The French data protection authority, CNIL, has issued a “Developer Kit” setting forth best practices for data protection.

Key takeaways:

  • Before using a development tool, especially for personal data, read the conditions of use.
  • If the data requires a maximum level of confidentiality, use tools with a local instance, rather than the cloud.
  • Conduct a data protection impact assessment (DPIA) at the outset, even if not required by GDPR.
  • Start from a simple, correctly designed and secure system. Increase the complexity gradually while continuing to secure new additions.
  • If you use agile methods for your development, consider integrating security into the heart of your process.
  • Implement “defense in depth.”
  • If using cloud-based code management, ensure your code repository visibility setting is set to “private.”
  • Never use real personal data in the dev environment.
  • Change the default configuration of your third-party libraries and SDKs.
  • When using third-party components, only enable the features you need.
  • Develop clean code and check it.
  • Document your architecture.
  • Version the documentation with the code.

The Lithuanian data protection inspectorate issued a 61,500 EUR fine against a payment services provider for violations of the data minimization, adequate security measures and data breach reporting requirements of GDPR.

Key takeaways:

  • Data minimization:
    • Collect only the information you need. If you only need name, identification code, bank account number, currency, balance, purpose of payment/payment code, then collect just that.
    • It is not necessary to also collect: date of unreported electronic invoicing, names and amounts of senders; part of message text for unread messages; purpose, nature and amounts of available loans; pension fund names, units and value; types of credit; outstanding balances; numbers of issued payment cards and amounts in them.
    • Do not retain data for longer than necessary. Here, the inspectorate held that holding data for 216 days was too long (especially when the retention term was supposed to be 10 minutes).
  • Data Breach:
    • Two (2) days of unauthorized access to personal data available on the Internet is considered a personal data breach that must be reported.

Read more about the fine.

“It is very complicated today to declare yourself 100% compliant”

“In reality, it’s very complicated to declare yourself in total and perfect conformity [with GDPR], be it today, in five or ten years, because it’s a continuous process. A company never really achieves 100% compliance; it works on it every day. It seeks to have compliance champions, such as compliance officers or DPOs, and gives them autonomy,” says French privacy attorney Adrien Aulas.

“Today, there is a paradox because on the one hand, French companies are starting to have a pretty clear idea of how to comply with the [GDPR], they have already done a lot of work, but, on the other hand, there are still uncertainties because it is a compromise text, with its gray areas. The supervisory authorities have not yet ruled on the entirety of its provisions.”

“The advantage of [GDPR] is that it is a broad text in its principles, which does not go into the details of all the concrete cases, so it is quite scalable for companies. You can find different ways to comply, which really vary from one organization to another.”

Read more of Adrien Aulas’ insights.

“German regional data protection authorities have imposed fines in 75 cases totaling EUR 449,000 for breaches of the European General Data Protection Regulation (GDPR), since it came into effect in May 2018,” Welt Am Sonntag reports.

“While fines have been low, it is important to note that regulators have other tools in their ‘belt of remedies’, including prohibiting further processing of personal data until an issue has been rectified. This may have a greater impact on companies than fines, large or small.”

“Fines have been imposed in six federal states. In Baden-Württemberg, for example, the data protection authorities imposed fines worth EUR 203,000 in seven cases, in Rhineland-Palatinate EUR 124,000 for nine cases, in Berlin EUR 105,600 for eighteen cases and in Hamburg, EUR 25,000 for two cases, the report added.”

Details from Telecompaper.

“While there are undoubtedly significant benefits in using new technologies, organisations need to be aware of the potential challenges when choosing and using any systems involving biometric data,” writes Steve Wood, Deputy Commissioner for Policy at the UK Information Commissioner’s Office.

“Any organisations planning on using new and innovative technologies that involve personal data, including biometric data, need to think about these key points:

  1. Under the GDPR, controllers are required to complete a DPIA where their processing is ‘likely to result in a high risk to the rights and freedoms of natural persons’ such as the (large scale) use of biometric data.
  2. When you’ve done your DPIA, make sure you act upon the risks identified and demonstrate you have taken it into account. Use it to inform your work.
  3. You must be able to demonstrate your compliance by putting appropriate technical and organisational measures in place.
  4. If relying on consent as a legal basis, then remember that biometric data is classed as special category data under GDPR and any consent obtained must be explicit.”

Read Steve’s full blog post.

