1.
Belgium | China | France | Germany | Italy | Netherlands | UK | US (Silicon Valley) | fieldfisher.com
GENERAL DATA PROTECTION REGULATION
(EU GDPR)
WHY SILICON VALLEY NEEDS TO GET IT RIGHT
MIRENA TASKOVA
1/14/2019 European Entrepreneurship & Innovation – Stanford School of Engineering

2.
Belgium | China | France | Germany | Italy | Netherlands | UK | US (Silicon Valley) | fieldfisher.com1
GDPR
Why am I here today? What will I learn?
Why the European Union GDPR matters
to US companies & consumers, and why
bother?

3.
Belgium | China | France | Germany | Italy | Netherlands | UK | US (Silicon Valley) | fieldfisher.com2
GDPR
Why am I here today? What will I learn?
What is personal data?

4.
Belgium | China | France | Germany | Italy | Netherlands | UK | US (Silicon Valley) | fieldfisher.com
3
GDPR
What constitutes personal data?
Our company’s annual
report
Your salary details Your medical information
Your name and date of
birth
NO YES YES
YES
Your anonymous response
to a survey question
MAYBE
Your photo or image on a
CCTV camera
YES

5.
Belgium | China | France | Germany | Italy | Netherlands | UK | US (Silicon Valley) | fieldfisher.com4
GDPR
What rights do data subjects have? This means you too.
I want to have
errors about me
corrected
I don’t want to
receive your
marketing letters
and promotions
I want to find out
what data you
have about me
and how you’re
using it
Does the right to
be forgotten
apply to me?
I want to be able to
take my data and
reuse it on other
platforms
Please stop using my data until
you’ve verified there is a
legitimate purpose

6.
Belgium | China | France | Germany | Italy | Netherlands | UK | US (Silicon Valley) | fieldfisher.com5
GDPR
Company Fines under GDPR
WHY WE NEED TO GET IT RIGHT
Infringements of rights, basic principles, and rules on international transfers:
• €20 million or 4% of the total worldwide turnover of the preceding
financial year (whichever is higher)
Failure to notify of data breaches:
• €10 million or 2% of the total worldwide turnover of the preceding
financial year (whichever is higher)

7.
Belgium | China | France | Germany | Italy | Netherlands | UK | US (Silicon Valley) | fieldfisher.com6
GDPR
Enforcement Actions in Europe | January 2019
Increase in Supervisory
Authorities’ activity
(local level & cross border)

8.
Belgium | China | France | Germany | Italy | Netherlands | UK | US (Silicon Valley) | fieldfisher.com7
GDPR
Enforcement | UK
ü The Information Commissioner’s Office (ICO) received 1792 breach notifications in June 2018,
compared with 367 in April 2018;
ü There have been a number of high profile breaches for which fines are possible such as British
Airways, the Conservative Party, and Facebook;
ü Supermarket chain Tesco has been fined £16.4 million by the Financial Conduct Authority for failing to
exercise due skill, care, and diligence in protecting customers against a cyber-attack (not awarded
under the GDPR);
ü The ICO, for the first time, issued its maximum fine of £500,000 against Equifax for its security breach
(not awarded under the GDPR).

9.
Belgium | China | France | Germany | Italy | Netherlands | UK | US (Silicon Valley) | fieldfisher.com8
GDPR
Enforcement | Germany
ü During the months May-July 2018, 111 data breach notifications were filed with the Data Protection
Commissioner in Berlin. In the same period in 2017, the authority received only 12 notifications;
ü The Bavarian State Authority for data protection announced random controls (audits) of companies
beginning September 2018;
ü Not aware of any sanctions under the GDPR yet. A sanction procedure takes some time to complete
due to the strict procedural rules.

10.
Belgium | China | France | Germany | Italy | Netherlands | UK | US (Silicon Valley) | fieldfisher.com9
GDPR
Enforcement | France
ü More than 600 notifications of data breaches have been received by the French DPA
involving about 15 million people - about 7 per day since May 25 2018;
ü Since May 25 2018, the French DPA has received 3767 complaints vs. 2294
complaints over the same period in 2017. This represents a 64% increase;
ü In regards to joint-actions (similar to US class action suits), two organizations have
filed complaints with the French DPA:
• “La Quadrature du Net” filed 5 separate complaints over “forced consent” against
Google, Amazon, Facebook and Apple;
• The association “NOYB” filed a complaint over “forced consent” against Google
(Android).
ü Not aware of sanctions under the GDPR yet.

11.
Belgium | China | France | Germany | Italy | Netherlands | UK | US (Silicon Valley) | fieldfisher.com10
GDPR
This is just the beginning …
On November 8, 2018 Privacy
International filed complaints
against seven data brokers (Acxiom,
Oracle), ad-tech companies (Criteo,
Quantcast, Tapad), and credit
referencing agencies (Equifax,
Experian) with data protection
authorities in France, Ireland, and
the UK.

12.
Belgium | China | France | Germany | Italy | Netherlands | UK | US (Silicon Valley) | fieldfisher.com11
GDPR
This is just the beginning …
noyb filed four complaints over “forced
consent” against Google, Instagram,
WhatsApp and Facebook. The complaints
were filed with DPAs in Austria, Belgium,
France and Germany right after GDPR
came into force.

13.
Belgium | China | France | Germany | Italy | Netherlands | UK | US (Silicon Valley) | fieldfisher.com12
GDPR
Questions?

14.
Mirena Taskova, CIPP/E
Senior Privacy Advisor
M: +1 (650) 250 3615
E: mirena.taskova@fieldfisher.com
Follow: @Fieldfisher
www.linkedin.com/in/mirenataskova
Blog: privacylawblog.fieldfisher.com