GDPR’s Impact on Advertising Practices

The GDPR has impacted how organizations in many industries, including advertising, operate. For example, the Committee of Advertising Practice, which authors the UK Code of Non-broadcast Advertising and Direct & Promotional Marketing (“CAP Code”), is in the process of updating its prize promotion rules to comply with the stricter requirements under the GDPR, primarily as related to obtaining consent from competition participants.

For further information on the forthcoming update to the CAP Code and its expected impact on advertising, please read the post prepared by my colleagues Carlton Daniel, Ailin O’Flaherty and me, which has been published on the Squire Patton Boggs Global IP & Technology Law Blog.

California Passes First Cybersecurity Law Regulating IoT Devices

California has become the first state in the US to adopt a cybersecurity law governing Internet of Things (IoT) devices, or those capable of connecting to the internet. In this rapidly growing industry, the law is a first step toward developing regulations to improve the security of IoT. While it does require manufacturers to equip devices with “reasonable” security features, it is short on details as to the type of security features that are expected. The bill will go into effect January 1, 2020.

Read more about the first US law guiding the security of IoT devices here.

EDPB Tries to Sort Out the DPIA Disaccord

Article 35(4) of the EU General Data Protection Regulation (“GDPR”) states that the supervisory authorities of the EU Member States (“SAs”) shall establish, publish and communicate to the European Data Protection Board (“EDPB”) a list of processing operations that are subject to a requirement for a data protection impact assessment (“DPIA”) under the GDPR.


Data Protection Compliance: Do You Have an Appropriate Policy Document in Place?

Just because 25 May 2018 has passed does not mean that data protection compliance has ended! The Data Protection Act 2018 (“DPA”) works with the GDPR and introduces additional requirements that businesses will need to watch out for; there are, however, a number of derogations that are intended to better accommodate business needs.

Why the ICO Fined Equifax £500,000

On 19th September 2018, the Information Commission Officer (“ICO”) fined credit reference agency Equifax Limited £500,000 for breaching the Data Protection Act 1998 (“DPA”). Finding that Equifax Limited failed to protect the personal data of up to 15 million UK individuals, the ICO awarded the maximum penalty for a breach under the DPA.

The ICO found that of the eight data protection principles established in the DPA, Equifax breached five. The finding considered how Equifax handled personal data, the purpose of processing the personal data and the transfer of the UK data to the US.

Amendments to the California Consumer Privacy Act of 2018: Progress toward Clarity

Amendments to California’s expansive Consumer Privacy Act of 2018 (“the Act”) include new provisions that may significantly impact the timing of enforcement and provide exemptions for large amounts of personal data regulated by other laws.

The Act, signed into law in June, is a sweeping data privacy law that regulates the processing of personal data of California residents. Because the Act was hastily passed in order to prevent a similar ballot initiative proceeding to a vote in the November elections, it was expected that the Act would undergo significant amendments before it enters into effect on January 1, 2020.


Procedure Launched for Japan and the European Union to Become the World’s Largest Area of Safe Data Transfers

What’s New?

On 5 September 2018, the EU Commission commenced proceedings to adopt an Adequacy Decision in relation to Japan’s protection of personal data by issuing a draft ‘Commission Implementing Decision’. This is an important step towards the culmination of discussions between the EU and Japan that were initiated in January 2017, with the aim of permitting the free flow of personal data between the parties. These discussions were part of the broader free trade negotiations between Japan and the EU, which concluded with a successful agreement on 17 July 2018.

GDPR is Now EEA Wide!

The General Data Protection Regulation (GDPR) was incorporated into the EEA Agreement by the EEA Joint Committee in Brussels and entered into force in mid-July. The European Economic Area (EEA) currently includes all EU Member States, including, for the time being, the UK, as well as three of the four EFTA States, namely Iceland, Liechtenstein and Norway (the fourth being Switzerland). Additionally, on 15 July 2018, a new Act on Data Protection and the Processing of Personal Data, No. 90/2018, entered into force in Iceland.

France Launches Consultation on Regulation for Biometrics at Work  

The General Data Protection Regulation (GDPR), applicable since 25 May 2018, modifies the legal rules on the use of biometric data. The processing of biometric data for the purpose of “uniquely identifying a natural person” is, as a matter of principle, prohibited under Article 9 GDPR. Amongst the authorised exceptions is the processing “necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment […] in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject”.

Australian Information Commissioner’s Office Releases Report on Notifiable Data Breach Scheme

The Office of the Australian Information Commissioner (OAIC) released its second quarterly statistics report into the Notifiable Data Breach Scheme on 31 July 2018 (Report). The Report provides further insight into the operation of the new scheme, which commenced February this year. The scheme provides for mandatory reporting of ‘eligible’ data breaches to the OAIC and to potentially affected individuals. Whether a data breach is eligible depends on whether the unauthorised disclosure, or loss, of data is likely to result in serious harm to affected individuals.
