On June 24, 2020, the European Commission (“Commission”) published its much-anticipated assessment of the EU’s General Data Protection Regulation (“GDPR”) two years after it went into effect. The assessment takes into account contributions from the European Council, the European Parliament, the European Data Protection Board (“EDPB”), individual supervisory authorities, the Multi-Stakeholder Expert Group and other … Continue Reading
On June 8, 2020, the Belgian Supervisory Authority (“SA”) fined a (then ex-) politician €5,000 for sending political marketing materials without an appropriate legal basis. Although the fine was not massive, the case is interesting for another reason: the complaint was brought not by the individuals who received the marketing materials, but by their employer. … Continue Reading
On December 17, 2019, the Belgian Supervisory Authority (“SA”) imposed a fine of € 15,000 on an SME operating a legal information website that welcomes approximately 35,000 unique visitors a month. Interestingly, in the apparent absence of any actual complaints submitted to the SA, it carried out this enforcement action on its own initiative. In … Continue Reading
On November 8, 2019, the European Union adopted the “Directive Modernizing Consumer Law”. This directive is part of the so-called “New Deal for Consumer” (see here), a package of legislative reforms designed to revise existing EU consumer laws. The main objective of these reforms is to adapt EU consumer protection legislation to the realities of … Continue Reading
Update, September 19, 2019: Further to the reports on its scheme for calculating fines, which prompted requests on the supervisory to publish it, the Datenschutzkonferenz has clarified that fines in individual cases are calculated on the basis of Art. 83(2) GDPR, and that the model is only used on a complimentary basis. Furthermore, the model … Continue Reading
On July 24, 2019, the European Commission (“the Commission”) published a report appraising Europe’s progress in implementing the General Data Protection Regulation (“GDPR”) as a central component of its revamped data protection framework. In its report, the Commission highlights certain achievements resulting from implementation efforts, calls attention to issues that require further action, and describes … Continue Reading
Last week, the European Data Protection Supervisor (the “EDPS”), in collaboration with European consumer organisation BEUC, hosted a joint conference on Big Data: individual rights and smart enforcement in Brussels (for the conference agenda, see here). The conference brought together leading regulators and experts in the areas of competition, data protection and consumer protection, including … Continue Reading
The UK’s data protection regulator, the Information Commissioner’s Office (“ICO”), has imposed a fine of £350,000 on Prodial Ltd (“Prodial”) for making over 46 million unsolicited automated telephone calls to generate leads in relation to payment protection insurance refunds. This is the highest fine issued by the ICO to date.… Continue Reading
Industry eagerly awaits further guidance from data protection authorities (“DPAs”) relating to the EU-U.S. Privacy Shield as well as on the validity (or otherwise) of other mechanisms for transfers to the U.S. such as standard contractual clauses (“SCCs”) and binding corporate rules (“BCRs”). As we explained in recent posts (here and here), publication of an … Continue Reading
By Megan Rodgers The FTC announced that the identity theft protection firm LifeLock will pay $100 million to resolve allegations that the company made false statements about its services and failed to safeguard consumer data. This settlement represents the largest of its kind in an FTC order enforcement action. The FTC first sued LifeLock in … Continue Reading
In May 2014, the Global Privacy Enforcement Network (“GPEN”) performed its second Global Privacy Sweep, in which 26 privacy enforcement authorities from 19 countries downloaded 1,211 mobile apps and assessed their privacy practices. On September 10, 2014, the Office of the Privacy Commissioner of Canada (“OPC”) published the results of the Sweep (the “OPC Report”). … Continue Reading
Last week, the Federal Communications Commission announced plans to fine Dialing Services, LLC, nearly $3 million for making illegal “robocalls” to cell phones. The FCC has specific rules for automatic telephone dialing systems, also known as “autodialers,” that have the capacity to produce, store, and dial telephone numbers using a random or sequential number generator. … Continue Reading
FDA has previously included claims made on Facebook or other social media platforms along with broader allegations of misbranding using a variety of sources in its enforcement letters . . . [b]y contrast, the present untitled letter focuses solely on a single statement on a Facebook page, and does not take issue with any statements outside the Facebook page.… Continue Reading
Speaking at Berkeley’s Online Tracking Workshop today, Françoise Le Bail, Director-General of the European Commission’s DG Justice (the leading department regarding the EU data protection reforms) confirmed the European Commission’s vision that the EU needs stronger penalties in order to ensure effective enforcement of European data protection rules. Ms. Le Bail said that European privacy … Continue Reading
Routine SEC examinations of investment advisers and investment companies this year will include scrutiny of these entities’ cybersecurity policies, an SEC official told attendees Thursday at a national agency-hosted compliance seminar. The SEC’s Regulation S-P, which implements the federal Gramm-Leach-Bliley Act, requires brokers, dealers, investment companies, and registered investment advisers to “adopt policies and procedures … Continue Reading
By Anna Kraus On December 27, 2013, the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) announced a HIPAA settlement with Adult & Pediatric Dermatology, P.C. (APDerm), a private dermatology practice with locations in Massachusetts and New Hampshire. According to HHS, this is the first settlement based on a … Continue Reading
By Anna Kraus The Department of Health and Human Services (HHS) announced on June 14 that it reached a settlement with Shasta Regional Medical Center (SRMC) in California over potential violations of the HIPAA Privacy Rule. Under the settlement, SRMC agreed to pay $275,000 and implement a comprehensive corrective action plan (CAP). HHS’s investigation was … Continue Reading
Earlier this month, Maneesha Mithal, Associate Director of the Federal Trade Commission’s Division of Privacy and Identity Protection, testified before the U.S. Senate Subcommittee on Consumer Protection, Product Safety, and Insurance regarding consumer report accuracy and the FTC’s efforts to improve accuracy through education and enforcement. Her testimony emphasized the impact that consumer report errors may … Continue Reading
Speaking at a seminar hosted by the International Association of Privacy Professionals, Assistant Director Chris Olsen and Senior Attorney Peder Magee, both of the Federal Trade Commission’s Division of Privacy and Identity Protection, provided a useful overview of the FTC’s recent enforcement actions and current enforcement priorities. Based on this discussion, the following infographic identifies the … Continue Reading
The data protection authority in Hamburg, Germany, issued an administrative fine in the amount of € 145,000 against Google for its illegal WiFi data collection activities. This fine fell just short of the maximum amount for such fines under German data protection law, which is € 150,000 (in cases of negligence). Between 2008 and 2010, … Continue Reading
BNA is reporting that Mexico’s data protection authority, the Federal Institute for Access to Information and Data Protection (IFAI), will issue a fine of $1 million against one of Mexico’s largest banks for violating the country’s Federal Law on the Protection of Personal Data in Possession of Private Parties. The action against the bank — … Continue Reading
This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until … Continue Reading
On October 26, 2012, the FTC finalized settlements with Georgia auto dealer Franklin Budget Car Sales, Inc. and Utah-based debt collector EPN Inc. over charges that each company illegally exposed sensitive personal information of consumers by allowing peer-to-peer (P2P) file-sharing software to be installed on their corporate computer systems. The final settlements follow a notice-and-comment period … Continue Reading
Earlier this week, Wyndham Hotels & Resorts LLC moved to dismiss the complaint filed against it by the Federal Trade Commission in connection with Wyndham’s data security practices, asserting that the FTC has neither the authority nor the expertise to regulate them. As we previously noted, the FTC filed a complaint against Wyndham in June … Continue Reading
