Federal Trade Commission Announces Settlements in Privacy Shield Enforcement Actions

The Federal Trade Commission sent an important message to companies participating in the EU-U.S. Privacy Shield when earlier this year, the agency announced that settlements had been finalized with five companies regarding separate allegations that they had falsely claimed certification under the framework. The EU-U.S. and Swiss-U.S. Privacy Shield frameworks make it possible for companies to transfer personal data lawfully from the EU and Switzerland, respectively, to the U.S. (In compliance with the EU –…

READ MORE

Be Prepared: New Tech Enables Floods of Subject Access Requests

In January 2020, a new data privacy startup, Mine, made headlines when it received $3 million in seed funds. Mine is an inevitable product of new data privacy laws that have been passed in Europe and California. The start-up based in Tel Aviv helps users identify all the companies that hold their personal data. It then allows users to submit automated subject access requests and subject erasure requests. They advertise as a service providing tools for…

READ MORE

Issues Remain to Be Resolved as Congress Considers Comprehensive Privacy Protections in 2020

As 2020 begins, Congress continues on a path toward providing consumers with greater protections for their data, lawmakers have exhibited a rare willingness to work toward consensus on the issue. Bills introduced by members of Congress in 2019 often shared more in common than not. But a hearing (https://www.commerce.senate.gov/2019/12/examining-legislative-proposals-to-protect-consumer-data-privacy) held late in the year by the Senate Committee on Commerce, Science and Transportation revealed differences that remain to be resolved before any bill will pass.…

READ MORE

Data Protection Conference in Tirana Forecasts an International Focus in 2020 on Converging Privacy Laws and Accountability

Last fall, the International Data Protection and Privacy Commissioners’ Conference convened in Tirana, Albania. Achieved Compliance once again participated in this annual meeting, which brings together regulators, experts, advocates and practitioners from around the globe. By attending this meeting, Achieved Compliance benefits from the opportunity to understand what concerns data protection authorities and on what issues they will focus their attention over the coming year. The theme of this year’s meeting was Convergence and Connectivity: …

READ MORE
Dutch DPA Report

Dutch Report Provides a Window on GDPR-Related Complaints and DPA Response

On September 9, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the Dutch DPA) published a report on privacy complaints it received between January 2019 and June 2019. The report reviews the rate of consumer complaint activity since the enactment of the GDPR, the nature of those complaints, and how they are handled by the Dutch data authority. Overview of the Dutch DPA Report During the first half of 2019, just over 19,000 individuals and organizations contacted…

READ MORE
Privacy Guidelines

New Privacy Guidance From NIST and ISO

National Institute of Standards and Technology, ISO Release Privacy Guidance Companies seeking guidance about how to understand privacy risks and to implement measures to address them should be aware of two new resources – The National Institute of Standards and Technology’s (“NIST”) draft Privacy Framework and the International Organization for Standardization’s (“ISO”) International Standard for privacy information management. These tools are designed to work alongside existing guidelines for cybersecurity and the requirements of emerging law…

READ MORE
GDPR Identity Verification

Loose Identity Verification Puts You at Risk for Fraud

Subject Access Requests (SARs) under the GDPR Now is the time to tighten up your identity verification methods. Without tight verification methods, you open yourself up to GDPR regulators and you put your customers at risk of being a victim of fraud. Individuals Can Request Access to Their Personal Data Article 15 of the GDPR gives individuals a “right of access” to their personal data, under which they can request specifics about the personal data a…

READ MORE

Poland Imposes Fines for Web-Scraping of Personal Data When Notification to Individuals Did Not Occur

Poland’s data protection agency issued its first fine under the EU’s General Data Protection Regulation (GDPR), imposing a 220,000 euro fine to Bisnode, a European digital marketing company headquartered in Sweden. The Poland Personal Data Protection Office (UODO) determined that the company had failed to inform individuals that it was processing their data after scraping that data from websites. Notification is required under Article 14. In addition to the fine, UODO required Bisnode to contact…

READ MORE