June

The European Union's (EU) Article Working Party recently revealed a number of General Data Protection Regulation (GDPR) application guidance documents.
 
The mandatory Data Protection Officer (DPO) role can be confusing to organizations who question the terms "core activities" and "large scale". The guidance recommends those in doubt should err on the side of appointing a DPO. This individual should be a professional who is qualified to determine the organization's compliance with national and European data protection laws and practices, including an in-depth understanding of the GDPR.
 
The new data portability law under Article 20 of the GDPR allows data subjects to receive from any controller, in a machine-readable format, the personal data they provided "knowingly and actively" to the controller and any personal data generated by their activity. The WP29's guidance for establishing a lead data protection authority to lead the "one-stop shop" mechanism details cross-border processing and illustrates sample scenarios for choosing a DPA.
 
And, finally, details on the EU-U.S. Privacy Shield include further definition of the framework for transferring personal data to the United States.

A Romanian website that says it is dedicated to keeping "information free and open" is raising questions about how much personal information should be included in Canadian legal rulings.
 
Over the past year, almost 100 people have complained to the Canadian Legal Information Institute (CanLII), after reading legal decisions that mention their names through Google searches. The complaints CanLII has fielded stem not from decisions posted on its own website, but on a site hosted in Romania that asks for a fee for quick removal of personal information.
 
The situation has highlighted the growing tension between open access to public information and the desire to protect personal privacy in the digital age.

This month, the U.S. District Court for the Northern District of California declined to preliminarily approve a class action settlement of the Fair Credit Reporting Act (FCRA) claim because the payment to class members was unreasonably low.
 
In Lagos v. Leland Stanford Junior University, the plaintiff filed the class action, alleging the defendant violated the background check disclosure provisions of the FCRA, specifically that it was not a stand-alone document.
 
After months of litigation, the parties settled on a settlement that would pay each class member a net amount of $13.82, demonstrating an 86% discount between the settlement amount and the minimum statutory damages ($100) if the plaintiff fully prevailed on his claim was not warranted.