GDPR one-stop shop ‘unsustainable,’ says key regulators
Irish Data Protection Commissioner Helen Dixon and European Data Protection Supervisor Wojciech Wiewiórowski are among those who believe the one-stop shop provision of the GDPR needs to be reformed for the long term.
Fines key attention to data privacy from boards, says ICO head
The threat of fines has done more to focus boardroom attention on data privacy and effective cyber-security than any other measure, U.K. Information Commissioner Elizabeth Denham believes.
Facebook facing 10th GDPR probe over data leak
The Irish Data Protection Commission has launched an inquiry into Facebook over concerns the social media giant may not have properly disclosed the full extent of its recent data leak.
Facebook’s new leak: Assessing its liability under the GDPR
Old personal data of more than 533 million Facebook users was recently made publicly available on a hacker forum. Could the social media giant face a new investigation under the GDPR in response?
Irish DPC seeking answers on Facebook breach
The Irish Data Protection Commission has reached out to Facebook seeking to determine whether the social media giant’s weekend data breach should receive scrutiny under the General Data Protection Regulation.
Italian DPA fines Fastweb $5.3M under GDPR for aggressive telemarketing
The Italian Data Protection Authority announced a fine of €4.5 million (U.S. $5.3 million) against telecommunications company Fastweb for misusing customer data for telemarketing purposes.
Booking.com fined $557K under GDPR for reporting data breach late
Online reservation Website Booking.com has been fined €475,000 (U.S. $557,000) by the Dutch Data Protection Authority for reporting a data breach 22 days later than the 72 hours required under the GDPR.
Local laws proving to be roadblocks for GDPR harmonization
Recent cases in Germany, France, and Austria underscore the difficulty of getting EU members on the same page regarding GDPR enforcement—particularly when other local laws take priority.
Popular Clubhouse app being probed for GDPR violations
France’s data privacy watchdog adds to a growing list of regulators that have launched investigations into Alpha Exploration, the publisher of the Clubhouse application, regarding measures it has taken (or not taken) to comply with the GDPR.
Vodafone Spain fined record $9.72M for data protection failures
Vodafone Spain has been fined €8.15 million (U.S. $9.72 million) for aggressive telemarketing tactics and other data protection failures under the GDPR. The penalty is the highest the Spanish Data Protection Agency has handed out.
GDPR fines by industry: Telecoms far outpace Big Tech
Since the GDPR came into force in 2018, Big Tech firms have not been on the receiving end of fines as frequently as expected. Meanwhile, other industries have shown to be more prone to data privacy violations, namely telecommunications.
‘An invaluable asset’: Participants praise opportunity for feedback via GDPR sandboxes
Regulatory sandboxes launched by EU data protection authorities provide firms the opportunity to collaborate and make use of the regulator’s expertise to reduce GDPR compliance risks.
GDPR dealt blow as German court drops $17.2M Deutsche Wohnen fine
A €14.5 million (U.S. $17.2 million) fine against Deutsche Wohnen has been dropped after a German court found under German law the company could not be held responsible for violating the GDPR unless blame could be attached to a specific individual or executive.
Ask a CCO: How has your company prioritized data privacy compliance?
Five senior compliance practitioners tell us how their companies have reacted to recent privacy legislation like the GDPR, CCPA, and other state regulations in the pipeline.
Video: SEC on right path with climate disclosures; alleged privacy lapses at Amazon troubling
Aaron Nicodemus applauds the SEC for taking steps to clarify how companies should disclose economic risks posed by climate change, while Dave Lefort is critical of alleged lapses in data security at Amazon.
Ireland GDPR report: Big fines coming soon for Big Tech?
Ireland’s data regulator has 27 ongoing cross-border inquiries into Big Tech firms, according to its latest annual report. It expects several cases to be resolved in the coming year.
TikTok faces more backlash, now from EU consumer group
TikTok has come under the scrutiny of European consumer advocacy organization BEUC, which is urging authorities to put an end to the video sharing platform’s abuse of EU users’ rights—especially those of children.
