U.S. District Court Judge Matthew Kennelly in Illinois vacated USD228 million in damages awarded in the first-ever Biometrics Information Privacy Act case, Reuters reports. Rail workers alleged that BNSF Railway collected their biometric information without informed consent. The judge upheld the verdict that the company violated the BIPA but said damages were discretionary under the law and ordered a new trial so a jury could determine the appropriate fine. Meanwhile, the Chicago Sun-Times repor... Read More

In another unexpected twist concerning California Privacy Rights Act regulations, covered entities need not stress about enforcement of the rules this month as anticipated. A last-minute decision from the Sacramento County Superior Court 30 June on a complaint filed by the California Chamber of Commerce pushed enforcement of CPRA regulations from 1 July to 29 March 2024. The court-ordered delay pertains only to CPRA rules, not the body of the CPRA statute or regulations previously finalized un... Read More

Ireland's Data Protection Commission handed down a long-awaited enforcement action against Meta Platforms Ireland early Monday morning with a record fine of 1.2 billion euros. The fine, which is the highest to date under the nearly five-year-old EU General Data Protection Regulation, was accompanied by an order requiring Meta Ireland-owned Facebook to suspend future transfers of personal data to the U.S. within five months of the DPC's decision and to bring its processing operations into compli... Read More

There's no doubt the rapid growth of generative artificial intelligence and large language systems like ChatGPT is getting the attention of the privacy profession and taking the business world by storm. During her keynote address at the IAPP Global Privacy Summit 2023 in Washington, D.C., author and generative AI expert Nina Schick demonstrated the eye-opening growth of ChatGPT, pointing out it only took five days for it to reach 1 million users and two months to reach 100 million users. This g... Read More

Europol published a report warning about the exploitation of OpenAI's ChatGPT and other generative artificial intelligence systems by cybercriminals, Euractiv reports. "While all of the information ChatGPT provides is freely available on the internet, the possibility to use the model to provide specific steps by asking contextual questions means it is significantly easier for malicious actors to better understand and subsequently carry out various types of crime," the report said.Full Story... Read More

Data protection officers could be "solicited" by their data protection authority in the "weeks and months to come" as part of the European Data Protection Board’s freshly launched 2023 coordinated enforcement action, Deputy Head of the EDPB Secretariat Gwendal Le Grand told DPOs at the IAPP Data Protection Intensive: France 2023. Le Grand's warning comes as the EDPB announced Wednesday that 26 data protection authorities will participate throughout the year in the coordinated action, focused on... Read More

Last September, the European Data Protection Board announced it will focus coordinated enforcement on data protection officer appointments. Starting mid-March 2023, and for about a year after, European data protection authorities will prioritize joint actions focusing on the position of DPOs, with activities ranging from awareness raising and information gathering to enforcement sweeps and joint investigations. The DPO function is an integral part of EU General Data Protection Regulation compli... Read More

The fate of Meta's data transfers to the U.S. could hinge on an Article 65 dispute resolution mechanism in the EU, after Ireland's Data Protection Commission was unable to resolve objections from other EU data protection authorities to its draft enforcement decision. Politico reporter Vincent Manancourt originally broke the news, which was then confirmed by the DPC in an email to The Privacy Advisor. "We haven't been able to resolve the objections raised on our draft decision and have to trigg... Read More

Ireland's Data Protection Commission issued the much-anticipated decisions regarding the EU General Data Protection Regulation legal basis Meta can use in connection with processing personal data for targeted advertising. The decisions are a revised version of the draft opinion issued by DPC in October 2022, pursuant to objections filed by the supervisory authorities of Austria, France, Germany, Italy, the Netherlands, Norway, Poland, Portugal and Sweden and EDPB determination. Per the revised d... Read More

As more details unfold within the Irish Data Protection Commission and European Data Protection Board’s published Meta decisions, the privacy community is grappling with complex and fundamental questions surrounding legal bases for data processing, transparency within privacy notices, uncertainty around EU General Data Protection Regulation compliance, and more. The DPC last week fined Meta Ireland a combined 390 million euros and in its decisions, officially released with the EDPB’s binding de... Read More

