If you de-identify end user data, this may be a use compatible with the original purpose for which the data was provided and not require seeking consent from the individual.

So, that’s between you and the end user. What about in B2B contracts? Here, the question of using or commercializing data, even if anonymized, often becomes a point of discussion and negotiation.

Details from the International Association of Privacy Professionals.

The EU General Data Protection Regulation (GDPR) did NOT make all processing of personal data unlawful, though many seem to think so, says Michael Kaiser, data protection officer at the Hesse Data Protection Authority in Germany.

Kaiser said the DPA has been inundated with complaints and breach notifications, up 1,200 percent since the GDPR went into effect.

The Irish Data Protection Commissioner has a similar experience.

The DPC had 2,795 breach reports come through its portal in 2017.

Since the GDPR went into effect not even one year ago, the number of reported breaches is at 4,136.

Per Cathal Ryan, assistant commissioner at the DPC, the mantra companies seem to be subscribing to, “When in doubt, report it,” might not be the best approach anymore. Companies may need to instead look a little more closely at whether the breach is a reportable one under the letter of the law.

Details from the International Association of Privacy Professionals.

Enforcement is increasing under the EU-US Privacy Shield Framework for cross-border transfer of personal data. A report published by the European regulator, the European Data Protection Board (EDPB), lists enforcement initiatives by the US Department of Commerce (DoC) and the FTC.

  • On a quarterly basis the DoC conducts “false claims reviews” to identify organizations that have started but not finished an initial or re-certification or that did not submit their annual recertification.
  • The DoC performs random web searches for false claims of participation in the program.
  • The DoC performed a sweep of 100 randomly chosen organizations.
  • The DoC designated a person to follow the media and to do keyword searches to identify possible breaches of the Privacy Shield commitment.
  • The DoC performs regular checks for broken links to the privacy policy on the Privacy Shield list.
  • This year the FTC brought 5 new Privacy Shield cases.
  • The FTC investigates Privacy Shield-related referrals (approximately 100).
  • The FTC started to send Civil Investigation Demands (CIDs) proactively to monitor compliance with the Privacy Shield principles.

Details in the Second Annual Joint Review.

A total of 41 fines have reportedly been issued for GDPR violations across the various German states.

Violations included:

  • A clinic accidentally handed over a copy of a severely handicapped person’s ID card to the wrong patient.
  • Bank customers were able to see the bank statements of third parties in online banking.
  • Web shop customer data was copied without authorization following a hacker attack.
  • A hotel could not rule out that, following an extortion-motivated hacker attack, credit card or other customer data from its booking system fell into the wrong hands.
  • In a fire department in the state of Bremen all phone calls were recorded, not only the emergency calls, but all outgoing and incoming calls.
  • Advertising mailings, dashcam use and open e-mail distribution lists were also the subjects of fines.

Details from Handelsblatt.

GDPR is here and is instrumental in bolstering individuals’ rights to their data.

The European Commission has issued a statement in honor of Data Protection Day which will be celebrated worldwide on January 28.

Some highlights:

  • Individuals’ data is one of the most valuable resources in the modern economy.
  • One of the main aims of the General Data Protection Regulation (GDPR) is to empower people and give them more control of their data.
  • In order to achieve this goal, people must become fully aware of their rights and the consequences of their decisions.
  • The effects of GDPR are already noticeable. People are more aware of their rights and exercising them. The EU data protection authorities have received more than 95,000 GDPR complaints.
  • With GDPR, and its requirements for cross-border data exchanges, Europe strives to ensure strong privacy rules at home and also to lead the way globally.

Full details here from the EU.

When responding to a data subject access request under the EU General Data Protection Regulation (GDPR) you must disclose all the relevant personal data you hold and provide all information required by Article 15 of GDPR, all in a clear, easy-to-understand way. A new complaint by the public interest organization NOYB against media streaming services shines a spotlight on this GDPR right:

To comply with the right to access, controllers must disclose all data they hold which could render the individual identifiable, including cookies, online identifiers, tracking technologies, beacons, IP addresses, pixel tags or device identifiers. You must disclose:

  • purpose
  • categories
  • recipients
  • retention
  • sources (if not the individual)
  • transfers outside the EU
  • the individual’s right to request rectification, restriction of or objection to processing
  • the individual’s right to lodge a complaint
  • the existence of automated processing / profiling

You must provide the information in a manner clearly readable by the average consumer. Machine readable format will not suffice without also providing an explanation, software or other means to make the data readable and understandable.

Details from NOYB.

A 50 million euro GDPR fine recently issued by the French data protection authority CNIL provides actionable lessons for companies handling personal information for advertising purposes. First and foremost, refrain from blanket consents and state your data handling practices clearly:

  • make sure information you provide users is easily accessible
  • tell people why you process their information, for how long you keep it and the categories of it
  • put the information in one or limited locations
  • refrain from requiring multiple actions to access the necessary information
  • describe your purposes specifically, and clearly.

Vague statements like “any of the following purposes may apply” will not suffice. When relying on consent:

  1. Provide clear disclosure in a centralized location. This is particularly important if the processing is complex, uses information from different sources or involves sensitive information.
  2. Require action by the user to signify consent (no pre-checked checkboxes).
  3. Use separate call-outs for each purpose. Statements like “I accept that my information is used as described above” may not suffice.

Details from CNIL.

More here from Law360.

Does your company have the data processing agreements required by the EU General Data Protection Regulation (GDPR) when it engages third parties to assist with its data processing activities?

The Dutch data protection authority recently asked this question of 30 companies in the energy, media and trade sectors. The agency has also conducted similar exploratory compliance surveys covering Data Protection Officers and processing activity registers.

Under GDPR, a company may only engage processors that offer sufficient guarantees that they also comply with legal requirements. The processor agreement must specify how the protection and processing of personal data is regulated and address issues including:

  • which data will be processed and for how long
  • the nature and purpose of the processing
  • how the security of the data is guaranteed

Details from the Dutch Data Protection Authority.

The UK Information Commissioner’s Office (ICO) has issued expanded guidance on “Personal Data” under the EU General Data Protection Regulation (GDPR).

Here are the highlights:

Pseudonymization does not change the status of the data as personal data. To truly anonymize under the GDPR, you must strip personal data such that the individual can no longer be identified or later re-identified using reasonably available means. If you can distinguish an individual from other individuals, then that person is “identified” or is “identifiable.” “Online identifiers” can be personal data. This includes:

  • IP addresses
  • cookie identifiers
  • RFID tags
  • MAC addresses
  • advertising IDs
  • pixel tags
  • account handles
  • device fingerprints

To determine whether an individual is identifiable you must consider what means are reasonably likely to be used to identify the individual, taking into account all objective factors, such as: costs and amount of time required for identification; available technology at the time of the processing; and likely technological developments.

Details available here from the UK ICO.

Sharing personal data with data brokers or other business partners? The French regulator CNIL has new guidelines for you to follow.

Highlights include:

  • The individual whose data is shared must give consent before any transmission to partners.
  • The individual must be able to identify the partners who will receive the data from the form through which the data is collected. You can either:
    • present a regularly updated, exhaustive list directly on the form; or, if the list is too long,
    • present a link to the list together with the privacy policies of the partners.
  • The individual must be informed of changes in the list of partners, and especially of the arrival of new partners.
  • The consent collected by the company collecting the data on behalf of its partners is only valid for those partners. The partners cannot pass the information received on to their own partners without again collecting the informed consent of the individuals.
  • Partners must indicate, in their first communication, how individuals can exercise their rights, in particular the right to object, as well as the source of the data used.

Details here from CNIL.