Posted on Categories privacy/personal data protection

The grace period is over, and the era of fines for GDPR infringements is upon us

Until now, despite countless warnings before the entry into force of the EU’s General Data Protection Regulation in May 2018, administrative authorities have not imposed high fines for violation of regulations on processing of personal data. But this situation seems to be changing, at least in France. On 21 January 2019 the French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a fine of EUR 50 million on Google LLC. The CNIL found that Google had not processed personal data transparently, providing data subjects with inadequate information on processing and personalising ads without the consent of the persons who were shown the ads.


Posted on Categories judicature, privacy/personal data protection

First compensation for GDPR infringement

Apart from potentially very high administrative penalties that national data protection authorities may impose on violators of the EU’s General Data Protection Regulation (as has already occurred, for example, in France), under the GDPR any person who has suffered material or non-material damage has the right to obtain compensation from the controller or processor of his personal data for the damage suffered. This is an instrument that has attracted much less attention than administrative sanctions, but it may have very serious financial consequences.


Posted on Categories blockchain, privacy/personal data protection

How to process personal data processed on a blockchain – the French approach

At the end of September the French state personal data protection regulator, the Commission Nationale de l’Informatique et des Libertés (CNIL), published a preliminary analysis of the issue of what kind of systems suitable for blockchain might apply to personal data processing. The CNIL has also been looking at the issues that are fundamental from the point of view of the GDPR, for example who the controllers and processors are on a blockchain. The CNIL has proposed a number of specific solutions but realises that it does not have extensive knowledge of this technology. It has said that it is open to proposals from experts, who are welcome to propose their own solutions.


Posted on Categories anti-money laundering, privacy/personal data protection

Overzealous checking of customer identification can be harmful

Newly formed companies, and companies that have been on the market for some time, are becoming increasingly aware of their obligations under AML/FT regulations. Firms in various sectors, such as the technology sector, do not always realise that these obligations are only applicable to the types of entities listed in AML laws. Some businesses employ know your customer (KYC) identification procedures equivalent to those provided for in AML laws even though they are not subject to these laws. The problem is that overzealousness of this kind might be a breach of laws in other areas, especially personal data laws, above all the GDPR.


Posted on Categories blockchain, privacy/personal data protection

Who is the data controller in a blockchain?

In the latest Rzeczpospolita Report on the legal aspects of blockchain and its applications, I briefly discussed the challenges related to applying data protection regulations in this context. It is a complicated issue as it appears that blockchain can potentially challenge the basic assumptions and regulatory approaches provided by the GDPR.


Posted on Categories litigation, privacy/personal data protection

Private enforcement under the GDPR

While the new data protection regulation provides for severe administrative penalties for failure to comply, it is well known that whether a penalty is effective is determined not by its severity but by its inevitability. Even though the personal data protection authority has been given broad powers, it does not have adequate means of exercising them. A solution could be a private enforcement mechanism within the regulation, whereby any person whose data has been breached can independently seek a judicial remedy.

Private enforcement is being used more and more as an addition to the public law mechanism for the enforcement of regulatory provisions. This solution has been introduced recently in compensatory liability cases for breach of competition law. A solution of this kind is also possible under the GDPR.
