transparency

On January 16, 2024, the Belgian Supervisory Authority sanctioned a data broker for violating several provisions of the GDPR.  In particular, the data broker processed personal data without an appropriate legal basis and in violation of its transparency obligation.

The more than 100-page decision explains that until July 2021 the data broker collected personal data from different sources and sold the data to interested third parties (“data delivery services”).  The company also provided “data quality services” aimed at improving the quality and relevance of the personal data held by its clients.  The relevant data were mainly used for advertising by postal mail.Continue Reading Belgian Supervisory Authority Sanctions Data Broker

On May 25, 2022, the Irish Data Protection Commission (“DPC”) issued 3 short guides for children, with the objective of raising awareness among adolescents about data protection and their privacy rights, as well as serving as a resource “for parents, educators and anyone [else] interested in children’s safety and wellbeing online”. The 3 guides

On March 21, 2022, the European Data Protection Board (“EDPB”) published its draft Guidelines 3/2022 on Dark patterns in social media platform interfaces (hereafter “Guidelines”, available here), following the EDPB’s plenary session held on March 14, 2022.  The stated objective of the Guidelines is to provide practical guidance to both designers and users of social media platforms about how to identify and avoid so-called “dark patterns” in social media interfaces that would violate requirements set out in the EU’s General Data Protection Regulation (“GDPR”).  In this sense, the Guidelines serve both to instruct organizations on how to design of their platforms and user interfaces in a GDPR-compliant manner, as well as to educate users on how certain practices they are subject to could run contrary to the GDPR (which could, as a result, lead to an increase in GDPR complaints arising from such practices).  The Guidelines are currently subject to a 6-week period of public consultation, and interested parties are invited to submit feedback directly to the EDPB here (see “provide your feedback” button).

In this blog post, we summarize the Guidelines and identify key takeaways.  Notably, while the Guidelines are targeted to designers and users of social media platforms, they may offer helpful insights to organizations across other sectors seeking to comply with the GDPR, and in particular, its requirements with respect to fairness, transparency, data minimization, purpose limitation, facilitating personal data rights, and so forth.Continue Reading EDPB Publishes Draft Guidelines on the Use of “Dark Patterns” in Social Media Interfaces

On Thursday, September 2, 2021, the Irish Data Protection Commission (“DPC”) published its decision in the long-awaited inquiry it initiated into the data processing of WhatsApp Ireland Limited (“WhatsApp”) in December 2018.  It finds against WhatsApp, imposing a fine of €225 million.
Continue Reading Irish DPC Finds Against WhatsApp

On December 17, 2019, the Belgian Supervisory Authority (“SA”) imposed a fine of € 15,000 on an SME operating a legal information website that welcomes approximately 35,000 unique visitors a month.  Interestingly, in the apparent absence of any actual complaints submitted to the SA, it carried out this enforcement action on its own initiative.

In

On November 8, 2019, the Spanish Supervisory Authority (“SA”) issued detailed guidance on cookies and similar technologies in collaboration with stakeholders in the ad industry, including Adigital, Anunciantes, AUTOCONTROL and IAB Spain. The guidance is divided in 4 chapters:

  • Chapter 1: scope of the Spanish cookie rules (Art. 22 of Law 34/2002);
  • Chapter 2

On January 21, 2019, the French Supervisory Authority for data protection (“CNIL”) issued a fine of €50 million against Google for violations of the General Data Protection Regulation (“GDPR”) (the decision was published in French here).  The CNIL’s decision was triggered by complaints from two non-profit organizations together representing 9974 individuals. The case raises

The Article 29 Working Party (WP29) has published long-awaited draft guidance on transparency and consent under the General Data Protection Regulation (“GDPR”).  We are continuing to analyze the lengthy guidance documents, but wanted to highlight some immediate reactions and aspects of the guidance that we think will be of interest to clients and other readers of InsidePrivacy.  The draft guidance is open for consultation until 23 January 2018.
Continue Reading EU Regulators Provide Guidance on Notice and Consent under GDPR

By Caleb Skeath

As we reported yesterday, the Congressional Privacy Bill has been released, following the release of the White House’s proposal for a privacy bill in late February.  The bill contains the Commercial Privacy Rights Act of 2015, the Congressional counterpart to the White House’s proposal, along with data breach notification provisions and the “Do Not Track Kids Act of 2015,” which proposes substantial revisions to the Children’s Online Privacy Protection Act (COPPA).  As with the White House proposal, the Privacy Rights Act would implement a comprehensive regime of substantive privacy requirements.  Our analysis of the Commercial Privacy Rights Act is below, and we will separately post further analysis of the data breach provisions as well as the Do Not Track Kids Act.
Continue Reading Congressional Privacy Bill: Commercial Privacy Rights Act of 2015

The Article 29 Data Protection Working Party (“Working Party”), the independent European advisory body on data protection and privacy, comprised of representatives of the data protection authorities of each of the EU member states, the European Data Protection Supervisor (the “EDPS”) and the European Commission, has identified a number of significant data protection challenges related to the Internet of Things. Its recent Opinion 08/2014 on the Recent Developments on the Internet of Things (the “Opinion”), adopted on September 16, 2014 provides guidance on how the EU legal framework should be applied in this context. The Opinion complements earlier guidance on apps on smart devices (see InsidePrivacy, EU Data Protection Working Party Sets Out App Privacy Recommendations, March 15, 2013).
Continue Reading Internet of Things Poses a Number of Significant Data Protection Challenges, Say EU Watchdogs