Ireland: DPC Annual Report 2020: Enforcement & Transfers Dominate Agenda

In its second full year overseeing and regulating the GDPR in Ireland, the Data Protection Commission (DPC) has published its 2020 Annual Report, highlighting key observations, emerging guidance, and large-scale inquiries and decisions of 2020. Primary areas of focus for the DPC in 2020 included enforcement (under both GDPR & ePrivacy), breach notifications, data …

Europe: Interim EDPB guidance on the application of GDPR to health research

In response to a set of questions from the European Commission, the European Data Protection Board (“EDPB”) has published some high-level guidance on the application of the GDPR to health research (“Guidance”). This article summarises the key takeaway points from that guidance. For obvious reasons, the past year has done much to highlight …

Belgium: EU takes another step towards strengthening the cybersecurity of 5G networks

Authors: Kristof De Vulder, Heidi Waem, Gilles Hachez

The EU has been steadily ramping up its cybersecurity efforts over the last few years. This has been previously evidenced by its adoption of a new Cybersecurity strategy (the ‘Cybersecurity Strategy for the Digital Decade’ part of its Shaping Europe’s Digital Future strategy, its Recovery Plan for Europe …

UK Information Commissioner issues letter on transfers of personal data to the U.S. Securities and Exchange Commission

The UK’s Information Commissioner (“ICO”) has recently issued a letter to the U.S. Securities and Exchange Commission (“SEC”) confirming that SEC-regulated UK domiciled firms (“UK Regulated Firms”) can share personal data with the SEC when seeking to comply with regulatory obligations, in compliance with the UK GDPR. After a long delay, the ICO’s letter has …

Belgium: ePrivacy proposal in progress: Council agrees on its position to start off ‘trilogue’ negotiations

Authors: Heidi Waem, Alizée Stappers and Simon Verschaeve

With the ultimate purpose of enacting specific rules regarding electronic communications, the ePrivacy Regulation aims, in particular, to replace the 2002 ePrivacy Directive, detail and complement the GDPR’s general rules, and implement important changes in areas such as metadata processing on end-user devices and obtaining cookie consent …

The Netherlands: 440,000 EUR fine for hospital re. unauthorised access to medical records

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, “Dutch DPA”) has published its decision to impose an administrative fine of EUR 440,000 on Amsterdam hospital OLVG due to the lack of sufficient measures to prevent access to medical records by unauthorised personnel. After complaints, the Dutch DPA conducted an investigation, and carried out an audit of …

Will this recent High Court decision reduce the number of group-litigation claims?

A judgment handed down following a costs and case management conference in Weaver [2021] EWHC 217 (QB) appears to have struck a blow to claimant solicitors seeking to pursue group actions in the UK.

Background

The UK ‘group action’ landscape is ever shifting, notably in the world of data protection compensation. The relatively steep growth in …

Belgium: DPA imposes fine on provider “pink boxes”: free products vs. free consent and other interesting take-aways

Authors: Heidi Waem, Frederik Ringoot

On 27 January 2021, the Belgian Data Protection Authority (“BDPA”) imposed a EUR 50,000 fine and an obligation to change its data processing activity on the company “Nationale Dienst Voor Promotie van Kinderartikelen NV”/“Service …

Singapore: Amendments to the Personal Data Protection Act 2012 (PDPA) now in force

The following sections of the Amendment Bill are now in force (as of 1 February 2021):

a. Mandatory data breach notification

Organisations must now notify the Personal Data Protection Commission (PDPC) and affected individuals if a data breach results in, or is likely to result in, significant harm to affected individuals, or affects 500 or …

DLA Piper GDPR fines and data breach survey: January 2021

This year has been extraordinary in many different ways. The third annual DLA Piper GDPR fines and data breach survey which we launched today reflects how the current circumstances have affected the privacy landscape across the 31 European countries surveyed. The report includes key GDPR metrics compiled from data from the 27 EU Member States …

Belgium: Digital fingerprints on ID cards – no violation of the right to privacy according to the Belgian Constitutional Court

Authors: Heidi Waem, Emma Stockman

On 14 January 2021, the Belgian Constitutional Court delivered a highly anticipated judgment on the legality of the integration of the digital format of two fingerprints in ID cards, introduced through Article 27 of the Belgian law of 25 November 2018. After a balancing of interests, the Court ruled that the …

Data Subject Access Requests – High Court dismisses claim where DSAR regime abused

Data Subject Access Requests – no unqualified right to documents

In an important decision[1] for any business with a retail customer base, the High Court of England and Wales dismissed a claim against a bank for allegedly failing to provide an adequate response to the Claimant’s data subject access request (“DSAR”), highlighting the robust approach …

European Commission proposes reinforcement of EU Cybersecurity rules

Authors: Raf Schoefs, Simon Verschaeve, Laetitia Mouton

On 16 December 2020, the European Commission adopted a proposal for a Directive on measures for a high common level of cybersecurity across the Union (“NIS II Directive”) that revises the current Directive on Security of Network and Information Systems (“NIS Directive”). As part of its new EU Cybersecurity …

Brexit: Final arrangements for 1 January and future EU-U.K. data transfers

The Brexit trade deal has now been agreed between the EU and UK. Here we summarise the implications for data protection, including the important issue of cross-border data flows, which are critical for businesses to maintain between the EU and UK.

Legal Framework

UK data protection law has historically been governed by the General …

DLA Piper comments on EDPB recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data

On 10 November 2020, the European Data Protection Board (“EDPB”) adopted its recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. These recommendations were open for public consultation until 21 December 2020. DLA Piper has submitted comments on these recommendations which are available here.

Belgium: New collaboration agreement between the Belgian Data Protection Authority and DNS Belgium

Authors: Heidi Waem, Frederik Ringoot, Alizée Stappers

On 26 November 2020, the Belgian Data Protection Authority (BDPA) entered into a collaboration agreement with DNS Belgium, an association responsible for the registry of .be domain names. The agreement enables DNS to suspend or even delete .be websites involved in (alleged) data protection infringements, on simple request …

Belgium: Class Actions in Belgium – the next level in GDPR enforcement

Authors: Heidi Waem, Simon Verschaeve

Many organisations tend to look at the activity of the supervisory authorities to assess enforcement risk related to their data processing activities. Although still a meaningful indicator, data breaches, unlawful data sharing activities as well as any other data protection infringements can also trigger an alternate enforcement track which might …

Europe: Cookies – heavy Sanction by the CNIL in France For Google LLC and Google Ireland

On December 7 2020, the French Supervisory Authority (CNIL) sanctioned Google LLC (60 million EUR) and Google Ireland (40 million EUR) for installing advertising cookies on users’ devices without their prior consent and without proper information. In addition, the CNIL issued an injunction to properly inform the users of google.fr in compliance with Article 82 …

Asia-Pacific: Navigating Asia-Pacific data breach notification requirements

Data breach notification obligations throughout Asia-Pacific are in a state of flux, with several jurisdictions either introducing new requirements or updating their existing regimes in late 2020 and 2021. Against this backdrop, the number of cyber incidents reported continues to grow year-on-year, as increasingly sophisticated threat actors look to take advantage of the disruption caused …