Privacy litigation and regulatory enforcement actions are booming. There has been a sharp increase in plaintiff's firms and consumer groups scanning through company websites, mobile apps and other features in search of privacy compliance issues with cookies, pixels, tags, software development kits and other technologies. Similarly, whether in response to individual complaints, media stories or on their own initiative, privacy regulatory authorities have increasingly undertaken market reviews on ... Read More

On Nov. 22, 2022, the Court of Justice of the European Union decided on two joined cases (Case C-317/21 G-Finance SARL, DV v Luxembourg Business Registers) brought against the Luxembourg authorities regarding its Register of Beneficial Ownership. The CJEU’s opinion carefully weighed privacy rights, the EU's anti-money laundering directive and many other factors. The CJEU went through a detailed legal analysis balancing numerous areas of concern and provided a comprehensive rationale regarding it... Read More

Last week, Ireland's Data Protection Commission fined Meta 390 million euros — 210 million euros against Facebook and 180 million euros against Instagram. In its decision, the DPC announced the platforms’ basis for seeking user permission to collect data for personalized advertising is invalid and gave the company three months to bring data processing operations into compliance with the EU General Data Protection Regulation. Notably, the decision that Meta’s contract-based request for personali... Read More

The Irish Data Protection Commission adopted final decisions on two inquiries into Meta’s Facebook and Instagram, fining the company a total of 390 million euros and potentially leading to an upheaval of its personalized advertising model in the EU. The DPC announced Meta’s basis for seeking user permission to collect data for personalized advertising, used by its Facebook and Instagram platforms, is invalid and gave the company three months to bring its data processing operations into complian... Read More

After years of developing under the surface, teen privacy safeguards in the United States may have finally reached puberty. Although headlines about the Federal Trade Commission’s enforcement action against Epic Games are likely to focus on the high price tag — $275 million in administrative penalties and $245 million in consumer refunds — privacy professionals should zoom in on the operational takeaways for any organization that runs an online site or service used by individuals under 18, wheth... Read More

On July 13, Greece’s data protection authority, the Hellenic Data Protection Authority, imposed a fine of 20 million euros on U.S.-based company Clearview AI for violating multiple provisions of the EU General Data Protection Regulation. This number doubled from the previous largest fine issued by the HDPA, which was 9.25 million euros against the largest telecommunications conglomerate in Greece. The decision of the HDPA was issued following a complaint filed by civil nonprofit organization Ho... Read More

New York’s Attorney General Letitia James is a longtime public servant who has regularly and repeatedly shown her commitment to protecting consumer rights and privacy. James began her legal career as a public defender for the Legal Aid Society before becoming an assistant attorney general. In 2013, James was elected as the Public Advocate for the City of New York, becoming the first woman of color to hold a citywide office in NYC. As public advocate, she sponsored privacy legislation that barred... Read More

The European Data Protection Board announced its next coordinated enforcement action will focus on the data protection officer designations. The 22 supervisory authorities across the European Economic Area, along with the European Data Protection Supervisor, will launch investigations into yet-to-be-determined aspects of DPO requirements under the EU General Data Protection Regulation. The EDPB said the individual actions will be "bundled and analysed, generating deeper insight into the topic an... Read More

Beauty retailer Sephora was fined $1.2 million by California Attorney General Rob Bonta and is the first-ever California Consumer Privacy Act enforcement action. At the heart of the matter is Sephora allegedly misrepresenting its actions to California consumers (saying that it did not sell consumer personal information despite the fact it engaged in targeted advertising, thereby “selling” data to third-party companies) and failing to provide for or recognize global opt-outs “including … the Glob... Read More

There's been plenty of bark with California Consumer Privacy Act enforcement since the law entered into force January 2020 and now the bite has arrived. California Attorney General Rob Bonta announced the first enforcement action under the CCPA, a $1.2 million settlement with multinational retailer Sephora over violations of the law's "Do Not Sell" provisions. According to the attorney general's office, Sephora's violation specifically concerned the failures to inform individuals about the sale... Read More

The European Commission released a report on the "application and functioning" of the EU Law Enforcement Directive. The report carries focus on cross-border data transfers and transposition of the law by EU member states. The Commission reported that while transposition has been "satisfactory" there are "a number of outstanding issues" that remain, which resulted in infringement proceedings against Spain in 2021 and Germany in April. The review also revealed positive impacts on data subject righ... Read More

