Weekly Newsletter: 7 December – 11 December 2020
GDPR EU Representative

December 14, 2020

European Center for Digital Rights Joins Privacy Fight

[#Facebook #Namecheap #FacebookLawsuit #DataPrivacy]

“In June, we told you about Facebook’s efforts to force Namecheap to divulge private details about all of our domain registrants — people like you. Since then, there have been a number of new developments we wanted to share with you. We are currently litigating in federal court to dismiss the lawsuit for, among other things, Facebook’s lack of a right to the information. In our fight, we’ve received unexpected support from the most respected and renowned European data privacy enforcement organization, the European Center for Digital Rights.

[…] Facebook’s lawsuit against us originates from their demand for your private domain registrant information. […] Facebook claims they have a “legitimate interest” to this information and, therefore, should be given access to it just because they request it.

[…] Namecheap’s long-held position is that Facebook has no right to receive your personal information on a blanket request. Our stance is that they, like any other third party, must establish a legal right to obtain it using the proper legal forum such as a court of law.”

To read more: Click here

CNIL opens consultation on DPO certification process

[#CNIL #DPOCertificationProcess #DPOCertification]

The DPO Certification Process

“France’s data protection authority, the Commission nationale de l’informatique et des libertés, launched a consultation on its standards for approving organizations to certify data protection officers. As part of a biannual review, the CNIL is calling on stakeholders to weigh in on its DPO skills certification reference system and accrediting framework. The consultation period will close Jan. 6, 2021. Editor’s note: The IAPP launched in June a DPO certification, ‘Certification des compétences du DPO’, specific to the French market.”

For an official French version: Click here



EU, UK mulling interim data flows solution post-Brexit

[#Brexit #GDPRandBrexit #EUUKDataTransfers #dataflow #UKBrexit]

“With time running out for the EU to grant the U.K.’s data protection regime a stamp of approval before the Brexit transition period ends, officials are considering options to keep personal data flowing across the Channel, according to two individuals familiar with the talks.

The European Commission needs to deem the British data protection regime “adequate” in order to keep data flowing legally across the Channel. But any decision would need sign-off from EU governments, MEPs and the bloc’s data protection regulators, which looks unlikely — if not impossible — before year-end.

To avoid a cliff edge, negotiators in London and Brussels are working on an interim solution. One option on the table is to temporarily wrap data flows up into the wider trade deal — for a period no longer than six months — to allow more time to make the adequacy assessment, according to one official close to the talks.”

To read more: Click here


Cookies: €60 million fine against GOOGLE LLC and €40 million fine against GOOGLE IRELAND LIMITED


[#CNIL #GDPRfines #Google #CNILfines #FrenchDPA]

Breaking news on cookies: €60 million fine against GOOGLE LLC and €40 million fine against GOOGLE IRELAND LIMITED

“On December 7, 2020, the CNIL’s Restricted Committee sanctioned the companies GOOGLE LLC and GOOGLE IRELAND LIMITED with a total fine of 100 million euros, specifically for having placed advertising cookies on the computers of users of the search engine google.fr without prior consent or satisfactory information.”

Read more in French here.

Click here for an unofficial English translation.

Cookies: 35 million euro fine against AMAZON EUROPE CORE


[#CNIL #GDPRfines #Amazon #CNILfines #FrenchDPA]

Breaking news on cookies: €35 million fine against AMAZON EUROPE CORE.

“On December 7, 2020, the Restricted Committee of the CNIL sanctioned the company AMAZON EUROPE CORE with a fine of 35 million euros for having placed advertising cookies on users’ computers from the amazon.fr website without prior consent and without satisfactory information.

In its deliberation, the Restricted Committee recalled that the CNIL is materially competent to control and sanction cookies deposited by companies on the computers of users residing in France. It thus stressed that the cooperation mechanism provided for by the GDPR (“one-stop shop” mechanism) was not intended to apply in this procedure since operations related to the use of cookies fall under the “ePrivacy” directive, transposed in Article 82 of the French Data Protection Act.”

Read more in French here.

Click here for an unofficial English translation.


Tech giants to face large fines under Europe’s new content rules

[#CNIL #DataSecurity #DigitalServicesAct #EuropeanCommission #EuropeanDataProtection #TechFirms #CommissionProposal]

“Companies like Facebook and Amazon could face fines of up to billions of euros if they flout new rules aimed at curbing online hate speech and the sale of illegal goods, according to a draft of the European Commission’s upcoming Digital Services Act seen by POLITICO.

Under the proposals, which will be unveiled next Tuesday, Brussels will mandate that large online platforms — those that reach at least 45 million people across the 27-country bloc — must limit the ability of illegal material from spreading on their networks, provide regulators and outside groups with greater access to their internal data and appoint independent auditors that will determine if firms are compliant with the new rules.
If companies like Google and Twitter fail to meet the new obligations, they could be fined up to six percent of their annual revenue, according to the Commission’s draft document.”

To read more: Click here.

noyb’s Comments on the Draft Standard Contractual Clauses under Article 28 (7) GDPR and Article 29(7) of Regulation (EU) 2018/17251

[#EuropeanCommission #SCCs #StandardContractualClauses]

Feedback submitted by noyb.eu (Max Schrems’s organization) on the EU Commission’s proposed Standard Contractual Clauses for the transfer of personal data to third countries calls for more guidance on the EU representative

“[..] The obligation to appoint a representative in the EU is not a guarantee of enforceability of the GDPR. Many companies simply never appointed a representative – for example because they may be of the incorrect view that the GDPR does not apply to them. These representatives often neither have the relevant information to assist an investigation nor relevant assets or decision powers to provide for an effective avenue for enforcement.”

We believe that some further guidance would be welcomed in relation to clauses setting out the EU representation services. Many entities, and especially those that operate outside the EU must be fully aware of the Art. 27 GDPR EU Representative obligation, as this is set out in the GDPR.”

To read more: Click here.