In a previous blog post, we discussed the European Commission’s criticism of the Dutch data protection authority’s interpretation of legitimate interests as a lawful basis for processing personal data. In that post we noted that the issue would potentially be resolved by the Netherlands’ highest administrative court, the Council of State, when it ruled
GDPR
The Southern Co-op – Is the Use of ‘Spy’ Cameras Breaching UK Data Protection Laws?
The UK convenience store giant ‘Southern Co-op’ is facing the possibility of regulatory intervention and legal challenge following a complaint made by UK civil liberties campaign group Big Brother Watch (BBW) regarding the use of surveillance cameras in 35 Southern Co-op stores. Images of customers that a member of staff ‘reasonably expects’ to be committing ‘crime or disorder’ are captured and transformed into biometric data. The data of those ‘identified as an offender’ is then stored and checked against the database of facial recognition technology provider, ‘Facewatch.’
Is the Dutch Data Protection Authority’s Restrictive Approach to Legitimate Interests an Eccentricity or a Trend?
The EU Commission has expressed concerns about the Dutch data protection authority’s strict interpretation of “legitimate interests”, considering it to be “not in line with the GDPR, the guidelines of the Article 29 Working Party/EDPB and the case law of the European Court of Justice (CJEU)”. Those concerns focus on guidance issued by the Autoriteit…
Start Vetting Your Data Processors! Key Takeaways From the Forum Case
In January 2022, the President of the Personal Data Protection Office (“DPDO”) of Poland fined both a data controller and processor for their failure to implement appropriate technical and organisational measures to ensure the security of personal data. In particular, the data controller failed to exercise its GDPR right to audit and inspect…
Two More Nails in the Coffin for Opportunistic Data Breach Claims
Following on from a string of cases in 2021 concerning minor data breaches (see our earlier article here), two further cases in Q1 of 2022 have continued the trend of High Court scepticism. Such compensation claims, usually involving multiple causes of action, often find themselves trimmed down and sent to the County Court, if…
CJEU Rules Consumer Associations Can File Data Infringement Class Actions Without a Consumer Mandate
Article 80 (2) of the General Data Protection Regulation (GDPR) provides that Member States can entitle properly constituted not-for-profit bodies, organizations or associations that have statutory objectives which are in the public interest, and are active in the field of the protection of data subjects’ rights and freedoms, with the right to lodge complaints with…
“Dark Patterns” Are Focus of Regulatory Scrutiny in the United States and Europe
Dark patterns are top of mind for regulators on both sides of the Atlantic. In the United States, federal and state regulators are targeting dark patterns as part of both their privacy and traditional consumer protection remits. Meanwhile, the European Data Protection Board (EDPB) is conducting a consultation on proposed Guidelines (Guidelines) for assessing and avoiding dark pattern practices that violate the EU General Data Protection Directive (GDPR) in the context of social media platforms. In practice, the Guidelines are likely to have broader application to other types of digital platforms as well.
Double Trouble: Why Organisations Need to Consider the Legal Consequences of Ransomware and DDoS Attacks
Ransomware and DDoS attacks are costly to organisations that fall victim, in terms of reputational damage and picking up the pieces, as well as potential enforcement from the ICO and compensation claims by data subjects.
United States and European Commission Announce Trans-Atlantic Data Privacy Framework: Setting the Scene for Schrems III?
On 25 March the US and EU announced “agreement in principle” on a new legal framework for GDPR-compliant transfers of EU personal data to the United States. The agreement reflects US commitment to implementing new safeguards designed to address concerns that led to the July 2020 Schrems II decision of the European Court of Justice…
EU Supervisory Authorities Led by the Belgian DPA Find IAB Europe’s TCF Infringes EU Data Protection Rules
On February 2, 2022, the Belgian Data Protection Authority (the ‘Belgian DPA’) imposed a number of sanctions against Interactive Advertising Bureau Europe (‘IAB Europe’), for alleged violations of the EU General Data Protection Regulation (the ‘GDPR’) by its Transparency and Consent Framework (the ‘TCF’).
TCF is developed by IAB Europe, in partnership with IAB Tech…