The European Union’s top court ruled last week that the operator of a Facebook fan page is a “joint controller,” along with Facebook, with respect to personal data collected on such pages.

The General Data Protection Regulation (GDPR), which is effective May 25, 2018, requires notification to European regulators within 72 hours of the discovery of many types of data breaches. This deadline requires speed and organization that no other jurisdiction currently requires, especially in the United States. Organizations that hold personal data of EU residents and do not have an incident response plan should promptly develop one so they can comply with the GDPR’s requirements.

Any individual, corporation, business trust, estate, trust, partnership, limited liability company, association, joint venture, government, governmental subdivision, agency, or instrumentality, public corporation, or any other legal or commercial entity (collectively, Entity) that owns or licenses computerized data that includes an IA resident’s PI that is used in the course of the Entity’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security.

The compliance deadline for the European Union's General Data Protection Regulation (GDPR) is nearly upon us, the unveiling of a proposed model to bring WHOIS into compliance is said to come from ICANN next week, and everyone is scrambling to understand all that's involved.

The European Commission recently released technical input on ICANN's proposed GDPR-compliant WHOIS models that underscores the GDPR's "Accuracy" principle — making clear that reasonable steps should be taken to ensure the accuracy of any personal data obtained for WHOIS databases and that ICANN should be sure to incorporate this requirement in whatever model it adopts. Contracted parties concerned with GDPR compliance should take note.