Debevoise Data Blog

AUGUST 27, 2024

Building on prior European guidance , the French and Irish DPAs published guidance on the deployment of generative AI, large language models and data protection. To that end, the EDPB proposed designating DPAs as the “national competent authorities” under the AI Act to create a single point of contact.

Data protection 52

Data protection Compliance Litigation Litigator 52

Debevoise Data Blog

SEPTEMBER 23, 2024

Our top-five European data protection developments from August are: Uber fined for personal data transfer: The Dutch Data Protection Authority fined Uber €290 million for the unlawful transfer of European drivers’ personal data to the U.S., without sufficient safeguards.

Data protection 52

Data protection Court Software Compliance 52

Eric Goldman

FEBRUARY 15, 2024

Marketa Trimble [Eric’s introductory note: I briefly addressed the DSA in this blog post , along with the attached meme. intermediaries servicing the EU market, an application that suggests that, as has been the case with the EU General Data Protection Regulation (“GDPR”), some spillover from the EU legislation will be felt in the U.S.

Due diligence 105

Due diligence Data protection Compliance Court 105

Debevoise Data Blog

JULY 30, 2024

Our top five European data protection developments from June are: Non-material damage under GDPR: The CJEU clarified the scope of compensation for non-material damage in the context of identity theft and data subjects’ fear that their personal data had been exposed. To subscribe to the Data Blog, please click here.

Data protection 52

Data protection Time-tracking Mediator Analytics 52

Debevoise Data Blog

JULY 20, 2021

Here are our highlights: European Commission adopts new Standard Contractual Clauses What happened : As reported in our blog post , the European Commission adopted its new Standard Contractual Clauses (“SCCs”) for the cross-border transfer of personal data from the EEA to “third countries”.

Data protection 52

Data protection e-filing Compliance e-records 52

Debevoise Data Blog

OCTOBER 12, 2021

million fine against Austrian Post for channelling electronic data protection-related inquiries to a web form and not offering an additional email address, irrespective of the data subject option to also use non-electronic postal mail or customer service.

Data protection 52

Data protection Failure-to-appear Compliance e-records 52

Debevoise Data Blog

SEPTEMBER 27, 2023

The AEPD held that a DPO cannot hold a position that leads them to determine the purposes and means of data processing. The scale and data protection risks associated with such technologies has been further complicated recently by their increasing integration with artificial intelligence systems.

Data protection 52

Data protection Compliance e-filing Court 52

Debevoise Data Blog

JUNE 1, 2023

Privacy and Data Protection , a leading UK journal on practical data protection compliance issues, has featured in its latest edition an article by Robert Maddox and Stephanie Thomas on the hallmarks of effective data protection by design and default under the EU and UK GDPR.

Data protection 52

Data protection Compliance 52

Debevoise Data Blog

SEPTEMBER 9, 2021

The court also struck out the claimant’s negligence claim on the grounds that: (i) case law has established that negligence cannot be pleaded alongside Data Protection Act claims; and (ii) “distress” does not constitute damage, as required for a successful negligence claim.

Data protection 52

Data protection Court Litigation Litigator 52

Debevoise Data Blog

MAY 12, 2023

Key takeaways this April include: UK children’s data protection focus continues: Businesses may wish to review policies and procedures for dealing with children’s data in light of recent UK ICO fines and guidance, especially to ensure that terms of use are adequately enforced.

Data protection 52

Data protection Software design Machine learning Software 52

Debevoise Data Blog

APRIL 8, 2021

million for vendor oversight failings, unlawful cross-border transfers What happened : The AEPD, the Spanish data protection authority (“DPA”), fined Vodafone Spain €8.15 4 million was for allegedly deficient oversight of Vodafone’s data processors. See our blog post here for further tips on managing the latest landscape.

Data protection 52

Data protection Compliance Court Law 52

Debevoise Data Blog

DECEMBER 10, 2020

The big news this November was the European Data Protection Board (the “EDPB”) issuing its highly anticipated post- Schrems II data transfer guidance, followed just a day later by the European Commission’s draft updated Standard Contractual Clauses (“SCCs”) (see our blog post here ).

Data protection 52

Data protection Dispute resolution Court Compliance 52

Debevoise Data Blog

DECEMBER 13, 2022

What to do : Read our blog post for detailed guidance on scope, applicability and penalties under NIS2, including how to prepare for the revised incident reporting, security and management oversight obligations. .

