French Data Protection Authority Publishes Its 2024 Enforcement Focus Areas
On February 8, 2024, the French data protection authority (CNIL) published a list of its enforcement focus areas for 2024.[1] The CNIL will focus on the processing of children’s data by online services, the handling of individuals’ requests to access their personal data (so-called “DSAR”), the re-use of data processed for loyalty programs, and data processed in connection with the upcoming Olympic and Paralympic games.
Into the Final Stretch: Six Gatekeepers Confirmed Under the EU’s Digital Markets Acts
On September 6, 2023, the European Commission (EC) returned from its summer break with full force and announced the designation of six tech companies as so-called “gatekeepers” under the EU’s Digital Markets Act (DMA) and…
Meta Receives Record 1.2 Billion EUR Fine and Is Ordered to Suspend Its EU-U.S. Data Transfers

On May 22, 2023, Ireland’s Data Protection Commission (DPC) published its long-awaited decision in the Meta EU-U.S. data transfer case (Decision). In its landmark Decision, the DPC imposed a record 1.2 billion EUR fine and…
EU Regulators Adopt Opinion on Draft EU-U.S. Data Privacy Framework
Since the invalidation of the Privacy Shield framework in 2020 in the “Schrems II” case, the EU and the U.S. have been working to set up a new framework for data flows from…
European Privacy Landscape: What to Expect in 2020

The year 2020 promises to be an interesting one for privacy and data protection in Europe. In this post, we highlight four of the most important developments to watch this year: 1) we expect that European Union (EU) regulators will ramp up GDPR enforcement across the board, and with a particular focus on AdTech, cookies, and children’s data; 2) legislators and regulators are looking to take concrete measures on AI; 3) the Standard Contractual Clauses will likely have to undergo major reform to escape the same fate as the now-defunct Safe Harbor Framework; and 4) we expect that the proposed ePrivacy Regulation will move forward or be withdrawn altogether.
Greece Publishes Draft Legislation for Implementing GDPR

On August 12, 2019, the Greek Ministry of Justice published the long-awaited, draft legislation for implementing the General Data Protection Regulation (GDPR). Greece and Slovenia are the only two European Union (EU) countries that have not yet implemented the GDPR.
As an EU regulation, the GDPR has legally taken effect in every EU country, including Greece. In fact, the Greek Supervisory Authority recently imposed a 150,000 EUR fine on a company for GDPR violations. However, the GDPR allows EU countries to adopt certain derogations, specifications, and exceptions through their implementing legislation. The draft, inter alia, does this through the following provisions:
- Age of Consent
The draft requires that a minor over 15 years old (and up to 18 years old) must consent to the processing of his/her personal data for the processing to be lawful. When a minor is under 15 years old, the minor’s legal guardian must consent.
The CNIL Announces Its 2019-2020 Action Plan on Ad Targeting




On June 28, 2019, the French Data Protection Authority (CNIL) released its 2019-2020 action plan on ad targeting (action plan);[1] among other things, the CNIL announced that it will issue new cookie guidance later this month and that, once the guidance is published, companies will have a 12-month grace period to come into compliance.
Background
When the General Data Protection Regulation (GDPR) became effective on May 25, 2018, it imposed stricter conditions for obtaining valid consent to process personal data. In short, consent must be freely given, specific, informed, and unambiguous. Individuals must also be able to withdraw their consent at any time. The European Data Protection Board (EDPB) issued guidelines to further clarify the “do’s and don’ts” for obtaining valid consent (consent guidelines), including that scrolling down or swiping through a website is not enough to obtain valid consent. Rather, consent must be obtained via a clear and affirmative action, such as clicking on an “I agree” button.