Cédric Burton

Subscribe to Cédric Burton's Posts

The EU Parliament and the EU Council recently adopted their respective versions of the Digital Markets Act (DMA) and Digital Services Act (DSA), which intend to create new antitrust-related (DMA) and regulatory (DSA) rules applicable to digital platforms.1

The adoption of the draft amendments by the EU Parliament and the EU Council constitutes a critical step towards final adoption of these laws. Now, the EU Commission (EC), Parliament, and Council are undergoing negotiations (so-called “trilogues“) to agree on a final version of the laws. The institutions could reach an agreement on the DMA and the DSA within the coming months, but it may take some time before it is enacted.
Continue Reading EU Parliament and Council Take Next Steps to Advance Major New Rules for Digital Platforms

On February 2, 2022, the Belgian Data Protection Authority (DPA) found that the Interactive Advertising Bureau Europe (IAB) Transparency & Consent Framework (TCF), a tool used to record individuals’ online ad preferences, violates the General Data Protection Regulation (GDPR). The DPA fined IAB Europe €250,000 (approx. USD 280,000), and required IAB Europe to present an action plan to bring the TCF into compliance within two months. To reach this conclusion, the DPA concluded that:
Continue Reading Belgian DPA Finds That IAB Europe’s Cookie Consent Framework Violates the GDPR

On November 26, 2021, the Court of Justice of the European Union (CJEU) held[1] that the display of advertising messages in an email inbox, in a form similar to an email, constitutes direct marketing and requires users’ consent under the ePrivacy Directive.[2]

The CJEU also held that this practice constitutes ‘persistent and unwanted solicitations’ under the Unfair Commercial Practices Directive[3] when those advertising messages are displayed to users without prior consent, on a frequent and regular basis.
Continue Reading European Court of Justice Finds That “Inbox Advertising” Is Direct Marketing

They State That Direct Collection of Personal Data by Non-EU Companies Is Not a “Data Transfer” Under the GDPR

On November 18, 2021, the European Data Protection Board (EDPB) issued guidelines (Guidelines) that—for the first time—clarify the notion of “data transfer.” Departing from common understanding, the EDPB has determined that there is no data transfer where EU data subjects disclose on their own initiative personal data directly to a non-EU company. Consequently, there is no need to implement a transfer tool in such situations. The Guidelines are open to public consultation until the end of January 2022.
Continue Reading EU Regulators Define Data Transfers

As of September 27, 2021, companies relying on Standard Contractual Clauses (SCCs) to transfer personal data outside the European Union (EU) must use the new Standard Contractual Clauses (New SCCs) when signing data processing agreements. As a result, it is time to update template data processing agreements to ensure that your company can meet this deadline.
Continue Reading Don’t Forget to Use the New SCCs to Transfer EU Personal Data as of September 27, 2021

New Set of SCCs for Data Transfers to Third Countries

On June 4, 2021, the European Commission (EC) published its long awaited new set of Standard Contractual Clauses (New SCCs). This new data transfer mechanism allows for the transfers of personal data outside of the European Economic Area (EEA) and replaces the current Standard Contractual Clauses (current SCCs). The New SCCs take into account the European Court of Justice’s (CJEU) Schrems II ruling, which invalidated the EU-U.S. Privacy Shield and requires that data exporters and importers take measures to ensure that the SCCs are effectively complied with.
Continue Reading A New Data Transfer Mechanism Is Available for EU Personal Data