Privacy & Information Security Law Blog

On November 18, 2019, Hunton Andrews Kurth will host a networking luncheon in the firm’s Brussels office. The luncheon will feature Isabelle Vereecken, Head of the Secretariat of the European Data Protection Board ("EDPB"), and will focus on the role of the EDPB and cooperation between supervisory authorities ("SAs") in cross-border matters.

The European Data Protection Board recently published on its website that the Austrian Data Protection Authority (“Austrian DPA”) imposed an €18 million fine (approximately $20 million) on the Austrian Postal Service, Österreichische Post AG (“ÖPAG”), for various violations of the EU General Data Protection Regulation (“GDPR”). After conducting an investigation, the Austrian DPA established that ÖPAG unlawfully processed and sold data with respect to its customers’ alleged political affinities. Another GDPR violation was related to the ÖPAG’s ...

On September 17, 2019, the German Conference of Data Protection Authorities (Datenschutzkonferenz, (“DSK”) examined a proposal for calculating administrative fines under the EU General Data Protection Regulation (“GDPR”).  The press release of the DSK states that this initiative aims to ensure a calculation of fines against violations of the GDPR that is “systematic, transparent and understandable.” However, the press release refrains from describing the criteria of the fining model officially, as the fining model has not yet been adopted by the DSK.

On September 6, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the European Data Protection Board (the “EDPB”) on its draft guidelines on processing of personal data through video devices (the “Guidelines”). The Guidelines were adopted on July 10, 2019, for public consultation.

The European Data Protection Board (the “EDPB”) recently adopted its Guidelines 3/2019 on processing of personal data through video devices (the “Guidelines”). Although the Guidelines provide examples of data processing for video surveillance, these examples are not exhaustive. The Guidelines aim to provide guidance on how to apply the EU General Data Protection Regulation (“GDPR”) in all potential areas of video device use.

On July 16, 2019, the European Data Protection Board (the “EDPB”) published its Annual Report for 2018 (the “Report”). The Report highlights that the EDPB (1) endorsed 16 guidelines previously adopted by the Article 29 Working Party; (2) adopted four additional guidelines to clarify provisions of the GDPR; (3) adopted 26 consistency opinions to guarantee the consistent application of the EU General Data Protection Regulation (“GDPR”) by the EU data protection authorities; and (4) issued two opinions in the context of the legislative consultation process, as well as a statement on its own initiative and on the draft ePrivacy Regulation.

On July 9, 2019, the European Data Protection Board (the “EDPB”) adopted Opinion 8/2019 on the Competence of a Supervisory Authority in Case of a Change in Circumstances Relating to the Main or Single Establishment (the “Opinion”) at the request of the French and the Swedish data protection authorities (“DPAs”).

Background – The French and Swedish DPAs’ Initial Request

On July 9, 2019, the hearing in the so-called Schrems II case (case C-311/18) took place at the Court of Justice of the European Union (“CJEU”) in Luxembourg. The main parties involved in the proceedings, the Irish Data Protection Commissioner (“Irish DPA”), Facebook Ireland Ltd. and the Austrian activist Max Schrems, presented their arguments to the court. In addition, a number of other stakeholders intervened during the hearing, including representatives of the European Parliament, the European Commission, the European Data Protection Board, several EU Member States (including Austria, France, Germany, Ireland, the Netherlands and the UK) and the U.S. government, as well as a number of industry lobby groups and the Electronic Privacy Information Center.

On June 28, 2019, the French data protection authority (the “CNIL”) published its action plan for 2019-2020 to specify the rules applicable to online targeted advertising and to support businesses in their compliance efforts.

The European Data Protection Board (the “EDPB”) recently adopted its Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 (the “Guidelines”). The Guidelines aim to provide practical guidance with respect to Articles 40 and 41 of the EU General Data Protection Regulation (“GDPR”). In particular, the Guidelines intend to clarify the rules and procedures for the submission, approval and publication of codes of conduct.

On May 31, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP issued a white paper on GDPR One Year In: Practitioners Take Stock of the Benefits and Challenges (the “White Paper”). In addition, CIPL submitted the White Paper along with a separate response to the European Commission’s questionnaire to prepare for the June 2019 stocktaking exercise on the application of the EU General Data Protection Regulation (“GDPR”).

On May 27, 2019, the Irish government announced that Helen Dixon, who currently serves as Irish Data Protection Commissioner, was appointed to a second five-year term in her position. Her reappointment was approved by a May 27 Cabinet vote.

On May 22, 2019, the European Data Protection Board (the “EDPB”) published on its website a summary of enforcement actions taken by the European Economic Area Supervisory Authorities (“EEA Supervisory Authorities”) one year after the entry into force of the General Data Protection Regulation (the “GDPR”). Reflecting on the growing numbers of data controllers designating a lead supervisory authority, the EDPB reported that of the 446 cross-border cases opened by EEA Supervisory Authorities, 205 of these cases have led to One-Stop-Shop procedures. The EDPB ...

On April 12, 2019, the European Data Protection Board (“EDPB”) published draft guidelines 2/2019 on the processing of personal data in the context of the provision of online services to data subjects (the “Guidelines”).

On March 12, 2019, the European Data Protection Board (“EDPB”) adopted an opinion on the interplay between the EU Directive on Privacy and Electronic Communications (“the ePrivacy Directive”) and the General Data Protection Regulation (“GDPR”) (the “Opinion”).

