fbpx

Download free GDPR compliance checklist!

Category Archives for "Court cases"

UK Supreme Court says employer not liable for data breach by a disgruntled employee

The U.K.’s top court ruled that a British supermarket can’t be held responsible for a data breach by a disgruntled employee who leaked personal details of thousands of staff members online.

The Supreme Court concluded that the Court of Appeal had misunderstood the principles governing vicarious liability in their previous judgments in the case. This decision sets aside a significant liability risk which had arisen following the previous decisions in the case.

Source: Morrisons Wins U.K. Supreme Court Ruling Over 2014 Data Breach – Bloomberg

Class action filed against Zoom about data collection

Wexler Wallace LLP had filed a class action lawsuit against Zoom Video Communications, Inc. before the U.S. Court for the Northern District of California, for allegedly collecting the personal information of its users and disclosing such information to third parties, including Facebook, Inc.

This data transfer occurs when a Zoom user installs, opens or closes the popular Zoom iOS video conferencing application. Consumers are not meaningfully informed of these facts, and specifically that Facebook receives the data. As the complaint alleges, even information on non-Facebook users is sent to Facebook through Zoom’s video conferencing application.

Source: Zoom Privacy Lawsuit – Wexler Wallace LLP

GDPR ushers in civil litigation claims across the EU

The EU General Data Protection Regulation ushered in an enhanced private right of action for violations of the law, both for material or non-material damage.

Plaintiffs can sue for compensation based on the damage suffered. Attorneys say there’s now a significant uptick in cases brought alleging such a grievance has occurred, often as a “follow-on” to data protection authorities’ investigations. And depending on any given judge’s sympathy for plaintiffs alleging data misuse, as well as how sizable the class is, the cost to organizations could be significant.

Full article: GDPR ushers in civil litigation claims across the EU

Google’s Right-to-Be-Forgotten Fine Toppled by French Court

Google won a battle over the right to be forgotten after France’s top administrative court canceled a fine of 100,000 euros ($111,000) for failing to remove contentious search results globally.

France’s Council of State threw out the 2016 penalty, following guidance from the European Union’s highest court which last year backed the Alphabet Inc. unit by saying it should only scrub search results on European versions of its websites.

Source: Google’s Right-to-Be-Forgotten Fine Toppled by French Court – BNN Bloomberg

Brussels Court of Appeal overrules first DPA fine to a private company

On Feb. 19, the Brussels Court of Appeal overruled one of the first decisions of the Belgian Data Protection Authority in a case involving the use of an electronic ID to get a loyalty card.

The Brussels Court of Appeal held that the customer did not give her identity card and, consequently, there was no processing of her data. Therefore, according to the court, the DPA did not demonstrate an actual personal data breach.

The court still underlined there was no prejudice for a customer because they could not get a loyalty card and therefore get a discount. There is no prejudice when one possible extra benefit is lost. It would have been different if the reading of the electronic ID was required to exercise a legal or contractual right.

Source: Brussels Court of Appeal overrules first DPA fine to a private company

France issues first legal decision on facial recognition

The Administrative Court (TA) of Marseille has made its decision regarding the use of facial recognition technology at two French high schools.

In a hearing before the TA, with La Quadrature du Net, The Human Rights League, the FCPE and CGT Educ’Action des Alpes Maritimes, the installation of a facial recognition system at the entrance of two French high schools were discussed.

TA ruled against the installation of the technology, stating that its deployment violated the EU General Data Protection Regulation (GDPR), as students were not able to provide consent “to the collection of personal data in a free and informed manner.”

Additionally, the court ruled that the technology was a disproportionate measure to manage the high school, especially with other alternative measures being available and less detrimental to students’ rights.

Source: #Privacy: France issues first legal decision on facial recognition

Clearview AI facial recognition app maker sued by Vermont

The complaint alleges that the facial recognition company’s scraping of images for its database violates state privacy laws.

Vermont’s complaint alleges Clearview AI violates the state’s Consumer Protection Act by collecting facial recognition data of Vermont residents, including children, without their consent. It also alleges that the “screen scraping” Clearview AI uses to collect the data violates the state’s new Data Broker Law, which targets companies that collect and sell data on consumers.

Source: Clearview AI facial recognition app maker sued by Vermont – CNET

ACLU sues US government over its use of facial recognition at airports

The American Civil Liberties Union is suing the US government over its failure to reveal details about the use of facial recognition at airports.

ACLU and the New York Civil Liberties Union filed a lawsuit asking a federal court to order a range of federal agencies to hand over their records about the tech’s usage at airports.

The lawsuit centers on concerns that the government can use facial recognition to track our movements, and has refused to provide details about what it’s doing with the tech.

Source: ACLU sues US government over its use of facial recognition at airports

CJEU Considers the Use of CCTV and Legitimate Interests

With the use of CCTV on the rise, it has become increasingly important for controllers to find a framework in which the conflicting rights of those who are subject to such surveillance are balanced.

In its recent decision of TK v Asociaţia de Proprietari bloc M5A-ScaraAmonit, the CJEU considered whether the processing carried out by CCTV cameras was necessary and proportionate for the purposes of legitimate interests pursued by the controller. The CJEU re-emphasised that the legitimate interests condition requires processing to apply only so far as “strictly necessary”.

Source: CJEU Considers the Use of CCTV and Legitimate Interests

Advocate General delivers opinion on GDPR consent

On March 4, 2020, Advocate General Szpunar (“AG”) delivered his opinion in the case C-61/19 Orange România SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP).

The AG concluded that a printed telecommunication contract stating that customers consent to the processing of a copy of their identification card does not meet the strict requirements for consent of the GDPR, even if the customers are orally informed that they can refuse their consent by writing this by hand on the contract.

Source: Advocate General delivers opinion on GDPR consent

1 2 3 31
>