Spain, Italy setting new standard for GDPR enforcement
While big fines against big companies make headlines, Spain and Italy have flown under the radar as two of the most frequent enforcers of the GDPR, instead primarily focusing on smaller penalties. Might other countries follow suit?
Norwegian DPA warns Grindr of $11.7M GDPR fine
Norway’s data privacy watchdog issued gay dating app Grindr with a notice of intention to fine it NOK 100 million (U.S. $11.7 million) for sharing personal data with third parties without users’ consent.
Spanish DPA fines CaixaBank record $7.3M under GDPR
Spain’s data protection authority recently fined CaixaBank €6 million (U.S. $7.3 million) for misuse of customer data, the largest GDPR fine the country has handed out.
Three best practices for handling GDPR and CCPA ‘right of access’ requests
A panel discussion on a recent Webcast analyzed common data subject access request compliance challenges, as well as leading practices designed to best comply with the EU’s GDPR and the CCPA in the United States.
EU regulators beef up SCCs as temporary Privacy Shield alternative
The key data regulators that oversee the European Union’s strict privacy regulation agreed to a beefed up set of contractual terms to provide more clarity about the level of protection data transfers to countries outside the EU can enjoy.
British Airways breach could cost billions in landmark class-action push
British Airways faces the largest group claim ever made in U.K. legal history over a 2018 data breach that exposed the financial and personal details of more than 400,000 of its customers.
CJEU opinion could further expose Big Tech under GDPR
Any European Union data protection authority should be allowed to pursue legal action against Big Tech firms over privacy issues, according to an opinion from the advocate general of the region’s top court.
German laptop retailer fined $12.7M under GDPR for employee surveillance
A German data regulator fined an online laptop and electronic goods retailer €10.4 million (U.S. $12.7 million) for video-monitoring employees for at least two years without legal basis.
GDPR priorities for 2021: Twitter ruling stresses need for harmonization
European data protection authorities need to speed up their decision-making processes—especially with regard to cross-border complaints—before regulators lose patience and find legal means to mete out penalties under national laws instead of the GDPR.
Video: Twitter GDPR fine too little or just right?
Aaron Nicodemus and Dave Lefort debate whether the Irish Data Protection Commission’s €450,000 (U.S. $547,000) fine against Twitter under the GDPR is an appropriate figure or way too small for the social media company.
Twitter’s tiny $547K GDPR fine leaves many scratching their heads
Ireland’s first major decision against a Big Tech company under the GDPR has stirred controversy as the country’s data regulator hit Twitter with an underwhelming €450,000 (U.S. $547,000) fine for a 2018 data breach.
Facebook reserves $366M for expected GDPR fines in Ireland
Facebook Ireland has set aside €302 million (U.S. $366 million) for possible fines from the Irish Data Protection Commission for violations of the General Data Protection Regulation.
France sidesteps GDPR in fining Google, Amazon $163M combined
Data privacy watchdog CNIL utilized the French Data Protection Act in fining Google and Amazon a combined €135 million (U.S. $163 million) for illegal cookie practices, sidestepping the “one-stop shop” provision of the GDPR.
Five challenges for European CCOs heading into 2021
Many of the problems European compliance officers faced in 2020 will remain in place going into the new year, but new risks and new regulations will also present new challenges.
Video: Praise for Nasdaq diversity push; Vodafone’s GDPR woes prove costly
In our inaugural video edition of Nailed It or Failed It, Dave Lefort praises Nasdaq’s efforts to get the SEC to require board diversity disclosures, while Kyle Brasseur critiques Vodafone’s numerous run-ins with the GDPR.
Trio of U.K. fines expose third-party risks under GDPR
Recent GDPR fines against British Airways, Marriott, and Ticketmaster by the U.K. Information Commissioner’s Office each saw the regulator dismiss claims by the companies that third parties were primarily responsible for the data breaches in question.
CPE Webcast: Right to be forgotten versus need for backups
Do the EUs GDPR and California’s CCPA privacy regulations include the right of a data subject to have their personal information completely erased from all enterprise backups as well?
