Analyzing Early GDPR Enforcement: Portugal and Germany

The first major case under the GDPR has arrived in the form of a French enforcement action against Google, with a €50-million penalty for improperly disclosing to users how data is collected. It was not, however, the first Member State action since the law’s implementation in May 2018 – there have been actions in the U.K., Austria, Portugal and Germany that provide clues about how regulators will be enforcing the new law against small and mid-size companies and assessing fines, and how companies should approach privacy and security, including when they conduct cross-border investigations and perform due diligence. In this article series, we discuss recent cases with local experts, including the theft of accounts from a social media site in Germany, leading to the Data Protection Authority’s (DPA) discovery of passwords stored in plain text, as well as a hospital in Portugal that had a deficient access policy that was uncovered by a newspaper, prompting an investigation by the DPA. See “GDPR Readiness: Legal and Technological Implications for Third-Party Monitoring in the E.U. and Beyond” (Mar. 7, 2018).

To read the full article

Continue reading your article with an ACR subscription.