On February 2, 2022, the UK privacy regulator (i.e., the Information Commissioner’s Office or the ICO) issued new model clauses to support data transfers from the UK. Subject to approval by the UK Parliament, the new model clauses will become effective March 21, 2022. Companies transferring personal data outside the UK will have until March … Continue Reading
On November 10, 2021, the UK Supreme Court ruled[1] that class representatives in data privacy class action suits need to prove damage or distress suffered to be successful. Compensation cannot be granted simply by virtue of proving that a company violated the law. The case was heard under the UK’s pre-2018 data protection law, but … Continue Reading
They State That Direct Collection of Personal Data by Non-EU Companies Is Not a “Data Transfer” Under the GDPR On November 18, 2021, the European Data Protection Board (EDPB) issued guidelines (Guidelines) that—for the first time—clarify the notion of “data transfer.” Departing from common understanding, the EDPB has determined that there is no data transfer … Continue Reading
On October 13, 2021, the French data protection authority (the CNIL) issued a short note (the “Note,” in French) on technologies such as fingerprinting, unique identifiers, and cohort-targeting, developed to replace traditional third-party cookies. While the CNIL acknowledges that some of these technologies are less privacy invasive than third-party cookies, it stresses that the consent … Continue Reading
On June 15, 2021, the Court of Justice of the European Union (CJEU) confirmed[1] that non-leading supervisory authorities (SAs) can initiate national judicial proceedings concerning cross-border data processing in two circumstances:[2] i) where there is an “urgent need” to act, or ii) if the case has a local impact.… Continue Reading
On May 20, 2021, the Belgian Supervisory Authority (Belgian SA) approved the EU Cloud Code of Conduct (EU Cloud CoC).[1] This is the first time that a Supervisory Authority has approved a transnational, industry-wide code of conduct under the General Data Protection Regulation (GDPR).[2] Cloud service providers (CSPs) will be able to rely on their … Continue Reading
On June 4, 2021, the European Commission published its long awaited new set of Standard Contractual Clauses for outsourced data processing (DPA SCCs). These DPA SCCs are a contract template that organizations can use to comply with the General Data Protection Regulation’s (GDPR) rules on outsourced data processing.… Continue Reading
New Set of SCCs for Data Transfers to Third Countries On June 4, 2021, the European Commission (EC) published its long awaited new set of Standard Contractual Clauses (New SCCs). This new data transfer mechanism allows for the transfers of personal data outside of the European Economic Area (EEA) and replaces the current Standard Contractual … Continue Reading
On May 12, 2021, the Dutch supervisory authority (the Autoriteit Persoonsgegevens or AP) issued a press release on a EUR 525,000 fine against Locatefamily.com for failing to appoint an EU representative, with additional penalty payments pending should the violation persist. The press release is available in English here, and the decision is available in Dutch … Continue Reading
On March 15, 2021, the Bavarian Supervisory Authority (SA)[1] issued a decision regarding the use of Standard Contractual Clauses (SCCs) to transfer personal data from the EU to the U.S. without supplementary security measures. The SA found the data transfer to be unlawful in this case, although it did not impose an administrative fine. The … Continue Reading
The Dutch supervisory authority (the Autoriteit Persoonsgegevens or AP) sanctioned the online travel booking platform, Booking.com BV (Booking), with a EUR 475,000 fine for failing to notify a data breach to the AP within 72 hours after becoming aware of it, as required by the EU General Data Protection Regulation (GDPR). The decision is available … Continue Reading
On February 10, 2021, the Council of the European Union (EU) agreed on its version of the draft ePrivacy Regulation (Council Position). The long-awaited ePrivacy Regulation, which will repeal the existing ePrivacy Directive, overhauls the rules on cookies and regulates the use of and access to electronic communications data.… Continue Reading
On February 2, 2021, the European Data Protection Board (EDPB) issued guidance on the processing of personal data for research purposes in response to questions posed by the European Commission (Document). The Document aims to provide clarity on the application of the General Data Protection Regulation (GDPR) to scientific health research. In particular, the Document … Continue Reading
On December 15, 2020, the European Commission (EC) unveiled a set of proposals to regulate digital platforms. The draft laws include antitrust-related requirements, addressed by the Digital Markets Act (DMA) and more general regulatory requirements, addressed in the Digital Services Act (DSA). The DMA/DSA package will apply to all digital services, including social media, online … Continue Reading
On December 24, 2020, the European Commission (EC) and UK government announced the long-awaited EU-UK Trade and Cooperation Agreement (the Brexit Agreement), which sets out the future relations between the EU and the UK. If approved, the Brexit Agreement will become effective on January 1, 2021, and will have the following repercussions:… Continue Reading
On November 12, 2020, the European Commission (EC) issued a draft version of a new set of Standard Contractual Clauses (New SCCs). The long-awaited New SCCs include several modules that companies can use depending on the transfer scenarios, such as controller-to-controller, controller-to-processor, and processor-to-processor data exports. The New SCCs have also been updated to reflect the high … Continue Reading
On November 11, 2020, the European Data Protection Board (EDPB), comprised of the European data protection regulators (DPAs), issued two long-awaited sets of recommendations. These recommendations are critical for any companies exporting or importing EU personal data.… Continue Reading
In a long anticipated ruling, the Court of Justice of the European Union (CJEU) confirmed on October 6, 2020 (joint-cases C-623/17 and C-511/18 et seq., “Ruling”) that general and indiscriminate transmission or retention of traffic and location data for law enforcement and national security purposes breaches EU law.… Continue Reading
On October 13, 2020, France’s high administrative court (Conseil d’État, “the Court”) rejected a request to suspend France’s centralized health data platform—the Health Data Hub—currently hosted by Microsoft in its data center in the Netherlands. In essence, the Court rejected the French DPA’s (CNIL) argument that in light of the important public interest of maintaining … Continue Reading
On October 1, 2020, the French data protection authority (the CNIL) issued the final version of its guidelines on the use of cookies and other trackers (the Guidelines), replacing a first draft published on July 4, 2019. While the main principles remain unchanged, this version provides further practical guidance for website and mobile application publishers … Continue Reading
On September 28, 2020, the U.S. Department of Commerce (DoC) published a white paper co-authored by the U.S. Department of Justice (DoJ) and the Office of the Director of National Intelligence (white paper)[1] which provides information on the safeguards under U.S. law to limit the collection of data from private companies by U.S. intelligence services. … Continue Reading
On July 16, 2020, the European Court of Justice (ECJ) declared the EU-U.S. Privacy Shield framework (Privacy Shield) invalid. The ECJ upheld the EU Standard Contractual Clauses (SCCs), but ruled that companies must verify prior to any transfer using SCCs that the parties can effectively provide the level of protection required by EU law.… Continue Reading
On May 4, 2020, the European Data Protection Board (EDPB) adopted new guidelines (the guidelines) regarding the use of consent as a legal basis for processing personal data under the General Data Protection Regulation (GDPR).[1] The guidelines update and replace the Article 29 Working Party’s April 2018 guidance on the same topic. The guidelines remain … Continue Reading
On April 21, 2020, the European Data Protection Board (EDPB) published two sets of guidelines addressing data processing in the context of the COVID-19 pandemic. These guidelines address the use of location data and contact tracing tools to combat the spread of COVID-19 and the use of health data for the purposes of scientific research into COVID-19 (together, the … Continue Reading