While one of the primary goals of the GDPR is to harmonize data protection laws across the EU, there are over 50 provisions that allow GDPR derogations by Member States.
With data privacy laws becoming a focus for many global and U.S. state governments in 2019, this year will prove to be challenging for companies as they attempt to comply with the many regulations pertaining to the personal data of customers.
France’s data protection watchdog CNIL has published a set of guidelines to provide GDPR guidance on web scraping for direct marketing and recommended actions to businesses.
In our first article on the European Union General Data Protection Regulation (Regulation (EU) 2016/679 or ‘GDPR’) we focused on the global territorial scope of the new rules and how they could affect businesses based in Asia. In particular, we highlighted how the enhanced rights of data subjects in the EU and the expanded obligations on data controllers and data processors — even if they are located outside the EU — provide much for businesses to consider as they become compliant with the new rules. In this second article, we will focus on the new regulatory-enforcement regime and international data transfers, and then draw comparisons with the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system.
The Google GDPR fine has demonstrated that most historical data, analytics & AI, and decentralized processing are illegal under the GDPR. Companies must focus on more than consent to legally process analytics and AI when those processes cannot be described with the required specificity and voluntariness at the time of data collection.
With the Privacy Shield under fierce criticism, there is now consideration for the European Commission to grant “adequacy” to an individual US state – California with its CCPA.
With the recent major GDPR cases on Facebook and Google, DPOs at smaller companies are getting worried and challenged in ensuring terms and conditions and privacy notices are not mixed up.
Out of all six legal bases for processing offered by the GDPR, consent and legitimate interests are the legal bases most likely to be relied upon to justify direct marketing. Where the direct marketing involves electronic communications, however, things get muddy.
With 117 GDPR omnibus laws, 28 CCPA sectoral laws and more amendments coming up for the CCPA and LGPD, how do you keep your privacy program afloat?