Debevoise Data Blog

NOVEMBER 10, 2020

ICO targets the data broking industry : On 27 October, the ICO demanded that Experian make sweeping changes to data protection practices within its direct marketing business within three months or face further enforcement action. We will continue to report on developments as Experian’s appeal progresses.

Data protection 52

Data protection Intellectual Property e-records Machine learning 52

Debevoise Data Blog

MARCH 11, 2021

There were a few European data protection developments in February that companies may want to have on their radar. What happened: CNIL has reminded businesses to audit their use of cookies and tracking technologies, ahead of the regulator’s October 2020 guidance coming into force at the end of March.

Data protection 52

Data protection Compliance Analytics Court 52

Debevoise Data Blog

APRIL 8, 2021

million for vendor oversight failings, unlawful cross-border transfers What happened : The AEPD, the Spanish data protection authority (“DPA”), fined Vodafone Spain €8.15 4 million was for allegedly deficient oversight of Vodafone’s data processors. Here are our highlights of what you need to know.

Data protection 52

Data protection Compliance Court Law 52

Debevoise Data Blog

OCTOBER 12, 2021

million fine against Austrian Post for channelling electronic data protection-related inquiries to a web form and not offering an additional email address, irrespective of the data subject option to also use non-electronic postal mail or customer service.

Data protection 52

Data protection Failure-to-appear Compliance e-records 52

Debevoise Data Blog

MAY 12, 2023

Key takeaways this April include: UK children’s data protection focus continues: Businesses may wish to review policies and procedures for dealing with children’s data in light of recent UK ICO fines and guidance, especially to ensure that terms of use are adequately enforced. 22, as set out by the court.

Data protection 52

Data protection Software design Machine learning Software 52

Debevoise Data Blog

FEBRUARY 10, 2021

As covered in our Annual Review , 2020 was a blockbuster year for European data protection. This was bolstered by the ICO’s announcement that it is resuming investigations into real time bidding and the adtech industry that were paused in May 2020 due to COVID-19. EDPB publishes new data breach notification guidance.

Data protection 52

Data protection Time-tracking Defendant Court 52

Debevoise Data Blog

MAY 7, 2021

The key development from April must be the European Data Protection Board (“EDPB”) approving the draft UK adequacy decisions from the European Commission (the “Commission”). Companies will be relieved that they are one step closer towards maintaining the seamless flow of data between the EU and the UK.

Data protection 52

Data protection Court Compliance Hearing 52

Debevoise Data Blog

MAY 28, 2024

EDPB “Consent or pay” models: Businesses operating large online platforms should consider the European Data Protection Board’s recent opinion indicating that “consent or pay” models are unlikely to be GDPR-compliant.

Data protection 52

Data protection Compliance Law Law 52

Debevoise Data Blog

JULY 20, 2021

Here are our highlights: European Commission adopts new Standard Contractual Clauses What happened : As reported in our blog post , the European Commission adopted its new Standard Contractual Clauses (“SCCs”) for the cross-border transfer of personal data from the EEA to “third countries”.

Data protection 52

Data protection e-filing Compliance e-records 52

Debevoise Data Blog

MARCH 26, 2023

UK tribunal limits ICO enforcement order but partially upholds lawful basis objection What happened : A tribunal rejected certain aspects of the UK ICO’s October 2020 enforcement notice against Experian, a credit reference agency that holds and processes data relating to essentially the whole of the UK’s adult population.

Data protection 52

Data protection Compliance Court Law 52

Debevoise Data Blog

JUNE 8, 2023

As we covered here , last October, the CNIL fined Clearview AI €20 million for various data protection violations, including “intrusive and massive” data processing without consent or a valid legitimate interest. The amount of compensation should be assessed by Member State courts under their domestic rules.

Data protection 52

Data protection Compliance e-records Dispute resolution 52

Legal IT Group

SEPTEMBER 29, 2023

Brazil’s Lei Geral de Proteção de Dados Pessoais (or LGPD), similar to GDPR, CCPA and PIPEDA, regulates personal data protection. If the company does not process personal data in Brazil but still processes data to offer or supply goods or services to Brazil, the LGPD also applies in this case.

Data protection 130

Data protection Compliance Court Law 130

Debevoise Data Blog

JUNE 16, 2021

We also saw developments in the courts on when companies will be liable to pay individuals damages for GDPR violations and the German anti-trust regulator using its new enforcement powers. These decisions follow the CNIL’s October 2020 updated cookies guidelines (see our blog post ).

