Regulatory

Subscribe to Regulatory via RSS

On December 8, 2020, the Supreme Court heard argument in Facebook, Inc. v. Duguid,1 a case addressing a split among federal circuit courts as to what constitutes an “automatic telephone dialing system”—often referred to as an “autodialer”—under the Telephone Consumer Protection Act (TCPA).2 The Court’s decision could significantly reduce the risk of TCPA litigation directed at online platforms and apps with text messaging functionality.
Continue Reading U.S. Supreme Court Hears Argument over Frequently Litigated Provision of the TCPA

On November 11, 2020, the European Data Protection Board (EDPB), comprised of the European data protection regulators (DPAs), issued two long-awaited sets of recommendations. These recommendations are critical for any companies exporting or importing EU personal data.
Continue Reading EDPB Publishes Draft Recommendations on Supplementary Measures for Data Transfers

On October 13, 2020, France’s high administrative court (Conseil d’État, “the Court”) rejected a request to suspend France’s centralized health data platform—the Health Data Hub—currently hosted by Microsoft in its data center in the Netherlands.

In essence, the Court rejected the French DPA’s (CNIL) argument that in light of the important public interest of maintaining a COVID-19 related health database, the risks of access by U.S. authorities, although real, do not justify the suspension of the platform. The judgment provides useful insights in light of the recent Schrems II ruling for organizations transferring health data outside of the EU[1] (for more information on the Schrems II ruling, see our blog post ECJ Invalidates EU-U.S. Privacy Shield and Upholds the Standard Contractual Clauses).
Continue Reading France’s Administrative High Court Greenlights Microsoft’s Hosting of Health Data in Face of CNIL’s Schrems II Concerns

On October 1, 2020, the French data protection authority (the CNIL) issued the final version of its guidelines on the use of cookies and other trackers (the Guidelines), replacing a first draft published on July 4, 2019. While the main principles remain unchanged, this version provides further practical guidance for website and mobile application publishers using cookies and trackers. The CNIL indicated that the deadline for compliance with the new rules should not exceed six months, which means that companies have until March 2021 to ensure compliance.
Continue Reading CNIL Issues Updated Cookie Guidance

On September 28, 2020, the U.S. Department of Commerce (DoC) published a white paper co-authored by the U.S. Department of Justice (DoJ) and the Office of the Director of National Intelligence (white paper)[1] which provides information on the safeguards under U.S. law to limit the collection of data from private companies by U.S. intelligence services. The white paper addresses concerns raised by the EU Court of Justice (ECJ) when it invalidated the EU-U.S. Privacy Shield framework (Privacy Shield) and imposed certain conditions on the use of Standard Contractual Clauses (SCCs).
Continue Reading U.S. Government Publishes White Paper on International Data Transfers Following Schrems 2.0 Judgment

On Monday September 7, 2020, the European Data Protection Board (EDPB) issued draft Guidelines 8/2020 on the targeting of social media users (the “Draft Guidelines”). The Draft Guidelines have far-reaching implications for social media platforms, advertisers, and adtech companies, as they will result in a clarification of the roles and responsibilities of the key stakeholders, and establish rules for consent.

The Draft Guidelines are open for public consultation until October 19, 2020. Interested companies can submit their comments to the EDPB.
Continue Reading EDPB Issues Guidelines on Social Media Targeting Under GDPR