Welcome to “Last Week in Privacy!” Each week, OneTrust’s in-house privacy experts will give you the top international privacy industry highlights from last week.


Here’s a quick recap of last week’s top privacy industry headlines:

  1. The French Data Protection Authority, the CNIL, released a report on the number of personal data breach notifications they have received since the GDPR went into effect. According to the report, from May 25th to October 1st, 742 data breaches were reported to the CNIL, affecting a total of 33,727,384 individuals. Of the reported breaches, 421 were the result of phishing and attacks on software. The hospitality industry led with 185 notifications, 65% of the total breaches were the cause of external malicious attacks, while 15% were from employee human error.
  2. Canada’s new breach notification requirements under the Personal Information Protection and Electronic Documents Act came into effect on November 1st. As a result, organizations who are subject to PIPEDA are now required to notify the Canadian Privacy Commissioner and any affected individuals of a personal data breach if it is reasonable to believe that the breach creates a real risk of significant harm to an individual. Unlike the GDPR’s 72 hour requirement, however, PIPEDA’s new breach notification requirements do not set a defined timeframe for notification to occur, and instead simply state that notification must occur as soon as feasible. Official guidance on the new requirements has been posted on the Canadian Privacy Commissioner’s website.
  3. A Portuguese hospital recently announced that it had been fined 400,000 euros by the Portuguese data protection authority for GDPR violations back in July. According to reports, an investigation by the Portuguese DPA revealed that many hospital staff had unauthorized access to patient data through the use of false profiles, and the DPA concluded that the hospital had not put in place appropriate technical and organizational measures to protect the data, and that despite using the IT system provided by the Portuguese Health Ministry that it was ultimately the hospital’s responsibility to ensure compliance with the GDPR. The hospital announced that it is contesting the fine.
  4. In the U.S., the debate over comprehensive federal privacy legislation continues, with the latest draft coming from Democratic Senator Ron Wyden of Oregon. The controversial draft proposes a do-not-track system for consumers to opt out of certain types of data sharing and would give the Federal Trade Commission power to administer fines and require corporate executives to submit annual data protection reports. Most notably, the bill also includes prison time for corporate executives who intentionally mislead the FTC. The draft just is one of many bills that have been proposed, and more are expected to follow suit as the discussion of comprehensive federal privacy legislation in the U.S. rages on.

That’s all for this week, be sure to join us next week for Last Week in Privacy.

Wanting more from our privacy team? Read Brian Philbrook and Andrew Clearwater’s latest posts in CPO Magazine and in IAPP The Privacy Advisor.