hearing to discuss the urgent need for a federal privacy law in the United States, the Senate Committee on Commerce, Science, and Transportation largely remains stuck in neutral.
Businesses with operations in California should expect their data privacy compliance obligations to get a lot more complicated next year with the California Privacy Rights Act expected to pass in November.
This e-Book offers results from a recent Compliance Week and OpenText survey exploring why companies are still struggling with California Consumer Privacy Act compliance.
A first-of-its-kind lawsuit in the U.K. alleges YouTube unlawfully collects personal information from children without parental consent and harvests their data for advertising purposes, in violation of British and European data privacy laws.
JPMorgan Chase, Danske Bank, Deutsche Bank, and Bank of America all either “Nailed It” or “Failed It” this week.
The Irish DPC’s order to Facebook to halt the transfer of European citizens’ personal data to the United States could pose operational and legal challenges that set a precedent for not only other tech giants, but companies generally.