In a landmark judgment issued on July 4, 2023, the European top court, the Court of Justice (ECJ), ruled that competition authorities in the EU can consider a company’s compliance with the EU’s data protection rules when assessing whether it abused its dominant position. In addition, the ECJ ruled on important General Data Protection Regulation (GDPR) clarifications on the legal bases for personalized advertising.

The judgment sets out how competition agencies should cooperate with data protection agencies when conducting competition investigations involving the consideration of whether a company’s data collection and processing practices comply with EU data protection rules.Continue Reading EU’s Top Court Rules That Competition Authorities Can Consider Data Protection Breaches in Their Investigations

On June 8, 2023, the UK and the U.S. governments issued a joint statement announcing that they had committed in principle to the establishment of a “UK Extension to the Data Privacy Framework,” which would facilitate flows of personal data between the two countries (the “Data Bridge”).Continue Reading UK and U.S. Commit to Establish a “Data Bridge” to Facilitate the Free Flow of Personal Data

On September 20, 2022, an adviser to the EU’s top court opined that competition authorities may consider a company’s compliance with the EU’s data protection rules as part of an abuse of dominance investigation.

In

Continue Reading EU Court Opinion: Competition Authorities May Consider Data Protection Breaches in Their Investigations

Given Broad Definitions, the Law Could Apply to Businesses That Do Not Consider Themselves Data Brokers

While amending the California Consumer Privacy Act of 2018 (CCPA) last term, the California legislature also passed a CCPA-related privacy bill that applies to “data brokers.” Assembly Bill 1202 (AB 1202) requires businesses that qualify as data brokers to register, pay a fee, and provide certain information to the California attorney general. Because AB 1202 relies on the CCPA’s broad definitions of “sell” and “personal information,” many businesses that might not otherwise consider themselves to be data brokers may fall within the data broker definition.
Continue Reading Data Brokers Must Register with California Attorney General by January 31

On August 12, 2019, the Greek Ministry of Justice published the long-awaited, draft legislation for implementing the General Data Protection Regulation (GDPR). Greece and Slovenia are the only two European Union (EU) countries that have not yet implemented the GDPR.

As an EU regulation, the GDPR has legally taken effect in every EU country, including Greece. In fact, the Greek Supervisory Authority recently imposed a 150,000EUR fine on a company for GDPR violations. However, the GDPR allows EU countries to adopt certain derogations, specifications, and exceptions through their implementing legislation. The draft, inter alia, does this through the following provisions:

  1. Age of Consent

The draft requires that a minor over 15 years old (and up to 18 years old) must consent to the processing of his/her personal data for the processing to be lawful. When a minor is under 15 years old, the minor’s legal guardian must consent.Continue Reading Greece Publishes Draft Legislation for Implementing GDPR

On May 22, 2019, a federal district court largely denied a facial challenge by Disney, Viacom, and several online advertising networks to claims alleging these defendants violated the privacy rights of children by collecting data through online gaming apps.

In McDonald v. Kiloo APS,[1] the defendants consisted of two groups: the developers who created the gaming apps and made them available for download, and the mobile advertising and app monetization companies who provided software code inserted into the gaming apps to collect user data for advertising purposes. The defendants allegedly collected a variety of data from the children’s devices without appropriate consent, including the IP address; the specific device name; IDs for Apple and Android devices; the device’s International Mobile Equipment Identity; the timestamp at which an advertising event was recorded; and device fingerprint data (the user’s language, time zone, country, and mobile network).Continue Reading Federal Court Allows Children’s Online Privacy Claims Against Disney, Viacom, and Online Ad Networks That Collected Data from Gaming Apps to Go Forward

On March 21, 2019, the Advocate General (AG) of the highest EU Court (the Court of Justice of the European Union (CJEU)) issued an opinion (opinion) in the Planet49 case[1] on what constitutes valid consent for cookies under the Data Protection Directive, the GDPR, and the e-Privacy Directive.

In particular, the AG opines that: 1) a pre-ticked checkbox that users must untick to refuse consent does not constitute valid consent; 2) consent for cookies should not be bundled with other consents; and 3) users must be informed about the cookies’ lifespan and the third parties accessing the cookies. AG opinions are not binding on the CJEU, but are often influential. If the CJEU follows the AG Opinion, it will likely impact widely-adopted cookie consent practices in the EU and underlying business models that rely on such consent.
Continue Reading CJEU Advocate General Opinion Calls for Active and Separate Cookie Consents