There’s no substitute for openness, clear communication and specificity where privacy regulation is concerned, Orrick lawyer Christian Schroder wrote, as was demonstrated by rulings in Germany in June involving GDPR regulations. In addition, the rulings showed that an organization gathering data from public sources about a job candidate could put it out of compliance, though that might not force the hiring of a wronged candidate, Schroder said in a blog post this week.
GDPR
The General Data Protection Regulation (GDPR) is the European Union’s landmark privacy law governing how organizations collect, process and protect personal data. In effect since 2018 it applies to any entity handling EU residents’ information regardless of where the company is based and imposes strict requirements around consent, transparency, data minimization and user rights. GDPR enforcement has led to billions in fines against global companies setting a high bar for compliance frameworks worldwide and influencing privacy legislation in the U.S. and other regions.
The European Court of Justice (ECJ) decision last month on the meaning of pseudonymized data has sparked a wave of legal comment because DPAs are split over how possible it is for third parties to retrieve personal information from such data, Hogan Lovells privacy lawyer Etienne Drouard said in an interview.
OneTrust agrees that businesses shouldn't set and forget privacy compliance tools, amid increased scrutiny from regulators, said Ojas Rege, general manager of privacy and data governance. In an interview with Privacy Daily, Rege also said that a great amount of enforcement action is happening behind the scenes, without becoming public. In addition, the OneTrust official warned that “AI amplifies every single privacy and data governance gap you have in your organization.”
As part of an effort to facilitate GDPR compliance and bolster consistency, the European Data Protection Board (EDPB) and the European Commission issued their first joint guidelines Thursday, emphasizing areas of agreement between GDPR and the Digital Markets Act (DMA).
A U.S.-based company that scraps the web for images of people and sells them to clients tells Privacy Daily it will appeal a Wednesday decision from a U.K. panel that ruled its activities violate its citizens' privacy.
The European Data Protection Board will consider approving joint guidelines with the European Commission on the interplay between the Digital Markets Act and the GDPR, according to the board's agenda for this week's meeting.
Ireland's Data Protection Commission published a final decision Thursday on its investigation into whether TikTok violated the GDPR by transferring Europeans' personal data to China. The decision, including fines of 530 million euros ($600 million), was announced May 2 (see 2505020001).
The IAPP on Tuesday unveiled a guide to Europe's digital law landscape for business, policy and tech audiences. The guide explains various digital regulations, changes being made, whom the measures affect and where the main risks and opportunities lie. Among other things, it maps the intersection of the GDPR with other laws, such as the AI Act, Digital Markets Act, Digital Services Act and Data Governance Act.
A Hamburg, Germany, company from the financial industry that violated the GDPR by failing to tell several customers why their credit card applications were rejected must pay 492,000 euros ($578,000), the city's DPA announced Tuesday.
Lithuanian-based digital identity research tool Whitebridge.ai is selling "reputation reports" compiled from large amounts of scraped personal information about unsuspecting people to "anyone willing to pay" for them, privacy advocate Noyb alleged Monday. It slammed the company's "shady business model."