Following the European Data Protection Board's dispute resolution decision, Ireland's Data Protection Commission in September adopted its final decision against TikTok Technology Limited related to the company's processing of children's personal data.  The findings build on many positions established in the DPC's September 2022 decision concerning Instagram's processing of children's personal data. For example, regarding transparency information for child users, the DPC found that stating "peop... Read More

The EU General Data Protection Regulation, which came into effect pre-Brexit in May 2018, introduced a consistent framework of fines to enforce compliance with data protection regulations across the EU. Some five years later, the European Data Protection Board released new guidelines on calculating administrative fines under the GDPR 24 May. These new guidelines aim to provide clarity and consistency in the calculation of fines across all EU member states and, in the EDPB's own words, "aim to ha... Read More

The fate of Meta's data transfers to the U.S. could hinge on an Article 65 dispute resolution mechanism in the EU, after Ireland's Data Protection Commission was unable to resolve objections from other EU data protection authorities to its draft enforcement decision. Politico reporter Vincent Manancourt originally broke the news, which was then confirmed by the DPC in an email to The Privacy Advisor. "We haven't been able to resolve the objections raised on our draft decision and have to trigg... Read More

Last week, Ireland's Data Protection Commission fined Meta 390 million euros — 210 million euros against Facebook and 180 million euros against Instagram. In its decision, the DPC announced the platforms’ basis for seeking user permission to collect data for personalized advertising is invalid and gave the company three months to bring data processing operations into compliance with the EU General Data Protection Regulation. Notably, the decision that Meta’s contract-based request for personali... Read More

Organizations can use artificial intelligence to make decisions about people for a variety of reasons, such as selecting the best candidates from many job applications. However, AI systems can have discriminatory effects when used for decision making. For example, an AI system could reject applications of people with a certain ethnicity, even though the organization did not plan such discrimination. In Europe, an organization can run into a problem when assessing whether its AI system accidenta... Read More

The proposed EU Artificial Intelligence Act is anticipated to pave the way for a regulated approach to the future development of artificial intelligence. One means of testing new AI technologies is through regulatory sandboxes created by various data protection authorities around Europe. To explore how AI regulatory sandboxes are helping companies develop their machine-learning models, IAPP Managing Director, Europe, Isabelle Roccia hosted a Linkedin Live session Dec. 12 with Secure Practice co... Read More

The proposed EU Artificial Intelligence Act and its intersections with the EU General Data Protection Regulation could present compliance issues for data compliance officers across the continent, according to IAPP Senior Westin Research Fellow Jetty Tielemans. The AI Act has some similarities with the Digital Services Act and the Digital Markets Act regarding how they clarify the GDPR, Tielemans said during a recent IAPP LinkedIn Live. However, she explained the AI Act differs in that "sensitiv... Read More

The European Union is on the verge of adopting a series of regulations that will affect how data is collected and shared in the EU. These include the Data Governance Act, the Digital Services Act, the Digital Markets Act, the Artificial Intelligence Act and the Data Act. These acts do not focus on personal data — in fact, European lawmakers continuously stress that the main aim of these acts is to regulate nonpersonal data. But these acts also do not exempt personal data from their scope of appl... Read More

Let’s be honest — back in 2018, when the EU General Data Protection Regulation was enforced in Europe, most companies were in a rush to comply by the due date. There were many reasons for that, typical of significant changes in laws and regulation: difficulties to convince senior executives of the importance early enough, time necessary to size and scope a program and obtain a decent budget, lack of internal skills and knowledge, and lack of clarity on the requirements. In a nutshell, organizati... Read More

Members of the European Data Protection Board met in Vienna, Austria, last month to forge closer cooperation on strategic cases and increase the methods available to data protection authorities for enhancing enforcement. The initial result from the two-day meeting was a statement on enforcement cooperation, in which authorities "will collectively identify cross border cases of strategic importance in different Member States on a regular basis, for which cooperation will be prioritised and suppor... Read More

