Mirena Taskova - EU GDPR Intro & Update - Stanford Engineering - 14 Jan 2019
2 likes467 views
The document discusses the importance of the EU General Data Protection Regulation (GDPR) for US companies, emphasizing the rights of data subjects and the potential fines for non-compliance. It outlines various enforcement actions and breaches reported in several European countries since GDPR's implementation. Additionally, the document highlights ongoing complaints regarding 'forced consent' against major tech companies following GDPR's enforcement.
Mirena Taskova - EU GDPR Intro & Update - Stanford Engineering - 14 Jan 2019
- 1. Belgium | China | France | Germany | Italy | Netherlands | UK | US (Silicon Valley) | fieldfisher.com GENERAL DATA PROTECTION REGULATION (EU GDPR) WHY SILICON VALLEY NEEDS TO GET IT RIGHT MIRENA TASKOVA 1/14/2019 European Entrepreneurship & Innovation – Stanford School of Engineering
- 2. Belgium | China | France | Germany | Italy | Netherlands | UK | US (Silicon Valley) | fieldfisher.com1 GDPR Why am I here today? What will I learn? Why the European Union GDPR matters to US companies & consumers, and why bother?
- 3. Belgium | China | France | Germany | Italy | Netherlands | UK | US (Silicon Valley) | fieldfisher.com2 GDPR Why am I here today? What will I learn? What is personal data?
- 4. Belgium | China | France | Germany | Italy | Netherlands | UK | US (Silicon Valley) | fieldfisher.com 3 GDPR What constitutes personal data? Our company’s annual report Your salary details Your medical information Your name and date of birth NO YES YES YES Your anonymous response to a survey question MAYBE Your photo or image on a CCTV camera YES
- 5. Belgium | China | France | Germany | Italy | Netherlands | UK | US (Silicon Valley) | fieldfisher.com4 GDPR What rights do data subjects have? This means you too. I want to have errors about me corrected I don’t want to receive your marketing letters and promotions I want to find out what data you have about me and how you’re using it Does the right to be forgotten apply to me? I want to be able to take my data and reuse it on other platforms Please stop using my data until you’ve verified there is a legitimate purpose
- 6. Belgium | China | France | Germany | Italy | Netherlands | UK | US (Silicon Valley) | fieldfisher.com5 GDPR Company Fines under GDPR WHY WE NEED TO GET IT RIGHT Infringements of rights, basic principles, and rules on international transfers: • €20 million or 4% of the total worldwide turnover of the preceding financial year (whichever is higher) Failure to notify of data breaches: • €10 million or 2% of the total worldwide turnover of the preceding financial year (whichever is higher)
- 7. Belgium | China | France | Germany | Italy | Netherlands | UK | US (Silicon Valley) | fieldfisher.com6 GDPR Enforcement Actions in Europe | January 2019 Increase in Supervisory Authorities’ activity (local level & cross border)
- 8. Belgium | China | France | Germany | Italy | Netherlands | UK | US (Silicon Valley) | fieldfisher.com7 GDPR Enforcement | UK ü The Information Commissioner’s Office (ICO) received 1792 breach notifications in June 2018, compared with 367 in April 2018; ü There have been a number of high profile breaches for which fines are possible such as British Airways, the Conservative Party, and Facebook; ü Supermarket chain Tesco has been fined £16.4 million by the Financial Conduct Authority for failing to exercise due skill, care, and diligence in protecting customers against a cyber-attack (not awarded under the GDPR); ü The ICO, for the first time, issued its maximum fine of £500,000 against Equifax for its security breach (not awarded under the GDPR).
- 9. Belgium | China | France | Germany | Italy | Netherlands | UK | US (Silicon Valley) | fieldfisher.com8 GDPR Enforcement | Germany ü During the months May-July 2018, 111 data breach notifications were filed with the Data Protection Commissioner in Berlin. In the same period in 2017, the authority received only 12 notifications; ü The Bavarian State Authority for data protection announced random controls (audits) of companies beginning September 2018; ü Not aware of any sanctions under the GDPR yet. A sanction procedure takes some time to complete due to the strict procedural rules.
- 10. Belgium | China | France | Germany | Italy | Netherlands | UK | US (Silicon Valley) | fieldfisher.com9 GDPR Enforcement | France ü More than 600 notifications of data breaches have been received by the French DPA involving about 15 million people - about 7 per day since May 25 2018; ü Since May 25 2018, the French DPA has received 3767 complaints vs. 2294 complaints over the same period in 2017. This represents a 64% increase; ü In regards to joint-actions (similar to US class action suits), two organizations have filed complaints with the French DPA: • “La Quadrature du Net” filed 5 separate complaints over “forced consent” against Google, Amazon, Facebook and Apple; • The association “NOYB” filed a complaint over “forced consent” against Google (Android). ü Not aware of sanctions under the GDPR yet.
- 11. Belgium | China | France | Germany | Italy | Netherlands | UK | US (Silicon Valley) | fieldfisher.com10 GDPR This is just the beginning … On November 8, 2018 Privacy International filed complaints against seven data brokers (Acxiom, Oracle), ad-tech companies (Criteo, Quantcast, Tapad), and credit referencing agencies (Equifax, Experian) with data protection authorities in France, Ireland, and the UK.
- 12. Belgium | China | France | Germany | Italy | Netherlands | UK | US (Silicon Valley) | fieldfisher.com11 GDPR This is just the beginning … noyb filed four complaints over “forced consent” against Google, Instagram, WhatsApp and Facebook. The complaints were filed with DPAs in Austria, Belgium, France and Germany right after GDPR came into force.
- 13. Belgium | China | France | Germany | Italy | Netherlands | UK | US (Silicon Valley) | fieldfisher.com12 GDPR Questions?
- 15. Mirena Taskova, CIPP/E Senior Privacy Advisor M: +1 (650) 250 3615 E: mirena.taskova@fieldfisher.com Follow: @Fieldfisher www.linkedin.com/in/mirenataskova Blog: privacylawblog.fieldfisher.com