GDPR “controls” have been embraced but not its “protections”.
The Netherlands: among the thousand implications of the Facebook model is that health insurers get to see the health-related searches of their users.
1. More detailed consent and broader legitimate interest
Yet consent no longer necessarily needs to be in writing, and legitimate interest is to be assessed by the data controller.
2. Longer privacy information notice, but multi-layered
The storage period needs to be expressly mentioned.
3. Reinforced rights with the novelty of the data portability right
The right to be forgotten gets emphasized.
4. New obligations for data processors, while the need to appoint the persons in charge of the data processing remains
Data processors can now appoint sub-processors. While data processors bear liability towards the data controller on behalf of their sub-processors, the exception arises when the processor “proves that it is not in any way responsible for the event giving rise to the damage”.
5. Need to adopt an accountability program
6. No major change for transfers of data outside the EEA
Never too late.
Among the highlights:
2. The Federal Court of Justice ruled that a single consent of a consumer is enough to receive advertising via several channels (e.g. via e-mail, telephone, SMS and MMS); separate consents for each channel are not required. (Will this decision endure under the GDPR, which requires ‘granular’ consent under data protection law?)
3. The Higher Regional Court of Frankfurt ruled that a sales contract for the acquisition of address data is null and void where the parties breached data protection laws because the individual’s consent wording did not clearly list the categories of personal data, recipients or purpose.
4. The Regional Court of Berlin ruled that various default privacy settings of Facebook breach data protection law (e.g. a location service in the app that by default reveals the location of the person the user is chatting with, as well as pre-ticked boxes allowing search engines to link to the user’s timeline). The court denied that there was valid consent, since there was no guarantee that users knew that these boxes were ticked by default.
5. The Regional Labour Court of Berlin-Brandenburg ruled that an employee forwarding e-mails containing operational information to his private e-mail account in preparation for a new job with another employer (without the employer’s consent and without official necessity) can justify extraordinary termination of the employee’s employment contract, as this is a threat to the employer’s business interests.
European “copy-cats” are growing: in this case Singapore is aiming to protect “Critical Information Infrastructure”.
Australian government agencies, businesses and non-profit organizations with a yearly turnover of more than US$2.3 million, private-sector health service providers, and credit reporting bodies and providers now face a fine of US$330,000 for a serious or repeated interference with privacy, up to a maximum penalty of five times that, or US$1.65 million.
At first, the French Authority will focus mainly on the core values and actions of the GDPR, rather than on the new additional obligations.
I tried this Chrome (or Firefox) extension and I have to say that it comes up with pretty nifty graphs of how information is worked.
Try entering a website address in its window and it will indeed process it in less than 30 seconds.