Consent is one of the EU General Data Protection Regulation legal bases that can be used to justify the collection, handling or storage of personal data. For consent to be valid, it must be clearly distinguishable from other matters, intelligible and in clear and plain language, freely given, as easy to withdraw as it was to provide, specific, informed and unambiguous (GDPR Article 6, 7 and Recitals 32, 33 and 43). In the employment context, consent is deemed to be problematic. An actual or per... Read More

A ruling by the Court of Justice of the European Union confirming consumer groups have a right to file representative actions over alleged EU General Data Protection Regulation violations, when permitted under national law, unblocks dozens of cases and puts an end to a lingering enforcement question. The court’s April 28 judgment allows consumer protection organizations to autonomously bring forward lawsuits on behalf of consumers against an individual or entity claimed to be responsible for “a... Read More

On. Feb. 2, the Belgian Data Protection Authority issued its long-awaited decision against IAB Europe, finding the IAB Europe’s Transparency and Consent Framework in violation of General Data Protection Regulation. The decision has EU-wide impact as the Belgian DPA acted as the "lead DPA" under the one-stop-shop enforcement mechanism of the GDPR. This is noteworthy, as the Belgian DPA (in cases where it does not qualify as the lead DPA), has shown a reluctance on several occasions to apply the o... Read More

The Information Accountability Foundation believes the EU General Data Protection Regulation should be amended to explicitly include knowledge creation and scientific research as legal bases to process personal data, providing a foundation for the responsible use of artificial intelligence. The IAF’s blog summarizing its comments on the European Commission’s proposed regulation on artificial intelligence suggested that the GDPR “should make possible technology applications such as AI” and that “... Read More

The EU’s General Data Protection Regulation took effect three years ago today, elevating awareness of privacy and data protection from boardrooms to living rooms and setting a standard for countries and jurisdictions around the world. “Broadly, it’s been really good. It’s been good for the privacy profession, it’s been good for individuals who are at the heart of the GDPR, it’s driven an acceleration of privacy program maturity and privacy technology development, and for privacy professionals i... Read More

The German Federal Constitutional Court has ruled the Court of Justice of the European Union needs to clarify if the EU General Data Protection Regulation provides for a materiality threshold for GDPR damage claims. Background The Federal Constitutional Court's decision overturns a judgment of the Goslar Local Court of Sept. 27, 2019, regarding the unlawful sending of an advertising email. The Local Court had held that the plaintiff had not suffered any compensable damage under Article 82 of t... Read More

Russian law mandates data controllers store and update data collected from Russian citizens using Russian servers. Not only is this obligation technically complicated and often costly from the business perspective, but it is also a headache for the data protection officer. After all, keeping a portion of your user database located outside of the EU in a country that is not deemed adequate under Article 45 of the EU General Data Protection Regulation may conflict with data minimization and may ne... Read More

Uncertainty is a common theme in the privacy community, but it seems one thing that can always be counted on is a difference of opinion on how to apply the EU General Data Protection Regulation. This butting of heads recently revealed itself again as European data protection authorities triggered the dispute-resolution mechanism in Article 65 of the GDPR. The mechanism was invoked by the Irish Data Protection Commission in relation to its ongoing case against Twitter, one of the first high-prof... Read More

Spanning more than 100 pages and 50,000 words — that’s 20,000 words more than Shakespeare’s "Hamlet" — the EU General Data Protection Regulation is more a hike up Mont Blanc than a stroll in the Jardin du Luxembourg. Adopted to great fanfare in 2016 and launched two years ago, May 25, 2018, it is often heralded as the most important technology-legal reform in a generation. With a broad geographical scope sweeping across national borders and industrywide application straddling even the public-pri... Read More

With the EU General Data Protection Regulation being in force for quite a while and its "controller" and "processor" concepts for yet much longer, there seems to be a well-established practice for identifying third parties and where they fit into that picture. However, there are still situations in which this remains a significant challenge, both to organizations concerned and to the data protection authorities. The California Consumer Privacy Act, on the other hand, is a completely new legal a... Read More

