Thought Leaders In Privacy: An interview with Rosa Barcelo

Partner Rosa Barcelo sat down with OneTrust DataGuidance for their “Thought Leaders In Privacy” segment, to discuss major data privacy issues that have been a focus over the past year, as well as provide insights for organisations looking to comply with recent guidance issued by the CNIL and ICO, key points regarding proposed ePrivacy Regulations and share her opinion on the developments we will see with global privacy laws in 2020.

The full interview can be viewed here.


ICO Issues Fine Against National Retailer for Security Failings

An unhappy new year for Currys PC World and Dixons Travel stores, as the ICO has issued their owner, DSG Retail Limited, with a Monetary Penalty Notice of £500,000 for serious security failings involving Point of Sale (“POS”) terminals in stores. Although the incident was investigated and addressed under the pre-GDPR legislation, the fine represents the maximum available to the Commissioner under the Data Protection Act 1998; in her findings she observed that “but for the statutory limitation on the amount, it would have been reasonable and proportionate to impose a higher penalty”. This decision is important for retailers, particularly those handling payment information. It is also helpful to understand the factors involved in the breach of security, as the decision offers some insight into the ICO’s assessment of “appropriate technical and organisational measures”, which of course remain a crucial requirement for the security of personal data under the GDPR.

Continue Reading

CCPA: Data Brokers Must Register Now

When A.B. 1202 was signed into law last fall, it was expected that the data broker registration requirement would not go into effect until 2021. However, the California Attorney General’s Office has taken the position that organizations that qualify as data brokers must register on or before January 31, 2020.

Our Client Alert on this topic delves into this requirement as well as the definition of a data broker, definitions of what constitutes “Sale” of personal information, what is a “Direct Relationship” as well as other important and relevant information.

Heightened Risk of Cyberattacks – What You Should Do Now

In recent days, all eyes have been on the escalating tension between Iran and the US. While we wait and watch politics unfold, the Department of Homeland Security (DHS), New York’s Department of Financial Services and the Cybersecurity and Infrastructure Security Agency (CISA) have all issued notices concerning the heightened risk of an Iranian cyberattack.

Given these warnings, it is important for organizations to take the appropriate steps necessary to protect themselves against cyberattacks. Our client alert, Why the Threat of an Iranian Cyberattack Should Matter to Your Organization, discusses the steps you can take now and in the future to ensure that your organization is adequately prepared.

Russia Increases Fines for Violation of its Data Localization Law

Russia’s Federal Law No. 242-FZ, On the Introduction of Amendments to Certain Legislative Acts of the Russian Federation with regard to the Clarification of the Procedure for the Processing of Personal Data in Data Telecommunications Networks, took effect on September 1, 2015 and requires that Russian citizens’ personal data gathered by operators be stored on servers/data centers located in the Russian Federation (the “Localization Requirement”). The fine for violation of the Localization Requirement was relatively small (approximately US$160).

On December 2, 2019, President Vladimir Putin signed Federal Law No. 405-FZ, On the Introduction of Amendments to the Administrative Offenses Code of the Russian Federation. As of December 13, 2019, the Code includes a new constituent element of an administrative offense – breach of localization requirements.

Continue Reading

CCPA Coming Soon… Is Your Organization Ready?

In just a few short weeks (January 1, 2020), the California Consumer Privacy Act (CCPA) will impose burdensome GDPR-like transparency and individual rights requirements on almost every company that handles “personal information” regarding California residents, including employees. Is your organization ready?

We have prepared a number of client alerts and blog posts to help you determine if your organization is subject to the CCPA and, if so, the steps necessary to comply.

Continue Reading

Territorial Scope of the GDPR Following EDPB’s Final Guidelines (Part 2)

Article 3(2) of the GDPR and the second criterion: Targeting criterion


Article 3 of the GDPR defines the territorial scope of the regulation using two main criteria with respect to businesses: “Establishment” (Article 3(1)) and “Targeting” (Article 3(2)). Our first post in this series examined the “Establishment” criterion. In this post, we will move into the second criterion, “Targeting”.

Two Types of Targeting Activities Relating to Data Subjects in the EU

Under this criterion, the GDPR applies to two distinct and alternative types of activities, provided that these processing activities relate to data subjects that are in the Union.

Article 3(2) (a) Offering Goods or Services to Data Subjects in the EU, Irrespective of Whether a Payment of the Data Subject is Required

There are two important issues in this respect:

  • Article 3(2)(a) specifies that the targeting criterion concerning the offering of goods or services applies irrespective of whether payment is made in exchange for the goods or services provided.
  • It has to be determined on a case-by-case basis whether the offer of goods or services is directed at persons in the Union.

Continue Reading

Territorial Scope of the GDPR Following EDPB’s Final Guidelines (Part 1)

The General Data Protection Regulation (EU) 2016/679, or GDPR, has a much wider territorial scope than organisations may expect. Some organisations that are not established in the EU may have to comply with the GDPR. Even for groups established in the EU, their operations outside of the EU may, in certain circumstances, fall under the scope of the GDPR.

The European Data Protection Board (EDPB) has finally published its long-awaited final version of the guidelines 3/2018 on the territorial scope of the GDPR (article 3). Such a standard interpretation is essential for controllers and processors, both within and outside the EU, so that they may assess whether they need to comply with the GDPR for a given processing activity. It is, therefore, essential that controllers and processors, especially those offering goods and services at an international level, undertake a careful, concrete assessment of their processing activities in order to determine whether the related processing of personal data falls under the scope of the GDPR.

Article 3 of the GDPR defines the territorial scope of the regulation using two main criteria with respect to businesses: “Establishment” (Article 3(1)) and “Targeting” (Article 3(2)). We are presenting each of these criteria through two posts. Part 1 is detailed below, Part 2 will be detailed in a separate post shortly hereafter.

Continue Reading

ICO Consults on Draft Subject Access Request Guidance

The ICO has published draft guidance (the “guidance”) on data subject access requests (“DSARs”), which updates the previous code of practice, last issued in 2017. This guidance takes into account the relevant provisions of the GDPR and UK Data Protection Act 2018 (“DPA”). The ICO will be consulting on this draft guidance until 12 February 2020.

Importantly, the ICO recognises some of the issues that businesses are facing in relation to DSARs, in that the guidance:

  • Explains when a request may be considered complex. The guidance states that a large volume of data may add (emphasis is ours) to the complexity of a request, but notes that the volume of data alone is not a reason by itself to consider a DSAR complex;
  • Provides greater clarity on what a business can take into consideration when it is considering the monetary value of a fee. For example, photocopying and printing are generally valid administration costs, but a business cannot charge for the time taken to deal with the request;
  • Includes a section on what businesses should do when a request involves information about another identifiable individual. It provides further guidance on the DPA exception relating to third-party data; and
  • Contains some practical guidance about the DPA exceptions, such as negotiations and management information.

Whilst this is a valuable update from the ICO, which might provide some helpful additional information, it should be noted that it is only a draft for consultation. The ICO is seeking views from stakeholders and the public about the proposed guidance. In particular, it wishes to understand what specific issues businesses have faced in responding to DSARs since the GDPR was implemented in May 2018. If you are interested in responding, please use this link.
