GDPR


Nailedit1200x800

Video: SEC on right path with climate disclosures; alleged privacy lapses at Amazon troubling

2021-02-25T22:39:00+00:00By Compliance Week

Aaron Nicodemus applauds the SEC for taking steps to clarify how companies should disclose economic risks posed by climate change, while Dave Lefort is critical of alleged lapses in data security at Amazon.

Social media

Ireland GDPR report: Big fines coming soon for Big Tech?

2021-02-25T21:48:00+00:00By

Ireland’s data regulator has 27 ongoing cross-border inquiries into Big Tech firms, according to its latest annual report. It expects several cases to be resolved in the coming year.

TikTok

TikTok faces more backlash, now from EU consumer group

2021-02-16T20:12:00+00:00By

TikTok has come under the scrutiny of European consumer advocacy organization BEUC, which is urging authorities to put an end to the video sharing platform’s abuse of EU users’ rights—especially those of children.

Spain and Italy

Spain, Italy setting new standard for GDPR enforcement

2021-01-28T20:36:00+00:00By

While big fines against big companies make headlines, Spain and Italy have flown under the radar as two of the most frequent enforcers of the GDPR, instead primarily focusing on smaller penalties. Might other countries follow suit?

Grindr

Norwegian DPA warns Grindr of $11.7M GDPR fine

2021-01-26T20:38:00+00:00By

Norway’s data privacy watchdog issued gay dating app Grindr with a notice of intention to fine it NOK 100 million (U.S. $11.7 million) for sharing personal data with third parties without users’ consent.

CaixaBank

Spanish DPA fines CaixaBank record $7.3M under GDPR

2021-01-25T20:31:00+00:00By

Spain’s data protection authority recently fined CaixaBank €6 million (U.S. $7.3 million) for misuse of customer data, the largest GDPR fine the country has handed out.

Privacy data access

Three best practices for handling GDPR and CCPA ‘right of access’ requests

2021-01-22T18:36:00+00:00By

A panel discussion on a recent Webcast analyzed common data subject access request compliance challenges, as well as leading practices designed to best comply with the EU’s GDPR and the CCPA in the United States.

EU US privacy

EU regulators beef up SCCs as temporary Privacy Shield alternative

2021-01-15T19:41:00+00:00By

The key data regulators that oversee the European Union’s strict privacy regulation agreed to a beefed up set of contractual terms to provide more clarity about the level of protection data transfers to countries outside the EU can enjoy.

British Airways

British Airways breach could cost billions in landmark class-action push

2021-01-15T15:12:00+00:00By

British Airways faces the largest group claim ever made in U.K. legal history over a 2018 data breach that exposed the financial and personal details of more than 400,000 of its customers.

Big Tech

CJEU opinion could further expose Big Tech under GDPR

2021-01-13T19:24:00+00:00By

Any European Union data protection authority should be allowed to pursue legal action against Big Tech firms over privacy issues, according to an opinion from the advocate general of the region’s top court.

Employee monitoring

German laptop retailer fined $12.7M under GDPR for employee surveillance

2021-01-11T19:08:00+00:00By

A German data regulator fined an online laptop and electronic goods retailer €10.4 million (U.S. $12.7 million) for video-monitoring employees for at least two years without legal basis.

Europedata

GDPR priorities for 2021: Twitter ruling stresses need for harmonization

2020-12-22T20:43:00+00:00By

European data protection authorities need to speed up their decision-making processes—especially with regard to cross-border complaints—before regulators lose patience and find legal means to mete out penalties under national laws instead of the GDPR.

nailedit1200x800_778257

Video: Twitter GDPR fine too little or just right?

2020-12-17T20:03:00+00:00By Compliance Week

Aaron Nicodemus and Dave Lefort debate whether the Irish Data Protection Commission’s €450,000 (U.S. $547,000) fine against Twitter under the GDPR is an appropriate figure or way too small for the social media company.

Twitter

Twitter’s tiny $547K GDPR fine leaves many scratching their heads

2020-12-15T20:19:00+00:00By

Ireland’s first major decision against a Big Tech company under the GDPR has stirred controversy as the country’s data regulator hit Twitter with an underwhelming €450,000 (U.S. $547,000) fine for a 2018 data breach.

Facebookcrop

Facebook reserves $366M for expected GDPR fines in Ireland

2020-12-11T20:13:00+00:00By

Facebook Ireland has set aside €302 million (U.S. $366 million) for possible fines from the Irish Data Protection Commission for violations of the General Data Protection Regulation.

Google building

France sidesteps GDPR in fining Google, Amazon $163M combined

2020-12-11T18:35:00+00:00By

Data privacy watchdog CNIL utilized the French Data Protection Act in fining Google and Amazon a combined €135 million (U.S. $163 million) for illegal cookie practices, sidestepping the “one-stop shop” provision of the GDPR.

Europe

Five challenges for European CCOs heading into 2021

2020-12-10T21:13:00+00:00By

Many of the problems European compliance officers faced in 2020 will remain in place going into the new year, but new risks and new regulations will also present new challenges.

