Oct. 20, 2021

Lessons From the WhatsApp Decision on GDPR Transparency Requirements: Enforcement Takeaways

The Irish Data Protection Commission’s recent €225-million fine against WhatsApp Ireland Ltd. for failure to meet the GDPR’s transparency requirements is a warning to companies to keep on top of privacy compliance. With insight from partners at K&L Gates, Seddons and Orrick, this first article of our two-part series on key takeaways from the case covers the impetus and focus of the DPC’s investigation, its treatment of what constitutes personal data, how to handle regulator inquiries and the increase in remedial obligations found in E.U. regulators’ decisions. Part two will offer practical steps on building a strong foundation for a compliant global privacy program. See “Irish DPC Helen Dixon on GDPR Enforcement Hurdles One Year In” (May 29, 2019).

Collective Actions in the U.K. After Lloyd v. Google

In the U.S., class action suits permeate a wide range of sectors, such as fast-moving consumer goods, securities and accounting. In contrast, England’s class actions regime is nascent, and privacy is one area where class action-style cases have been making some headway. In this guest article, Keily Blair and Lara Nonninger, attorneys at Orrick, discuss the ongoing Lloyd v. Google case, five other factors driving data protection representative actions in the U.K., how companies can respond and the collective action landscape across the E.U. See Orrick’s two-part series on how the Google decision opens the door for American-style class action in the U.K.: “Analyzing What Constitutes Harm” (Jul. 8, 2020); “Six Ways to Avoid Liability” (Jul. 15, 2020).

U.K. Data Privacy Officers Discuss Challenges and Concerns

Data privacy officers (DPOs) in the U.K. have less confidence in their companies’ compliance, and day-to-day tasks, such as handling data retention issues and data subject requests, remain a significant challenge. These are among the findings in the U.K. Data Protection Index, a quarterly survey of 465 U.K. DPOs that helps track trends and evolving opinions. At the recent GRC Forum, a panel of DPOs shed light on some of the results of the September 2021 survey and the trends they are seeing. See “Getting to Know the DPO and Adapting Corporate Structure to Comply With the GDPR (Part One of Two)” (Jan. 25, 2017); Part Two (Feb. 8, 2017).

Gibson Dunn Expands Privacy Bench in San Francisco

Rosemarie Ring has joined Gibson Dunn as a partner in the privacy, cybersecurity and data innovation practice, where she specializes in privacy and consumer class actions and intellectual property disputes. For insight from Gibson Dunn, see “CISA and DHS Counsel Explain Cybersecurity Executive Order’s Key Provisions” (May 26, 2021).