On October 13, 2020, France’s high administrative court (Conseil d’État, “the Court”) rejected a request to suspend France’s centralized health data platform—the Health Data Hub—currently hosted by Microsoft in its data center in the Netherlands.

In essence, the Court rejected the French DPA’s (CNIL) argument, finding that in light of the important public interest of maintaining a COVID-19 related health database, the risks of access by U.S. authorities, although real, do not justify the suspension of the platform. The judgment provides useful insights in light of the recent Schrems II ruling for organizations transferring health data outside of the EU[1] (for more information on the Schrems II ruling, see our blog post ECJ Invalidates EU-U.S. Privacy Shield and Upholds the Standard Contractual Clauses).

On October 1, 2020, the French data protection authority (the CNIL) issued the final version of its guidelines on the use of cookies and other trackers (the Guidelines), replacing a first draft published on July 4, 2019. While the main principles remain unchanged, this version provides further practical guidance for website and mobile application publishers using cookies and trackers. The CNIL indicated that the deadline for compliance with the new rules should not exceed six months, which means that companies have until March 2021 to ensure compliance.

On September 28, 2020, the U.S. Department of Commerce (DoC) published a white paper co-authored by the U.S. Department of Justice (DoJ) and the Office of the Director of National Intelligence (white paper)[1], which provides information on the safeguards under U.S. law to limit the collection of data from private companies by U.S. intelligence services. The white paper addresses concerns raised by the EU Court of Justice (ECJ) when it invalidated the EU-U.S. Privacy Shield framework (Privacy Shield) and imposed certain conditions on the use of Standard Contractual Clauses (SCCs).

On September 7, 2020, the European Data Protection Board (EDPB) published draft guidelines (Guidelines) intended to clarify the roles of the parties processing personal data and when they are operating as controllers, joint controllers, or processors under the EU General Data Protection Regulation (GDPR).

On Monday, September 7, 2020, the European Data Protection Board (EDPB) issued draft Guidelines 8/2020 on the targeting of social media users (the “Draft Guidelines”). The Draft Guidelines have far-reaching implications for social media platforms, advertisers, and adtech companies, as they will result in a clarification of the roles and responsibilities of the key stakeholders, and establish rules for consent.

The Draft Guidelines are open for public consultation until October 19, 2020. Interested companies can submit their comments to the EDPB.

Over the last few days, the European Data Protection Board (EDPB), the European Data Protection Supervisor (EDPS) and various Supervisory Authorities (SAs) across Europe issued statements addressing the decision of the European Court of Justice (ECJ) to invalidate the EU-U.S. Privacy Shield framework (Schrems 2.0). Below we summarize some of the main reactions.

The EDPB is working on a set of FAQs that will hopefully provide some level of clarification on key issues that companies now face. The EDPB is meeting on July 22 and 23, and we expect the FAQs to be published shortly thereafter. We will report on these FAQs as soon as they are issued.