Privacy & Information Security Law Blog

On July 14, 2020, the Litigation Chamber of the Belgian Data Protection Authority (the “Belgian DPA”) imposed a €600,000 fine on Google Belgium SA (“Google”) for non-compliance with the right to be forgotten.

On July 8, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its White Paper (the “Paper”) as input for the European Data Protection Board’s (the “EDPB”) future guidelines on data subject rights (“DSRs”) (the “Guidelines”). The Paper, titled “Data Subject Rights under the GDPR in a Global Data Driven and Connected World,” was drafted following the EDPB stakeholders’ event on DSR in Brussels on November 4, 2019.

In a case that has garnered widespread interest, the Court of Justice of the European Union (“CJEU”) will deliver its judgment in the Schrems II case (case C-311/18) on July 16, 2020, determining the validity of the controller–to-processor Standard Contractual Clauses (“SCCs”) as a cross-border data transfer mechanism under the EU General Data Protection Regulation (“GDPR”). If the SCCs are invalidated, the judgment would deliver a significant blow to the numerous businesses that rely on them, leaving many scrambling to find a suitable alternative transfer mechanism. Even if the SCCs survive, they may become more cumbersome to use.

On July 9, 2020, the European Commission (the “Commission”) adopted a Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions entitled: “Getting ready for changes – Communication on readiness at the end of the transition period between the European Union and the United Kingdom” (the “Communication”).

On July 13, 2020, the Italian Data Protection Authority (Garante per la protezione dei dati personali, “Garante”) announced that it levied a €16,729,600 fine on telecoms provider Wind Tre S.p.A. (“Wind Tre”) for several unlawful data processing activities, mostly related to direct marketing.

On June 16, 2020, the Litigation Chamber of the Belgian Data Protection Authority (the “Belgian DPA”) imposed a fine on a company (the “defendant”) for unlawful and incorrect processing of personal data and non-compliance with the EU General Data Protection Regulation’s (the “GDPR”) data subject rights provisions.

On June 26, 2020, New Zealand Justice Minister Andrew Little announced that the bill to repeal and replace New Zealand’s existing Privacy Act 1993 (the “Privacy Bill”) had passed its third reading in Parliament. The Privacy Bill received royal assent on June 30, 2020.

The Civil Code of China (the “Civil Code”) was approved by the National People's Congress of China on May 28, 2020 and will take effect January 1, 2021. Part Four of the Civil Code explicitly stipulates that the “Right of Privacy” is one of the “Rights of Personality” covered therein and includes a chapter on “Privacy and Personal Information Protection,” which contains detailed provisions to protect privacy and personal information.

On July 1, 2020, the Dubai International Financial Centre (“DIFC”) Data Protection Law No. 5 of 2020 came into effect (“New DP Law”). Due to the current pandemic, a three-month grace period, running until October 1, 2020, has been provided for companies to comply. The New DP Law replaces DIFC Law No. 1 of 2007. The release of the New DP Law is, in part, an effort to ensure that the DIFC, a financial hub for the Middle East, Africa and South Asia, meets the standard of data protection required to receive an “adequacy” finding from the European Commission and the United Kingdom, meaning that companies may transfer EU/UK personal data to the DIFC without putting in place a transfer mechanism (such as Standard Contractual Clauses).

On July 1, 2020, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) published its 2019 annual report (the “Report”). The Report shows that in 2019, the Dutch DPA focused on enforcement actions, after having raised awareness about the EU General Data Protection Regulation (the “GDPR”) in 2018. Below are key findings from the Report.