Privacy and Data Protection Law

  In the last months, several fines have been issued against organisations for unlawful cookie practice, GDPR and electronic communications code breaches. For instance, the French data protection authority ('CNIL') fined Carrefour Banque €800,000 for failures under GDPR to provide adequate and complete information on its website in accordance with Article 13 of the GDPR on the right to be informed as well as for placing cookies on users' devices upon their access of the website, without first having obtained users' consent to the application of cookies. The Spanish data protection authority ('AEPD') fined Miguel Ibanez Bezanilla SL €3,000 for unlawful cookie practices and lack of security measures. In particular, following an individual complaint, the AEPD found that, in relation to Miguel Ibanez Bezanilla's cookie practices, the website does not present a first layer or banner providing information on cookies, as well as that, within the 'privacy noti...

  The French data protection authority ('CNIL') issued, on 18 November 2020, Deliberation No. SAN-2020-009 fining Carrefour Banque €800,000 for failures under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), Act No.78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties ('the Act'), and the Post and Electronic Communications Code. In particular, CNIL found that Carrefour Banque had failed to provide adequate and complete information on its website, as well as information on the subscription of users with the 'pass card' online subscription in an easily comprehensible format, thus breaching Article 13 of the GDPR on the right to be informed. Moreover, CNIL held that Carrefour Banque had breached Article 82 of the Act by automatically placing cookies on users' devices upon their access of the website, without first having obtained users' consent to the application of cookies. Lastly,...

The Information Commissioner's Office ('ICO') announced, on 26 November 2020, that a director of AMS Marketing Limited, a telephone marketing company, who made over 75,500 unsolicited marketing calls, was banned by the Insolvency Service for six years, following the receipt of 71 complaints by the Telephone Preference Service ('TPS') and a further 31 complaints by the ICO. In particular, the ICO highlighted that AMS Marketing should have used the TPS list before making these marketing calls to remove the numbers of individuals who had elected not to receive unsolicited calls. Furthermore, the ICO highlighted that a fine of £100,000 is outstanding which would be issued by the ICO, and that the director was disqualified after they did not dispute that they had caused their company to breach Regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 in making the marketing calls. You can read the press release here .  

The Court of Justice of the European Union ('CJEU') published, on 24 September 2020, a summary of the request for a preliminary ruling from the Federal Court of Justice ('Bundesgerichtshof') concerning a claim against Google, LLC for the de-refencing of links in the search engine results that lead to third party online articles identifying individuals, as well as an order requiring Google to cease displaying photographs of those individuals in the form of thumbnails. In particular, the questions referred to the CJEU for the preliminary ruling were, among others, whether a data subject's right to private light as protected under Article 7 of the Charter of Fundamental Rights of the European Union is affected when the link which is the subject matter of the de-referencing request leads to factual claims whose truth is contested by the data subject. Furthermore, in the context of a de-referencing request to a data controller of a search engine provider, ...