On August 5, 2022 news broke that the French Data Protection Authority (“CNIL”) proposes fining adtech company Criteo €60 million for undisclosed GDPR violations as part of an ongoing investigation opened by the CNIL in 2020. The investigation followed a 2018 complaint by the privacy NGO Privacy International against Criteo…
On February 23, 2022, the European Commission published its proposal for a Regulation on Harmonized Rules on Fair Access to and Use of Data (“Data Act”), which focuses on data generated by Internet of Things (“IoT”) devices. The aim of the Data Act are to create a single market for…
On June 17, 2022, the UK Government’s Department for Digital, Culture, Media and Sport (“DCMS”) issued a final response (“Response”) to the consultation, ‘Data: a new direction’ (“Consultation”), which launched on September 10, 2021, to receive input from stakeholders on the DCMS proposals to reform the UK’s data protection regime….
On April 21, 2022, France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), announced its decision to fine medical software company Dedalus Biologie €1.5 million following a data breach that exposed health information of nearly 500,000 people. The CNIL noted the company violated several GDPR obligations,…
The Kingdom of Saudi Arabia (“Saudi Arabia” or the “Kingdom”) has enacted the Personal Data Protection Law (“PDPL”), the country’s first comprehensive data protection law. The PDPL was scheduled to become effective on March 23, 2022 but full implementation was recently delayed until March 17, 2023, a positive development for…
The International Data Transfer Agreement (“IDTA”), the long awaited mechanism for international transfers of personal data originating from the United Kingdom (“UK”), is now in force as of March 21, 2022, along with a separate addendum to the EU standard contractual clauses (“UK Addendum”). These transfer mechanisms were introduced by…
Introduction On 13 January 2022, the Austrian Data Protection Authority (“DSB“) ruled that the use of Google Analytics (“GA”) and the resulting export of personal data to the United States (“US”) violates the GDPR’s data export requirements. On 10 February 2022 the French data protection authority (“CNIL”) also confirmed that…
Update: Since going live with the below, the EDPB has published its draft guidelines addressing key aspects of a data subject’s right of access. More to follow soon. Last month, a large number of EU and US companies received queries about their data access request procedures under the General Data Protection…
Data controllers processing personal data in Turkey must register with the Turkish Data Controllers Registry, “VERBIS”, to notify the Turkish Data Protection Authority (“DPA”) of their processing activities by 31 December 2021, under penalty of a fine. In addition, data controllers not established in Turkey (“foreign controllers”) will need to…
On 18 November 2021 the European Data Protection Board (“EDPB”) released its Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (“Guidelines”) for public consultation. The Guidelines clarify one of the most vexing issues in…