On March 5, 2020, the Danish Supervisory Authority (“Datatilsynet”) issued a guidance document in which it clarifies how companies should process the personal data of their employees in the context of the coronavirus (“COVID-19”) crisis (see here, in Danish). This follows the publication of a similar guidance by the
Continue Reading Danish Supervisory Authority Issues COVID-19 Guidance
Italian Supervisory Authority Publishes COVID-19 Guidance
On March 2, 2020, the Italian Supervisory Authority (“Garante”) published a “statement” in which it clarifies how companies should process personal data in the context of their efforts for preventing a spread of the coronavirus disease (“COVID-19”) among their employees and others in Italy (see here, in Italian).
The
Continue Reading Italian Supervisory Authority Publishes COVID-19 Guidance
Centre for Data Ethics and Innovation Publishes Final Report on “Online Targeting”
On February 4, 2020, the United Kingdom’s Centre for Data Ethics and Innovation (“DEI”) published its final report on “online targeting” (the “Report”), examining practices used to monitor a person’s online behaviour and subsequently customize their experience. In October 2018, the UK government appointed the DEI, an expert committee that advises the UK government on how to maximize the benefits of new technologies, to explore how data is used in shaping peoples’ online experiences. The Report sets out its findings and recommendations.
Continue Reading Centre for Data Ethics and Innovation Publishes Final Report on “Online Targeting”
UK ICO Publishes New Guidance on Special Category Data
On November 14, 2019, the UK Information Commissioner’s Office (“ICO”) published detailed guidance on the processing of special category data. The guidance sets out (i) what are the special categories of data, (ii) the rules that apply to the processing of special category data under the General Data Protection Regulation (“GDPR”) and UK Data Protection Act 2018 (“DPA); (iii) the conditions for processing special category data; and (iv) additional guidance on the substantial public interest condition, including what is an “appropriate policy document”.
Under the GDPR, stricter rules apply to the processing of special category data, which includes genetic and biometric data as well as information about a person’s health, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, and trade union membership. As noted in the guidance, there is a presumption that “this type of data needs to be treated with greater care” because the “use of this data could create significant risks to the individual’s fundamental rights and freedoms”. This blog post provides a summary of the key takeaways from the ICO’s guidance.
Continue Reading UK ICO Publishes New Guidance on Special Category Data
EDPB Adopts Final Version of Guidelines on Territorial Scope of the GDPR
On November 14, 2019, the EDPB adopted a final version of Guidelines 3/2018 on the territorial scope of the GDPR (Art. 3). This takes into account the contributions and feedback that the EDPB received during a public consultation on a draft version of the guidelines (see here).
The draft
Continue Reading EDPB Adopts Final Version of Guidelines on Territorial Scope of the GDPR
European Parliament Publishes Study on Blockchain and the GDPR
On July 24, 2019, the European Parliament published a study entitled “Blockchain and the General Data Protection Regulation: Can distributed ledgers be squared with European data protection law?” The study explores the tension between blockchain technology and compliance with the General Data Protection Regulation (the “GDPR”), the EU’s data protection law. The study also explores how blockchain technology can be used as a tool to assist with GDPR compliance. Finally, it recommends the adoption of certain policies to address the tension between blockchain and the GDPR, to ensure that “innovation is not stifled and remains responsible”. This blog post highlights some of the key findings in the study and provides a summary of the recommended policy options.
Continue Reading European Parliament Publishes Study on Blockchain and the GDPR
ICO Launches Public Consultation on New Data Sharing Code of Practice
On July 16, 2019, the UK’s Information Commissioner’s Office (“ICO”) released a new draft Data sharing code of practice (“draft Code”), which provides practical guidance for organizations on how to share personal data in a manner that complies with data protection laws. The draft Code focuses on the sharing of personal data between controllers, with a section referring to other ICO guidance on engaging processors. The draft Code reiterates a number of legal requirements from the GDPR and DPA, while also including good practice recommendations to encourage compliance. The draft Code is currently open for public consultation until September 9, 2019, and once finalized, it will replace the existing Data sharing code of practice (“existing Code”).
Continue Reading ICO Launches Public Consultation on New Data Sharing Code of Practice
CJEU rules that Facebook and website operators are joint controllers if the website embeds Facebook’s “Like” button
On July 29, 2019, the Court of Justice of the European Union (“CJEU”) handed down its judgment in the Fashion ID case (Case C-40/17). The CJEU found that when a website operator embeds Facebook’s “Like” button on its website, Facebook and the website operator become joint controllers. The case clarifies
Continue Reading CJEU rules that Facebook and website operators are joint controllers if the website embeds Facebook’s “Like” button
Italian Supervisory Authority Issues Judgment Concerning ‘Right to be Forgotten’
On July 22, 2019, the Italian supervisory authority for data protection (“Garante”) issued a judgment involving the so-called “right to be forgotten”. The Garante’s decision explores the boundaries of this right in a case in which Internet users could access an article by using a professional position as a search term, whereas it was not possible to access the article merely by using an individual’s name as a search term.
More specifically, the case before the Garante involved a professional, namely the president of a cooperative, who requested that Google remove a link to online content about him accessible by Internet users. The content was accessible not by entering the individual’s name as a search term, but rather by entering his position as president of the cooperative, an association that serves the interests of members, i.e., social or economic needs or other general aims.Continue Reading Italian Supervisory Authority Issues Judgment Concerning ‘Right to be Forgotten’
European Commission Issues Report on the Implementation of the GDPR
On July 24, 2019, the European Commission (“the Commission”) published a report appraising Europe’s progress in implementing the General Data Protection Regulation (“GDPR”) as a central component of its revamped data protection framework. In its report, the Commission highlights certain achievements resulting from implementation efforts, calls attention to issues that require further action, and describes several ongoing and planned initiatives. The report is a follow-up to a prior report issued in January 2018, and was informed to a great extent by the ongoing work of the Multi-stakeholder Group, which is comprised of civil society and business representatives, academics and practitioners, to support the application of the GDPR. The report will contribute to the Commission’s formal 2-year review of the GDPR to take place in May 2020.
Continue Reading European Commission Issues Report on the Implementation of the GDPR