On May 25, 2020, the second anniversary of the GDPR, the Belgian Supervisory Authority (“SA”) released an overview of its first full year of activity (available in French here, and in Dutch here).  To be clear, this was not a delay in reporting, but rather shows that the Belgian legislature was late in creating its oversight and enforcement authority for data protection.

According to the activity overview, the SA has received over 900 security breach notifications and around 350 complaints.  It has performed over 100 inspections and imposed 59 sanctions, 9 of which resulted in fines for a total of €189,000.  In fact, the SA has imposed the bulk of these fine amounts only in the last two months.


On October 16, 2019, the body of German Supervisory Authorities known as the Datenschutzkonferenz (“DSK”) released a document proposing a model for calculating fines under the GDPR.  The DSK indicated that this model is subject to change and will be superseded by any method put forward in guidance issued by the European Data Protection Board.

Update, September 19, 2019: Further to the reports on its scheme for calculating fines, which prompted requests for the supervisory authorities to publish it, the Datenschutzkonferenz has clarified that fines in individual cases are calculated on the basis of Art. 83(2) GDPR, and that the model is only used on a complementary basis. Furthermore, the

On July 17, 2018, the Portuguese Supervisory Authority (“CNPD”) imposed a fine of 400.000 € on a hospital for infringement of the European Union General Data Protection Regulation (“GDPR”).  The decision has not been made public.  Earlier this week, the hospital publicly announced that it will contest the fine.

According to press reports, the CNPD

By Luca Tosoni and Dan Cooper

On 2 February 2017, the Italian DPA (“Garante”) imposed a record fine of 5,880,000 Euros on a UK company operating in Italy for its violation of the data privacy consent rules contained in Italian law.  This is the largest data privacy fine ever issued by a European data protection authority for a breach of the EU’s data protection framework.

The Garante imposed the fine on a company that allegedly made money transfers to China on behalf of individuals without their knowledge or agreement, and therefore did not obtain the individuals’ consent to the processing of their data.

The size of the fine reflects, in part, the fact that a significant number of data subjects were impacted by the breach.  In fact, the Garante concluded that the company had committed a separate privacy violation for each data subject whose data was used without consent.  The fine therefore reflects the sum total obtained from adding up the fine for each individual breach committed by the company.

On March 3, 2016, the UK’s Information Commissioner’s Office (“ICO”) released new guidance on encryption.  The guidance aims to provide advice to organizations on protecting personal data (such as customer and employee data) through the use of encryption.  There is no legally-binding requirement under UK data protection law to encrypt data, either when static or

The UK Information Commissioner’s Office (“ICO”) has issued its largest fine to date in connection with using an automated calling system to make direct marketing calls.  The ICO found that Home Energy & Lifestyle Management Ltd (“HELM”), a green energy company that made millions of automated marketing calls in relation to “free” solar panels, recklessly contravened UK regulations, and fined the company £200,000.

Last month a federal court found Dish Network liable for calls that were alleged by the Federal Trade Commission (“FTC”) to violate various provisions of the FTC’s Telemarketing Sales Rule (“TSR”).  Specifically, the FTC’s 2009 complaint asserted that Dish Network initiated, or caused a telemarketer to initiate, calls to numbers on the National Do Not Call (“DNC”) Registry and to consumers who previously declined to receive such calls whose numbers were on Dish Network’s entity-specific do-not-call list or were marked “DNC” by a telemarketing vendor.  The FTC also alleged that, in violation of the “abandoned-call” provision of the TSR, Dish Network abandoned or caused telemarketers to abandon phone calls.  In its complaint, the FTC seeks monetary civil penalties from Dish Network for every violation of the TSR, for which the court is entitled to award up to $16,000 for each violation.  At issue are tens of millions of calls, making the potential level of damages to be awarded at the trial stage staggering.

Last week, the governor of Connecticut signed into law a new requirement that extends compliance with the state’s existing Do-Not-Call registry to promotional text messages (SMS).  Specifically, the law amends the definition of a “telephonic sales call” to include a “text or media message sent by or on behalf of a telephone solicitor,” thereby prohibiting

Earlier this week, the FCC announced that mobile wireless company Sprint will pay $7.5 million to resolve allegations that the company failed to honor consumer requests to be placed on Sprint’s entity-specific Do-Not-Call list.  The settlement represents the largest of its kind between the FCC and a carrier.

Through this settlement agreement, which follows