Nikolaos Theodorakis

Subscribe to all posts by Nikolaos Theodorakis

10 Things You Should Know About the EU Artificial Intelligence Act

The Artificial Intelligence Act (AI Act) is the first comprehensive legislation that intends to regulate AI horizontally across all sectors in Europe. It will have far reaching consequences on all companies developing, implementing, or using AI solutions in the EU and beyond. These FAQs provide key information you should know before the AI Act is … Continue Reading

Flagship Online Safety Bill Moves Closer to Enactment in the UK: Who Will Be in Scope and What Will It Require?

The Online Safety Bill (OSB or Bill) passed its final reading in the UK’s Parliament in September 2023. The Bill will become law in the coming weeks, ushering in a new era for the regulation of digital services in the UK. Online platforms and search services that fall within the scope of the legislation will … Continue Reading

EU and U.S. Finalize Data Privacy Framework: Here’s How to Get Certified

On July 10, 2023, the European Commission (EC) adopted an adequacy decision in relation to the EU-U.S. Data Privacy Framework (DPF). This paves the way for organizations to certify to the DPF, reducing friction for transfers of personal data from the EU to the U.S., and allowing companies to simplify their compliance with EU data flow restrictions. … Continue Reading

European Commission Proposes New Rules on Financial Data Access and Use

On June 28, 2023, the European Commission (EC) published a Proposal for a Regulation on Financial Data Access (FIDA). FIDA aims to create a framework through which data holders (e.g., banks, credit institutions) share the financial data they hold with other players in the finance industry (e.g., fintech companies). Customers of financial institutions will be able to … Continue Reading

Europe Prepares for a New Era in AI Regulation

In Europe, recent advances in artificial intelligence (AI) have given rise to intense debate over how this technology should be regulated. Companies that have developed AI tools, or who are considering implementing AI, should assess the implications of recent legislative developments and regulatory action. This alert discusses the most recent legislative and regulatory developments in … Continue Reading

European Commission Seeks Companies’ Input on GDPR Enforcement

On February 24, 2023, the European Commission (EC) opened a public consultation on its initiative (Initiative) to revise procedural rules relating to the enforcement of the EU General Data Protection Regulation (GDPR). The EC invites companies to give feedback on the Initiative by March 24, 2023.… Continue Reading

EU Regulators Adopt Opinion on Draft EU-U.S. Data Privacy Framework

Since the invalidation of the Privacy Shield framework in 2020 in the “Schrems II” case, the EU and the U.S. have been working to set up a new framework for data flows from the EU to the U.S. A draft of a new “Data Privacy Framework” (DPF), which is designed to serve as the basis … Continue Reading

CJEU Finds That Companies Must Provide Individuals with the Identity of Data Recipients When Responding to Data Access Requests

On January 12, 2023, the Court of Justice of the European Union (CJEU) ruled1 that the data subject’s right of access to personal data2 requires controllers to provide the data subject with the identity of the companies that they have shared or will share data with. This is a sharp departure from current market practice since many … Continue Reading

EU Court Opinion: Competition Authorities May Consider Data Protection Breaches in Their Investigations

On September 20, 2022, an adviser to the EU’s top court opined that competition authorities may consider a company’s compliance with the EU’s data protection rules as part of an abuse of dominance investigation. In his Opinion (Opinion), Advocate General (AG) Athanasios Rantos of the EU’s Court of Justice (CJEU) noted that competition authorities do not have … Continue Reading

President Biden Signs Executive Order to Implement the New EU-U.S. Data Privacy Framework

On October 7, 2022, President Biden signed an Executive Order (Order) on Enhancing Safeguards for United States Signals Intelligence Activities. This marks the latest step towards the new EU-U.S. Data Privacy Framework (Framework), a replacement for the defunct EU-U.S. Privacy Shield (Privacy Shield). The next stage in the process is for the European Commission (EC), with input from the … Continue Reading

Lloyd v. Google: UK Supreme Court Rejects Data Protection Class Action in Landmark Ruling

On November 10, 2021, the UK Supreme Court ruled[1] that class representatives in data privacy class action suits need to prove damage or distress suffered to be successful. Compensation cannot be granted simply by virtue of proving that a company violated the law. The case was heard under the UK’s pre-2018 data protection law, but … Continue Reading

CJEU Confirms Exceptions to One-Stop-Shop Mechanism Under the GDPR

On June 15, 2021, the Court of Justice of the European Union (CJEU) confirmed[1] that non-leading supervisory authorities (SAs) can initiate national judicial proceedings concerning cross-border data processing in two circumstances:[2] i) where there is an “urgent need” to act, or ii) if the case has a local impact.… Continue Reading