Nailedit1200x800

Video: Praise for Nasdaq diversity push; Vodafone’s GDPR woes prove costly

2020-12-03T21:52:00+00:00By Compliance Week

In our inaugural video edition of Nailed It or Failed It, Dave Lefort praises Nasdaq’s efforts to get the SEC to require board diversity disclosures, while Kyle Brasseur critiques Vodafone’s numerous run-ins with the GDPR.

Point the finger

Trio of U.K. fines expose third-party risks under GDPR

2020-11-30T21:34:00+00:00By

Recent GDPR fines against British Airways, Marriott, and Ticketmaster by the U.K. Information Commissioner’s Office each saw the regulator dismiss claims by the companies that third parties were primarily responsible for the data breaches in question.

archive360 300x200

CPE Webcast: Right to be forgotten versus need for backups

2020-11-24T14:00:00+00:00Provided by

Do the EUs GDPR and California’s CCPA privacy regulations include the right of a data subject to have their personal information completely erased from all enterprise backups as well?

Vodafone

Vodafone Italy fined $14.5M under GDPR for telemarketing tactics

2020-11-23T19:37:00+00:00By

The Italian arm of multinational telecommunications company Vodafone is facing a fine of more than €12.25 million (U.S. $14.5 million) under the General Data Protection Regulation for aggressive telemarketing practices.

WhatsApp

WhatsApp Ireland reserves $91.8M for potential GDPR fine

2020-11-20T19:17:00+00:00By

The Irish arm of WhatsApp has set aside $91.8 million for possible administrative fines arising from long-standing investigations by Ireland’s data regulator into the way the messaging platform shares data with Facebook.

Germany privacy

German court cuts 1 & 1 Telecom GDPR fine by 90 percent

2020-11-16T18:23:00+00:00By

Continuing a recent trend of massive fine reductions under the General Data Protection Regulation, 1 & 1 Telecom in Germany had its €9.55 million penalty issued last year reduced to €900,000 (U.S. $1.06 million) by a German court.

Ticketmaster

Ticketmaster UK fined $1.6M under GDPR for 2018 data breach

2020-11-13T18:18:00+00:00By

The U.K. Information Commissioner’s Office fined Ticketmaster £1.25 million (U.S. $1.6 million) for its failures relating to a 2018 data breach by a third party.

Data globe

Guidance for safe data transfers post-Privacy Shield

2020-11-12T20:21:00+00:00By

The European Data Protection Board has issued guidance to help companies transfer data to the United States and other third countries safely after Europe’s top court in July ruled key methods used up until then were either invalid or unsafe.

GDPR

BA, Marriott fine reductions latest wrench in GDPR enforcement harmony

2020-11-10T18:03:00+00:00By

Lack of clarity on fines has dogged the GDPR since it took effect in May 2018, and the recent dramatic penalty reductions handed down by the U.K. in the cases of British Airways and Marriott certainly won’t help.

Marriott

In second drastic reduction, ICO fines Marriott $23.8M

2020-10-30T19:44:00+00:00By

The Marriott GDPR fine handed down by the U.K. Information Commissioner’s Office is less than 20 percent of the original number the regulator proposed, the second time this month such a drastic reduction has taken place.

Experian

Experian to appeal ICO enforcement notice over data protection failures

2020-10-27T15:58:00+00:00By

The U.K. Information Commissioner’s Office issued an enforcement notice against Experian, ordering the credit reference agency to make “fundamental changes” to how it handles personal data related to its direct marketing services.

britishairways_216861912214608

Anatomy of a 90% fine reduction: How BA saved $200M on GDPR penalty

2020-10-16T19:44:00+01:00By

The U.K. Information Commissioner’s Office agreed to slash its intended GDPR fine for British Airways from £183.39 million (U.S. $230 million) to just £20 million (U.S. $26 million). What was behind the massive reduction?

GDPR

Corrective action could trump fines as GDPR evolves

2020-10-14T16:32:00+01:00By

Experts discuss whether EU data protection authorities would be better served using corrective actions other than eye-watering fines to encourage companies to commit to best (and legal) GDPR practices.

H&M

H&M Germany fined $41.3M in one of largest GDPR penalties

2020-10-01T16:56:00+01:00By

In one of the largest GDPR fines imposed, a regional data protection authority in Germany fined H&M Germany €35.2 million (U.S. $41.3 million) for excessive monitoring of several hundred employees by one of the retailer’s subsidiaries.

GDPR

Companies face greater risk as GDPR class actions emerge

2020-09-24T18:00:00+01:00By

In the past month three of the world’s largest tech firms have been hit with legal actions that could lead to billion-dollar damages suits for alleged violations of the GDPR. Neil Hodge explores the trend and what to expect moving forward.

Youtube

U.K. lawsuit seeks $3.2B from YouTube for violating children’s privacy

2020-09-14T19:29:00+01:00By

A first-of-its-kind lawsuit in the U.K. alleges YouTube unlawfully collects personal information from children without parental consent and harvests their data for advertising purposes, in violation of British and European data privacy laws.

