Greetings from Brussels!

I was in discussion recently with a Belgian friend regarding the Belgian DPA and its enforcement of the GDPR. One comment I heard, which I think is a fair one, is that there’s notably less media attention given here to GDPR infringement and enforcement and to the DPA, in general, compared to other EU member states. That aside, I did find the details of one recent enforcement that may be of interest to you.

On 19 Sept., the dispute chamber of the Data Protection Authority imposed an administrative fine of 10,000 euros for a GDPR breach by a merchant retailer that required an electronic identity card to create a loyalty card as part of its commercial offering. Interestingly for the anglophones among you and to put into context, in Belgium as in other continental European countries, such as France, there is a national identity card that one is legally obligated to carry on their person at all times. Invariably, the ID card can and is used as a confirmation of identity in both public (administration) and commercial scenarios; the card also contains a readable chip with additional personal data.

In this particular investigation, the DPA found that the practice of requiring access to the ID card as conditional to the loyalty scheme did not comply with GDPR’s standards on the grounds of (a) data minimization, as the electronic identity card contains much more information about the data subject than is necessary for the purposes of creating a loyalty card; and (b) consent, because customers were not offered a real (alternative) choice on whether they should provide access to the data on their electronic identity card in exchange for a loyalty card. As a result, the customers’ consent was not considered as freely given and therefore invalid. Furthermore, the DPA also found that the merchant had not sufficiently informed the complainant customer about the extent of its data-processing activities and thereby violated its information duties under the GDPR. A decent summary of the case is summarized by IAPP member Maarten Stassen, partner (and a colleague) at Crowell & Moring law firm.

The Belgian DPA also released an explanatory statement at the time. Hielke Hijmans, the president of the dispute chamber, stated, "Companies or merchants need to take a more conscientious approach when they claim all kinds of personal data for a service, especially in the absence of valid customer consent. GDPR provides principles and obligations that must serve as a guideline for the proper processing of personal data." David Stevens, the DPA president, added, "This decision is an important new step in the road to better protecting the privacy of our citizens."

On another note, if you haven’t done so already, do take a look at the insightful and concise analysis of the ongoing EU member state review of the GDPR, by IAPP Senior Westin Fellow Müge Fazlioglu. I have to agree with Müge, it will be important and of great interest for privacy pros to follow the Article 97 process until 25 May 2020, as the European Commission prepares its first evaluation and review of the GDPR.

Paul Jordan
Managing Director
IAPP Europe

Upcoming DPI Events


Learn privacy best practices and get in-depth insights into the practical and operational aspects of data protection at whichever location works best for you. Can you even choose your preferred language track? Oui, yes, ja and doch.
IAPP Data Protection Intensive Conferences
12-13 Feb. | France
9-12 March | U.K.
9-10 June | Nederland
9-10 Sept. | Deutschland

Select Your City


Perspective: EU member states comment on GDPR's application

In preparation for requirements in Article 97 of the EU General Data Protection Regulation, a host of member state delegations submitted comments to the Council of the European Union on their evaluation and review of the application of the GDPR. In all, 19 member states commented in a 72-page document released 9 Oct. Of course, there's a lot in there to chew on, but IAPP Senior Westin Fellow Müge Fazlioglu, CIPP/E, CIPP/US, has gone through the comments to assess how member states regard the application of the GDPR so far. Article 97 "has already prompted member states, supervisory authorities and other European institutions to deeply reflect upon the problems, obstacles and hindrances to the GDPR’s implementation and to share and discuss their observations and experiences with its application since it came into force last year," she writes. In this post for Privacy Perspectives, Fazlioglu offers her thoughts on the member state commentary and why privacy pros should pay attention to the process moving forward.
Full Story


New proposed Brexit deal reached, but what about data transfers?

More than three years after the U.K. voted in a referendum to leave the EU, a proposed Brexit deal is on the table just weeks ahead of an 31 Oct. deadline. U.K. Prime Minister Boris Johnson said it is a "great new deal" and that the U.K. Parliament will vote on it this Saturday, 19 Oct. The draft text of the deal released Thursday includes a section near the top on data protection, though it is far from certain if the U.K. Parliament will pass the current deal this Saturday. Bird & Bird Partner Ruth Boardman, IAPP Country Leader for the Netherlands and Privacy Management Partners' Jeroen Terstegge, CIPP/E, CIPP/US, and Hogan Lovells Partner Eduardo Ustaran, CIPP/E, offer their insights on this latest development in the Brexit saga in this post for Privacy Tracker. 
Full Story


