FTC’s investigation into Facebook data practices could result in a fine up to 5 billion, Facebook estimates

On April 24, 2019, Facebook published its financial results for the first quarter, where it estimated a probable loss and recorded an accrual of $3 billion  in connection with an investigation by the Federal Trade Commission  (FTC).  The investigation could result in a penalty of up to 5 billion. The FTC began its investigation into Facebook’s mishandling of data after the New York Times reported in March 2018 that the information of 87 million users had been harvested by a British Read more [...]

EU Parliament resolution to create vast biometric database

On April 16, 2019, the European Parliament informed that it decided to create the Common Identity Repository (CIR). The CIR will interconnect a series of data systems (listed below) into a gigantic biometric database containing data about EU and non-EU citizens to improve data exchange between EU information systems to manage borders, security and migration. After the formal approval of the Council, member states will have two years to adopt the new rules. The main elements of the new legislation Read more [...]

EDPS’s Guidelines on Article 6(1)(b) lawful basis for processing in online services open for comments until May 24

On November 9, 2019, the European Data Protection Board (EDPB) adopted guidelines on the GDPR’s lawful basis for processing. In particular, the EDPB provided guidance on the “contractual necessity basis for processing personal data in the context of online services.” Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects.  The Guidelines are open for public consultation until May 24, 2019.   Photo Read more [...]

EDPB on data transfer from EEA to UK

On February 12, 2019 the European Data Protection Board (EDPB) warned that in the absence of an agreement between the EEA and the UK (no-deal Brexit), the UK will become a third country from 00.00 am CET on 30 March 2019. The EDPB provides 5 steps organizations that transfer data to the UK should take to prepare for a no-deal Brexit: Identify what processing activities will imply a personal data transfer to the UK Determine the appropriate data transfer instrument for your situation (see Read more [...]

Dutch DPA is the first European DPA to publish fining policy under GDPR

On March 14, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, DPA) published on Netherlands Official Gazette its own General Data Protection Regulation (GDPR) fining policy. It is the first European Union (EU) country to do so. Article 83, GDPR, provides that DPAs can issue to controllers and processors “effective, proportionate and dissuasive” administrative fines for infringements of the Regulation. For some violations, the fines will be “up to 10,000,000 Read more [...]