Irish DPC: liability for failure to act against Facebook
The divergence between strict legal requirements and poor implementation of the GDPR is significant. One key finding is the reluctance of the Irish DPC1 to take any action against global players like Facebook. Allthogh the Irish DPC has a discretion…
Google Analytics: Injunctive relief, information requests and damages
Peter Hense // Dresden Regional Court on Google Analytics1 Irrespective of the GDPR, claims for injunctive relief against the disclosure of personal data can also be based on German tort law according to a decision of the Regional Court of…
Data Protection in Japan
//by Toshihiro Wada The European Commission adopted the adequacy decision on Japan pursuant to Article 45(3) GDPR on 23 January 2019.1 On the same day, the Japanese data protection authority, the Personal Information Protection Commission (PPC), judged that the EU…
The “Whitelist” and its Value during a Data Protection Impact Assessment
by Iheanyi Samuel Nwankwo // Background The EU General Data Protection Regulation (GDPR) solidifies the risk-based approach in data protection through several references that tie the obligation of data controllers to the risk exposure associated with their data processing. This…
Planet 49 (ECJ): most consents for cookies invalid
The ECJ held a consent requires an opt-in of the user.1 A consent is only valid insofar the user consents in an active and unambiguous manner. It follows, cookies consent is invalid if a controller is using a pre-ticked checkbox.…
The DPO and the messanger of bad news
The strong legal position of the DPO, which is provided by the GDPR, does not prevent the DPO1 in practice of the risk of either being sued or being fired by the controller. Role of DPO according to GDPR The…
“Fashion ID”: ECJ opens door for class action against Facebook
The ECJ held a website embedding the “Like“ button is required to inform it users and to ask for their consent. Without user´s consent the transfer of personal data from the website (“Fashion ID“) to Facebook is not admissable.1 An…
Struggling with users’ consent: Economic approach to solve the issue of coupling
by Dr. Alexander Golland // Although it has always been discussed in jurisprudential literature, the so-called “prohibition of coupling” – making the provision of a service conditional on the user’s consent – has been lurking in the shadows under the…
Liability of private parties for data protection breaches
by Tobias Jacquemain//The data protection law provides those affected a right to compensation. In practice, however, this right rarely applies. Criteria for assessing damages are problem areas that can reduce the existing sanction deficit in data protection. I. Regulatory mechanisms…
Data breach: 72 hours period extended on weekend
GDPR requires companies to notify data breaches to the supervisory authority „…without undue delay and, where feasible, not later than 72 hours…“1 Insofar the notice period of 72 hours would include weekends companies were required to organise an urgency duty…