When carrying out enforcement actions, regulators are looking for companies to be upfront about incidents and willing to work with them to solve issues, said state and federal regulators during a panel at a Practising Law Institute (PLI) cybersecurity conference Monday.
GDPR
The General Data Protection Regulation (GDPR) is the European Union’s landmark privacy law governing how organizations collect, process and protect personal data. In effect since 2018 it applies to any entity handling EU residents’ information regardless of where the company is based and imposes strict requirements around consent, transparency, data minimization and user rights. GDPR enforcement has led to billions in fines against global companies setting a high bar for compliance frameworks worldwide and influencing privacy legislation in the U.S. and other regions.
The Irish Data Protection Commission (DPC) said Friday it identified the two companies and dataset at the heart of a scandal involving the sale of smartphone location data and is investigating. The Irish Council for Civil Liberties (ICCL) accused the DPA of failing to act on its earlier whistleblowing complaint.
Customers have a right to access their personal data contained in recorded telephone conversations, Italian DPA Garante said Thursday as it fined a bank 100,000 euros ($117,000) for failing to respond adequately to a consumer's access request.
The EU Council agreed Wednesday on its negotiating stance on several European Commission proposals, including one extending red-tape reduction rules to mid-cap enterprises, a move that will amend the GDPR.
Geolocation devices such as connected watches, toys or apps have "real consequences" for children's privacy and should be used sparingly, French data protection authority CNIL said Monday.
European data retention rules for telcom companies are fragmented and should be addressed by the EU during its regulatory simplification push, the GSM Association and ConnectEurope said in comments posted this week. They were responding to a European Commission consultation on data retention by service providers for criminal proceedings.
Ireland tapped Niamh Sweeney, a former Meta executive, as a commissioner on the country’s Data Protection Commission. The appointment brought quick reaction from critics who said Ireland had bowed to pressure from U.S. big tech to the detriment of GDPR protections.
While both the EU and U.K. use legitimate interest as a basis for processing personal data, the U.K. Data Use and Access Act (DUAA) has introduced "something interesting" -- a more flexible standard that can reduce administrative burden in some cases, said Daniel Vinerean, managing director of law firm David and Baias, during a webinar Thursday.
The Swedish Data Protection Authority (DPA) responded Wednesday to what it said were "many questions" about how data controllers should handle situations where cyberattacks on data have led to publication of personal data on the dark web.
The European Data Protection Board (EDPB) guidelines published Friday marked its first advice on the interplay between the General Data Protection Regulation (GDPR) and Europe's new digital laws, it said.