The European Union (EU) has revised its Cybersecurity Directive (NIS2). The new rules will apply to a wide range of companies in many sectors, create new cybersecurity obligations, and impose high fines for noncompliance. EU countries have until October 17, 2024, to transpose the new rules. As the deadline approaches, companies should assess the impact on their cybersecurity strategy. This alert summarizes the key obligations for businesses.Continue Reading NIS2: Preparing for EU’s New Cybersecurity Rules
Joanna Jużak
EU Court of Justice Landmark Ruling on Digital Advertising and GDPR Compliance
By Cédric Burton, Joanna Jużak & Sebastian Thess on
Posted in European Union, Privacy
On March 7, 2024, the European Court of Justice (CJEU) issued a landmark ruling on digital advertising and the concepts of personal data and joint controllership under the General Data Protection Regulation (GDPR).Continue Reading EU Court of Justice Landmark Ruling on Digital Advertising and GDPR Compliance
European Commission Proposes New Rules for Cross Border GDPR Enforcement
Posted in Privacy
On July 4, 2023, the European Commission (EC) published its proposal for a regulation laying down additional procedural rules for the enforcement of the EU General Data Protection Regulation (GDPR) (proposal). The proposal focuses on procedural issues relating to handling complaints and conducting investigations in cross-border cases.1 The proposal adds to the procedural rules laid down in the GDPR and addresses certain practical issues and gaps. In particular, the proposal harmonizes at an EU-level the rules on complaint admissibility, strengthens due process rights for complainants and defendants, and streamlines cooperation between supervisory authorities (SAs, i.e., national data protection authorities or DPAs). If it is eventually enacted, the proposal would be of considerable importance in facilitating the enforcement of the GDPR in cross-border cases.Continue Reading European Commission Proposes New Rules for Cross Border GDPR Enforcement
EU Privacy Regulators Coordinate to Assess Compliance with the GDPR Rules on Data Protection Officers
Posted in Uncategorized
On March 15, 2023, the European Data Protection Board (EDPB) announced a coordinated action on the role of the data protection officers (DPOs). The data protection authorities (DPAs) will ask DPOs a series of questions…
Continue Reading EU Privacy Regulators Coordinate to Assess Compliance with the GDPR Rules on Data Protection OfficersEuropean Commission Proposes New EU Cybersecurity Rules for Software and Hardware Products
By Joanna Jużak & Tom Evans on
On September 15, 2022, the European Commission (EC) published a Proposal for a Cyber Resilience Act (CRA Proposal) that sets out new rules in the European Union (EU) for software and hardware products and their remote data processing solutions. The CRA Proposal introduces mandatory cybersecurity-related requirements and reporting obligations, including about product vulnerabilities, for manufacturers, importers, and distributors of such products. The potential sanctions include product withdrawal from the EU market and fines of up to EUR 15 million or 2.5 percent of total worldwide annual turnover for the preceding year.
Continue Reading European Commission Proposes New EU Cybersecurity Rules for Software and Hardware Products
Belgian Data Protection Authority Clarifies Key Rules on Biometric Data Processing
By Laura Brodahl, Laura De Boel & Joanna Jużak on
Posted in Cybersecurity, Privacy
On December 6, 2021, the Belgian Data Protection Authority (Belgian DPA) issued its recommendation on biometric data processing (Recommendation).[1] The Recommendation provides guidance on how to comply with the General Data Protection Regulation (GDPR) when processing biometric data.
Continue Reading Belgian Data Protection Authority Clarifies Key Rules on Biometric Data Processing
Lloyd v. Google: UK Supreme Court Rejects Data Protection Class Action in Landmark Ruling
By Jan Dhont, Nikolaos Theodorakis & Joanna Jużak on
Posted in Cybersecurity, Privacy
On November 10, 2021, the UK Supreme Court ruled[1] that class representatives in data privacy class action suits need to prove damage or distress suffered to be successful. Compensation cannot be granted simply by virtue of proving that a company violated the law. The case was heard under the UK’s pre-2018 data protection law, but the UK GDPR arguably does not change the essence of the Court’s ruling.[2]
Continue Reading Lloyd v. Google: UK Supreme Court Rejects Data Protection Class Action in Landmark Ruling