Data protection 40

Data protection Compliance Court Time-tracking 40

Debevoise Data Blog

AUGUST 16, 2023

. : Business may want to revisit their cross-border data transfer arrangements following the new adequacy decision for the EU-U.S. Data Privacy Framework, assess whether they are eligible to self-certify and, if they are, whether it makes sense to. Data Privacy Framework (the “DPF”). Data Privacy Framework (the “DPF”).

Data protection 40

Data protection Analytics Compliance Time-tracking 40

Inside Privacy

FEBRUARY 27, 2023

Background The RAD came into force on December 24, 2020 with the objective of introducing a common framework and approach to collective actions across the EU. An action can be brought by several qualified entities from different member states in order to protect the collective interests of consumers in different member states.

Data protection 52

Data protection Court Litigator Litigation 52

Debevoise Data Blog

DECEMBER 22, 2020

Businesses operating in France should take these new blockbuster fines as another reminder of the importance of data protection frameworks and policies. In 2019 and 2020, the CNIL’s inspectors performed online checks of google.fr This fine was upheld on appeal in June 2020 (see our comments on the decision). and amazon.fr

Data protection 52

Data protection Compliance Court 52

Debevoise Data Blog

FEBRUARY 8, 2021

On 19 January 2021, the UK Information Commissioner’s Office (the “ICO”) published its September 2020 letter to the Securities and Exchange Commission (the “SEC”) analysing the GDPR’s impact on UK-based SEC-regulated firms’ (“SEC–Regulated UK Firms”) ability to comply with SEC data requests. What was the issue? What did the ICO find?

Data protection 52

Data protection Compliance Court Law 52

new tech law blog

MARCH 14, 2022

This interest was generated among other sources by numerous complaints filed by NOYB—European Center for Digital Rights in the last year with data protection authorities, and has resulted in guidance and several decisions issued by regulators in recent months (e.g. in Austria, Belgium and France).

Data protection 52

Data protection Analytics e-filing Compliance 52

Debevoise Data Blog

APRIL 19, 2021

519-FZ on Amendments to the Federal Law on Personal Data dated 30 December 2020 (the “Law”) came into force. This is additional to general data processing consent, which is still required under pre-existing data protection law. 3] To subscribe to the Data Blog, please click here. [1] Special Consent.

Due diligence 52

Due diligence Data protection Federal law Court 52

Ikigai Law

AUGUST 7, 2023

Fast forward to the last month, the Delhi High Court used the long arm of the PMLA to classify PayPal as a ‘reporting entity’ under the PMLA. The Court rejected this premise. Main Course : Deep dive stories on card network portability, and impact of the data protection bill on fintechs. The data law is nearly here!

Data protection 52

Data protection Law Law e-records 52

Debevoise Data Blog

JUNE 25, 2022

On March 11, 2021, the Amsterdam District Court found in favor of Uber in both suits ( see here and here ), holding that Article 22 did not apply because the decisions reached by these systems did not have “legal or similarly significant effects.”

Compliance 52

Compliance Law Law Data protection 52

Debevoise Data Blog

OCTOBER 18, 2021

The TDPA provides for a private right of action for violation of the prohibition to sell, lease, or disclose data. Compensatory damages or damages between $200 and $1,000 are authorized for each unlawful sale, as are reasonable attorneys’ fees and court costs. 1:20-CV-1084-JES-JEH, 2020 WL 5118035 (C.D. See, e.g., Figueroa v.

Law 52

Law Law Court Time-tracking 52

new tech law blog

JUNE 22, 2023

This is because the obligations and prohibitions imposed on gatekeepers will either directly or indirectly vest other groups with rights they can pursue before national courts. The DMA vests these entities with certain rights, directly or indirectly, which they can enforce before national courts (Art. DMA recital 12). 5, 6 and 7 DMA.

Compliance 52

Compliance Data protection Court Software 52

Debevoise Data Blog

MARCH 17, 2023

Since these models generally evolve, regulators and courts might argue that—in the event of a performance issue or other regulatory concern—the model’s earlier outputs are important to understanding its later performance.

e-discovery 52

e-discovery Compliance Litigator Litigation 52

Debevoise Data Blog

OCTOBER 26, 2021

Among other proposed federal legislation, the National Biometric Information Privacy Act of 2020 died in Congress last year. Given that this provision of BIPA is currently being tested in the courts, this is also an important area for lawyers to monitor going forward.