German DPAs release GDPR fining guidelines

Germany’s Data Protection Conference, Datenschutzkonferenz, has announced it published guidelines for the country's new EU General Data Protection Regulation fine regime. In a post for his law firm, Latham & Watkins Partner Tim Wybitul, CIPP/E, wrote the guidelines will help make fines more "consistent and predictable" while fines will be higher, with larger organizations subject to steeper penalties. Wybitul adds that DSK will seek to have the European Data Protection Board adopt the new fine regime for all EU member states. (Articles are in German.) Editor's Note: Wybitul previously wrote for The Privacy Advisor on German DPAs seeking a new GDPR fine model. 
Full Story


EDPB releases guidance on processing data for online services

The European Data Protection Board has published its guidelines for the data processing related to contracts for online services in the context of Article 6(1)(b) of the EU General Data Protection Regulation. The EDPB wrote that the guidelines aim to "outline the elements of lawful processing under Article 6(1)(b) GDPR and consider the concept of 'necessity' as it applies to 'necessary for the performance of a contract.'" The guidance addresses specific situations for how the law is applied, including processing for service improvement, fraud prevention, online behavioral advertising and personalization of content.
Full Story


Spanish AEPD releases PbD guidelines

The Spanish Agency for Data Protection has released “Privacy Guide from the Design” guidelines to incorporate data protection principles and privacy requirements into new products or services from conception, CEPYME News reports. The document is divided into nine sections, including defining the foundational principles of PbD and privacy engineering, as well as different strategies for the practice. The guide notes "establishing a framework that guarantees data protection does not represent an obstacle to innovation, but rather offers advantages and opportunities for ... organizations, market and society as a whole." (Original articles are in Spanish.)
Full Story


How to conduct background checks under GDPR

Employees are often considered the weakest link in organizational security, and in order to potentially mitigate risk brought on by staff, an entity may wish to conduct a background check to vet the people they ultimately hire. In this piece for The Privacy Advisor, HCL Technologies Privacy Office Senior Manager Piotr Foitzik, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, looks at how to perform a background check under the EU General Data Protection Regulation. Foitzik breaks down what organizations should do when they process special categories of data and the role local laws play in the process.
Full Story


ICO looks at considerations for using AI to fulfill DSARs

As part of its ongoing call for input for its framework for auditing artificial intelligence, the U.K. Information Commissioner's Office looks at the challenges organizations may face as they craft AI systems designed to help fulfill data subject access requests. ICO Research Fellow in Artificial Intelligence Reuben Binns writes about the use of AI systems for access, erasure and rectification requests under the EU General Data Protection Regulation and where potential exemptions may pop up. Meanwhile, ICO Executive Director for Technology Policy Simon McDougall offers his takeaways from the recently concluded TechSprint event hosted by the Financial Conduct Authority.
Full Story


Study: Ireland tops list for protecting privacy of citizens

A Comparitech survey shows Ireland tops the list of 47 countries in protecting the privacy of its citizens, the Bangkok Post reports. The study assessed privacy protection and the state of surveillance in the countries surveyed, examining several categories, including the use of biometrics and data sharing and retention laws. Ireland scored 3.2 out of 5, topping the list due to its Data Protection Commission’s active role and general resistance toward the introduction of biometrics on ID cards. China, Russia, India, Malaysia and Thailand ranked among the worst in privacy protection, with China being the worst with a 1.8 out 5.
Full Story

Sponsored Content

Reduce time to compliance using push knowledge with Nymity’s Research & Alerts solutionLearn More

Stay current with accurate and relevant privacy law information from regulators, courts and law makers. Minimize time to CCPA, GDPR and global compliance with daily updated interactive maps and charts, privacy and cybersecurity law trackers, Nymity Frameworks & Thought-Leadership, annotations, and operational impact summaries.

