General Data Protection Regulation (GDPR)

India will approach the European Union seeking “adequacy” status with the General Data Protection Regulation once the country finalizes and passes its own Personal Data Protection Bill – reports the India Economic Times.

An adequacy decision is a finding by the European Commission, under Article 45 of the GDPR, that a non-EU country provides a level of data protection essentially equivalent to that of the EU, so that personal data can flow to it without further safeguards.

A Facebook “like” is actually more like “in a [Joint Controller] relationship” status, says the Court of Justice of the EU in a long awaited decision in the Fashion ID matter.

At issue: The legal framework surrounding embedding a Facebook “Like” button on your website.

When a user visits a website on which a Facebook “Like” button is installed, their personal data is transmitted to Facebook Ireland.

This includes:

  • the IP address of the visitor’s computer
  • technical data of the browser (so that the server can determine the format in which the content is delivered to this address)
  • information about the desired content.

The operator of the website is not able to determine which data the browser transmits or what Facebook does with that data, in particular whether Facebook decides to store and use it.

The transfer of information happens:

  • regardless of whether the individual is a member of the social network Facebook
  • regardless of whether the person has clicked on the “Like” button
  • in many cases, without the individual being aware that the information is being collected or transmitted to Facebook

Key takeaways:

A website operator and Facebook can be joint controllers for the data collected via the website on which the button is installed.

The operator of a website that features a Facebook “Like” button can be a controller jointly with Facebook in respect to the collection and transmission to Facebook of the personal data of visitors to its website. However, the responsibility is limited to the operation or the set of personal data processing operations for which it actually determines the purposes and means, namely the collection and communication, by transmission, of the data in question.


Tardiness with transposing data protection laws comes with a hefty fine.

The European Commission is asking the Court of Justice of the European Union to impose financial sanctions on Greece and Spain for failing to transpose the rules on the Data Protection Law Enforcement Directive before the May 6, 2018, deadline, according to a news

Web crawling and data protection: CNIL has issued a 180,000 EUR fine against a provider of automobile insurance policies for failure to adequately protect personal data, in violation of GDPR, specifically finding that disallowing web crawling is not, by itself, a measure that protects personal data from wrongful access.

In particular, the company:
  1. sent usernames and passwords in cleartext

“Some of Ireland’s best known heritage sites – such as Kilmainham Gaol, Dublin Castle and Muckross House – have been ordered to remove visitor books due to concerns they breach EU privacy and data protection rules.

The Office of Public Works (OPW) believes the books, in which visitors leave brief remarks along with their names

Analytics cookies in the crossfire.

Different approaches set forth in the CNIL Guidance and in the ICO cookie guidance.

CNIL – Sets out a fixed list of conditions an analytics cookie must meet to qualify for an exemption from the need to obtain consent.

ICO – This is a non-essential cookie and consent is needed … BUT … unlikely to prioritize enforcement of

“Currently, unless a US CLOUD Act warrant is recognized or made enforceable on the basis of an international agreement, the lawfulness of such transfers of personal data cannot be ascertained” – EDPB/EDPS Joint response on impact of US CLOUD Act

Additional points:
  • Urgent need for a new generation of Mutual Legal Assistance Treaties to be

A phone directory of a European Union institution, per se, falls within the notion of large scale processing, especially since it can potentially include personal data of a large number of individuals, says the European Data Protection Board in its recommendation regarding the list submitted by the European Data Protection Supervisor of processing operations requiring

The Danish Data Protection Authority has issued guidance on the transmission of personal data via text messages (SMS).

Key takeaways:

  • Sending personal data by SMS is risky, as it entails transmission in cleartext over networks over which the data controller has no control.
  • When conducting its risk assessment, the data controller should take into