Stay up to date with the latest knowledge and breaking news in the privacy and compliance world. Find out about updates to global privacy regulations and GDPR, along with laws that affect the rights of individuals.
On August 26, 2024, the Dutch Data Protection Authority fined Uber €290 million ($324 million) for failing to comply with EU data transfer rules under the GDPR. Uber transferred sensitive data from over 170 French drivers to U.S. servers without implementing required safeguards.
The New York Attorney General’s office released guidance on July 15, 2024, signaling increased oversight of online cookie practices. Companies should ensure cookies are correctly categorized, consent tools respect consumer choices, and privacy claims are accurate. Organizations are advised to implement strong policies, test tracking technologies, and seek compliance assistance to avoid enforcement actions.
The Spanish data protection authority (AEPD) fined I-DE Redes Electricas Inteligentes (I-DE) 3 million euros for failing to assess its security breach risk, violating Articles 5(1)(f) and 32 of the GDPR. Despite I-DE's claim that the breach was due to a cyber attacker and that they had implemented detection measures, the AEPD emphasized the necessity of preventive measures in addition to remedial actions.
Less than a year after the Connecticut Data Privacy Act (CTDPA) took effect, the state's Attorney General's Office (OAG) reported on its activities. The OAG issued over a dozen violation notices across various sectors. Enforcement focuses on privacy policies, sensitive data, teens' data, and data brokers. The Report recommends measures to strengthen the CTDPA, including narrowing the entities exempt from compliance.
In April, Colorado amended the Colorado Privacy Act (CPA) to include protections for biological and neural data. The amendment expands the definition of "sensitive data" to cover this information, requiring data controllers to obtain consumer consent, conduct data protection assessments, and update privacy notices. These new provisions take effect on August 6.
Last month, Maryland joined the growing list of states that have passed comprehensive privacy legislation with the Maryland Online Data Privacy Act of 2024 (MODPA). The new law will require companies to comply with data protection requirements related to data minimization, safeguarding sensitive data, and the processing and sale of minors' data. Here's what you need to know:
On Sunday, April 7, U.S. House Committee on Energy and Commerce Chair Cathy McMorris Rodgers, R-Wash., and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell, D-Wash., released a new bill, the American Privacy Rights Act (APRA).
Governor Beshear signed H.B. 15 into law on April 4, making Kentucky the 16th state with a comprehensive data privacy law. Effective January 1, 2026, it applies to businesses operating in Kentucky or targeting its residents. Consumers under Kentucky's law have rights resembling those in other state laws, including the right to access information held about them, to correct inaccuracies in their data, and to delete personal data provided by or obtained about them.
The European Data Protection Board announced its third Coordinated Enforcement Framework action, targeting organizations' compliance with data subjects' right to access their data. Thirty-one EU data protection authorities, including seven German state-level bodies, will participate. The initiative underscores the importance of GDPR compliance for all companies, regardless of size, and signals the seriousness of European authorities toward enforcement.
In July, the European Commission took the final steps to formally adopt the new EU-U.S. Data Privacy Framework (the Framework). After years of intense negotiation between the EU and the U.S., adoption of the Framework reduces the uncertainty about lawful data transfers that followed the invalidation of the EU-U.S. Privacy Shield by the Court of Justice of the European Union (CJEU) in the Schrems II case.
The European Commission announced in December that it has begun the process of adopting an adequacy decision for the EU-U.S. Data Privacy Framework (the Framework). Companies seeking to transfer data from EU member states to the United States will need to take steps to align with this new change.
The Framework enhances protections for EU residents with respect to the activities of U.S. agencies by restricting their processing of EU data subjects’ personal data.
While bipartisan legislation to establish a federal privacy law in the United States – the American Data Privacy and Protection Act – moves through Congress, the Federal Trade Commission (FTC) has now taken steps to address existing and emerging issues related to commercial data and to consider the possibility of updating requirements.
Companies transferring data out of China for processing should be aware of new guidance issued on June 26 by China’s National Information Security Standardization Technical Committee: the Cybersecurity Standards Specification for the Certification of Cross-Border Processing of Personal Information.
A draft data privacy bill is currently moving through the US Congress. After some research and discussion, we analyzed what's in the proposed bill.
