Welcome to Last Week in Privacy! Each week, OneTrust’s in-house privacy experts will give you the top international privacy industry highlights from last week.

  1. Italy: Garante publishes DPO handbook
    The Italian supervisory authority (the Garante) published a handbook for data protection officers in collaboration with the Spanish, Croatian, Bulgarian and Polish data protection authorities, as part of the EU-funded “T4DATA (Training for Data)” project. In particular, the DPO Handbook offers guidance for data protection officers in both the public and private sectors on how to ensure compliance with the GDPR. According to the Handbook’s authors, it is intended to translate the new and demanding tasks of the DPO into “practical, sound, documented guidance and advice” and consists of three parts: first, an introduction to the concepts of confidentiality, privacy and data protection and a history of data protection law; second, an overview of the key elements of the GDPR, with a focus on the accountability principle and the role of the DPO; and third, practical guidance on how DPOs should fulfill their tasks, with real-life examples.
  2. Ireland: Irish DPC Announced Final Investigative Reports on Facebook GDPR violations
    The Irish Data Protection Commission announced that it had given Facebook copies of its final investigative reports for some of the cases it opened against Facebook under the GDPR, and plans to send a select number of draft decisions on those cases, along with proposed fines and sanctions, to other EU member state supervisory authorities by the end of September. According to European officials, the approval process for those fines could go until the end of 2019 or into early 2020.
  3. Ireland: Irish DPC investigates Department of Employment Affairs and Social Protection
    Thee Irish DPC could also be the first to issue fine against a public body under the GDPR. The DPC started an investigation of Ireland’s Department of Employment Affairs and Social Protection last year after discovering that senior officials changed an online notice that stated the agency collected biometric data and interfered with the agency’s data protection officer. According to reports, the agency faces a fine of up to 1 million euros, and has also been ordered to bring into compliance with the GDPR the processing of personal data in connection with Public Service Cards, which are used for services such as issuing drivers licenses, passports, making welfare benefit decisions, and more.
  4. USA: Ninth Circuit Court affirms BIPA class action decision against Facebook
    A 35 billion dollar class-action lawsuit has survived a recent legal challenge and will advance after a Ninth Circuit Court of Appeals ruling. The original case regards allegations from 2015 that Facebook’s facial-recognition mapping technology dating back to 2011 violated the Illinois Biometric Information Privacy Act by collecting, using, and storing biometric identifiers from the plaintiffs’ photos without obtaining consent or establishing a compliant retention schedule. The Court ruled that Facebook’s development of a face template using facial-recognition technology without consent invades an individual’s privacy, and disagreed with Facebook on the issue of whether the plaintiffs alleged any concrete harm, ruling that the plaintiffs did in fact have sufficient grounds to sue. Facebook has stated that it will continue to fight the suit on other grounds.
  5. OneTrust Achieves World’s First ISO 27701 Certification
    The International Organization for Standardization recently published ISO 27701, an extension to ISO 27701 for Privacy Information Management. After completing its certification audit, OneTrust received the world’s first ISO 27701 certification for a Privacy Information Management System, with the help of the OneTrust Privacy, Security and Third-Party Risk Management suite of technology.Built on top of ISO 27001, which more than 60,000 organizations have certified to date, ISO 27701 is a highly anticipated standard that is expected to be the first privacy management certification to get mainstream adoption, and may eventually serve as the basis for a certification mechanism under the GDPR. ISO 27701 details the necessary provisions for establishing, implementing, maintaining, and continually improving a Privacy Information Management System, and provides practical guidance that can be used by both data controllers and data processors to build and manage their privacy program.To learn more about ISO 27701 and how you too can get certified, visit onetrust.com and be sure to register for next week’s webinar led by OneTrust’s Director of Privacy, Andrew Clearwater.


That’s all for Last Week in Privacy. Thanks again for watching, and I’ll see you next time.