On February 8, 2024, the French data protection authority (CNIL) published a list of its enforcement focus areas for 2024.[1] The CNIL will focus on the processing of children’s data by online services, the handling of individuals’ requests to access their personal data (so-called “DSAR”), the re-use of data processed for loyalty programs, and data processed in connection with the upcoming Olympic and Paralympic games.Continue Reading French Data Protection Authority Publishes Its 2024 Enforcement Focus Areas

Individuals are increasingly making use of their right to access their personal data under applicable privacy laws in the EU.

It can be a challenge for companies to handle such requests, and in particular, if a request concerns a complex data set, there are a high number of requests, or the right is exercised for strategic reasons, such as in HR or legal disputes. The right of access is, however, not absolute, and its restrictions vary across Member States, adding further complexity to the matter. How to handle such requests and apply these restrictions is commonly set out in internal policies and procedures. We set out below the current landscape as well as a recent enforcement trend.Continue Reading Weaponization of Data Subject Access Requests in the EU

On August 24, 2023, some members of the Global Privacy Assembly’s International Enforcement Cooperation Working Group published a joint statement on data scraping (Statement). Signatories to the Statement include the privacy regulators of the UK, Australia, Argentina, Canada, Colombia, Hong Kong, Jersey, Mexico, Morocco, New Zealand, Norway, and Switzerland.[1] Notably absent from the list of signatories were the U.S. Federal Trade Commission and the California Privacy Protection Agency, both of which are accredited members of the Global Privacy Assembly. This seems likely due to First Amendment considerations in the U.S. regarding data scraping, which have led to “publicly available” information being broadly excluded from recent U.S. state privacy laws.Continue Reading Global Regulators Highlight Potential Harms of Data Scraping and Best Practices

On June 21, 2023, a request for a preliminary ruling on the scope of the term “undertaking” in Article 83(4) to (6) of the General Data Protection Regulation (GDPR) was lodged with the Court of Justice of the EU (CJEU). This concept is critical for companies facing enforcement action as it is used as a reference point to determine the cap for GDPR fines.Continue Reading Missteps in Mixing EU Data Protection and Competition Law: A Call for Boundaries

On June 28, 2023, the European Commission (EC) published a Proposal for a Regulation on Financial Data Access (FIDA). FIDA aims to create a framework through which data holders (e.g., banks, credit institutions) share the financial data they hold with other players in the finance industry (e.g., fintech companies). Customers of financial institutions will be able to control i) which data is shared, ii) with whom, iii) for what purpose, and iv) for how long. If adopted, FIDA will further liberalize financial data sharing in the EU.Continue Reading European Commission Proposes New Rules on Financial Data Access and Use

In Europe, recent advances in artificial intelligence (AI) have given rise to intense debate over how this technology should be regulated. Companies that have developed AI tools, or who are considering implementing AI, should assess the implications of recent legislative developments and regulatory action. This alert discusses the most recent legislative and regulatory developments in Europe and identifies key steps companies should take in light of these developments.Continue Reading Europe Prepares for a New Era in AI Regulation