Ireland Data Protection Commission Fines WhatsApp Ireland $266 Million for GDPR Transparency Violations

On September 2, 2021, Ireland’s Data Protection Commission (“DPC”) announced that it would fine WhatsApp Ireland (“WhatsApp”) €225 million ($266 million) for its failure to meet the General Data Protection Regulation’s (“GDPR”) transparency requirements as set forth in Articles 12-14. The investigation of WhatsApp began after the DPC received complaints from individuals regarding WhatsApp’s data processing activities and a mutual assistance request from the German Federal Data Protection Authority about WhatsApp’s compliance with EU data protection law. The investigation focused on whether WhatsApp, which was acquired by Facebook in 2014, complied with its transparency obligations under Articles 12-14 of the GDPR, particularly regarding the sharing and processing of…

READ MORE

European Commission Publishes Final Version of Standard Contractual Clauses, Imposes Obligations on Data Controllers and Processors

On June 4, 2021, the European Commission published the final version of the implementing decision on standard contractual clauses (“SCC”) for transfers of personal data to third countries under the EU General Data Protection Regulation (“GDPR”).  The Commission also released the final version of the new SCCs. (LINK) The new version of the SCCs is in part a response to the decision in the Schrems II case, which raised questions about whether they provide necessary protections for the trans-Atlantic transfer of data. The European Commission’s release in November 2020 of draft versions of the implementing decision and the SCCs was discussed previously in this blog. The guidance makes clear that…

READ MORE

Dutch Data Protection Authority Imposes €525,000 Fine for Failure to Appoint Article 27 Representative

The Dutch Data Protection Authority (“Dutch DPA”) has imposed a €525,000 fine on Locatefamily.com for failure to comply with the General Data Protection Regulation’s Article 27 requirement to appoint a representative in the European Union (“EU”). Locatefamily.com publishes contact details (including telephone numbers and addresses) of individuals on its online platform. According to the Dutch DPA, individuals often did not register to be listed on the platform and did not know how their personal information found its way to the platform. The Dutch DPA had received numerous complaints from individuals about Locatefamily.com. In a decision issued May 12, 2021 found that the online platform had failed to comply…

READ MORE

Companies that Comply with GDPR Reap Benefits in Jurisdictions Beyond the EU

Companies faced with meeting the requirements of the General Data Protection Regulation face a complex task.  For businesses with limited grounding in data protection, understanding the law, mapping data, conducting risk assessment and mitigation, developing policies and protocols to govern data privacy and producing necessary documentation represents a significant investment of time and resources.  Even for companies with data governance programs in place, reviewing those programs to ensure they meet the obligation of the GDPR and making necessary adjustments is a significant undertaking. But it’s important to recognize that the steps a company takes toward GDPR compliance will yield benefits in jurisdictions well beyond the European Union. Since…

READ MORE

European Commission Publishes Draft Decision Finding UK Law Provides Adequate Protections for EU Data

On February 19, 2021, the European Commission published a draft decision finding that UK law provides an adequate level of protection for EU residents’ data. If the draft decision is adopted, organizations in the EU will be able to continue to transfer personal data to organizations in the UK without restriction. They also will not need to implement data transfer mechanisms, such as the EU Standard Contractual Clauses, to comply with the requirements of the GDPR. The draft decision comes after a year of review by the European Commission, which concluded that the UK’s legal and regulatory data protection regime meets EU data protection adequacy requirements. It also provides for…

READ MORE