A German investigation into Facebook Inc. shows that multinational companies could face probes from multiple data-protection regulators in Europe over the same missteps.

If you are a non-EU entity subject to GDPR, or are part of a group of companies, the GDPR one-stop-shop mechanism may not help you.

Thinking through the role

Red Card! The Spanish Data Protection Authority has issued LaLiga a 250,000 EUR fine for using its mobile app to detect bars illegally broadcasting soccer matches, without duly disclosing this data processing activity in violation of GDPR.

When installing the application and receiving user approval, LaLiga remotely activated the microphone of any user’s mobile phone

  1. The French Data Protection Authority, CNIL, has issued a “Developer Kit” setting forth best practices for data protection.

Key takeaways:

  • Before using a development tool, especially for personal data, read the conditions of use.
  • If the data requires a maximum level of confidentiality, use tools with a local instance, rather than the cloud.
  • Conduct a

The UK Information Commissioner’s Office (ICO) is strategically focusing on the “fairness” requirement under the GDPR – says U.K. Information Commissioner Elizabeth Denham.

The focus is unfair, invisible processing. This includes big tech, data brokers, credit reference agencies and adtech, specifically looking at transparency and fairness, as well as the legal basis for consent.

Regarding

“Privacy policies … have evolved from … largely factual statements to become, nowadays, either long, verbose and impenetrable legalese, or else vague and soothing PR exercises. Either approach places the burden on the individual to understand complex data practices and act rationally in her own best interests.” says European Data Protection Supervisor Giovanni Buttarelli.

“Transparency

“The Federal Trade Commission is aiming to bring more EU-U.S. Privacy Shield enforcement actions for significant violations of the cross-border data transfer program, the agency’s consumer protection chief said April 26.”

There are a group of cases the FTC is “looking at right now and they include” alleged substantive violations of the Privacy Shield program

“Europe has taken the first steps to protect citizens’ privacy and our new regulations have proven to be effective — both for our citizens and our businesses… It’s time for America to join us, Japan and many others in our work, and be part of setting the global standards on privacy.” — European Commissioner Vera

“The crucial, crucial change [GDPR] brought was around accountability. Accountability encapsulates everything the GDPR is about,” says UK Information Commissioner Elizabeth Denham.

Denham said companies must understand the risks that they create for others with their data processing, and mitigate those risks. GDPR also formalizes the move away from box ticking to seeing data protection

Data subject access rights and your medical practice.

The UK Information Commissioner’s Office (ICO) issues advice.

Medical practices have reported a significant rise in subject access requests (SARs) since the GDPR came into effect in May last year, a trend similar to that seen in other sectors.

  • General Practitioners (GPs) cannot query the reason for requesting

A pre-ticked checkbox is not valid consent for placing cookies under the EU ePrivacy Directive – says the Advocate General to the Court of Justice of the EU in the Planet49 case.

Other takeaways:

  • Pre-ticked box + an active “click” on “participate in lottery” is still not sufficient consent for placing cookies. For consent to