Legal IT Group

MAY 17, 2023

Recently, the Cologne District Court ruled that a German mobile operator’s use of Google Analytics violated the GDPR’s requirements for international data transfers. The Cologne District Court ruling only applies to the defendant in the case, Telekom Deutschland GmbH.

Analytics 130

Analytics Court Data protection Defendant 130

Debevoise Data Blog

AUGUST 27, 2024

Representative actions: In light of the CJEU ruling that a violation of the controller’s information obligations can be subject to a representative action, businesses should consider the potentially increased risk of litigation following GDPR breach allegations and how to respond.

Data protection 52

Data protection Compliance Litigator Litigation 52

Debevoise Data Blog

SEPTEMBER 9, 2021

UK DPA launches data transfer consultation What happened : The ICO launched a consultation covering its international data transfer guidance, draft transfer risk assessment tool (“TRA”) and draft international data transfer agreement (“ IDTA ”). These developments, and more, covered below.

Data protection 52

Data protection Court Litigator Litigation 52

Debevoise Data Blog

SEPTEMBER 23, 2024

Our top-five European data protection developments from August are: Uber fined for personal data transfer: The Dutch Data Protection Authority fined Uber €290 million for the unlawful transfer of European drivers’ personal data to the U.S., without sufficient safeguards. ICO proposes £6.09

Data protection 52

Data protection Court Software Compliance 52

Debevoise Data Blog

OCTOBER 12, 2021

million fine against Austrian Post for channelling electronic data protection-related inquiries to a web form and not offering an additional email address, irrespective of the data subject option to also use non-electronic postal mail or customer service.

Data protection 52

Data protection Failure-to-appear e-records Compliance 52

Debevoise Data Blog

DECEMBER 10, 2020

The big news this November was the European Data Protection Board (the “EDPB”) issuing its highly anticipated post- Schrems II data transfer guidance, followed just a day later by the European Commission’s draft updated Standard Contractual Clauses (“SCCs”) (see our blog post here ). Bonn Regional Court slashes Telco’s €9.55

Data protection 52

Data protection Dispute resolution Court Compliance 52

Debevoise Data Blog

NOVEMBER 1, 2021

Subject access requests : The possibility that companies responding to data subject access requests from individuals will have to provide copies of entire documents containing their personal data, rather than only extracts. The court concluded that the legitimate interest could have been furthered through less intrusive means.

Data protection 52

Data protection Court Defendant Law 52

Legal IT Group

APRIL 28, 2023

In March 2023, Meta Platforms lost a class action lawsuit against the Dutch Data Privacy Stichting in an Amsterdam court, acting in conjunction with the Consumentenbond, the Dutch Consumers’ Association. If the data is necessary to achieve the latter, the criterion of “necessity” of collecting information is met.

Data protection 130

Data protection Time-tracking Court Lawsuit 130

Debevoise Data Blog

MARCH 11, 2021

There were a few European data protection developments in February that companies may want to have on their radar. While the recipients had consented to receiving the political newsletters, the Upper Tribunal found that informed and specific consent was still required for the promotion of the insurance products.

Data protection 52

Data protection Compliance Analytics Court 52

Technology Law Dispatch

FEBRUARY 7, 2023

We hope you enjoy reading it.

Data protection 52

Data protection Court Law Law 52

Debevoise Data Blog

APRIL 8, 2021

million for vendor oversight failings, unlawful cross-border transfers What happened : The AEPD, the Spanish data protection authority (“DPA”), fined Vodafone Spain €8.15 4 million was for allegedly deficient oversight of Vodafone’s data processors. Here are our highlights of what you need to know.

Data protection 52

Data protection Compliance Court Law 52

Debevoise Data Blog

MAY 7, 2021

The key development from April must be the European Data Protection Board (“EDPB”) approving the draft UK adequacy decisions from the European Commission (the “Commission”). Companies will be relieved that they are one step closer towards maintaining the seamless flow of data between the EU and the UK.

Data protection 52

Data protection Court Compliance Hearing 52

Technology Law Dispatch

AUGUST 2, 2023

The Summer 2023 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released: English version German version This edition covers the following topics: New adequacy decision for EU-U.S. data transfers CJEU: Requirements for GDPR damage claims CJEU: Lawfulness of processing in case of Art.