Facebook

Ireland’s order to Facebook to halt data transfers could have ‘profound’ impact

2020-09-10T16:06:00+01:00By

The Irish DPC’s order to Facebook to halt the transfer of European citizens’ personal data to the United States could pose operational and legal challenges that set a precedent for not only other tech giants, but companies generally.

EU US privacy

European Commission: No Privacy Shield replacement in sight

2020-09-04T15:57:00+01:00By

The European Commission this week warned there will be “no quick fix” to replace the now-invalidated Privacy Shield, which governed data transfers between the European Union and United Sates.

Privacy Shield

EU data authorities take different approaches to Privacy Shield ruling

2020-08-28T18:12:00+01:00By

It appears Europe’s data authorities are prepared to interpret a key court judgement as they see fit in the absence of definitive guidance from the bloc’s primary privacy regulator.

Twitter

Clash over draft Twitter GDPR decision exposes differences among EU authorities

2020-08-26T14:23:00+01:00By

As Ireland’s first GDPR decision against Big Tech hangs in limbo, experts are scratching their heads as to why a seemingly straightforward case is headed to the EU’s data governing body to rule on.

Nailedit1200x800

Jury’s out on Wells Fargo compliance moves; Twitter #fail for Irish DPC

2020-08-20T18:33:00+01:00By Compliance Week

While it’s not yet clear whether Wells Fargo’s compliance moves (including the loss of its CCO) will pay off, we’re much more certain about the Irish Data Protection Commission’s stance on a potential Twitter fine.

EU US privacy

EU privacy advocate targets Facebook, Google in latest salvo

2020-08-19T20:02:00+01:00By

Privacy campaign group NOYB has filed complaints against 101 websites with European operators that it says are still sending data to the U.S. via Google and/or Facebook integrations—potentially in breach of the EU’s strict data privacy rules.

Salesforce

Oracle, Salesforce targeted in class-action GDPR lawsuits

2020-08-17T20:51:00+01:00By

A European privacy group is pursuing multiple class-action lawsuits against Oracle and Salesforce for alleged violations of the EU’s General Data Protection Regulation, estimating damages sought could exceed €10 billion (U.S. $11.9 billion).

Europedata

Five tips for EU-U.S. data transfers post-Privacy Shield

2020-08-04T15:21:00+01:00By

As the fallout from the demise of the Privacy Shield continues to play out, here are a handful of steps companies can take to protect themselves from potential GDPR violations when transferring data between the European Union and the United States.

British Airways

British Airways banking on drastic reduction of record GDPR fine

2020-08-03T21:04:00+01:00By

British Airways has hinted that it will qualify for a nearly 90 percent reduction of its original GDPR fine (U.S. $230 million) and end up paying just $26 million.

EU US privacy

Companies paying price for EU-U.S. Privacy Shield removal

2020-07-27T21:43:00+01:00By

The legal and financial burden for companies to comply with the recent ruling to invalidate the EU-U.S. Privacy Shield might actually be worse than first thought, if an FAQ from the European Data Protection Board is any indication.

Europe Justice

Europe’s top court strikes down U.S.-EU data transfer rule

2020-07-16T15:21:00+01:00By

In a surprise decision that will have a major impact on trans-Atlantic data transfers, Europe’s top court ruled Thursday that a mechanism used by thousands of companies to send data to the United States is unlawful.

GDPRgavel

Italian telecom fined $18.6M for violating GDPR data collection rules

2020-07-14T19:49:00+01:00By

Italian telecommunications operator Wind Tre S.p.A has been fined approximately €16.7 million (U.S. $18.6 million) for violating data collection provisions of the EU’s General Data Protection Regulation.

Googlecrop

Google fined $670K for violating GDPR’s ‘right to be forgotten’

2020-07-14T18:24:00+01:00By

Belgium’s Data Protection Authority fined Google Belgium €600,000 (U.S. $670,000) for refusing to delete search results linked to a Belgian public official, a provision of the GDPR know as the “right to be forgotten.”

Columnist_Hodge

Ireland’s GDPR report shows it’s yet to hold Big Tech accountable

2020-06-29T18:31:00+01:00By

The Irish Data Protection Commission review of its GDPR investigations has come under fire for ignoring Big Tech and lacking information pertinent to inquiries into firms like Apple, Facebook, Google, and more.

GDPR

EC report: More harmonization needed in GDPR efforts

2020-06-24T18:26:00+01:00By

The European Commission believes the General Data Protection Regulation is an “overall success” but points to harmonization among member states as an area for improvement.

Google

French court upholds Google’s $57M GDPR fine

2020-06-22T16:29:00+01:00By

The top administrative court in France shot down Google’s appeal of a €50 million (U.S. $57 million) fine the tech giant received last year for violations of the EU’s General Data Protection Regulation.

TikTok

EDPB task force to probe TikTok privacy practices

2020-06-10T17:11:00+01:00By

The European Data Protection Board will establish a task force to acquire a more comprehensive overview of TikTok’s privacy practices and coordinate any potential actions against the company.