On April 17, 2020, the UK’s Information Commissioner’s Office (“ICO”) issued an opinion on the recently announced Apple-Google initiative to develop a Bluetooth-based Contact Tracing Framework (“CTF”) to help prevent the spread of COVID-19. The ICO opinion is generally supportive of the Apple-Google proposal and perceives it to be, at this early phase, aligned with … Continue Reading
On September 24, 2019, the Court of Justice of the European Union (“CJEU”) adopted a decision on the geographical scope of the right to erasure under the GDPR (decision available here). The court decided, in line with the opinion of Advocate General Szpunar, that a US-based search engine does not have to remove (de-reference) search … Continue Reading
On January 21, 2019, the French Supervisory Authority for data protection (“CNIL”) issued a fine of €50 million against Google for violations of the General Data Protection Regulation (“GDPR”) (the decision was published in French here). The CNIL’s decision was triggered by complaints from two non-profit organizations together representing 9974 individuals. The case raises a … Continue Reading
On January 10, 2019, Advocate General Szpunar of the Court of Justice of the European Union (CJEU) released his opinion regarding a 2016 enforcement action carried out by the French Supervisory Authority (CNIL) against Google. In that case, the CNIL ordered Google to de-reference links to webpages containing personal data. According to the CNIL, the … Continue Reading
The UK Information Commissioner’s Office (“ICO”), which enforces data protection legislation in the UK, has ruled that the NHS Royal Free Foundation Trust (“Royal Free”), which manages a London hospital, failed to comply with the UK Data Protection Act 1998 in providing 1.6 million patient records to Google DeepMind (“DeepMind”), requiring the Royal Free to … Continue Reading
Last week, the Third Circuit revived a multi-district privacy lawsuit against Google, finding that the trial court erred in dismissing the plaintiffs’ privacy claims under California state law. The case centers around the plaintiffs’ allegations that Google violated state and federal law by circumventing the Safari browser’s default “cookie blocker” settings to track users’ online … Continue Reading
The UK Supreme Court has granted Google the right to appeal part of the English and Welsh Court of Appeal’s notable ruling in Google Inc. v. Vidal-Hall & Ors [2015] EWCA Civ 311. Our previous blog highlighted the facts of the case (brought by Internet users against Google’s ad-tracking practices) and the significant consequences of … Continue Reading
Pursuant to a press release of April 8, 2014, the Hamburg data protection authority (the “Hamburg DPA”) essentially upheld its order of September 2014, in which it found that certain of Google’s data processing operations explained in its 2012 privacy policy violated German data protection law. More in particular, the Hamburg DPA established that Google’s … Continue Reading
Dan Cooper and Phil Bradley-Schmieg On March 27, 2015, the England and Wales Court of Appeal (EWCA) handed down a historic judgment in Google Inc v. Vidal-Hall & Ors [2015] EWCA Civ 311, with significant consequences for organizations handling personal data in, or from, the UK. This case was brought against Google Inc. by three … Continue Reading
Regulators and courts in the EU are increasingly vigilant in relation to privacy practices and policies of large online companies. In recent years and months, the pressure increases not only through privacy-specific regulations and enforcement, but also through the application of consumer legislation. As the below examples from France and Germany show, some courts or … Continue Reading
On November 25, 2014, the Article 29 Working Party agreed guidelines for data protection authorities seeking to apply the Court of Justice of the European Union (CJEU) ruling reached earlier this year against Google, which has become known as the right to be forgotten or “RTBF” ruling. The full guidelines have not yet been published, … Continue Reading
By Randall Friedland Yesterday, the USA Freedom Act (S. 2685), a bill aimed at curbing the National Security Agency’s (“NSA”) data collection practices, fell two votes short of the 60 votes necessary for cloture in the Senate. The bill was largely blocked by Senate Republicans who expressed concern that the legislation would harm the government’s … Continue Reading
Yesterday, the Article 29 Working Party group of European privacy regulators released a short press release describing the results of its most recent plenary meeting, in which the right to be forgotten was discussed. The “right to be forgotten” refers to a “new” right that the Court of Justice of the European Union (CJEU) read … Continue Reading
By Dan Cooper, Mark Young and Kristof van Quathem On May 13, the European Court of Justice (the “Court”) handed down an important judgement in a referral from Spain’s National High Court involving Google, a Spanish national, and the Spanish data protection authority (Case C-131/12). The decision has wide-ranging consequences regarding the application of EU … Continue Reading
On January 8, 2014, the French data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), announced that it was imposing a fine of €150,000 on Google, as well as a requirement that Google, within eight days of the decision, publicize the fine on its own website (at www.google.fr) for a period of … Continue Reading
Yesterday, the FTC announced a settlement with Goldenshores Technologies, a company that makes the most-downloaded flashlight app on the Android platform. The FTC alleged that Goldenshores violated Section 5 of the FTC Act by failing to disclose to consumers that it shared location data it collected from users’ device with third parties. Although a list … Continue Reading
On Tuesday, 19 November, the Regional Court of Berlin ruled against Google in a case brought by the Federation of German Consumer Associations (vzbv). The vzbv had initiated an action for injunction against Google, requesting it to stop using certain clauses in its Terms of Use and Privacy Policy. In Germany, consumer associations have a … Continue Reading
Google has entered into a $17 million settlement agreement with attorneys general from 37 states and the District of Columbia over allegations that the company engaged in unauthorized tracking of users of Apple’s Safari browser in 2011 and 2012. The allegations stemmed from 2012 reports that Google had bypassed Safari’s default privacy settings and placed cookies … Continue Reading
By Katherine Gasztonyi Last week, Judge Robinson of the District of Delaware dismissed a multi-district lawsuit claiming that Google, Vibrant Media, Media Innovation Group, and WPP violated federal privacy and computer security laws by allegedly circumventing browser privacy settings in order to track users online. This lawsuit stems from a February 17, 2012, Wall Street … Continue Reading
In a decision issued last week that is being described by some as a “landmark,” Judge Koh of the Northern District of California denied a motion to dismiss a complaint filed against Google alleging that its Gmail service unlawfully intercepts the contents of emails sent by and to Gmail users. The case involves Google’s longstanding … Continue Reading
On 25 June, the Advocate General (the “AG”) submitted an Opinion on a set of questions that a Spanish court referred to the Court of Justice of the European Union (the “Court”). This is the first time that the Court has been asked to interpret the European Data Protection Directive 95/46/EC (the ‘Directive’) in the context of internet … Continue Reading
The CNIL announced in a press release on Thursday that it has issued a formal notice to Google Inc. that requires the search engine to provide clear and sufficient information to users about how their data is being used. In particular, the Paris based regulator wants Google to: Define specified and explicit purposes to allow … Continue Reading
The data protection authority in Hamburg, Germany, issued an administrative fine in the amount of € 145,000 against Google for its illegal WiFi data collection activities. This fine fell just short of the maximum amount for such fines under German data protection law, which is € 150,000 (in cases of negligence). Between 2008 and 2010, … Continue Reading
The Court of Justice of the European Union (“CJEU”) in Luxembourg heard argument yesterday concerning the “right to be forgotten”—specifically, whether search engines such as Google must block search results when asked by European citizens to remove references to themselves. This particular case—which is representative of approximately 200 similar cases in Spain—came before the CJEU … Continue Reading