GDPR

In a previous blog post, we discussed the European Commission’s criticism of the Dutch data protection authority’s interpretation of legitimate interests as a lawful basis for processing personal data. In that post we noted that the issue would potentially be resolved by the Netherlands’ highest administrative court, the Council of State when it ruled

The UK convenience store giant ‘Southern Co-op’ is facing the possibility of regulatory intervention and legal challenge following a complaint made by UK civil liberties campaign group Big Brother Watch (BBW) regarding the use of surveillance cameras in 35 Southern Co-op stores. Images of customers that a member of staff ‘reasonably expects’ to be committing ‘crime or disorder’ are captured and transformed into biometric data. The data of those ‘identified as an offender’ is then stored and checked against the database of facial recognition technology provider, ‘Facewatch.’
Continue Reading The Southern Co-op – Is the Use of ‘Spy’ Cameras Breaching UK Data Protection Laws?

The EU Commission has expressed concerns about the Dutch data protection authority’s strict interpretation of “legitimate interests”, considering it to be “not in line with the GDPR, the guidelines of the Article 29 Working Party/EDPB and the case law of the European Court of Justice (CJEU)”. Those concerns focus on guidance issued by the Autoriteit

In January 2022, the President of the Personal Data Protection Office (“DPDO“) of Poland fined both a data controller and processor for their failure to implement appropriate technical and organisational measures to ensure the security of personal data. In particular, the data controller failed to exercise its GDPR right to audit and inspect

Article 80 (2) of the General Data Protection Regulation (GDPR) provides that Member States can entitle properly constituted not-for-profit bodies, organizations or associations that have statutory objectives which are in the public interest, and are active in the field of the protection of data subjects’ rights and freedoms, with the right to lodge complaints with

Dark patterns are top of mind for regulators on both sides of the Atlantic. In the United States, federal and state regulators are targeting dark patterns as part of both their privacy and traditional consumer protection remits. Meanwhile, the European Data Protection Board (EDPB) is conducting a consultation on proposed Guidelines (Guidelines) for assessing and avoiding dark pattern practices that violate the EU General Data Protection Directive (GDPR) in the context of social media platforms. In practice, the Guidelines are likely to have broader application to other types of digital platforms as well.
Continue Reading “Dark Patterns” Are Focus of Regulatory Scrutiny in the United States and Europe

Ransomware and DDoS attacks are costly to organisations that fall victim in terms of reputational damage, picking up the pieces as well as potential enforcement from the ICO and compensation claims by data subjects.
Continue Reading Double Trouble: Why Organisations Need to Consider the Legal Consequences of Ransomware and DDoS Attacks

On 25 March the US and EU announced “agreement in principle” on a new legal framework for GDPR-compliant transfers of EU personal data to the United States. The agreement reflects US commitment to implementing new safeguards designed to address concerns that led to the July 2020 Schrems II decision of the European Court of Justice

On February 2, 2022, the Belgian Data Protection Authority (the ‘Belgian DPA’) imposed a number of sanctions against Interactive Advertising Bureau Europe (‘IAB Europe’), for alleged violations of the EU General Data Protection Regulation (the ‘GDPR’) by its Transparency and Consent Framework (the ‘TCF’).

TCF is developed by IAB Europe, in partnership with IAB Tech