Jan Dhont

Subscribe to Jan Dhont's Posts

On April 14, 2020, the European Data Protection Board (the EDPB) published a letter in response to the European Commission’s call for consultation (the letter) regarding its recommendation on the use of mobile applications and location data to fight the COVID-19 outbreak.

As previously reported in our blog post, the European Commission’s recommendation sets out a “toolbox” of measures to be implemented across EU member states to address the use of technology in combating the spread of the COVID-19 pandemic. In its letter, the EDPB sets forth data privacy and information security measures that app developers should consider when developing mobile applications to inform individuals or monitor infected persons (COVID-19 mobile apps).
Continue Reading The EDPB Responds to the European Commission’s Recommendation on COVID-19 Mobile Apps

On April 8, 2020, the European Commission (the Commission) released its recommendation for a pan-EU approach on the use of technology and data to combat the COVID-19 pandemic (the Recommendation).

The Commission calls for the creation of a “toolbox” consisting of practical measures taken at the EU level to address the use of mobile applications to inform individuals or monitor infected persons (COVID-19 mobile apps) and address the use of anonymized population data to analyze the evolution of the pandemic in the EU. While the Recommendation does not specify the measures to be included in the toolbox, it provides a roadmap to promote the harmonization of these measures across all EU member states.
Continue Reading European Commission Calls for a Common Approach to COVID-19 Apps and Anonymized Data Use

The General Data Protection Regulation (GDPR) does not just impact companies located in the European Economic Area (EEA). It has a “long-arm” provision which may subject foreign companies to its jurisdiction. There is a fair amount of uncertainty regarding how this provision may be applied. The European Data Protection Board (EDPB) has recently issued updated guidelines that shed some light on how national Supervisory Authorities are expected to interpret the extra-territorial reach of the GDPR (guidelines).[1] This article focuses on one aspect of the guidelines that may negatively affect vendors located outside the EEA.
Continue Reading Non-EEA Based Vendors Caught by GDPR’s Long-Arm Provisions

On December 10, 2019, the Danish Supervisory Authority (SA) published its final version of Standard Contractual Clauses (SCCs) that data controllers and processors may use to satisfy the General Data Protection Regulation (GDPR) obligation to enter into a data processing agreement.

The Danish SCCs have been reviewed and approved by the European Data Protection Board (EDPB). Accordingly, they constitute an official template containing the contractual provisions that the Danish SA and the EDPB consider important. Because the Danish SCCs have been examined by all EU Supervisory Authorities and approved by the EDPB, they may become the model for data processing agreements across the EU.
Continue Reading On the Final Publication of the Danish Standard Contractual Clauses for Vendor Agreements: A New Standard?

On December 19, 2019, the Advocate General (AG) of the highest EU Court (the Court of Justice of the European Union (CJEU)) issued his opinion in Schrems II[1] (the opinion). Wilson Sonsini previously covered the key points of the opinion in our Alert of December 20 and now provides a more detailed analysis in this contribution.

At stake in this case is the validity of two key EU data transfers mechanisms, the Standard Contractual Clauses (SCCs) and the EU-U.S. Privacy Shield. The SCCs allow companies to transfer personal data to any country outside of the European Economic Area. The Privacy Shield enables transfers specifically from the EU to the U.S.
Continue Reading CJEU Advocate General Confirms Validity of EU Data Transfer Tools

On July 29, 2019, the European Court of Justice (ECJ) issued its decision in FashionID (Case C-40/17), determining that website operators are jointly liable with plugin providers for data collection and transmission through social media buttons and other embedded plugins. Although the ECJ found the operator and plugin provider to be jointly liable, the court placed the burden on the website operator to provide notice and, where necessary, obtain consent for the joint activity. Further, the court found the plugin provider to be independently responsible for any subsequent use of the data. The decision will likely prompt regulators to closely scrutinize the use of third-party plugins.
Continue Reading Website Operator Jointly Liable for Data Collection and Transmission Through Facebook “Like” Button