Lucia Hartnett

The Dutch Data Protection Authority (Dutch DPA) has issued fixed and periodic fines to a government ministry over its lack of security measures and transparency about who it shares personal data with, while the Danish Data Protection Agency (Danish DPA) has issued fines to a national bank for its lack of documentation on the deletion of personal data.
Continue Reading European DPAs in Action: Periodic Penalties and Deletion of Personal Data

The European Data Protection Board (“EDPB”), a body with members from all EEA supervisory authorities (and the European Data Protection Supervisor), has recently established a taskforce to coordinate the response to complaints concerning compliance of cookie banners filed with several European Economic Area (“EEA”) Supervisory Authorities (“SAs”) by a non-profit organisation NOYB. NOYB believes that many cookie banners, including those of ‘major’ companies, engage in “deceptive designs” and “dark patterns”.
Continue Reading EDPB Establishes Cookie Banner Taskforce, Which Will Also Look Into Dark Patterns and Deceptive Designs

This is the first in a series of posts that discuss the key concepts and issues addressed in a set of draft guidelines recently issued by the European Data Protection Board (“EDPB”). Comments on the draft guidelines are due by 19 October 2020.

Part 1: Focus on Processors

On 7 September 2020, the EDPB published the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR.” Businesses and members of the public may provide feedback on the draft Guidelines by 19 October 2020.
Continue Reading What’s New in the EDPB’s Draft Guidelines on Controllers and Processors Under the GDPR? (Part 1)

A new data protection law came into force in the Dubai International Financial Centre (DIFC) on 1 July 2020. The new law, Law No. 5 of 2020 (DIFC DP Law), which repeals the Data Protection Law No. 1 of 2007, bears striking similarities to the EU’s General Data Protection Regulation (GDPR). The Law applies to controllers or processors that process personal data in the DIFC on a regular basis, regardless of the entity’s place of incorporation.
Continue Reading New Data Protection Law for the Dubai International Financial Centre

On 12 December 2017, the Article 29 Working Party (WP29) published its long-awaited draft guidelines on consent under the GDPR. The guidelines build on WP29’s ‘Opinion on the definition of consent’, adopted in July 2011. As with the draft guidance on transparency, published the same day, WP29 invites comments to be submitted by 23 January 2018.

The guidelines state that, generally, in order to use consent as an appropriate lawful basis, the data subject should be offered control and genuine choice when it comes to accepting or declining the terms of processing. The guidelines are broken down into various sections. These sections analyse the different parts of the wording of Article 4(11) of the GDPR, which defines consent, and look into whether controllers need to amend their consent forms in order to comply with the GDPR.
Continue Reading WP29 Publishes Draft Guidelines on Consent

On October 3, 2017, the Irish High Court issued a judgment in the “Schrems II” case, which raises the issue of whether the EU Commission’s decision approving the EU’s Standard Contractual Clauses (SCCs) should be invalidated. The Court has decided to refer various issues to the Court of Justice of the European Union (CJEU) and is seeking comment from the parties involved with regard to the questions that should be raised.
Continue Reading Irish High Court Issues Judgment in “Schrems II” Case