Privacy Guidelines

New Privacy Guidance From NIST and ISO

National Institute of Standards and Technology, ISO Release Privacy Guidance Companies seeking guidance about how to understand privacy risks and to implement measures to address them should be aware of two new resources – The National Institute of Standards and Technology’s (“NIST”) draft Privacy Framework and the International Organization for Standardization’s (“ISO”) International Standard for privacy information management. These tools are designed to work alongside existing guidelines for cybersecurity and the requirements of emerging law such as the General Data Protection Regulation and the California Consumer Privacy Act. The NIST Privacy Framework   In September, NIST, an agency of the U.S. Department of Commerce, released a preliminary draft of…

READ MORE
GDPR Identity Verification

Loose Identity Verification Puts You at Risk for Fraud

Subject Access Requests (SARs) under the GDPR Now is the time to tighten up your identity verification methods. Without tight verification methods, you open yourself up to GDPR regulators and you put your customers at risk of being a victim of fraud. Individuals Can Request Access to Their Personal Data Article 15 of the GDPR gives individuals a “right of access” to their personal data, under which they can request specifics about the personal data a business holds about them, or the organization’s purpose for processing the data, the categories of personal data held, who has access to the data, whether or not it will be transferred outside of…

READ MORE

Poland Imposes Fines for Web-Scraping of Personal Data When Notification to Individuals Did Not Occur

Poland’s data protection agency issued its first fine under the EU’s General Data Protection Regulation (GDPR), imposing a 220,000 euro fine to Bisnode, a European digital marketing company headquartered in Sweden. The Poland Personal Data Protection Office (UODO) determined that the company had failed to inform individuals that it was processing their data after scraping that data from websites. Notification is required under Article 14. In addition to the fine, UODO required Bisnode to contact the nearly six million people it had not already contacted as required by the GDPR and gave the company three months to comply with the order. Article 14 obligates data controllers to inform…

READ MORE

EDPB Releases New Guidance: When Can Companies Rely on the Need to Fulfill the Terms of a Contract as a Legal Basis to Process?

On April 12, 2019, the European Data Protection Board (“EDPB”) published draft guidelines on the legal basis for processing personal data that involves providing online services to data subjects (the “Guidelines”). Specifically, they discuss when companies can rely on Article 6(1) – that processing can take place in the context of fulfilling the terms of a contract – and what conditions must be established to do so. The Guidelines make clear that this basis is narrower than it is often interpreted to be, and that companies must take care that they meet certain requirements. Background To lawfully process data, companies must establish one of six legal bases articulated in Article…

READ MORE

Framework for GDPR Fines Published by the Dutch Authorities

The Dutch Data Protection Authority (AP) has announced a new policy for determining the fines to be imposed for violations of the General Data Protection Regulation (GDPR) and its national implementing act. The AP’s assessment will first take into account the maximum amounts specified by the European Regulation: either 10 million euros or 2% of the annual worldwide turnover, or 20 million euros or 4% of the annual worldwide turnover, depending on the violation incurred. Violations that are subject to fines are divided into three or four categories designed by the data protection authority to take into account the weight of the breached requirements, with each assigned a…

READ MORE

European Data Protection Board Issues Guidance on Interplay Between GDPR and Rules Governing Data in Clinical Trials

On January 23, 2019, the European Data Protection Board (EDPB), released an opinion on the relationship between the European Clinical Trials Regulation (CTR) and the EU General Data Protection Regulation (GDPR) (the “Opinion”). The CTR, scheduled to take effect in 2020, is designed to harmonize how clinical trials are assessed and supervised across the EU. It introduces a Clinical Trials Information System and establishes rules that protect individuals and enhance transparency requirements. In its Opinion, the EDPB provides guidance on (1) the legal bases for primary uses of clinical data, i.e., processing personal data in the course of a clinical trial protocol, and (2) secondary uses of clinical trial data…

READ MORE

U.S. Senate Commerce Committee To Hold Hearings on Privacy February 27, 2019

On February 27, 2019, the U.S. Senate Committee on Commerce, Science and Transportation will convene a hearing titled “Privacy Principles for a Federal Data Privacy Framework in the United States.” Committee members will focus on potential Congressional action to “address risks to consumers and implement data privacy protections for all Americans.” Committee Chairman Sen. Roger Wicker of Mississippi described the hearing as an opportunity to “help set the stage for meaningful bipartisan legislation.” The hearing comes in the midst of calls from policymakers, advocates and industry for law that would protect individuals, foster trust, and promote innovation. Several lawmakers introduced legislation in the last Congress, and bills are expected…

READ MORE

French Data Protection Authorities Fine Google Nearly $57 Million for Violations of the General Data Protection Regulation’s Notice and Consent Requirements

French regulators have fined Google nearly $57 million for violations of the General Data Protection Regulation (GDPR). This fine was the first major penalty levied against a large U.S. technology company since the regulation took effect in May 2018. France’s data protection authority, known as the CNIL, said that Google failed to fully disclose to users how their personal information is collected and what happens to it. Significantly, regulators said that Google also did not properly obtain users’ consent to use the data to serve them personalized advertisements. The CNIL said in a statement that the violations “deprive the users of essentially guarantees regarding processing operations that can…

READ MORE