Data protection 52

Data protection Court Law Law 52

Debevoise Data Blog

AUGUST 5, 2021

European Data Protection Roundup – July Key takeaways from developments this July include: a blockbuster €746 million fine against Amazon – the largest ever GDPR penalty – showing the Regulation’s teeth; the challenges of GDPR-compliant facial recognition, after a Spanish supermarket chain was fined €2.5

Data protection 52

Data protection Dispute resolution Court Case law 52

Debevoise Data Blog

JULY 30, 2024

Our top five European data protection developments from June are: Non-material damage under GDPR: The CJEU clarified the scope of compensation for non-material damage in the context of identity theft and data subjects’ fear that their personal data had been exposed. These developments, and more, are covered below.

Data protection 52

Data protection Time-tracking Mediator Analytics 52

Debevoise Data Blog

SEPTEMBER 27, 2023

The controller was also fined €9,000 for not having the proper contact information for the DPO in its privacy policy, and for using cookies without user consent. These developments, and more, covered below.

Data protection 52

Data protection Compliance e-filing Court 52

Debevoise Data Blog

NOVEMBER 21, 2023

Data protection & AI: In particular: (i) the French CNIL published its first set of guidance on GDPR compliance when developing AI tools; and (ii) the UK ICO issued a preliminary enforcement notice against Snap over its AI chatbot, alleging that Snap had not adequately assessed the privacy risks posed to child users of the tool.

Data protection 52

Data protection Compliance Failure-to-appear e-records 52

Debevoise Data Blog

MAY 12, 2023

Key takeaways this April include: UK children’s data protection focus continues: Businesses may wish to review policies and procedures for dealing with children’s data in light of recent UK ICO fines and guidance, especially to ensure that terms of use are adequately enforced.

Data protection 52

Data protection Software design Machine learning Software 52

Debevoise Data Blog

NOVEMBER 10, 2020

October was a particularly busy month, with headline-grabbing stories such as the long-awaited finalisation of the fines against British Airways and Marriott, which may well be the last penalties the UK Information Commissioner’s Office (the “ICO”) issues as a GDPR Lead Supervisory Authority.

Data protection 52

Data protection Intellectual Property e-records Machine learning 52

Debevoise Data Blog

FEBRUARY 10, 2021

As covered in our Annual Review , 2020 was a blockbuster year for European data protection. The fine is a rare example of a DPA penalising both the data controller and processor for the same failing. The guidelines will be a new “go to” resource for those preparing for, and responding to, data breaches.

Data protection 52

Data protection Time-tracking Defendant Court 52

Debevoise Data Blog

MARCH 26, 2023

The tribunal agreed with the ICO that where Experian obtained personal data for marketing purposes from a third party that had collected it on the basis of consent, the consent would no longer be informed and withdrawal of consent is complicated, though Experian had since changed this practice. A global approach.

Data protection 52

Data protection Compliance Court Law 52

Debevoise Data Blog

FEBRUARY 27, 2024

GDPR one-stop-shop: Businesses wishing to take advantage of the GDPR one-stop-shop system should take note of a new digest, published by the European Data Protection Board, which analyses the decisions made by so-called Lead Supervisory Authorities in this context.

Data protection 52

Data protection Compliance e-records Court 52

Debevoise Data Blog

JANUARY 21, 2021

In this post, we look back at the 2020 European data protection landscape and five trends that help companies understand not only where we are, but where data protection enforcement, litigation, and practice may be headed. million against Marriott for its 2018 data breach When you dig deeper though, two key points emerge.

Data protection 52

Data protection Failure-to-appear Litigator Litigation 52

Debevoise Data Blog

MAY 28, 2024

EDPB “Consent or pay” models: Businesses operating large online platforms should consider the European Data Protection Board’s recent opinion indicating that “consent or pay” models are unlikely to be GDPR-compliant.

Data protection 52

Data protection Compliance Law Law 52

Debevoise Data Blog

DECEMBER 13, 2022

New critical infrastructure cyber rules approved What happened : On 28 November 2022, the European Union also finalised the second network and information systems directive (“NIS2”). While aspects of the regime, including details of incident reporting obligations, remain to be decided, the key requirements are now set.

