General Data Protection Regulation

The “security principle” under the General Data Protection Regulation (GDPR) requires that organizations process personal data securely by means of “appropriate” technical and organizational measures. This month, the United Kingdom’s Information Commissioner’s Office (ICO) issued new guidance focused on two specific measures the ICO recommends that companies consider in complying with the GDPR security requirements: encryption and passwords.
Continue Reading UK Information Commissioner’s Office Issues Guidance on Use of Encryption and Passwords in Connection with GDPR

Last month, the French data protection authority (the CNIL) issued initial guidance addressing issues that applications utilizing blockchain technology should consider in order to comply with the European General Data Protection Regulation (GDPR).

As recognized by the CNIL, there are certain natural conflicts between GDPR and blockchain technology. A critical feature of the blockchain is its immutability – the fact that once information is entered into the public ledger regarding a transaction, that information cannot be changed or removed from the ledger. The benefits of providing a transparent and permanent public ledger will have to be reconciled with the data subject rights granted by GDPR, including the right to be forgotten and principles of data minimization. Blockchain applications also raise thorny questions about whether participants in the network are acting as data controllers or processors, subject to the GDPR’s requirements. Additionally, how can a worldwide network of computers involved in data processing activities comply with GDPR requirements related to cross-border data transfers outside of the EU?
Continue Reading French Data Protection Authority Issues Guidance on Interaction of Blockchain Technology with GDPR

Tim Cook, Apple CEO, recently delivered the keynote address for a privacy conference, attended by policy experts and European Union (EU) lawmakers in Brussels, Belgium, where he advocated for new data privacy laws in the United States, similar to the EU’s General Data Protection Regulation (GDPR).

Cook said that modern technology has led to the creation of a “data-industrial complex” in which personal data is “weaponized against us with military efficiency.” According to Cook, this problem doesn’t just affect individuals, but whole societies.
Continue Reading Apple CEO Calls for Comprehensive US Privacy Laws

As we previously noted, Facebook originally announced a breach late last month, in which hackers took advantage of a code vulnerability in the website’s “View As” feature, to access user’s data. However, on October 12, 2018, Facebook stepped back the number of affected accounts from 50 to roughly 30 million, and it acknowledged that hackers were able to view varying levels of information for different accounts. 
Continue Reading Facebook Acknowledges Breach of Sensitive Data for Nearly 30 Million Users

As many of our readers know, the General Data Protection Regulation (GDPR) imposes significant obligations and responsibilities on entities with regard to data protection and privacy for all individuals within the European Union and the European Economic Area. Violations of GDPR can result in fines up to €20 million, or up to 4 percent of

On June 28, 2018, the California State Legislature passed, and Governor Jerry Brown signed, the California Consumer Privacy Act of 2018, bringing to the United States many of the rights and compliance obligations currently being applied by the European Union through its General Data Protection Regulation (GDPR). Effective January 1, 2020, the Act gives California

Businesses are understandably focused this week on the looming effective date for the European Union’s General Data Protection Regulation (GDPR). For U.S. businesses, however, a proposed law closer to home would raise similar compliance burdens and create potential litigation risks.

This November, voters in California will likely vote on whether to pass a ballot initiative,

The General Data Protection Regulation (GDPR) (EU) 2016/679 of 27 April 2016 which comes into force in May 2018, will introduce major changes to the law on the processing of personal data in the European Union. Over the next several months, several European Union law firms we work very closely with will join us in providing you with more information on the GDPR. Different themes will be tackled month by month to help you prepare for the GDPR deadline.

Part 3 of this GDPR Series is brought to you by the German law firm of Graf von Westphalen. Other blog entries in this series will be brought to you by the law firms of Mills & Reeve (UK), FIDAL (France) and VanBenthem & Keulen (Netherlands) as well as Robinson+Cole (United States).

 Consent as a lawful basis for data-processing

Every data processing activity requires a lawful basis. Such lawful basis may be provided directly by law, or by consent granted by the data subject, both according to the statutory requirements set out in the Directive 95/46/EC and, importantly, national data protection laws. This general principle remains unchanged under the GDPR, however, the new Regulation provides for new or additional requirements for such consent to be a lawful basis for processing and transfer of personal data.
Continue Reading General Data Protection Regulation (GDPR) Series, Part #3: GDPR Consent and Fair Processing

The General Data Protection Regulation (GDPR) (EU) 2016/679 of 27 April 2016 which comes into force in May 2018, will introduce major changes to the law on the processing of personal data in the European Union. Over the next twelve (12) months, several European Union law firms we work very closely with will join us in providing you with more information on the GDPR. Different themes will be tackled month by month to help you prepare for the GDPR deadline.

Part #2 of this GDPR Series is brought to you by Mills & Reeve, a United Kingdom law firm. Other blog entries in this series will be brought to you by the law firms of Graf von Westphalen (Germany), FIDAL, (France) and VanBenthem & Keulen (Netherlands) as well as Robinson+Cole (United States).

In any major project there is an analysis phase – involving a careful examination of your organization’s current set-up and what needs to be done to deliver the project successfully. Preparing for the GDPR is no exception. Depending on the structures and practices of your organization, compliance could require a significant allocation of resources to ensure that you are ready by the implementation date: 25 May 2018.

So what can be done to get started?

Perhaps the best first step is to conduct a self-assessment audit. This will help organizations map the likely impacts of the changes in data protection law on their activities.

A few key points are worth looking at in detail:
Continue Reading General Data Protection Regulation (GDPR) Series Part #2: The Importance of Self-Assessment