On July 5, 2019, the UK’s Data Protection Authority (ICO) issued its “Guidance on the use of cookies and similar technologies” (the Guidance) along with a brief explanatory blog post. At the same time the ICO updated its own website cookie notice and consent, leading by example. The ICO’s blog post makes clear that cookie compliance will increasingly be a regulatory priority, and that companies should start working towards compliance now.
Continue Reading The ICO Issues Its Cookies Guidance: Clarified Stance and Enforcement Priorities
The CNIL Sharpens Requirements on Deployment of Tracking Technologies
On July 18, 2019, the French Data Protection Authority (CNIL) issued new guidance on the use of cookies and similar tracking technologies (collectively referred to as “cookies” below).[1] The guidance clarifies the instances in which companies must obtain consent for the use of cookies and specifies the requirements for obtaining consent.
Continue Reading The CNIL Sharpens Requirements on Deployment of Tracking Technologies
The CNIL Announces Its 2019-2020 Action Plan on Ad Targeting
On June 28, 2019, the French Data Protection Authority (CNIL) released its 2019-2020 action plan on ad targeting (action plan);1 among other things, the CNIL announced that it will issue new cookie guidance later this month and that, once the guidance is published, companies will have a 12-month grace period to come into compliance.
Background
When the General Data Protection Regulation (GDPR) became effective on May 25, 2018, it imposed stricter conditions for obtaining valid consent to process personal data. In short, consent must be freely given, specific, informed, and unambiguous. Individuals must also be able to withdraw their consent at any time. The European Data Protection Board (EDPB) issued guidelines to further clarify the “do’s and don’ts” for obtaining valid consent (consent guidelines), including that scrolling down or swiping through a website is not enough to obtain valid consent. Rather, consent must be obtained via a clear and affirmative action, such as clicking on an “I agree” button.Continue Reading The CNIL Announces Its 2019-2020 Action Plan on Ad Targeting
And Then There Were None: Or How Schrems 2.0 May Invalidate the Standard Contractual Clauses and the Privacy Shield
On July 9, 2019, the European Court of Justice (ECJ)—the highest court of the European Union—will hear oral arguments in the Schrems 2.0 case relating to the validity of two key data transfer mechanisms: the Standard Contractual Clauses (SCCs) and the EU-US Privacy Shield. Both of these mechanisms are widely used by companies in the European Economic Area (EEA), which comprises the 28 EU member states plus Iceland, Liechtenstein, and Norway, to allow the transfer of personal data to the United States and other countries outside the EEA.
Continue Reading And Then There Were None: Or How Schrems 2.0 May Invalidate the Standard Contractual Clauses and the Privacy Shield
The EU Cybersecurity Act Introduces Certifications and the New Cybersecurity Agency
On June 27, 2019, the EU Regulation on Information and Communication Technology (Cybersecurity Act or Act) became effective introducing, for the first time, EU-wide rules for the cybersecurity certification of products and services (Certification). The Certification may create a competitive advantage for companies that sell their products and services in the EU. Further, the Certification may act as a catalyst to the anticipated certifications for GDPR-compliance.
In addition, the Cybersecurity Act provides for a new permanent mandate for the EU Agency for Cybersecurity (ENISA) with new responsibilities.
Continue Reading The EU Cybersecurity Act Introduces Certifications and the New Cybersecurity Agency
Belgian Facebook Case Referred to the European Court of Justice
On May 8, 2019, the Brussels Court of Appeal referred the Belgian Data Protection Authority’s (DPA) case against Facebook to the European Court of Justice (CJEU) to address jurisdictional issues regarding which DPA is competent to bring enforcement actions against Facebook. The case deals with Facebook’s collection of individuals’ data through cookies stored in Facebook’s social plugins. The Belgian DPA alleges that Facebook’s data collection is unlawful as it lacks valid consent and does not provide appropriate notice to individuals. Several courts in Belgium have already examined the issues, but it now reaches a new phase as the Brussels Court of Appeal Court referred critical questions to the CJEU dealing with the interpretation of the concept of “Lead Supervisory Authority” under the General Data Protection Regulation (GDPR).
Continue Reading Belgian Facebook Case Referred to the European Court of Justice