Book a Demo


French minister offers warning about European use of AWS

French Junior Economy Minister Agnes Pannier-Runacher said Europe is running out of time if it ever wishes to wean itself off Amazon Web Services, Reuters reports. She added if Europe cannot find an alternative to AWS within 24 months, the region runs the risk of "a loss of sovereignty. This is what I’m hearing from experts, including French people in Silicon Valley, who underline how worrisome this situation is."
Full Story


Roundup: Canada, EU, Sri Lanka, UK, US and more

In this week’s Privacy Tracker global legislative roundup, the pieces to the California Consumer Privacy Act puzzle began falling into place. Also in the U.S., the Federal Trade Commission continued its review of the Children’s Online Privacy Protection Act, a group of House Democrats is throwing support toward a new federal privacy bill, and California has put a ban on police using facial-recognition software. The European Data Protection Board offered new guidance on a particular form of data processing, and Sri Lanka has drawn up a final draft of its data protection law. (IAPP member login required.) 
Full Story

Sponsored Content

2.0 CCPA Master Class

Over 12,000 people have joined the CCPA Master Class series where we dive into key areas of the CCPA, including consumer rights, do not sell, targeted data discovery, the latest attorney general guidance and what to expect now that the amendments have been signed. Watch prerecorded webinars or join live to stay informed as we approach the January 2020 implementation deadline.

Learn More


Brave calls for strong ePrivacy Regulation in letter to EU governments

In a blog post on the company's website, Brave Chief Policy & Industry Relations Officer Johnny Ryan publicized a letter sent to EU governments that pitched for strong privacy protections in any ePrivacy Regulation proposals. "Brave’s letter, sent this morning, summarizes why a prohibition on cookie walls is necessary," Ryan wrote in the post. "It also supports the 'privacy by default' requirement for web browsers and operating systems." European Digital Rights also announced it joined four advocacy groups in sending their own letter to EU member states regarding a stringent ePrivacy Regulation.
Full Story


Op-ed: Does Ireland’s DPC funding breach EU rules?

In an op-ed, The Irish Times asks if a recent decision to fund Ireland’s Data Protection Commission at 27% of its requested increase for 2020 is a breach of EU rules. In a complaint filed with the European Commission, Castlebridge Founder and Managing Director Daragh O'Brien argued the state may have breached its obligations under the EU General Data Protection Regulation, Law Enforcement Directive and EU Charter of Fundamental Rights. The commission requested the additional funds due to the “increased volumes and complexities” of the GDPR. The Irish Times column says the underfunding potentially puts the government at risk “by leaving the commission without proper resources.”
Full Story

MetaCompliance_IAPP Banner-Roadshow_121817


Apple defends data-sharing practices

MediaPost reports Apple has defended its sharing of private search browser data, which was reported last week by Reclaim the Net. The prior report claimed Apple was sharing browser data with Google and Chinese tech company Tencent. The embedded sharing function, which is built into the Safari browser on Macs, iPhones and iPads, is mentioned in Safari's privacy policy. Login passwords for banks, email addresses and social media accounts are among the information that can allegedly be accessed and shared. Meanwhile, Fast Company reports Google's auto-delete tools are not as privacy-friendly as perceived, and The Hill reports Instagram announced a new feature to give users more control over their data.
Full Story


Nest implements tighter privacy protections

Google and Nest are working to rein in the risks of home automation, implementing a tighter set of rules for partner devices to prevent third-party-driven data breaches, The Verge reports. In a blog post Tuesday, Google laid out three ways to integrate devices, combined with protections to keep user data private and secure. A limited set of “Home Routines” can perform basic tasks that can be activated without sharing data, a new developer program will allow individuals to reprogram their own Nest devices, and the “Device Access” program allows users to control which systems have access to devices in their home. Nest has put restrictions on the companies that can participate in the program.
Full Story


Google’s machine learning-based frequency proposal raises concerns

Google is experimenting with changes to online targeting and tracking of consumers with privacy in mind, but not everyone is satisfied, Adweek reports. Google recently proposed a machine learning feature to help advertisers manage ad frequency without the use of third-party cookies. The company introduced updates to its Chrome web browser that enhance privacy and its recently unveiled Display & Video 360 feature that "can create models to predict traffic patterns" without a third-party cookie. Smart AdServer Chief Marketing Officer Michael Nevins said managing frequency while respecting privacy is laudable but primarily serves Google’s interests as it only provides value to Google's advertisers, while others say third-party verification will be needed for machine learning models. 
Full Story


Google's Osterloh speaks on Pixel data collection, regulating facial recognition

In a one-on-one interview with BBC News, Google Senior Vice President of Devices and Services Rick Osterloh discussed various privacy topics related to the Pixel 4 smartphone. Osterloh addressed recent allegations of improper data collection by a Google contractor that worked on weeding out bias with the Pixel 4's facial-recognition software. Regarding the retention of data despite a potential improper collection and lack of proper consent, Osterloh said, "The best approach here would be to discuss it once we've actually looked into the facts and understood what has happened." Later in the interview, he said he hopes potential facial-recognition regulations will "be clarified quickly" but "thoughtfully navigated."
Full Story


