Weekly Newsletter: 25 January – 29 January 2021
GDPR EU Representative

February 1, 2021

GDPR: A Law without Authority? Luxemburg’s Data Protection watchdog refuses to show its teeth to US companies. noyb files court case

[#DPA #LuxemburgDPA #CNPD #noyb]

“Today, noyb.eu filed an appeal against two decisions of the Luxemburg Data Protection Authority (CNPD) before the administrative tribunal of Luxemburg on a fundamental matter: the authority dismissed two complaints lodged against US-based data controllers, Apollo and RocketReach. The CNPD explicitly confirmed that the General Data Protection Regulation (GDPR) applies to these non-EU companies. However, the CNPD considered that it could not enforce the GDPR against these US controllers, despite multiple enforcement options within the EU. These decisions fundamentally undermine the application of the GDPR to all foreign companies on the EU market – a key promise of the law when it was introduced in 2018.”

To read more: Click here.

See Thierry Z.’s blogpost.

His­to­ric vic­tory for pri­vacy as da­ting app re­ce­i­ves gi­gan­tic fine

[#Grindr #GDPRfine #GDPRConsent]

“Today, the Norwegian Data Protection Authority issued an advance notification of a 100 million NOK (€ 9 600 000) fine to the dating app Grindr […]. The Data Protection Authority (Datatilsynet) has clearly established that it is unacceptable for companies to collect and share personal data without user´s permission […].

[…] The Data Protection Authority has now upheld the Consumer Council’s complaint and issued an advance notification of a 100 million NOK (€ 9 600 000) one-time administrative fine, which amounts to 10 percent of Grindr’s global annual revenue. Grindr has until February 15th to provide comments or remarks on the decision.

[…] The decision from the Norwegian Data Protection Authority rules that Grindr users were not given sufficient information about how personal data was collected and shared onward with third party companies. Consumers had to accept data sharing with third parties in order to use the app.”

Find the Datatilsynet’s news here.

To read more: Click here

Gartner: The future of AI is not as rosy as some might think

[#AI #DataPrivacy]

“Gartner has released a series of Predicts 2021 research reports, including one that outlines the serious, wide-reaching ethical and social problems it predicts artificial intelligence (AI) to cause in the next several years. In Predicts 2021: Artificial Intelligence and Its Impact on People and Society, five Gartner analysts report on different predictions it believes will come to fruition by 2025. The report calls particular attention to what it calls second-order consequences of artificial intelligence that arise as unintended results of new technologies.

[…] Concerns over AI’s effect on privacy and truth are sure to be major topics in the coming years if Gartner’s analysts are accurate in their predictions, and successful businesses will need to be ready to adapt quickly to those concerns. A recurring theme in the report is the establishment of ethics boards at companies that rely on AI, whether as a service or a product. This is mentioned particularly for businesses that plan to record and analyze workplace conversations: Boards with employee representation should be established to ensure fair use of conversations data, Gartner said.”

To read more: Click here

Government leaders discuss state of play for UK adequacy, data transfers

[#Article27GDPR #BrexitTransitionPeriod #UKAdequacyDecision #Representative]

“Are relevant controllers and processors that are not located in either region but do target EU or U.K. citizens required to install representatives under Article 27 of the GDPR?

Gencarelli made it clear that EU law — the GDPR — whether during the bridging period or not, still applies. ‘Neither the bridging period nor a future adequacy decision does away with the other requirements of the GDPR. The same goes for other adequate nations,’ he said, ‘including Japan, for example. If subject to the GDPR, I have to appoint a representative notwithstanding an adequacy decision to satisfy the provisions of the GDPR.'”

To read the full article: Click here

Find the full webinar here (quote from 25’15”).


Do B2B companies not based in the EU need to comply with the GDPR?

[#GDPRRepresentative #GDPRArticle3 #GDPRArticle27 #GDPRscope #GDPRB2B]

“I’ve long questioned the extraterritorial scope of the EU General Data Protection Regulation and if non-EU based organizations that engage solely in business-to-business activities fall under the GDPR. The GDPR is at best ambiguous on this issue, and the guidance published to date from the regulators is unhelpful. This issue has been brought into focus because of Brexit and the numerous inquiries I’ve received about whether U.K. B2B companies (with no physical presence in the EU) need to appoint an EU representative (and comply with the GDPR more generally in the EU).

[…] Is that an implicit recognition that Article 3(2)(a) may not apply to B2B scenarios? It would be somewhat of an anomaly that personal information collected in the context of B2B transaction is subject to the GDPR if you have an establishment in the EU but out of scope where you are not in the EU. And what about protecting the privacy rights of individuals at companies that are clearly entitled to protection?”

To read more: Click here.