Vodafone Italy fined $14.5M under GDPR for telemarketing tactics
The Italian arm of multinational telecommunications company Vodafone is facing a fine of more than €12.25 million (U.S. $14.5 million) under the General Data Protection Regulation for aggressive telemarketing practices.
WhatsApp Ireland reserves $91.8M for potential GDPR fine
The Irish arm of WhatsApp has set aside $91.8 million for possible administrative fines arising from long-standing investigations by Ireland’s data regulator into the way the messaging platform shares data with Facebook.
German court cuts 1 & 1 Telecom GDPR fine by 90 percent
Continuing a recent trend of massive fine reductions under the General Data Protection Regulation, 1 & 1 Telecom in Germany had its €9.55 million penalty issued last year reduced to €900,000 (U.S. $1.06 million) by a German court.
Ticketmaster UK fined $1.6M under GDPR for 2018 data breach
The U.K. Information Commissioner’s Office fined Ticketmaster £1.25 million (U.S. $1.6 million) for its failures relating to a 2018 data breach by a third party.
Guidance for safe data transfers post-Privacy Shield
The European Data Protection Board has issued guidance to help companies transfer data to the United States and other third countries safely after Europe’s top court in July ruled key methods used up until then were either invalid or unsafe.
BA, Marriott fine reductions latest wrench in GDPR enforcement harmony
Lack of clarity on fines has dogged the GDPR since it took effect in May 2018, and the recent dramatic penalty reductions handed down by the U.K. in the cases of British Airways and Marriott certainly won’t help.
In second drastic reduction, ICO fines Marriott $23.8M
The Marriott GDPR fine handed down by the U.K. Information Commissioner’s Office is less than 20 percent of the original number the regulator proposed, the second time this month such a drastic reduction has taken place.
Experian to appeal ICO enforcement notice over data protection failures
The U.K. Information Commissioner’s Office issued an enforcement notice against Experian, ordering the credit reference agency to make “fundamental changes” to how it handles personal data related to its direct marketing services.
Anatomy of a 90% fine reduction: How BA saved $200M on GDPR penalty
The U.K. Information Commissioner’s Office agreed to slash its intended GDPR fine for British Airways from £183.39 million (U.S. $230 million) to just £20 million (U.S. $26 million). What was behind the massive reduction?
Corrective action could trump fines as GDPR evolves
Experts discuss whether EU data protection authorities would be better served using corrective actions other than eye-watering fines to encourage companies to commit to best (and legal) GDPR practices.
H&M Germany fined $41.3M in one of largest GDPR penalties
In one of the largest GDPR fines imposed, a regional data protection authority in Germany fined H&M Germany €35.2 million (U.S. $41.3 million) for excessive monitoring of several hundred employees by one of the retailer’s subsidiaries.
Companies face greater risk as GDPR class actions emerge
In the past month three of the world’s largest tech firms have been hit with legal actions that could lead to billion-dollar damages suits for alleged violations of the GDPR. Neil Hodge explores the trend and what to expect moving forward.
U.K. lawsuit seeks $3.2B from YouTube for violating children’s privacy
A first-of-its-kind lawsuit in the U.K. alleges YouTube unlawfully collects personal information from children without parental consent and harvests their data for advertising purposes, in violation of British and European data privacy laws.
Ireland’s order to Facebook to halt data transfers could have ‘profound’ impact
The Irish DPC’s order to Facebook to halt the transfer of European citizens’ personal data to the United States could pose operational and legal challenges that set a precedent for not only other tech giants, but companies generally.
European Commission: No Privacy Shield replacement in sight
The European Commission this week warned there will be “no quick fix” to replace the now-invalidated Privacy Shield, which governed data transfers between the European Union and United Sates.
EU data authorities take different approaches to Privacy Shield ruling
It appears Europe’s data authorities are prepared to interpret a key court judgement as they see fit in the absence of definitive guidance from the bloc’s primary privacy regulator.