As we reported last week on Twitter, the European Commission announced the launch of the European Health Data Space (EHDS), an initiative designed to empower people to control and use their health data in their home country or in other member states.
Transatlantic data flows took center stage at the International Association of Privacy Professionals (IAPP) Global Privacy Summit.
Clearview AI has been investigated and sanctioned by a number of different EU data protection authorities. However, Italy’s recent sanction stood out as it also sanctioned Clearview for failure to appoint an Article 27 Representative.
The recent news of an agreement on data transfers between the US and EU comes at a time of great scrutiny and instability. Business owners have justifiable questions about how this framework affects their data privacy policy, which is why we've summed up our thoughts on the deal.
The fallout from the recent decision of the Austrian data protection authority in the Google Analytics case highlights the increased risk for companies transferring data across the Atlantic, and the urgent need for an effective, practical, long-term solution for data transfers.
Companies that collect and process health-related data that does not fall under the requirements of the Health Insurance Portability and Accountability Act (“HIPAA”) will want to pay close attention to new resources published on January 21, 2022 by the Federal Trade Commission.
The Austrian data protection authority (the “Austrian DPA”) recently published a decision that could have significant implications in other EU Member States and result in a ban on Google Analytics across the EU. Achieved Compliance believes this ruling could expose to regulatory scrutiny any company that uses cloud-based website and application monitoring services to collect information. Users of Google Analytics and similar services should be aware of this important development.
Companies seeking guidance about how to understand privacy risks and to implement measures to address them should be aware of two new resources – The National Institute of Standards and Technology’s (“NIST”) draft Privacy Framework and the International Organization for Standardization’s (“ISO”) International Standard for privacy information management. These tools are designed to work alongside existing guidelines for cybersecurity and the requirements of emerging law such as the General Data Protection Regulation and the California Consumer Privacy Act.
On June 12, 2020, Quebec introduced a proposed update to its public and private sector privacy laws. The draft legislation reflects both elements of the European Union’s General Data Protection Regulation (GDPR) and aspects of federal and provincial privacy laws in Canada.
In its judgment, handed down on July 16, 2020 (ACS Blog Summary) the CJEU upheld the validity of the Standard Contractual Clauses (the “SCCs”) the European Commission issued to support the lawful transfer of personal data to data processors outside of the EU. At the same time, it struck down the EU-U.S. Privacy Shield framework. The FAQ responds to some of the many questions the Schrems II ruling raises.
The privacy activist group noyb, headed by Mr. Schrems, has filed complaints against 101 websites which it alleges are still sending data in the absence of the Privacy Shield and without the measures required by the EU’s General Data Protection Regulation.
The European Commission published a draft implementing decision on standard contractual clauses (“SCCs”) for the transfer of personal data to third countries. It also published a draft set of new SCCs. For U.S. companies, the EU General Data Protection Regulation (“GDPR”) establishes SCCs as a means by which companies may lawfully transfer data from the EU to the U.S.
On February 19, 2021, the European Commission published a draft decision finding that UK law provides an adequate level of protection for EU residents’ data.
But it’s important to recognize that the steps a company takes toward GDPR compliance will yield benefits in jurisdictions well beyond the European Union. Since its adoption in 2016, the GDPR has served as a model for governments around the world as they have established their own data protection regimes.
The Dutch Data Protection Authority (“Dutch DPA”) has imposed a €525,000 fine on Locatefamily.com for failure to comply with the General Data Protection Regulation’s Article 27 requirement to appoint a representative in the European Union (“EU”).
The European Commission published the final version of the implementing decision on standard contractual clauses (“SCC”) for transfers of personal data to third countries under the EU General Data Protection Regulation (“GDPR”). The Commission also released the final version of the new SCCs.
Colorado joins California and Virginia as it becomes the third state to enact a comprehensive data privacy law.
China’s 13th Standing Committee of the National People’s Congress passed the country’s first comprehensive data protection law, the Personal Information Protection Law (the “PIPL”). The PIPL establishes a comprehensive framework to govern the processing of personal information.
Ireland’s Data Protection Commission (“DPC”) announced that it would fine WhatsApp Ireland (“WhatsApp”) €225 million ($266 million) for its failure to meet the General Data Protection Regulation’s (“GDPR”) transparency requirements as set forth in Articles 12-14.