Researchers rolling out privacy-preserving AI learning system for medical analysis

ZDNet reports artificial intelligence researchers from big tech company Nvidia and King's College London will debut a new federated learning system that will allow doctors to collaborate on cases without sharing patient data. The new system will help neural networks function on decentralized data that follows an algorithmic model at different locations. The anonymized data is created through partial system contributions from network participants and the injection of white noise.
Full Story


Microsoft's Smith: Privacy has reached a 'crisis point'

Microsoft President Brad Smith is calling for antitrust laws to be updated for the digital age, CNN reports. Smith said in an interview businesses should calculate how much consumer data it has instead of calculating market share when trying to determine if it's a monopoly. He also said privacy has reached a "crisis" point, "and it would benefit us to treat it that way," calling for a federal U.S. privacy law similar to the EU General Data Protection Regulation. He recommended U.S. businesses get ahead of the curve and offer those rights to customers now rather than later.
Full Story


Cyberattacks target nearly half of small businesses

CNBC reports nearly half of small businesses are targets of cyberattacks, yet only 14% can defend against the attacks, according to a new study from Accenture. Additionally, insurance carrier Hiscox revealed the attacks cost small businesses $200,000 in damages, causing 60% of them to close within six months after the initial attack. Despite the increased attacks and cost they inflict, key decision-makers "believe they're unlikely to be targeted by online criminals," according to the report. MedReview Chief Technology and Security Officer Dan McNamara noted, "It’s important to take a multi-faceted approach to cybersecurity."
Full Story


Snowden: Encryption is vital to privacy

In an opinion piece for the Guardian, U.S. National Security Agency whistleblower Edward Snowden says without encryption, "our public infrastructure and private lives will be rendered permanently unsafe." The primary method of keeping digital communications safe, Snowden says, is at risk with governments of the U.S., U.K. and Australia attempting to undermine the process. Security leaders have co-signed an open letter demanding Facebook abandon its proposals that incorporate end-to-end encryption in its Facebook Messenger and Instagram messaging app. If successful, "the communications of billions will remain frozen in a state of permanent insecurity: users will be vulnerable by design," Snowden writes.
Full Story


Op-ed: Protect your privacy with ‘obfuscation’

In a world where people are tracked by cameras, cellphone data, travel logs, online purchases and more, the costs of "opting out" of surveillance and data-collection systems are "high and getting higher," New York University Department of Media, Culture, and Communication Assistant Professor Finn Brunton and Cornell Tech Information Science Professor Helen Nissenbaum write in an op-ed for Quartz. They write that while it is not possible for everyone to opt out, there are ways to carve out "resistance" to the constant tracking of surveillance. "There is no simple solution to the problem of privacy," but an "obfuscation approach" offers "ways to carve out spaces of resistance, counterargument, and autonomy," they write.
Full Story

All Current Job Listings


Don’t let language be a barrier to IAPP GDPR Ready Training. Sign up for the French-language GDPR Ready class in Paris this November to learn the essentials of European Union data protection practice and privacy program management. Register to raise your value as a data protection professional and open new career options.
IAPP GDPR Ready Training
4-7 Nov. | Paris

Register Today

Anyone working in health care must be familiar with handling sensitive information. “Privacy Essentials for the Healthcare Industry,” a new unit in the IAPP Privacy Core® e-learning library, explores principles like data minimization, the data life cycle and privacy laws for health data.

Learn More

Copyright© 2000–2021 International Association of Privacy Professionals.
The views in this eNewsletter, if any, are those of the authors and are not necessarily those of the IAPP.

75 Rochester Ave., Suite 4, Portsmouth, NH 03801 USA +1 603.427.9200

This email was sent by: INTERNATIONAL ASSOCIATION OF PRIVACY PROFESSIONALS, 75 Rochester Ave., Portsmouth, NH 03801 USA +1.800.266.6501. This email was sent to you at You received this email because you are a member of International Association of Privacy Professionals (IAPP) or you provided your email address to us. We respect your right to privacy; view our privacy statement.

Manage Email Subscriptions


You cannot unsubscribe from IAPP listserv emails via this link. To unsubscribe from the IAPP Privacy List or IAPP Women Leading Privacy List, please use the unsubscribe links at the bottom of those emails.