Compliance 52

Compliance Federal law Data protection Machine learning 52

Legal IT Group

MARCH 6, 2023

Over 18 years of its existence, Google Analytics, and other Google services have become indispensable data processing tools for business owners and various organizations, such as educational institutions, healthcare, and sometimes even government agencies. It happened a few years ago. Presidential Executive Order No. 12.333 (E.O.

Analytics 130

Analytics Data protection Time-tracking Court 130

LawSites

DECEMBER 27, 2022

Notably, the post that captured the most eyes was about New York becoming the first state to mandate CLE in cybersecurity, privacy and data protection. The second most popular post was a test of the BriefCatch legal editing software using the leaked draft of the Supreme Court’s opinion in Dobbs v.

Data protection 94

Data protection Analytics Legal tech Legal tech 94

Inside Privacy

JUNE 1, 2023

It has been well-publicized that the Irish Data Protection Commission (“DPC”) has imposed a record €1.2 billion fine and corrective measures under the GDPR against Meta Ireland (“Meta”) in a long-running dispute relating to cross-border data transfers and the EU standard contractual clauses (“SCCs”).

Data protection 69

Data protection Court Compliance Hearing 69

Debevoise Data Blog

FEBRUARY 28, 2022

In this Data Blog post, we discuss recent enforcement actions and regulatory requirements for getting rid of old data and offer six tips for complying with these developing obligations. The UK Data Protection Act of 2018 has a similar provision. See Wai Feng Trading Co. Quick Fitting, Inc. 2019 WL 118412 (D. Wetzel (W.D.

e-filing 52

e-filing Compliance Litigator Litigation 52

Debevoise Data Blog

JULY 31, 2023

Data Privacy Framework (the “DPF”). The decision enables businesses in Europe to transfer personal data to DPF-certified U.S. businesses without having to implement additional data protection safeguards. Data subjects may lodge complaints through both U.S.- The DPF is the third U.S. or EU-based recourse mechanisms.

Data protection 52

Data protection Dispute resolution e-filing e-records 52

Debevoise Data Blog

DECEMBER 1, 2020

The European Data Protection Board (“EDPB”) recently published new guidance on how companies can validly transfer EU personal data to the many countries that have not been deemed by the EU Commission to generally provide an adequate level of data protection – most notably the U.S. (so

Data protection 40

Data protection Litigation Litigator Law 40

Technology Law Dispatch

JANUARY 5, 2023

The previous EU-US Privacy Shield was invalidated by the Court of Justice of the European Union in 2020 due to the lack of protection of EU personal data. The European Data Protection Board will provide its non-binding opinion on the draft adequacy decision. What are the next steps?

Data protection 52

Data protection Court 52

Technology Law Dispatch

JULY 12, 2023

Data Privacy Framework (Framework) on July 10, 2023. The Court of Justice of the European Union (CJEU) had previously invalidated both the U.S.-EU EU Privacy Shield in 2020 after challenges by Austrian privacy activist Max Schrems (CJEU decisions known as Schrems I and Schrems II , respectively).

Compliance 52

Compliance Data protection Court Law 52

Berkley Technology Law Journal

NOVEMBER 18, 2022

Jürgen Kühling is also a member of the German Monopolies Commission since July 1, 2016 and elected chairman since September 2020. Professor Kühling has been a member of the monopolies commission since July 1, 2016 and elected chairman since September 2020. And it’s going to be checked by the European Court of Justice.

Law 100

Law Law Data protection Court 100

Berkley Technology Law Journal

NOVEMBER 18, 2022

Jürgen Kühling is also a member of the German Monopolies Commission since July 1, 2016 and elected chairman since September 2020. Professor Kühling has been a member of the monopolies commission since July 1, 2016 and elected chairman since September 2020. And it’s going to be checked by the European Court of Justice.

Law 100

Law Law Data protection Court 100

Debevoise Data Blog

OCTOBER 17, 2022

The GDPR permits data transfers from the European Economic Area (“EEA”) to a non-EEA jurisdiction if the EU Commission has decided that the recipient country meets certain criteria and thus ensures an adequate level of data protection or through other mechanisms such as EU Standard Contractual Clauses (“SCCs”).

Data protection 52

Data protection Court Judge Attorney 52

Debevoise Data Blog

JANUARY 14, 2022

As a general rule, however, the FTC’s Division of Privacy and Identity Protection (the “DPIP”) initiates privacy and cybersecurity investigations via civil investigative demands (“CIDs”). A CID is a type of Commissioner-authorized subpoena, enforceable in court, that subjects the recipient to a number of formalized processes and timelines.

Compliance 52

Compliance Court Litigator Litigation 52