Data protection 52

Data protection Compliance Due diligence Hearing 52

Debevoise Data Blog

NOVEMBER 21, 2023

Data protection & AI: In particular: (i) the French CNIL published its first set of guidance on GDPR compliance when developing AI tools; and (ii) the UK ICO issued a preliminary enforcement notice against Snap over its AI chatbot, alleging that Snap had not adequately assessed the privacy risks posed to child users of the tool.

Data protection 52

Data protection Compliance Failure-to-appear e-records 52

Debevoise Data Blog

NOVEMBER 1, 2021

Subject access requests : The possibility that companies responding to data subject access requests from individuals will have to provide copies of entire documents containing their personal data, rather than only extracts. What to do : Monitor developments in the case, which we will report on the blog as they become available.

Data protection 52

Data protection Court Defendant Law 52

Debevoise Data Blog

MARCH 11, 2021

There were a few European data protection developments in February that companies may want to have on their radar. We will continue to report on progress through the Blog. What to do: As we reported previously there is increasing convergence between European data protection and competition law enforcement.

Data protection 52

Data protection Compliance Analytics Court 52

Debevoise Data Blog

DECEMBER 22, 2023

Regulators publish AI-related guidance to advise businesses on their existing obligations What happened : As discussed in previous blog posts , the EU AI Act, which has now concluded its passage through the EU “trilogue negotiations”, is expected to have a wide-reaching impact on businesses which use AI systems in, or sell them into, the EU.

Data protection 52

Data protection Time-tracking Compliance Machine learning 52

Debevoise Data Blog

APRIL 28, 2023

UK ICO updates guidance to clarify requirements for fairness in AI What happened : The UK ICO has updated its existing Guidance on AI and data protection following requests from industry to clarify requirements for fairness in AI. Norwegian Data Protection Authority fines medical device company c.$240,000

Data protection 52

Data protection Compliance e-filing Software 52

Debevoise Data Blog

NOVEMBER 10, 2020

ICO targets the data broking industry : On 27 October, the ICO demanded that Experian make sweeping changes to data protection practices within its direct marketing business within three months or face further enforcement action. We will continue to report on developments as Experian’s appeal progresses.

Data protection 52

Data protection Intellectual Property e-records Machine learning 52

Debevoise Data Blog

JUNE 8, 2023

As we covered here , last October, the CNIL fined Clearview AI €20 million for various data protection violations, including “intrusive and massive” data processing without consent or a valid legitimate interest. 82 (see our May 2021 , August 2021 , and October 2022 blog posts for previous developments).

Data protection 52

Data protection Compliance e-records Dispute resolution 52

Debevoise Data Blog

MAY 7, 2021

The key development from April must be the European Data Protection Board (“EDPB”) approving the draft UK adequacy decisions from the European Commission (the “Commission”). Companies will be relieved that they are one step closer towards maintaining the seamless flow of data between the EU and the UK.

Data protection 52

Data protection Court Compliance Hearing 52

Debevoise Data Blog

MARCH 26, 2023

As multi-jurisdiction data protection concerns expand and opportunities to rely on a lead supervisory authority may narrow , the EDPB is emphasising consistency of decisions between national supervisory authorities through, among other measures, the development of approval procedures that require a cooperation phase and the creation of task forces.

Data protection 52

Data protection Compliance Court Law 52

Debevoise Data Blog

AUGUST 5, 2021

European Data Protection Roundup – July Key takeaways from developments this July include: a blockbuster €746 million fine against Amazon – the largest ever GDPR penalty – showing the Regulation’s teeth; the challenges of GDPR-compliant facial recognition, after a Spanish supermarket chain was fined €2.5

Data protection 52

Data protection Dispute resolution Court Case law 52

Technology Law Dispatch

JUNE 23, 2023

On 19 June 2023, the Information Commissioner’s Office (ICO) has released new Guidance on Privacy-Enhancing Technologies (PETs) for Data Protection Compliance. Understanding PETs PETs are software and hardware systems that can help minimize use of personal data use while maximizing information security.

Data protection 52

Data protection Compliance Software Law 52

new tech law blog

JANUARY 2, 2023

In this regard, we describe below what they should take under consideration in light of Polish labour law and data protection law. Therefore, implementation and exploitation of such solutions by the employer (as a controller of employee data) must be done in compliance with the rules for processing of personal data under Art.