Data protection 52

Data protection Due diligence Compliance Hearing 52

Legal IT Group

MARCH 21, 2023

Therefore, a logical question arises: what should an employer know about the use of personnel monitoring tools in order not to violate the requirements of personal data protection legislation? Justifying the need for monitoring The General Data Protection Regulation (GDPR) does not prohibit surveillance of employees in the workplace.

Data protection 130

Data protection Time-tracking Software Compliance 130

Debevoise Data Blog

JUNE 8, 2023

As we covered here , last October, the CNIL fined Clearview AI €20 million for various data protection violations, including “intrusive and massive” data processing without consent or a valid legitimate interest. The amount of compensation should be assessed by Member State courts under their domestic rules.

Data protection 52

Data protection Compliance e-records Dispute resolution 52

Debevoise Data Blog

DECEMBER 22, 2023

Businesses may want to consider how the courts reasoning may apply to other circumstances when dealing with disclosure requests. For example, the Garante notes the need to incorporate data protection by design and by default principles within any AI systems used in the healthcare space. UK and U.S.

Data protection 52

Data protection Time-tracking Compliance Machine learning 52

Legal IT Group

JANUARY 22, 2024

With this regard, it is essential to know about the privacy legislation of this country since, nowadays, most internet businesses process the personal data of their clients, and they should do it in compliance with data protection laws. The Privacy Act aims to regulate how mentioned entities should protect personal information.

Data protection 130

Data protection Compliance Litigator Litigation 130

Debevoise Data Blog

APRIL 26, 2024

Key takeaways from March include: CNIL data security practice guide: The French DPA published an update of its data security practice guide for data protection officers, chief information security officers, computer scientists and legal experts. These developments, and more, are covered below.

Data protection 52

Data protection e-records Compliance Court 52

Debevoise Data Blog

FEBRUARY 20, 2023

On 29 December 2022, the CNIL fined TikTok UK and Ireland as joint controllers €5 million for failing to: offer users the ability to refuse cookies as easily as accepting them (several clicks were required to refuse all cookies, as opposed to just one to accept them); and inform users in a sufficiently precise manner about cookie purposes.

Data protection 52

Data protection Compliance e-records Court 52

Legal IT Group

SEPTEMBER 29, 2023

Brazil’s Lei Geral de Proteção de Dados Pessoais (or LGPD), similar to GDPR, CCPA and PIPEDA, regulates personal data protection. If the company does not process personal data in Brazil but still processes data to offer or supply goods or services to Brazil, the LGPD also applies in this case.

Data protection 130

Data protection Compliance Court Law 130

Martindale-Avvo

APRIL 30, 2025

A wave of state legislation with data protection requirements places new obligations on businesses and public institutions. Supreme Court rulings have found that the First, Third, Fourth, and Fifth amendments of the Constitution contain a right to privacy. These few federal laws apply to only some kinds of information.

Law 52

Law Law Federal law Data protection 52

Eric Goldman

MARCH 17, 2025

As the judge says resignedly, “Taking these provisions directly from a law enacted in the United Kingdom, the California Legislature left it to the courts to pass the CAADCA through the filter of our First Amendment.” Unsurprisingly, on remand, the district court declared the rest unconstitutional.

Court 52

Court Data protection Judge Law 52

Debevoise Data Blog

JANUARY 25, 2024

Nevertheless, when considering the appropriateness of protective measures, the obligation rests on the data controller to prove that they met the required standard. The rulings arose at the request of both the German and Lithuanian courts, following local administrative fines. The Court ruled that: “Scoring” (i.e.,

Data protection 40

Data protection Court e-records Compliance 40

Legal IT Group

JULY 5, 2023

As healthcare facilities are data controllers under the provisions of the GDPR, they are responsible for ensuring the proper processing of patients’ personal data. Why can a medical facility collect consent for data processing? The data subject’s signature will be deemed to be such express consent.

Data protection 130

Data protection Compliance Court Software 130

Debevoise Data Blog

AUGUST 16, 2023

. : Business may want to revisit their cross-border data transfer arrangements following the new adequacy decision for the EU-U.S. Data Privacy Framework, assess whether they are eligible to self-certify and, if they are, whether it makes sense to. Data Privacy Framework (the “DPF”). Data Privacy Framework (the “DPF”).

Data protection 40

Data protection Analytics Compliance Time-tracking 40