On Monday September 7, 2020, the European Data Protection Board (EDPB) issued draft Guidelines 8/2020 on the targeting of social media users (the “Draft Guidelines”). The Draft Guidelines have far-reaching implications for social media platforms, advertisers, and adtech companies, as they will result in a clarification of the roles and responsibilities of the key stakeholders, and establish rules for consent.

The Draft Guidelines are open for public consultation until October 19, 2020. Interested companies can submit their comments to the EDPB.
Continue Reading EDPB Issues Guidelines on Social Media Targeting Under GDPR

On July 16, 2020, the European Court of Justice (ECJ) declared the EU-U.S. Privacy Shield framework (Privacy Shield) invalid. The ECJ upheld the EU Standard Contractual Clauses (SCCs), but ruled that companies must verify prior to any transfer using SCCs that the parties can effectively provide the level of protection required by EU law.
Continue Reading ECJ Invalidates EU-U.S. Privacy Shield and Upholds the Standard Contractual Clauses

On February 7, 2020, the European Data Protection Board (EDPB) published draft guidelines on the processing of personal data in the context of connected vehicles and mobility related applications. If adopted in their current form, the draft guidelines will have far-reaching consequences for connected vehicles and mobility applications that operate in Europe. They contain detailed interpretations of the General Data Protection Regulation (GDPR) and related laws. Notably, the draft guidelines apply the EU cookie rules to connected vehicles, requiring granular consent to collect both personal and non-personal data from connected vehicles.
Continue Reading EU Privacy Regulators Issue Draft Guidelines on Connected Vehicles and Mobility Applications

The year 2020 promises to be an interesting one for privacy and data protection in Europe. In this post, we highlight four of the most important developments to watch this year: 1) we expect that European Union (EU) regulators will ramp up GDPR enforcement across the board, and with a particular focus on AdTech, cookies, and children’s data; 2) legislators and regulators are looking to take concrete measures on AI; 3) the Standard Contractual Clauses will likely have to undergo major reform to escape the same fate as the now-defunct Safe Harbor Framework; and 4) we expect that the proposed ePrivacy Regulation will move forward or be withdrawn altogether.
Continue Reading European Privacy Landscape: What to Expect in 2020

On October 1, 2019, the European Court of Justice (ECJ) delivered its judgment in Planet49 (C-673/17), holding that (1) website operators must obtain active opt-in consent to store or access cookies, (2) users must be informed about the retention period and the third party receiving the data, and (3) consent must be obtained regardless of whether the cookies contain personal data.

This ruling will likely prompt regulators to scrutinize cookie policies and consent mechanisms. Therefore, website operators and all parties involved in the adtech sphere should consider reviewing their notice and consent strategy for cookies to ensure that users receive sufficient information prior to consenting, and that cookies are not installed on an opt-out basis.
Continue Reading ECJ: Cookies Require Active Opt-In Consent

On July 29, 2019, the European Court of Justice (ECJ) issued its decision in FashionID (Case C-40/17), determining that website operators are jointly liable with plugin providers for data collection and transmission through social media buttons and other embedded plugins. Although the ECJ found the operator and plugin provider to be jointly liable, the court placed the burden on the website operator to provide notice and, where necessary, obtain consent for the joint activity. Further, the court found the plugin provider to be independently responsible for any subsequent use of the data. The decision will likely prompt regulators to closely scrutinize the use of third-party plugins.
Continue Reading Website Operator Jointly Liable for Data Collection and Transmission Through Facebook “Like” Button

In yet another round of Schrems versus Facebook, on January 25, 2018, the Court of Justice of the European Union (CJEU) ruled that privacy activist Max Schrems is a consumer with regard to his Facebook
Continue Reading Court of Justice Dismisses Privacy Class Action Against Facebook but Allows Max Schrems to Sue in Austria