General Data Protection Regulation (GDPR)

On April 28, 2020, the Dutch Supervisory Authority (“Dutch SA”) announced its decision to impose a fine of €725,000 on a company for unlawfully processing the biometric data of its employees.

In 2018, the company concerned installed an access and time management system that collected and processed biometric templates of employees’ fingerprints.  This initiative came about following indications of fraudulent use of the company’s existing badge-based time management system.  After installation, the company’s old system co-existed with the new system, and employees were free to choose the method by which to sign in to work.  One of the employees subsequently filed a complaint with the Dutch SA, which led to this investigation.Continue Reading Dutch Supervisory Authority Fines Company for Processing Biometric Data of Employees

On January 27, 2020, the French Supervisory Authority (“CNIL”) issued a guidance for developers of websites and applications which sets out the main principles of the General Data Protection Regulation (“GDPR”), expounds on their application in the online environment, and gives practical tips to help developers respect users’ privacy when deploying websites and apps.

The guidance consists of 17 recommendations, each covering a key principle supported by additional advice and examples.  Below, we list all 17 of these recommendations and provide a brief summary of the CNIL’s advice related to each.Continue Reading French Supervisory Authority Publishes Guidance for Website and App Developers

On February 10, 2020, Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI) launched its first public consultation procedure.  The consultation invites comments on a position paper of the BfDI which addresses the anonymization of personal data under the General Data Protection Regulation (GDPR), with a particular
Continue Reading German Federal Commissioner for Data Protection and Freedom of Information Launches Public Consultation on Anonymization

Germany recently enacted a law that enables state health insurance schemes to reimburse costs related to the use of digital health applications (“health apps”), but the law requires the Federal Ministry of Health to first develop the reimbursement process for such apps.  Accordingly, on January 15, 2020, the German government
Continue Reading Germany Publishes Draft Regulation on the Reimbursement of Digital Health Applications

In late December 2019, the Court of The Hague (Netherlands) published a preliminary reference procedure (see here, in Dutch).  The Court was asked to decide on the scope of the right of access under the GDPR.

The defendant in this case was a bailiff involved in the bankruptcy procedure. 
Continue Reading Dutch Court Decides on Scope of GDPR Right of Access

On December 9, 2019, the German Federal Data Protection Supervisory Authority (BfDI) imposed a 9.55 million Euro fine on the telecommunications company 1&1 Telecom GmbH.  The BfDI found that the authentication procedures used by 1&1’s customer helpline were insufficient and failed to satisfy the requirements of Art. 32 GDPR.  The
Continue Reading German Telecommunications Company Fined 9.5 Million Euros for GDPR Violation

On December 2, 2019, the German Supervisory Authorities issued a report evaluating the implementation of the EU General Data Protection Regulation (“GDPR”) in Germany.  The report describes the Supervisory Authorities’ experience thus far in applying the GDPR and lists the provisions of the GDPR they see as problematic in practice.  For each of these provisions, the report discusses the perceived problem and proposes a solution.

The report begins by noting that the GDPR has significantly increased the workload of German Supervisory Authorities over the past year and a half.  This is due not only to an “enormous growth” in the number of complaints and consultation requests received, but also additional work resulting from the GDPR’s cross-border cooperation procedure.  Since the increased workload has not always been met with increased resources, the authorities have found it difficult to effectively supervise compliance.  Controllers are apparently aware of this and, as a result, have neglected their duties to be GDPR compliant.Continue Reading German Supervisory Authorities Propose Changes to the GDPR

On July 22, 2019, the Italian supervisory authority for data protection (“Garante”) issued a judgment involving the so-called “right to be forgotten”.  The Garante’s decision explores the boundaries of this right in a case in which Internet users could access an article by using a professional position as a search term, whereas it was not possible to access the article merely by using an individual’s name as a search term.

More specifically, the case before the Garante involved a professional, namely the president of a cooperative, who requested that Google remove a link to online content about him accessible by Internet users.  The content was accessible not by entering the individual’s name as a search term, but rather by entering his position as president of the cooperative, an association that serves the interests of members, i.e., social or economic needs or other general aims.Continue Reading Italian Supervisory Authority Issues Judgment Concerning ‘Right to be Forgotten’

On July 24, 2019, the European Commission (“the Commission”) published a report appraising Europe’s progress in implementing the General Data Protection Regulation (“GDPR”) as a central component of its revamped data protection framework.  In its report, the Commission highlights certain achievements resulting from implementation efforts, calls attention to issues that require further action, and describes several ongoing and planned initiatives.  The report is a follow-up to a prior report issued in January 2018, and was informed to a great extent by the ongoing work of the Multi-stakeholder Group, which is comprised of civil society and business representatives, academics and practitioners, to support the application of the GDPR.  The report will contribute to the Commission’s formal 2-year review of the GDPR to take place in May 2020.
Continue Reading European Commission Issues Report on the Implementation of the GDPR

You may have heard the phrase “dark patterns” as shorthand for various user interfaces designed to influence users’ decisions. They can range from the perfectly innocent to the unethical, and even illegal. Whatever the form, dark patterns have recently drawn attention from the mainstream press.

Dark patterns are coming out from the shadows. And when that happens, class action lawyers can’t be far behind.Continue Reading Dark Patterns: What They Are and What You Should Know About Them