//Aprajita Tyagi// We have all heard about the TurboTax fiasco1 where the company hid the U.S. government-mandated free tax-file program for low-income users. They hid this option on their website to get these users to use their paid program. But…
Virginia Follows California with a Comprehensive State Privacy Law
By Michael Shapiro// On March 2, 2021, Virginia became the second U.S. state, after California, to enact a comprehensive consumer privacy legislation. Inspired by the GDPR and the California Consumer Privacy Act, the Virginia Consumer Data Protection Act (VCDPA)1 introduces…
EDPB: No “Swapping“ of legal basis
The EDPB requires controller to specify the legal basis for the respective data processing. Whereas, the wording of Art. 6 GDPR leaves the option to refer to one or to several legal basis, the EDPB is more restrictive. According to…
Canada Introduces a Long-Anticipated New Privacy Law for the Private Sector
By Michael Shapiro// On November 17, 2020, Canada’s Minister of Innovation, Science and Industry introduced a proposed Digital Charter Implementation Act, 20201 through which the Canadian government intends to establish a new privacy law for the private sector, the Consumer Privacy Protection…
Right of Access: Austrian Court requires to inform which specific data being transferred to any individual recipient
by Andreas Rohner, Gerald Trieb// The Austrian Federal Administrative Court (“AFAC”)1 held2 a data subject has the right to be fully informed which specific personal data has been disclosed or will be disclosed to a recipient by the data controller.3…
GDPR: 90% reduction of fines by German Court
//by Jonas Puchelt and Sandra Brechtel The Regional Court Bonn reduced fines of EUR 9.55 million imposed by the German SA on the telecommunications company 1&1 to “only” EUR 900,000.00. Is the reduction of the fines by more than 90%…
ECJ: no unlimited access to communication data for security and intelligence agencies
The ECJ held that the access for security and intelligence agencies to communication data shall be restricted according to the principle of proportionality. That derives from the fact that an unlimited access to communication data by security and intelligence agencies…
Schrems II: approval of BCR invalid?
The ECJ requires in “Schrems II“ a level of data protection which is “essentially equivalent“ to the level within the EU, when data is being transferred outside the EU. This new requirement is equally applied to BCR1. Since the ECJ…
The long road
By Prof Ulrich Kelber, German Federal Commissioner for Data Protection and Freedom of Information (BfDI)// Recently the General Data Protection Regulation (GDPR) celebrated its second birthday. Nobody expected a wild party even before the Corona pandemic. Instead there were appropriate…
Schrems II: ECJ sets GDPR as a global standard for IT-business
In a landmark decision the ECJ declared the Privacy Shield as invalid. The data transfer from the EU to the US can no longer be based on this Agreement between the EU Commission and the US Government. The court held…