The Court of Justice of the European Union has issued its Planet 49 decision.

Key takeaways:

  • A pre-checked check box is not sufficient consent for the placement of cookies.
  • You need active consent whether or not cookies collect personal data.
  • The fact that a user activates the promotional game participation button is not sufficient to consider that the user has validly given his consent to the placement of cookies.
  • The expression of intention must be specific to the data processing.
  • Cookie disclosure must be clearly understandable and detailed enough to allow the user to understand how cookies are used.
  • Cookie disclosure must include at least:
    • identity of the controller (or multiple controllers)
    • the purposes of the processing
    • the duration of operation of cookies, and
    • the possibility or not for third parties to access these cookies.

Read the full text of the decision.

Ecuador is considering a GDPR-like privacy law.

“A massive data breach in Ecuador has sparked a new push to pass data protection legislation that would mirror the European Union’s privacy regime. The National Assembly is debating a bill that allows citizens to access, correct, eliminate and oppose the use of their personal data and sets up a new data protection authority to enforce the law and sanction bad actors. President Lenin Moreno sent the bill for debate shortly after the personal data of 20 million Ecuadorians was discovered on a server in Miami earlier this month.”

Details from Bloomberg Law.

The Liechtenstein data protection authority has issued guidance on joint controllership under GDPR:

Examples of joint controllers:

  • Two companies jointly organize a competition in which participants' names and addresses are collected for the subsequent delivery of the prizes.
  • A website operator integrates a Facebook “Like” button on his website in order to improve his marketing; both the website operator and Facebook are jointly responsible, even if the website operator has no access to the data collected.
  • A company uses a Facebook fan page for its social media presence; there is joint responsibility between the company and Facebook, although the company itself has no access to the actual data and the collection and analysis of personal data takes place only on Facebook.

Examples that are not joint controllership:

  • A company forwards personal data of employees to a travel agency for the purpose of booking a business trip (controller to controller).
  • An association has its member newspaper produced and mailed by a printing company and transmits the members' addresses to the printer for the dispatch of the paper (controller – processor).

Read the full guidance.

Consent is not needed for the transfer of personal data from Canada to other countries, says the Canadian Office of the Privacy Commissioner.

Following a consultation on transfers of personal information for processing, the Office of the Privacy Commissioner of Canada (OPC) has concluded that its guidelines for processing personal data across borders will remain unchanged under the current law.

Even though consent is not needed for the transfer, transparency remains paramount. Organizations should advise customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities. During its consultation, the Office received 87 submissions.

The vast majority took the view there was no requirement under the Personal Information Protection and Electronic Documents Act (PIPEDA) to seek consent for transfers for processing and that doing so would create enormous challenges for their business processes.

Details from the Canadian Office of the Privacy Commissioner.

If you post photos online, and are subject to GDPR, you must:

  1. tell the people in the picture about it
  2. let them object
  3. get their consent, sometimes
  4. respect their wishes to remove the photos
  5. be extra careful if kids are in the photos

The Danish Data Protection Authority has released a new guidance on the legal basis for posting photos online.

Read my detailed analysis.

“It is very important for businesses to start thinking about compliance now. From my perspective, we are getting ready for enforcement in parallel with our rule-making process.” — Deputy California Attorney General Stacy Schlesser. 

Schlesser says there is no time like the present to work on CCPA compliance.

Though the attorney general can begin enforcement only on July 1, 2020, “When and if the attorney general takes action in July, it can, in fact, retroactively enforce for infractions committed starting Jan. 1,” said Travis LeBlanc, former enforcement chief at the Federal Communications Commission and a newly confirmed member of the federal Privacy and Civil Liberties Oversight Board.

Details from the International Association of Privacy Professionals.

“Whenever there is no clear guidance under the GDPR on how to obtain certain security objectives, it certainly seems wiser and more rational to use existing solutions provided by NIST publications than to wait until more EU guidelines would be available. Later you could further build on what you already have, rather than start from scratch,” writes Piotr Foitzik, Senior Manager, Privacy and Data Protection Office, HCL Technologies.

Piotr advocates using NIST standards to comply with your GDPR Art 32 ‘adequate technological and organizational measures’ obligation and in building out your privacy and information security program. This is equally applicable to the CCPA requirement to adopt ‘reasonable measures’ to protect the personal information you collect.

Read the full text of Piotr’s article in the IAPP’s Privacy Advisor.

GDPR permits a general contractor to disclose personal information of the client who hired them for a home renovation to subcontractors, for their purpose of carrying out the renovation as well as for the correction of defects within the scope of the warranty.

The legal basis for this is that it is necessary for the performance of the contract with the client (Article 6(1)(b) of GDPR), says the Data Protection Authority of Austria.

Read the full opinion.

“The EU’s much-vaunted data-protection legislation doesn’t cover how data can be used ‘to draw conclusions about me or to undermine democracy,’” said European Union Commissioner Margrethe Vestager, in a speech in Copenhagen on Sept. 13.

“When a few companies control a lot of data about us, that can also help them influence the choices we make. Europe ‘may also need broader rules to make sure that the way companies collect and use data doesn’t harm the fundamental values of our society,’ she said. It’s one of the first indications for how she may use her unprecedented second term as competition commissioner from Nov. 1, bolstered with new laws to shape potential regulation for digital companies.”

Details in Bloomberg Law.