Privacy technology vendors have had plenty of success creating tools to tackle one component of the EU General Data Protection Regulation rather than the entirety of the law. Perhaps a vendor will focus on a handful of articles in order to create a specialized compliance tool that handles a specific aspect of the law really well, such as data subject access requests or privacy impact assessments. SafeGuard Privacy CEO and Co-Founder Richy Glassberg and Executive Vice President, General Counsel ... Read More

Information security, risk and compliance are in focus and one of the core issues for many companies. For obvious reasons it has been early recognized that people are one of the key factors and often times the weakest link in organizational security. From this point of view, it was natural to conclude that by knowing more about your employees and future employees you mitigate, to a degree, risks arising from internal threats, and you are employing people with proven records and sufficient level ... Read More

The way companies use personal data is somewhat reminiscent of how people approach their wardrobes. You start buying clothes of a particular style or brand, but over time, your sense of fashion changes, and you buy based on new needs and desires. The use of personal data works in the same way, as companies collect data for one purpose and then use it differently as new needs arise. In both instances, the sudden change in direction merits some type of justification, and that's especially the cas... Read More

One the issues when applying the specific EU General Data Protection Regulation provisions, including the very principles relating to processing of personal data and data subject rights, is how to make these provisions work in practice when it comes to publicly available personal data. This is important, as clearly the GDPR applies in full irrespective of if the data are or were publicly available or not. There are various provisions of the GDPR that refer to such types of data, but as they co... Read More

Late May is a good time for privacy regulations to come into effect. Prior to May, short days, cold weather and rain typically keep us indoors anyway, so what better to do than work on data protection? But, after May, it’s helpful to have things mostly in order to allow for more time wandering in and thinking about nature instead of data. Isn’t it? Well (wistfully), for many data protection officers, May 25, 2018, was hardly an ending. At the IAPP, we kept working into the summer and beyond to ... Read More

Artificial intelligence is rapidly transforming the global economy and society. From accelerating the development of pharmaceuticals to automating factories and farms, many countries are already seeing the benefits of AI. Unfortunately, it is becoming increasingly clear that the European Union’s data-processing regulations will limit the potential of AI in Europe. Data provides the building blocks for AI, and with serious restrictions on how they use it, European businesses will not be able to... Read More

On April 27, 2016, the European Parliament passed Regulation (EU) 2016/679, better known as the EU General Data Protection Regulation. The extensive consumer data privacy bill has an overarching goal to give European Union residents control over their personal data and to provide transparency between companies and consumers, causing wide-reaching effects on businesses and organizations worldwide. Further, many other jurisdictions have introduced their own consumer data privacy bills in line with... Read More

Privacy professionals will probably never be able to forget the lead up to the EU General Data Protection Regulation, no matter how hard they try. Plenty of studies showed companies were not ready for the May 25, 2018, implementation date, which led to speculation about what would happen when the European rules finally arrived. One of those studies was conducted by McDermott Will & Emery and the Ponemon Institute. In their survey, released in April 2018, 40 percent of respondents said they ... Read More

Last month, the European Data Protection Board released its first overview of the implementation and enforcement of the General Data Protection Regulation and the roles and means of the national supervisory authorities. The report indicates that the GDPR cooperation and consistency mechanisms are working quite well in practice due to the EDPB and national supervisory authorities’ ongoing efforts to facilitate collaboration and communication. Since May 25, 2018, the total number of cases reporte... Read More

In Josh Gresham’s recent piece for the IAPP, he opined that encrypted data should not be considered personal data under the EU General Data Protection Regulation. Encryption of data cannot, however, be deterministic as to whether that information is personal. As Josh correctly discusses, the GDPR provides existing factors for controllers to make that determination. First and foremost, a controller must decide whether the data relates to an “identified or identifiable natural person.” Putting as... Read More