EU Commission Publishes Template Data Processing Agreement

On June 4, 2021, the European Commission published its long awaited new set of Standard Contractual Clauses for outsourced data processing (DPA SCCs). These DPA SCCs are a contract template that organizations can use to comply with the General Data Protection Regulation’s (GDPR) rules on outsourced data processing.… Continue Reading

Bavarian SA Finds the Use of SCCs Without Supplementary Measures Unlawful

On March 15, 2021, the Bavarian Supervisory Authority (SA)[1] issued a decision regarding the use of Standard Contractual Clauses (SCCs) to transfer personal data from the EU to the U.S. without supplementary security measures. The SA found the data transfer to be unlawful in this case, although it did not impose an administrative fine. The … Continue Reading

Council of the EU Adopts Its Text on the ePrivacy Regulation

On February 10, 2021, the Council of the European Union (EU) agreed on its version of the draft ePrivacy Regulation (Council Position). The long-awaited ePrivacy Regulation, which will repeal the existing ePrivacy Directive, overhauls the rules on cookies and regulates the use of and access to electronic communications data.… Continue Reading

EDPB Clarifies Key Health Research Data Protection Rules

On February 2, 2021, the European Data Protection Board (EDPB) issued guidance on the processing of personal data for research purposes in response to questions posed by the European Commission (Document). The Document aims to provide clarity on the application of the General Data Protection Regulation (GDPR) to scientific health research. In particular, the Document … Continue Reading

European Commission Proposes New Rules for Digital Platforms

On December 15, 2020, the European Commission (EC) unveiled a set of proposals to regulate digital platforms. The draft laws include antitrust-related requirements, addressed by the Digital Markets Act (DMA) and more general regulatory requirements, addressed in the Digital Services Act (DSA). The DMA/DSA package will apply to all digital services, including social media, online … Continue Reading

The CJEU Condemns Broad Data Access by UK, French, and Belgian Law Enforcement and Intelligence Services

In a long anticipated ruling, the Court of Justice of the European Union (CJEU) confirmed on October 6, 2020 (joint-cases C-623/17 and C-511/18 et seq., “Ruling”) that general and indiscriminate transmission or retention of traffic and location data for law enforcement and national security purposes breaches EU law.… Continue Reading

U.S. Government Publishes White Paper on International Data Transfers Following Schrems 2.0 Judgment

On September 28, 2020, the U.S. Department of Commerce (DoC) published a white paper co-authored by the U.S. Department of Justice (DoJ) and the Office of the Director of National Intelligence (white paper)[1] which provides information on the safeguards under U.S. law to limit the collection of data from private companies by U.S. intelligence services. … Continue Reading

EDPB Issues Guidelines on Social Media Targeting Under GDPR

On Monday September 7, 2020, the European Data Protection Board (EDPB) issued draft Guidelines 8/2020 on the targeting of social media users (the “Draft Guidelines”). The Draft Guidelines have far-reaching implications for social media platforms, advertisers, and adtech companies, as they will result in a clarification of the roles and responsibilities of the key stakeholders, and establish … Continue Reading

Initial Reaction of European Data Protection Regulators to Schrems 2.0 Judgment

Over the last few days, the European Data Protection Board (EDPB), the European Data Protection Supervisor (EDPS) and various Supervisory Authorities (SAs) across Europe issued statements addressing the decision of the European Court of Justice (ECJ) to invalidate the EU-U.S. Privacy Shield framework (Schrems 2.0). Below we summarize some of the main reactions. The EDPB … Continue Reading

ECJ Invalidates EU-U.S. Privacy Shield and Upholds the Standard Contractual Clauses

On July 16, 2020, the European Court of Justice (ECJ) declared the EU-U.S. Privacy Shield framework (Privacy Shield) invalid. The ECJ upheld the EU Standard Contractual Clauses (SCCs), but ruled that companies must verify prior to any transfer using SCCs that the parties can effectively provide the level of protection required by EU law.… Continue Reading

EDPB Publishes Guidelines on COVID-19 Related Data Usage

On April 21, 2020, the European Data Protection Board (EDPB) published two sets of guidelines addressing data processing in the context of the COVID-19 pandemic. These guidelines address the use of location data and contact tracing tools to combat the spread of COVID-19 and the use of health data for the purposes of scientific research into COVID-19 (together, the … Continue Reading
LexBlog