GDPR Compliance News

Fox Rothschild monitors the latest developments in the EU's implementation of its General Data Protection Regulation to keep clients ahead of the compliance curve. See below for the latest updates from Partner Odia Kagan, Chair of GDPR Compliance and International Privacy, which can also be found on our Privacy Compliance & Data Security Blog.

Recent Blog Posts

  • Spain’s Data Protection Authority Launches Privacy Innovation, Transparency Effort: “The Spanish Agencia Española de Protección de Datos – AEPD has launched the DIGITAL PACT FOR THE PROTECTION OF PEOPLE, an initiative that aims to promote a firm commitment to privacy in the sustainability policies and business models of organizations” “Among the principles that are collected is to promote transparency so that citizens know what data is being collected and what it is used for, promote gender equality and the protection of children and people in vulnerable situations, or guarantee that the...
  • Discovery in the Age of Schrems II: Between a Rock and a Hard Place. I discover with my little eye… a GDPR breach? “Recent court rulings suggest that companies still face a Catch-22 when getting involved in U.S. discovery. There have been several cases … in which a party has objected to discovery based on GDPR concerns,” write Dr. Matthias Artzt and Gary D. Weingarden for IAPP – International Association of Privacy Professionals. “The Schrems II decision makes U.S. discovery from EU sources even more fraught … parties are likely to find themselves with an unpleasant dilemma:...
  • France’s CNIL Fines Data Processor and Data Controller Over Credential-Stuffing Attack: Data Processors beware. France’s CNIL issued an enforcement action against both a data controller (150,000 EUR) and a data processor (75,000 EUR) for inadequate information security measures leading to a credential-stuffing attack. The attackers were able to take the last name, first name, email address, DOB, loyalty card balances and orders of approximately 40,000 individuals. In this case, the companies focused their response strategy on developing a tool to detect and block attacks launched from bots. However, the development of this tool took...
  • UK Information Commissioner Sets 2021 Priorities: The United Kingdom’s Information Commissioner’s Office published its action plan for 2021. Areas of focus include: the Age Appropriate Design Code, data sharing, data broking, the use of sexual crime victims’ personal information, and adtech, including audits focused on digital marketing platforms. Additional guidance is forthcoming on: political campaigning, facial recognition, codes of conduct and certification schemes. As Elizabeth Denham’s tenure is coming to an end in 2021, the ICO is also going to recruit a successor for the position of Information Commissioner. Read the full summary via the UK ICO....
  • Blurred Images Collected by Automated Vehicles Can Be Personal Data Under GDPR: Automated vehicle manufacturers beware: Blurred images can still be personal data under the European Union’s General Data Protection Regulation (GDPR), says French Data Protection Authority CNIL in a statement on the use of drones by French police. If information is blurred only after it is collected, and blurred flows can be accessed in clear images by the agents of the police, this is processing of personal data. The fact that access is limited only to engineers with very specific rights and requires...
  • Norway’s Data Protection Authority Offers Brexit Warning on Data Transfers to the UK: Norway’s Datatilsynet does not mince words in its Brexit guidance: “On 31 December 2020, the Brexit transition period will end. This means, among other things, that anyone who transfers personal data to the United Kingdom after this date must follow the rules on the transfer of personal data to third countries.” “If the European Commission does not give the UK an adequacy decision before the New Year, companies that transfer personal data to the UK must ensure a transfer basis and comply with...
  • EDPB Issues Guidance on Its Coordinated Enforcement Framework: The European Data Protection Board has issued guidance on its Coordinated Enforcement Framework (CEF). The CEF provides a structure for coordinating recurring annual activities by EDPB Supervisory Authorities. The annual coordinated action focuses on a pre-defined topic which participating SAs may pursue using a pre-defined methodology. The CEF is the foundation on which the annual coordinated action is built (the ‘rulebook’ for coordinated action). The objective of the CEF is to facilitate joint actions in the broad sense in a flexible but coordinated manner. Details in...
  • European Parliament Addresses Smart Mobility Apps, Data Privacy and C-ITS: The European Parliament issued a detailed study on the impact of smart mobility applications on the future of transport and addressed some data protection issues. Public authorities should further specify legislation for data privacy and protection (e.g. addressing how drivers can grant third parties consent to use their data, where processing data is necessary for a task carried out in the public interest). The Cooperative Intelligent Transport System (C-ITS) industry and vehicle manufacturers should develop systems flexible enough to guarantee full control...
  • European Commission Issues Long-Awaited Draft Standard Contractual Clauses: The European Commission has issued long-awaited draft Standard Contractual Clauses and they have something for everyone… Annexes and pick-and-choose modules (C2C, C2P, P2P, P2C). Lots of emphasis on the laws of the country of transfer and pushing back on government requests. Reiteration of some Article 26 (joint controller agreement) and Article 28 (data processor agreement) provisions. Requirements for transparency to the individuals. Individual redress, third party beneficiary and liability as among the entities. Details in this client alert....
  • EDPB Adopts Measures on Post-Schrems II Supplemental Data Transfer Tools: Brace yourselves, the post-Schrems II supplemental measures are coming! The European Data Protection Board adopted recommendations on measures that supplement transfer tools to ensure compliance with the European Union level of protection of personal data, as well as recommendations on the European Essential Guarantees for surveillance measures. “The implications of the Schrems II judgment extend to all transfers to third countries. Therefore, there are no quick fixes, nor a one-size-fits-all solution for all transfers, as this would be ignoring the wide diversity...