The $5 billion fine levied against Facebook by the Federal Trade Commission is certainly headline news, but it also contains detailed requirements for privacy and information security governance and accountability that all companies can learn from and implement.

Big Picture Takeaways:

  • Facebook faces many detailed requirements for internal and external governance and oversight with

The Italian Data Protection Authority, Garante Privacy, ordered a company that did not acquire granular consent for marketing from members of its loyalty programs to:

(i)  stop processing personal data for marketing purposes if granular consent for the marketing/mailing was not acquired;

(ii) not start processing personal data for marketing purposes in future without obtaining such

“European Union privacy regulators are ramping up enforcement of the General Data Protection Regulation as the bloc’s comprehensive privacy regime heads into its second year,” write Bloomberg’s Sara Merken and Daniel R. Stoller Esq.

Businesses “can expect in 2019 is the transition from the warning authority that explains things and conducts campaigns, to also the

Enforcement is coming – says CNIL, the French Data Protection Authority.

CNIL published its enforcement priorities for 2019. CNIL will no longer refrain from enforcing new obligations imposed by GDPR, but it will continue to exercise judgment in the choice of corrective measures and will not resort to fines every time. CNIL’s enforcement program will

How has GDPR enforcement played out in the past year?

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, or AP) recently published a report on its 2018 activities.

The report highlights the growth of GDPR enforcement actions:

  • 27,000 people contacted the AP by telephone about the Privacy Act (2017: 9,500).
  • AP received more than 11,000 complaints.
  • AP

Since May 25, 2018, 206,326(!) GDPR cases have been reported by Supervisory Authorities (SAs) from 31 European Economic Area (EEA) countries.

Of those, 94,622 were initiated by individual complaints and 64,684 due to data breach notification by the controller. 52 percent of these cases have already been closed and 1 percent challenged before national court.

Now serving complaint #6241…

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has published guidelines on how it will prioritize the handling of complaints filed with it under the EU General Data Protection Regulation (GDPR).

Criteria include:

  1. How harmful is the alleged violation for the individual(s)? This depends on nature of data and nature of the