Seven state attorneys general announced shares of an $8 million settlement with convenience store chain Wawa related to a 2019 data breach. Individuals in Delaware, Florida, Maryland, New Jersey, Pennsylvania, Virginia, and Washington, D.C., were affected by the breach involving personal information from approximately 34 million payment cards. In addition to the fine, Wawa will adopt and maintain a series of data security practices while providing "security awareness and privacy training to all ... Read More

The European Union is on the verge of adopting a series of regulations that will affect how data is collected and shared in the EU. These include the Data Governance Act, the Digital Services Act, the Digital Markets Act, the Artificial Intelligence Act and the Data Act. These acts do not focus on personal data — in fact, European lawmakers continuously stress that the main aim of these acts is to regulate nonpersonal data. But these acts also do not exempt personal data from their scope of appl... Read More

On June 24, the U.S. Supreme Court overturned Roe v. Wade, confirming the understanding contained in the draft decision leaked in early May. Roe v. Wade is a paradigmatic decision that secured the constitutional right to abortion in the country in 1973. After 49 years, it came to an end. The recent decision allows a number of U.S. states to adopt laws criminalizing abortion in a short time. It is thought that approximately half of the U.S. states will ban or severely restrict the practice. This... Read More

Three EU privacy authorities have determined Google Analytics unlawfully transfers data to the United States, leaving companies with little to no alternatives and privacy professionals debating how to react as continued similar decisions are anticipated. “Cry and pray. I think that’s the only thing we can do — is cry and pray,” Fox Rothschild Partner Odia Kagan, CIPP/E, CIPP/US, CIPM, FIP, PLS, said. “Companies are really in a bind with no real good solutions.” Authorities in Austria and Franc... Read More

EU General Data Protection Regulation enforcement was at the center of a conference last week organized by the European Data Protection Supervisor. Stakeholders pointed out several structural problems within the GDPR’s architecture and potential ways to address them. "Some of you might ask: 'why is the EDPS organizing this conference?' There is a path we can follow to finally deliver what was started 10 years ago, in January 2012, when the GDPR proposal was announced," said the EDPS Wojciech Wi... Read More

Authorities from France, Lithuania, the Netherlands and Poland, with support from the European Data Protection Board, are jointly investigating potential EU General Data Protection Regulation violations by Vinted, the parent company of Lithuanian clothing website Vinted.com. Following a “significant number of complaints,” the authorities formed a working group to explore Vinted’s data storage related to data subjects' rights, as well as personal data processing related to blocking users’ account... Read More

As the EU General Data Protection Regulation celebrates its fourth anniversary since going into effect May 25, 2018, enforcement of the world's most comprehensive data protection regulation is still evolving.  No doubt, data protection authorities in the EU have been busy during the last four years. European Data Protection Board Chair Andrea Jelinek, who also serves as head of Austria's DPA, recently noted the EDPB has "invested a great deal of resources in the interpretation and consistent ap... Read More

Colorado Attorney General Philip Weiser said the political gridlock in Washington, D.C., that has come to define the national political landscape has all but paralyzed public policymaking in Congress. Where Congress has failed to deliver comprehensive national privacy legislation, Weiser said states have begun to assert their policymaking chops. Colorado was no exception when it became the third state to pass a privacy law in 2021. “If you're looking for public policy innovations, I wouldn’t r... Read More

In its most recent cybersecurity enforcement decision, the U.S. Federal Trade Commission announced a draft settlement agreement with the current and former operators of the customized merchandise website CafePress.com. Although the unanimous consent order focuses primarily on the company’s lax security practices, which allegedly led to multiple data breaches, there are also a few data privacy claims that are worthy of attention, not least because they could signal how the FTC will approach priva... Read More

The Personal Information Protection Law is the first law dedicated to protecting personal information in China, provides comprehensive penalty and enforcement mechanisms, including administrative penalties, private actions, public interest actions (China’s equivalent of class actions), public security administration, and criminal penalties. Every individual or organization that acts as a data handler, including state organizations as stipulated in Article 33, will be subject to the enforcement o... Read More