With the recent spate of class actions under Illinois’ Biometric Information Privacy Act (“BIPA”), courts are considering an array of litigation-related questions that such actions pose. One such issue recently was addressed in Liu v. Four Seasons Hotel, Ltd, 2019 Ill App (1st) 182645 (April 9, 2019), when the Four Seasons argued that a class action brought by Chicago Four Seasons hotel employees, Tony Liu and Cathy Li, should be arbitrated pursuant to an arbitration clause in its employment agreements, which specified that wage and hour claims must be arbitrated. Since the employees’ suit was based on allegations that the hotel chain violated the privacy law by using their biometric data, namely their fingerprints, to record their hours, the Four Seasons argued that such claims constituted a wage and hour dispute. Both the trial court and the appellate court disagreed.

Plaintiffs Liu and Li asserted claims for BIPA violations, alleging they were never told that their fingerprints would be used and that neither gave permission for the hotel to share such data with an outside vendor that administered its payroll. The Four Seasons filed a motion to compel arbitration, citing the mandatory arbitration clause in its standard employment agreements. After the trial court denied the motion, the hotel took an interlocutory appeal. In affirming the trial court’s denial of the Four Seasons’ motion, the appellate court noted that employees are not required to sign their employment agreements or agree to the mandatory arbitration provision contained therein.

In addition, the court ruled that the lawsuit was really about individuals’ privacy rights rather than wage claims and, therefore, was not subject to the mandatory arbitration clause, in any event. In so holding, the court also rejected the hotel’s argument that an arbitrator, rather than the court, should determine the dispute’s arbitrability, citing the Uniform Arbitration Act.

The lesson? If Illinois employers are looking to avoid the courts to resolve disputes for BIPA violations, they cannot rely on arbitration clauses that merely address wage and hour claims. Rather, it is clear that the arbitration provision must specifically target claims for privacy breaches.

“We’ve removed [all of the trash cans] because of the GDPR law.”

GDPR does NOT prohibit the use of trash cans — the Irish Data Protection Commission tells Irish postal services provider.

Irish postal service provider, An Post, removed all trash cans from the main hall of a central post office building, after an internal audit identified them as a potential risk of breaching GDPR.

The Irish DPC said that “under no circumstances could public litter be in breach of GDPR” and the trash cans have since been reinstated.

Details from The Herald, of Dublin.

“The right to be forgotten does not apply in principle to medical records. However, as a patient, you may ask your health care provider to remove data from your medical record,” according to the Dutch Data Protection Authority, Autoriteit Persoonsgegevens (AP), which issued guidance on GDPR and medical records.

Key takeaways:

  • For medical data that are not covered by the Medical Treatment Agreement Act, such as nursing care and in-home care, personal data should not be kept longer than necessary.
  • The personal data that you have actively and consciously provided is covered by the right to data portability. This also applies to the data that you have provided indirectly through the use of a service or device. For example, the data that your pacemaker or blood pressure monitor generates.
  • The right to data portability does not apply to the conclusions, diagnoses, suspicions or treatment plans that your health care provider establishes on the basis of the information you provide.
  • As a health care provider, you must in any case use two-factor authentication, such as logging in with DigiD in combination with SMS.

Read the full guidance.

CNBC’s Kate Fazzini interviewed Partner Odia Kagan, Chair of GDPR Compliance & International Privacy, for an article on the one-year anniversary of GDPR. Here are a few of Odia’s thoughts, which were included in the piece:

“The enforcement is just getting started. The higher fines are very likely going to be in connection with very large companies with very complex structures. We haven’t seen them because they aren’t done yet.” The data protection authorities have other tools as well, which might be even costlier than fines.

“In some cases, EU regulators can tell companies, ‘You have 90 days to rectify the thing you are doing wrong with the data, or after 90 days you cannot use the data.’” Sometimes, even the big fines won’t make or break them, but the data will if it is a core component of their business.

Read the full CNBC story, and Odia’s full comments.

The UK Information Commissioner’s Office (ICO) is strategically focusing on the “fairness” requirement under the GDPR, says U.K. Information Commissioner Elizabeth Denham.

The focus is unfair, invisible processing. This includes big tech, data brokers, credit reference agencies and adtech, specifically looking at transparency and fairness, as well as the legal basis for consent.

Regarding Brexit, she said that if there is a hard Brexit and the UK becomes a third country, companies who commit a trans-border breach could face, instead of a one-stop shop under the GDPR, a two-stop shop.

“You could have to address two different sanctions for the same cross-border breach.”

Since GDPR came into force, the Irish Data Protection Commission has received 6,000 complaints. The majority of those complaints have been resolved, says Irish Data Protection Commissioner Helen Dixon.

Currently, the Irish DPC is conducting 18 large-scale investigations, of its own volition, on tech companies and expects to bring “first-draft decisions” to the European Data Protection Board this summer.

Details from the International Association of Privacy Professionals.