On February 26, 2019, the European Data Protection Board (the “EDPB”) presented its first overview of the GDPR’s implementation and the roles and means of the national supervisory authorities to the European Parliament (the “Overview”).

The Overview provides key statistics relating to the consistency mechanism among national data protection authorities (“DPAs”), the cooperation mechanism of the EDPB, the means and powers of the DPAs and enforcement of the GDPR at the national level.

On February 25, 2019, the European Data Protection Board (the “EDPB”) issued a statement regarding the transfer of personal data from Europe to the U.S. Internal Revenue Service (the “IRS”) for purposes of the U.S. Foreign Account Tax Compliance Act (“FATCA”).

Enacted in 2010, FATCA requires that foreign financial institutions report information about financial accounts and assets held by their U.S. account holders to the IRS. Such institutions are required to register directly with the IRS to comply with FATCA or comply with intergovernmental agreements signed between the foreign country and the U.S. government. FATCA was designed to combat tax evasion by U.S. persons holding accounts and other financial assets offshore.

The Belgian Data Protection Authority (the “Belgian DPA”) recently published the updated list of the types of processing activities which require a data protection impact assessment (“DPIA”). Article 35.4 of the EU General Data Protection Regulation (“GDPR”) obligates supervisory authorities (“SAs”) to establish a list of the processing operations that require a DPIA and transmit it to the European Data Protection Board (the “EDPB”).

On February 20, 2019, the French data protection authority (the “CNIL”) published a set of questions and answers (“FAQs”) indicating the CNIL’s recommendations, and steps that organizations should take, to prepare for a no-deal Brexit. The CNIL’s FAQs build upon guidance the European Data Protection Board (“EDPB”) provided in its Information Note on Data Transfers under the GDPR in the Event of a No-Deal Brexit.

On February 12, 2019, the European Data Protection Board (the “EDPB”) released its work program for 2019 and 2020 (the “Work Program”). Following the EDPB’s endorsement of the Article 29 Working Party guidelines and continued guidance relating to new EU General Data Protection Regulation (“GDPR”) concepts, the EDPB plans to shift its focus to more specialized areas and technologies.

At its plenary meeting on February 13, 2019, in Brussels, the European Data Protection Board (“EDPB”) adopted an Information Note on Data Transfers under the GDPR in the Event of a No-Deal Brexit, and an Information Note on BCRs for Companies Which Have ICO as BCR Lead Supervisory Authority.

On January 23, 2019, the European Data Protection Board (“EDPB”) released an opinion on the interplay between the European Clinical Trials Regulation (“CTR”) and the EU General Data Protection Regulation (“GDPR”) (the “Opinion”). The Opinion was requested by the European Commission Directorate-General for Health and Food Safety (“DG SANTE”).

On January 22, 2019, the European Data Protection Board (“EDPB”) issued a report on the Second Annual Review of the EU-U.S. Privacy Shield (the “Report”). Although not binding on EU or U.S. authorities, the Report provides guidance to regulators in both jurisdictions regarding implementation of the Privacy Shield and highlights the EDPB’s ongoing concerns with regard to the Privacy Shield. We previously blogged about the European Commission’s report on the second annual review of the Privacy Shield, and the joint statement of the European Commission and Department of Commerce regarding the second annual review.

On January 21, 2019, the French Data Protection Authority (the “CNIL”) imposed a fine of €50 million on Google LLC under the EU General Data Protection Regulation (the “GDPR”) for its alleged failure to (1) provide notice in an easily accessible form, using clear and plain language, when users configure their Android mobile device and create a Google account, and (2) obtain users’ valid consent to process their personal data for ad personalization purposes. The CNIL’s enforcement action was the result of collective actions filed by two not-for-profit associations. This fine against Google is the first fine imposed by the CNIL under the GDPR and the highest fine imposed by a supervisory authority within the EU under the GDPR to date.

On January 23, 2019, the European Commission announced that it has adopted its adequacy decision on Japan (the “Adequacy Decision”). According to the announcement, Japan has adopted an equivalent decision and the adequacy arrangement is applicable with immediate effect.

On January 18, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the European Data Protection Board (the “EDPB”) on its draft guidelines on the territorial scope of the GDPR (the “Guidelines”). The Guidelines were adopted by the EDPB on November 16, 2018, for public consultation.

On January 15, 2019, the UK House of Commons rejected the draft Brexit Withdrawal Agreement negotiated between the UK Prime Minister and the EU by a margin of 432-202. While the magnitude of the loss sets in motion a process which could potentially have resulted in an early general election being held, on January 16 a majority of British Members of Parliament rejected a vote of no confidence in Theresa May’s government.

On November 23, 2018, the European Data Protection Board (“EDPB”) published its long-awaited draft guidelines on the extraterritorial application of the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”). To date, there has been a degree of uncertainty for organizations regarding the scope of the GDPR’s application outside of the EU. While the Guidelines provide some clarity on this issue, questions will remain for non-EU controllers and processors. Importantly, these Guidelines are only in draft form and are open for consultation until January 18, 2019, which will give organizations an opportunity to provide comments and raise additional questions in an effort to obtain further clarification from the EDPB on these important scoping questions.