Archives: European Union

Subscribe to European Union RSS Feed

EU Reaches Political Agreement on Additional New Rules for Digital Platforms in the Digital Services Act

The EU is close to finalizing the adoption of the Digital Services Act (DSA), which will impose new obligations on digital platforms regarding content moderation, due diligence for illegal content, and advertising transparency. It will entail significant changes to existing EU law in these areas and will impose substantial new compliance burdens on companies in … Continue Reading

EU Adopts New Rules to Significantly Limit the Power of Tech Platforms

The European Union (EU) will soon be handed sweeping new rules to regulate the conduct of the largest digital platforms with the long-awaited Digital Markets Act (DMA). Following 15 months of intense negotiations on amendments to the original Proposal, the presidents of the main EU institutions (the Parliament, Council, and Commission) reached a political agreement on the final … Continue Reading

EU Parliament and Council Take Next Steps to Advance Major New Rules for Digital Platforms

The EU Parliament and the EU Council recently adopted their respective versions of the Digital Markets Act (DMA) and Digital Services Act (DSA), which intend to create new antitrust-related (DMA) and regulatory (DSA) rules applicable to digital platforms.1 The adoption of the draft amendments by the EU Parliament and the EU Council constitutes a critical … Continue Reading

Belgian DPA Finds That IAB Europe’s Cookie Consent Framework Violates the GDPR

On February 2, 2022, the Belgian Data Protection Authority (DPA) found that the Interactive Advertising Bureau Europe (IAB) Transparency & Consent Framework (TCF), a tool used to record individuals’ online ad preferences, violates the General Data Protection Regulation (GDPR). The DPA fined IAB Europe €250,000 (approx. USD 280,000), and required IAB Europe to present an … Continue Reading

European Court of Justice Finds That “Inbox Advertising” Is Direct Marketing

On November 26, 2021, the Court of Justice of the European Union (CJEU) held[1] that the display of advertising messages in an email inbox, in a form similar to an email, constitutes direct marketing and requires users’ consent under the ePrivacy Directive.[2] The CJEU also held that this practice constitutes ‘persistent and unwanted solicitations’ under … Continue Reading

EU Regulators Define Data Transfers

They State That Direct Collection of Personal Data by Non-EU Companies Is Not a “Data Transfer” Under the GDPR On November 18, 2021, the European Data Protection Board (EDPB) issued guidelines (Guidelines) that—for the first time—clarify the notion of “data transfer.” Departing from common understanding, the EDPB has determined that there is no data transfer … Continue Reading

CNIL Issues Guidance on Alternatives to Third-Party Cookies

On October 13, 2021, the French data protection authority (the CNIL) issued a short note (the “Note,” in French) on technologies such as fingerprinting, unique identifiers, and cohort-targeting, developed to replace traditional third-party cookies. While the CNIL acknowledges that some of these technologies are less privacy invasive than third-party cookies, it stresses that the consent … Continue Reading

CJEU Confirms Exceptions to One-Stop-Shop Mechanism Under the GDPR

On June 15, 2021, the Court of Justice of the European Union (CJEU) confirmed[1] that non-leading supervisory authorities (SAs) can initiate national judicial proceedings concerning cross-border data processing in two circumstances:[2] i) where there is an “urgent need” to act, or ii) if the case has a local impact.… Continue Reading

Locatefamily.com Fined EUR 525,000 for Failure to Appoint an EU Representative

On May 12, 2021, the Dutch supervisory authority (the Autoriteit Persoonsgegevens or AP) issued a press release on a EUR 525,000 fine against Locatefamily.com for failing to appoint an EU representative, with additional penalty payments pending should the violation persist. The press release is available in English here, and the decision is available in Dutch … Continue Reading

Bavarian SA Finds the Use of SCCs Without Supplementary Measures Unlawful

On March 15, 2021, the Bavarian Supervisory Authority (SA)[1] issued a decision regarding the use of Standard Contractual Clauses (SCCs) to transfer personal data from the EU to the U.S. without supplementary security measures. The SA found the data transfer to be unlawful in this case, although it did not impose an administrative fine. The … Continue Reading

Booking.com Fined EUR 475,000 for Failure to Timely Notify Dutch Supervisory Authority of Data Breach

The Dutch supervisory authority (the Autoriteit Persoonsgegevens or AP) sanctioned the online travel booking platform, Booking.com BV (Booking), with a EUR 475,000 fine for failing to notify a data breach to the AP within 72 hours after becoming aware of it, as required by the EU General Data Protection Regulation (GDPR). The decision is available … Continue Reading

Council of the EU Adopts Its Text on the ePrivacy Regulation

On February 10, 2021, the Council of the European Union (EU) agreed on its version of the draft ePrivacy Regulation (Council Position). The long-awaited ePrivacy Regulation, which will repeal the existing ePrivacy Directive, overhauls the rules on cookies and regulates the use of and access to electronic communications data.… Continue Reading

