On 1 October 2019, the Court of Justice of the European Union (CJEU) ruled on a number of questions which, inter alia, relate to the validity of consent to cookies “by way of a pre-checked checkbox” (Case C 673/17). Although the questions referred to the CJEU primarily related to provisions of the Privacy and Electronic Communications Directive (2002/58/EG), the CJEU stated that the questions  must be answered also in regard to the EU General Data Protection Regulation (GDPR).
Continue Reading

According to recent press reports, the German data protection authorities have agreed on a new way to calculate administrative fines under the General Data Protection Regulation (“GDPR”). The new scoring model, which has not yet been officially published, could make fines of tens of millions of euros a reality in Germany. In contrast to their French and UK counterparts, Germany’s data protection authorities have so far been more restrictive in imposing GDPR fines.
Continue Reading

In its second statement of intent of the week, on 9 July 2019, the UK’s Information Commissioner’s Office (“ICO”) announced its intention to fine Marriott International, Inc (“Marriott”) £99.2m under the General Data Protection Regulation (“GDPR”) for a personal data breach that occurred in relation to the Starwood guest reservation database system.
Continue Reading

The UK’s Information Commissioner’s Office (“ICO”) today (8 July 2019) announced its intention to fine British Airways (“BA”) £183.39m under the General Data Protection Regulation (“GDPR”) for a personal data breach. This is the highest fine issued so far by a European Union data protection supervisory authority for a personal data breach under the GDPR.
Continue Reading

On 21 March 2019, Advocate General (AG) Maciej Szpunar delivered his opinion on a number of questions which, inter alia, relate to the validity of consent to cookies “by way of a pre-checked checkbox” (Case C 673/17). While the questions referred to the Court of Justice of the European Union (CJEU) primarily related to provisions of the Privacy and Electronic Communications Directive (2002/58/EG), the AG stated that the principles established in his opinion were equally valid for the EU General Data Protection Regulation (GDPR).
Continue Reading

On 13 February 2019, the data protection officer for the German state of Baden-Wuerttemberg published a guideline on password security under the EU General Data Protection Regulation (GDPR). The guideline aims to advise data controllers (e.g., service providers, administrators) on how to set up effective password policies and securely store passwords, and data subjects (users) on how to choose secure passwords.
Continue Reading

According to recent press reports, since the EU General Data protection Regulation (GDPR) came into force in May 2018, German data protection authorities have issued 41 GDPR-related fines. The highest fine in a single case is reported to have been EUR 80,000, and the majority of fines (33) originated from the state of North-Rhine Westphalia.
Continue Reading

On 23 January 2019, the European Commission (the “EU Commission”) authorized the free flow of personal data to Japan. This “adequacy decision,” issued jointly with a mirroring decision by the Japanese government, allows personal data to transfer between the European Union (the “EU”) and Japan freely and under strong guarantees of protection. The outcome of lengthy negotiations resulting in Japan strengthening its privacy rules to follow EU standards,
Continue Reading

Foi publicada hoje a Medida Provisória 869/2018, emitida ontem pelo Presidente Michel Temer. A Medida Provisória cria a Autoridade Nacional de Proteção de Dados e aumenta o prazo de vacatio legis para a entrada em vigor da Lei Geral de Proteção de Dados (“LGPD”) de 18 para 24 meses após a sua publicação, ocorrida em 15 de agosto de 2018 (alteração do artigo 65 da LGPD pela Medida Provisória 869/2018).
Continue Reading

Breaking news: the Brazilian President Michel Temer issued yesterday and had published today the so-called “Provisory Measure” No. 869/2018 (Medida Provisória, a norm issued by the President alone, usually reserved for urgent and relevant matters) to amend the New Brazilian Data Privacy Law (Lei Geral de Proteção de Dados, “LGPD”). With this measure, the President created a National Data Protection Authority and determined that the LGPD shall
Continue Reading