Over the last few days, the European Data Protection Board (EDPB), the European Data Protection Supervisor (EDPS) and various Supervisory Authorities (SAs) across Europe issued statements addressing the decision of the European Court of Justice (ECJ) to invalidate the EU-U.S. Privacy Shield framework (Schrems 2.0). Below we summarize some of the main reactions.

The EDPB is working on a set of FAQs that will hopefully provide some level of clarification on key issues that companies now face. The EDPB is meeting on July 22 and 23, and we expect the FAQs to be published shortly thereafter. We will report on these FAQs as soon as they are issued.

On May 4, 2020, the European Data Protection Board (EDPB) adopted new guidelines (the guidelines) regarding the use of consent as a legal basis for processing personal data under the General Data Protection Regulation (GDPR).[1] The guidelines update and replace the Article 29 Working Party’s April 2018 guidance on the same topic.

The guidelines remain largely unchanged from the earlier version but do provide helpful clarifications on two points: a) the validity of consent when interacting with so-called “cookie walls”; and b) “scrolling” as a means of indicating consent.

On January 21, 2020, the Information Commissioner’s Office (ICO) published the final version of its Age Appropriate Design Code of Practice (the code). The code will be submitted to Parliament in the coming days, and, assuming there is no objection, will become effective approximately two months later.

This blog post follows our previous update on the ICO’s draft Age Appropriate Design Code. The current code was produced following extensive industry and consumer engagement. It adopts the maximum transition period of 12 months to allow companies to make meaningful and thoughtful changes to how they operate. 

The year 2020 promises to be an interesting one for privacy and data protection in Europe. In this post, we highlight four of the most important developments to watch this year: 1) we expect that European Union (EU) regulators will ramp up GDPR enforcement across the board, and with a particular focus on AdTech, cookies, and children’s data; 2) legislators and regulators are looking to take concrete measures on AI; 3) the Standard Contractual Clauses will likely have to undergo major reform to escape the same fate as the now-defunct Safe Harbor Framework; and 4) we expect that the proposed ePrivacy Regulation will move forward or be withdrawn altogether.

The Information Commissioner’s Office (ICO) has confirmed that by November 23, 2019, it will present its Age Appropriate Design Code of Practice to the UK Parliament for approval. Unless Parliament objects, this mandatory code will be issued and in force (albeit with a transition period) as early as January 2020.

The final code has been hotly anticipated since the call for input on the issue of age appropriate design in June 2018. Since then, the ICO has worked with a large number of stakeholders to understand the key challenges when designing child-accessible services. In that context, it published its draft iteration of the code for consultation earlier this year (the Draft Code). This Draft Code sets out 16 standards (the Standards) which must be followed when designing online services accessible to children under 18. In an August update, the ICO recognized that the code will cause shifts in the design processes for online services which make use of children’s data, such as the tech, e-gaming and interactive entertainment industries. In light of this, the ICO will provide additional guidance for designers and engineers, as well as clearer guidelines in the code itself. The ICO adds, however, that non-compliance is not an option, stressing that “[t]here is no room for companies who decide children’s privacy is a problem that’s simply too hard to solve.”

On October 1, 2019, the European Court of Justice (ECJ) delivered its judgment in Planet49 (C-673/17), holding that (1) website operators must obtain active opt-in consent to store or access cookies, (2) users must be informed about the retention period and the third party receiving the data, and (3) consent must be obtained regardless of whether the cookies contain personal data.

This ruling will likely prompt regulators to scrutinize cookie policies and consent mechanisms. Therefore, website operators and all parties involved in the adtech sphere should consider reviewing their notice and consent strategy for cookies to ensure that users receive sufficient information prior to consenting, and that cookies are not installed on an opt-out basis.

On July 5, 2019, the UK’s Data Protection Authority (ICO) issued its “Guidance on the use of cookies and similar technologies” (the Guidance) along with a brief explanatory blog post. At the same time the ICO updated its own website cookie notice and consent, leading by example. The ICO’s blog post makes clear that cookie compliance will increasingly be a regulatory priority, and that companies should start working towards compliance now.