International Data Protection Bulletin: October 2016 – June 2017

By Ruth Boardman, Ariane Mole


Welcome to the October 2016 - June 2017 edition of our International Data Protection Bulletin. This covers a summary of enforcement in all Bird & Bird countries, as well as a selection of update articles from these countries.

The enforcement summaries give a good flavour of the different priorities and approaches of data protection authorities. Our highlights are:

  • France: the Supreme Court has considered footfall analysis using MAC addresses captured from passing mobile devices - confirming that this does involve processing of personal data, that the service provider had not effectively anonymised the data and, therefore, that it would have to comply with data protection legislation (including providing notice of data processing);
  • France: the CNIL has imposed an administrative fine on a dating website - for failure to collect explicit consent to process sensitive personal data in a compliant manner. The CNIL reinforced that, under current French law, it would not be sufficient to have one tick box combining consent to being old enough to use the site, acceptance of terms and conditions and agreement to processing sensitive personal data. For those working on GDPR requirements for consent, the decision is useful reading - as GDPR and current French requirements are very similar;
  • Italy: in another interesting case on consent, the Antitrust Authority fined Whatsapp/Facebook €3,000,000 for the way in which Whatsapp asked users to give consent to sharing of their data with Facebook. Key points were that users were given the impression that they couldn't use the app unless they gave consent, as well as the use of one 'accept' button and the fact that it was difficult for them to find and use the options not to share data;
  • There is also an interesting article from Poland on consent: GIODO has carried out an investigation into banks compliance. One main finding was on incorrect approaches to consent. GIODO emphasised that there should be separate request for consent to marketing of own products and third party products and for consent by email communications and telephone and SMS. Again, this will be of interest to those working on their GDPR compliance;
  • In Hungary, the data protection authority has now issued a decision on Weltimmo, following on from the CJEU decision. A fine of approx €28,000 was issued for failure to remove property listings on request and for an inadequate privacy policy;
  • In other news, the bulletin includes our colleagues articles on the new China cyber security law (as well as lots of examples of enforcement of data protection rules in China). There is also an article from colleagues in UAE where new rules applicable to those offering payment services have been introduced - including a data localisation requirement.

Download the PDF >