In January 2023, the European Data Protection Board (EDPB) published a report on cookie banners (Report). The Report provides practical guidance to companies doing business in the EU on how to comply with
Continue Reading EDPB Issues Guidance on Cookie BannersRossana Fol
Formal Publication of the DMA and Timelines for Compliance
On October 12, 2022, the EU Digital Markets Act (DMA) was published in the Official Journal of the European Union (see here), giving clarity as to when the new rules will apply. The DMA will enter into force on November 1, 2022, and it will become fully applicable in May 2023. At that point, the gatekeeper designation process will start, and once designated, gatekeepers will have six months to comply with the DMA. This means that the DMA will only be fully enforceable against companies in spring 2024, likely around March.
Continue Reading Formal Publication of the DMA and Timelines for Compliance
Increased Scrutiny for AI Systems and Draft AI Legislation in the EU
EU lawmakers are preparing a new Artificial Intelligence Act (AIA). Timing for adoption remains unclear, but once the AIA enters into force, it will impose strict obligations on providers and users of AI systems. In the meantime, EU regulators have started issuing fines against companies using AI systems on the basis of the EU General Data Protection Regulation (GDPR). For example, the Hungarian privacy regulator recently issued a fine of approximately $680,000 against a bank for non-compliance with GDPR rules in the context of its use of AI software to analyze customer service calls. To learn more about the upcoming legislation, please see Wilson Sonsini’s Fact Sheet below on the current draft AIA.
Continue Reading Increased Scrutiny for AI Systems and Draft AI Legislation in the EU
Political Agreement on a New Framework for EU-U.S. Personal Data Transfers
On March 25, 2022, the U.S. and EU announced that they reached a political agreement in principle on a new “Trans-Atlantic Data Privacy Framework” (the Framework). This would be the third framework for EU-U.S. personal data transfers, after the invalidation of the Privacy Shield in 2020 and of its predecessor, the Safe Harbor, in 2015. The new Framework is yet to be set out in legal documents, which will need to be negotiated and adopted. Timing for the adoption remains unclear.
Continue Reading Political Agreement on a New Framework for EU-U.S. Personal Data Transfers
New Model Clauses for Personal Data Transfers Outside the UK
On February 2, 2022, the UK privacy regulator (i.e., the Information Commissioner’s Office or the ICO) issued new model clauses to support data transfers from the UK. Subject to approval by the UK Parliament, the new model clauses will become effective March 21, 2022. Companies transferring personal data outside the UK will have until March 21, 2024 to update existing contracts, but should use the new model clauses for any new contracts they sign as of September 21, 2022.
Background
Continue Reading New Model Clauses for Personal Data Transfers Outside the UK
EU Regulators Define Data Transfers
They State That Direct Collection of Personal Data by Non-EU Companies Is Not a “Data Transfer” Under the GDPR
On November 18, 2021, the European Data Protection Board (EDPB) issued guidelines (Guidelines) that—for the first time—clarify the notion of “data transfer.” Departing from common understanding, the EDPB has determined that there is no data transfer where EU data subjects disclose on their own initiative personal data directly to a non-EU company. Consequently, there is no need to implement a transfer tool in such situations. The Guidelines are open to public consultation until the end of January 2022.
Continue Reading EU Regulators Define Data Transfers