CNIL v Google. What Google got wrong.

On 21st January, the CNIL (the French ICO) fined Google €50 million for breaches of the GDPR.  The amount of the fine is unlikely to worry Google unduly (it was fined €4.3 billion by the EU Commission in July 2018 for abuse of its dominant position in relation to the Android system.  Google is appealing.) … Continued

UK ICO serves enforcement notice on Father Christmas

The UK data protection regulator, the Information Commissioner’s Office, has issued an enforcement notice against Father Christmas under the General Data Protection Regulation (679/2016/EU). The notice relates primarily to the Naughty Children List. The notice is particularly noteworthy because it has been issued against a business headquartered in the North Pole and which does not … Continued

French ICO orders deletion of 67 million records

CNIL, the French ICO, has ordered a marketing company to delete the 67 million records it holds. Vectaury, a Paris-based marketing company, operated by persuading mobile app producers to include a proprietary piece of code in their apps.  Once loaded onto a user’s phone, the Vectaury code would send geolocation and other user data to … Continued

ICO goes extra-territorial

The ICO has issued its first enforcement notice against an organisation which seems to have no presence in the EU.  The company, AggregateIQ Data Services Ltd, is based in Canada, and the enforcement notice seems to be a spin out of the Cambridge Analytica case. The extra-territorial reach of the GDPR is as yet untested, … Continued

PECR stalled but direct marketing alive and well

The intention was that a new version of the E-Privacy Directive (replacing the UK’s Privacy and Electronic Communication Regulation, more commonly known as PECR) would come into force at the same time as the GDPR.  That did not happen, and the draft E-Privacy Directive is still going through the rounds in the EU (an updated … Continued

Class war v ICO fines

The large fines available to the ICO under the GDPR grabbed the headlines, but the fines have always been the least of the bills payable by a breaching company.  For example, TalkTalk was fined £400,000 for its data breach, but the actual costs of remedying the breach have been estimated as between £30 million … Continued

DPOs, large-scale monitoring and lack of clarity

Warning!  This article is a heavy read.  Only proceed if you are interested in the detail of GDPR.   One of the central pillars of the GDPR is the requirement for a number of organisations to have a DPO.  There are three categories of organisation that are required to have a DPO.  Two of the … Continued