On Jan. 31, Greece’s data protection authority, the Hellenic Data Protection Authority, fined (here in Greek) Cosmote and OTE 9.25 million euros for multiple violations of the EU General Data Protection Regulation. OTE Group, which belongs to Deutsche Telekom, is the largest telecommunications conglomerate in Greece. In sum, these fines are the highest ever imposed by the DPA. The fines were the outcome of an investigation by the HDPA on a major data breach that occurred in 2020 after a success... Read More

In the 18-plus months since the "Schrems II" decision from the Court of Justice of the European Union, many Schrems-II-related EU enforcement actions primarily involved violations by public organizations, particularly around sensitive data or process failures. For the broader, private-sector portion of the privacy community, these enforcement actions may have been less concerning when assessing their organization's risk profile. In recent weeks, however, two enforcement actions — one from the A... Read More

On. Feb. 2, the Belgian Data Protection Authority issued its long-awaited decision against IAB Europe, finding the IAB Europe’s Transparency and Consent Framework in violation of General Data Protection Regulation. The decision has EU-wide impact as the Belgian DPA acted as the "lead DPA" under the one-stop-shop enforcement mechanism of the GDPR. This is noteworthy, as the Belgian DPA (in cases where it does not qualify as the lead DPA), has shown a reluctance on several occasions to apply the o... Read More

Just weeks after the Austrian Data Protection Authority’s ruling that Google Analytics use violates the EU General Data Protection Regulation, France’s data protection authority, the Commission nationale de l'informatique et des libertés, has reached a similar decision. The rulings are the first stemming from 101 complaints filed by advocacy group NOYB throughout EU Member States following the “Schrems II” decision that invalidated the EU-U.S. Privacy Shield in July 2020 and are anticipated to ... Read More

U.S.-based companies and regulators should fully understand the impact of a decision from Norway’s data protection authority, Datatilyset, regarding how consent is “done,” what constitutes special category data and what “manifestly made public” means. With the new U.S. privacy laws in California, Virginia and Colorado borrowing the definitions of “consent” and “sensitive data” verbatim from EU General Data Protection Regulation, as well as adopting a consumer intent-based standard for determinin... Read More

Ten million dollars. Those three words probably sent a shiver down the spines of Australian boards and executives as they contemplated the Australian attorney general’s Review into the Privacy Act as the review’s consultation period drew to a close in January 2022. If adopted, the proposals would bring Australia’s federal privacy regime much more in line with the EU model and General Data Protection Regulation principles. It would also increase financial penalties from just over $2 million to a... Read More

Last month, the Austrian data protection authority fired the starting gun by issuing the most impactful post-“Schrems II” enforcement decision to date. Privacy professionals are racing – to assess, to comply, to enforce, and to find a more workable long-term solution for data transfers. The many runners in our field will recall, perhaps with some nostalgic butterflies, that a starter’s pistol can signify three things: 1) the start of the race; 2) a fault and disqualification for one or many; 3... Read More

The Federal Court of Australia rejected an appeal by Facebook to dismiss claims lodged by the Office of the Australian Information Commissioner alleging violations of the Privacy Act 1988. Facebook was objecting to a prior ruling in September 2020 that allowed OAIC's claims to proceed, saying it did not do business or collect data in Australia. The disputed allegations focus on potential unlawful personal data disclosures by Facebook to Cambridge Analytica via third-party application sharing.Ful... Read More

The Australian attorney general’s department completed its review into the Privacy Act at the end of January. Data Compliance Executive Advisor David Mesman writes that if the proposals are adopted, Australia’s privacy regulations would be brought closer to European Union standards under the General Data Protection Regulation. Financial penalties for violations would be increased from AU$2 million to AU$10 million. However, Mesman argued privacy needs to be embedded into all “business-as-usual” ... Read More

The Hellenic Data Protection Authority fined Cosmote and OTE, Cosmote's network provider, 6 million euros and 3.25 million euros, respectively, for their roles in a data breach. The HDPA found the breach involved customer call data stored on a Cosmote server that was moved to an IP address of a hosting provider in Lithuania. The investigation further revealed an OTE website was hacked from the same IP address by a user who gained administrative access. The hacker ran queries on Cosmote's data sy... Read More

The rally for heightened U.S. enforcement against so-called "dark patterns" pushed forward Monday with a group of state attorneys general filing or preparing to file lawsuits over alleged dark patterns linked to Google's location data practices. Washington, D.C., Attorney General Karl Racine announced he and attorneys general from Indiana, Texas and Washington State were staging a coordinated effort to address Google's alleged work on "deceiving and manipulating consumers to gain access to their... Read More