European Commission Proposes New Rules for Digital Platforms

On December 15, 2020, the European Commission (EC) unveiled a set of proposals to regulate digital platforms. The draft laws include antitrust-related requirements, addressed by the Digital Markets Act (DMA) and more general regulatory requirements, addressed in the Digital Services Act (DSA). The DMA/DSA package will apply to all digital services, including social media, online … Continue Reading

The Privacy Impact of the New Brexit Deal

On December 24, 2020, the European Commission (EC) and UK government announced the long-awaited EU-UK Trade and Cooperation Agreement (the Brexit Agreement), which sets out the future relations between the EU and the UK. If approved, the Brexit Agreement will become effective on January 1, 2021, and will have the following repercussions:… Continue Reading

European Commission Issues New SCCs for Data Transfers to Third Countries

On November 12, 2020, the European Commission (EC) issued a draft version of a new set of Standard Contractual Clauses (New SCCs). The long-awaited New SCCs include several modules that companies can use depending on the transfer scenarios, such as controller-to-controller, controller-to-processor, and processor-to-processor data exports. The New SCCs have also been updated to reflect the high … Continue Reading

EDPB Publishes Draft Recommendations on Supplementary Measures for Data Transfers

On November 11, 2020, the European Data Protection Board (EDPB), comprised of the European data protection regulators (DPAs), issued two long-awaited sets of recommendations. These recommendations are critical for any companies exporting or importing EU personal data.… Continue Reading

The CJEU Condemns Broad Data Access by UK, French, and Belgian Law Enforcement and Intelligence Services

In a long anticipated ruling, the Court of Justice of the European Union (CJEU) confirmed on October 6, 2020 (joint-cases C-623/17 and C-511/18 et seq., “Ruling”) that general and indiscriminate transmission or retention of traffic and location data for law enforcement and national security purposes breaches EU law.… Continue Reading

France’s Administrative High Court Greenlights Microsoft’s Hosting of Health Data in Face of CNIL’s Schrems II Concerns

On October 13, 2020, France’s high administrative court (Conseil d’État, “the Court”) rejected a request to suspend France’s centralized health data platform—the Health Data Hub—currently hosted by Microsoft in its data center in the Netherlands. In essence, the Court rejected the French DPA’s (CNIL) argument that in light of the important public interest of maintaining … Continue Reading

CNIL Issues Updated Cookie Guidance

On October 1, 2020, the French data protection authority (the CNIL) issued the final version of its guidelines on the use of cookies and other trackers (the Guidelines), replacing a first draft published on July 4, 2019. While the main principles remain unchanged, this version provides further practical guidance for website and mobile application publishers … Continue Reading

Draft EDPB Guidelines Clarify the Roles of Parties Processing Personal Data and Call for Detailed Data Processing Agreements

On September 7, 2020, the European Data Protection Board (EDPB) published draft guidelines (Guidelines) intended to clarify the roles of the parties processing personal data and when they are operating as controllers, joint controllers, or processors under the EU General Data Protection Regulation (GDPR).… Continue Reading

EDPB Issues Guidelines on Social Media Targeting Under GDPR

On Monday September 7, 2020, the European Data Protection Board (EDPB) issued draft Guidelines 8/2020 on the targeting of social media users (the “Draft Guidelines”). The Draft Guidelines have far-reaching implications for social media platforms, advertisers, and adtech companies, as they will result in a clarification of the roles and responsibilities of the key stakeholders, and establish … Continue Reading

Initial Reaction of European Data Protection Regulators to Schrems 2.0 Judgment

Over the last few days, the European Data Protection Board (EDPB), the European Data Protection Supervisor (EDPS) and various Supervisory Authorities (SAs) across Europe issued statements addressing the decision of the European Court of Justice (ECJ) to invalidate the EU-U.S. Privacy Shield framework (Schrems 2.0). Below we summarize some of the main reactions. The EDPB … Continue Reading

ECJ Invalidates EU-U.S. Privacy Shield and Upholds the Standard Contractual Clauses

On July 16, 2020, the European Court of Justice (ECJ) declared the EU-U.S. Privacy Shield framework (Privacy Shield) invalid. The ECJ upheld the EU Standard Contractual Clauses (SCCs), but ruled that companies must verify prior to any transfer using SCCs that the parties can effectively provide the level of protection required by EU law.… Continue Reading

EDPB Adopts Updated Consent Guidance

On May 4, 2020, the European Data Protection Board (EDPB) adopted new guidelines (the guidelines) regarding the use of consent as a legal basis for processing personal data under the General Data Protection Regulation (GDPR).[1] The guidelines update and replace the Article 29 Working Party’s April 2018 guidance on the same topic. The guidelines remain … Continue Reading
LexBlog

We use cookies on our site to analyze traffic, enhance your experience, and provide you with tailored content. For more information or to opt-out, visit our privacy policy.

I agree