Data protection 52

Data protection Law Law Time-tracking 52

Debevoise Data Blog

APRIL 26, 2024

Key takeaways from March include: CNIL data security practice guide: The French DPA published an update of its data security practice guide for data protection officers, chief information security officers, computer scientists and legal experts. To subscribe to the Data Blog, please click here.

Data protection 52

Data protection e-records Compliance Court 52

Inside Privacy

NOVEMBER 28, 2023

They raise various questions under regulatory and data protection and data security laws. The DiGA Regulation imposes specific data protection and data security requirements on health apps (in addition to safety, functionality, quality and interoperability requirements). 26 of the GDPR.

Data protection 57

Data protection Time-tracking Software Law 57

Debevoise Data Blog

JANUARY 21, 2021

In this post, we look back at the 2020 European data protection landscape and five trends that help companies understand not only where we are, but where data protection enforcement, litigation, and practice may be headed. million against Marriott for its 2018 data breach When you dig deeper though, two key points emerge.

Data protection 52

Data protection Litigation Litigator Failure-to-appear 52

Debevoise Data Blog

FEBRUARY 10, 2021

As covered in our Annual Review , 2020 was a blockbuster year for European data protection. The decision draws parallels with the AI-related claims brought against Uber in the Netherlands , and is another example of the cross-over between data protection and employment law. CJEU Opinion clarifies the one-stop-shop.

Data protection 52

Data protection Time-tracking Defendant Court 52

Debevoise Data Blog

OCTOBER 20, 2023

data bridge comes into force 12 October 2023 What happened : Parliament passed Regulations giving effect to the UK-U.S. data bridge from 12 October 2023. EU context, see this Debevoise blog. From 12 October, UK businesses can transfer UK GDPR-covered personal data to certified U.S. For the wider UK-U.S.-EU

Data protection 52

Data protection Intellectual Property Compliance Law 52

Kevin O'Keefe

FEBRUARY 25, 2024

On blogs, on websites, via contributed articles and more. Privacy and Data Protection: Advising on compliance with data protection laws, including GDPR in Europe and CCPA in California, especially for AI systems that process personal data. All Areas of the Law Required AI Insight Via Publishing 1.

Law firm 130

Law firm Intellectual Property Data protection Compliance 130

Inside Privacy

APRIL 28, 2023

Following a number of complaints, the European Data Protection Supervisor (‘EDPS’) decided that the SRB shared pseudonymized personal data with the consulting firm without informing the affected individuals of this sharing. Pseudonymous or anonymous data.

Court 137

Court Data protection 137

Debevoise Data Blog

AUGUST 25, 2022

On 18 July 2022, the UK government published the Data Protection and Digital Information Bill (the “Bill”), which proposes reforms to the UK’s data protection and e-privacy landscape in-line with the National Data Strategy.

Data protection 52

Data protection e-records 52

Debevoise Data Blog

JANUARY 25, 2024

They are also reminded of their obligation to maintain appropriate technical and organisational measures in relation to their data processing, and may wish to review their compliance with these measures. It remains to be seen whether data protect authorities will provide guidance on how to interpret the “draw strongly” condition.

Data protection 40

Data protection Court e-records Compliance 40

Debevoise Data Blog

FEBRUARY 20, 2023

Orange established a mobile telephone contract and SIM card without adequately verifying the customer’s data, resulting in identity theft and data processing of a victim’s personal data without consent. To subscribe to the Data Blog, please click here.

Data protection 52

Data protection Compliance e-records Court 52

Debevoise Data Blog

SEPTEMBER 12, 2022

Russia has enacted amendments to its Personal Data Law (the “ Amendments ”) that may have a significant impact on companies operating in Russia. Companies will also be required to conduct a cross-border data transfer risk assessment. To subscribe to the Data Blog, please click here.

Data protection 52

Data protection Compliance Time-tracking Litigator 52

Debevoise Data Blog

AUGUST 16, 2023

. : Business may want to revisit their cross-border data transfer arrangements following the new adequacy decision for the EU-U.S. Data Privacy Framework, assess whether they are eligible to self-certify and, if they are, whether it makes sense to. Data Privacy Framework (the “DPF”).

Data protection 40

Data protection Analytics Compliance Time-tracking 40