From prospects for a new Privacy Shield agreement between the EU and U.S., to new laws in China and India, to rising EU General Data Protection Regulation enforcement, and much, much more, there’s undoubtedly a lot happening in the field of data protection and privacy. In recognition and celebration of all the happenings in the space, on Data Privacy Day 2022 IAPP President and CEO J. Trevor Hughes, CIPP, explored what’s to come with IAPP Ireland Country Leader Kate Colleary, CIPP/E, CIPM, Nort... Read More

U.S. Federal Trade Commission Chair Lina Khan has shown big aspirations while making some forward-thinking moves for the regulation of Big Tech firms during her first year at the helm. What remains to be seen is whether Khan's plans to hold technology companies accountable in the areas of privacy and antitrust will be executed as boldly as they were drawn up. Khan sought to explain the commission's actions to date and her overall vision in an appearance on CNBC's "Capital Exchange" Wednesday, h... Read More

The European Data Protection Supervisor sanctioned the European Parliament for violating regulations on data transfers and cookie consent. The EDPS found fault with a COVID-19 testing website launched by Parliament in September 2020 which attracted complaints over third-party trackers and cookie consent banners that did not meet consent standards. The EDPS ordered Parliament to update the website’s data protection notices related to personal data processing within one month. The EDPS did not iss... Read More

The new year for EU data protection enforcement has rung in with an early bang courtesy of the France's data protection authority, the Commission nationale de l'informatique et des libertés. The CNIL fined Google and Facebook up to a combined 210 million euros for alleged cookie violations under the ePrivacy Directive. Allegations against the companies focus on French users' inability to easily decline tracking via cookies. Google's U.S. and Irish operations received penalties of up to 90 and 6... Read More

France's data protection authority, the Commission nationale de l'informatique et des libertés, has made regulating user tracking via cookies a clear priority in recent years. Last week's move to fine Google and Facebook up to a combined 210 million euros for cookie violations under the ePrivacy Directive shows the CNIL's cookie enforcement focus will continue, and potentially increase, in 2022. IAPP Staff Writer Joe Duball broke down the new fines and prior CNIL work on cookies while exploring ... Read More

The summary of action for WhatsApp's appeal of a 225 million euro EU General Data Protection Regulation fine was published in the Official Journal of the European Union. In its filing to the Court of Justice of the European Union, WhatsApp is seeking full annulment of the penalty on various allegations of improper procedures by the European Data Protection Board. Notably, WhatsApp alleges the EDPB "exceeded its competence" under Article 65 of the GDPR while accusing the board of violating the GD... Read More

European Data Protection Supervisor Wojciech Wiewiórowski spoke with El País on a range of topics concerning enforcement of the EU General Data Protection Regulation. Wiewiórowski touched on challenges and proper approaches to GDPR enforcement, but he noted "we will never have a situation where privacy and data are properly protected" due to the complexity and changing nature of technology. The Wall Street Journal reports on a potential increase in collaboration and cooperation between data p... Read More

The turn of the calendar may prove transformative for U.S. privacy enforcement as the U.S. Federal Trade Commission filed an Advanced Notice of Proposed Rulemaking for potential rules on privacy and artificial intelligence. Details are limited, but the commission indicated it is seeking "to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination." IAPP Staff Writer Joe Duball sheds light on the new filing and offer... Read More

Third-party cookies have long been “the glue that holds together the independent ad tech world.” Far surpassing their original purpose of giving “memory” to websites, these cookies are heavily relied upon by marketers to analyze and track online users. Indeed, cookie-based targeted advertisements are the reason why websites can sustain their “free” business models. But what’s good for industry has not been good for user privacy—and the tide is starting to turn. Part one of this two-part series ... Read More

The California Privacy Protection Agency, established by the California Privacy Rights Act, is taking shape. It hired Ashkan Soltani as its Executive Director Oct. 4 and is expected to hire a general counsel and deputy director of administration soon. The agency is also moving forward with its rulemaking responsibilities, engaging in preliminary rulemaking activities as it considers what new regulations or amendments to the regulations are appropriate. Adopting final CPRA regulations by the July... Read More