Tag Archives: EU

Council of the EU Proposes Amendments to Draft AI Act

On December 6, 2022, the European Union’s (EU) Regulation on Artificial Intelligence (AI Act) progressed one step towards becoming law when the Council of the EU (the Council) adopted their amendments to the draft act (Council General Approach). The European Parliament (Parliament) must now finalize their common position before interinstitutional negotiations can begin.… Continue Reading

EU Introduces Legislative Proposal to Collect Data from Short-Term Accommodation Platforms

On November 7, 2022, the European Commission (EC) published its proposal for a regulation on data collection and sharing for short-term accommodation rental services (proposal). The proposal includes data sharing and website design requirements for online platforms providing short-term accommodation rental services. It also prompts EU countries to create a harmonized registration process for hosts providing such … Continue Reading

Some Light Holiday Reading: Draft Procedural Guidance on the EU’s Digital Market Act Open for Consultation

On December 9, 2022, the European Commission (EC) published its draft Digital Markets Act (DMA) Implementing Regulation, which will be open for public comment until January 6, 2023. The package is designed to give guidance on the practical aspects of gatekeeper designation and sets out the information required from gatekeepers and their procedural rights. The … Continue Reading

EU Court Opinion: Competition Authorities May Consider Data Protection Breaches in Their Investigations

On September 20, 2022, an adviser to the EU’s top court opined that competition authorities may consider a company’s compliance with the EU’s data protection rules as part of an abuse of dominance investigation. In his Opinion (Opinion), Advocate General (AG) Athanasios Rantos of the EU’s Court of Justice (CJEU) noted that competition authorities do not have … Continue Reading

European Union Adopts Flagship Digital Services Act

On October 27, 2022, the Digital Services Act (DSA) was published in the Official Journal of the European Union, sweeping in a new era in the regulation of digital services. (See Wilson Sonsini’s DSA Fact Sheet.) The DSA applies to providers of digital services, including those based outside the EU that provide services to users in the … Continue Reading

Formal Publication of the DMA and Timelines for Compliance

On October 12, 2022, the EU Digital Markets Act (DMA) was published in the Official Journal of the European Union (see here), giving clarity as to when the new rules will apply. The DMA will enter into force on November 1, 2022, and it will become fully applicable in May 2023. At that point, the gatekeeper … Continue Reading

European Commission Proposes New EU Cybersecurity Rules for Software and Hardware Products

On September 15, 2022, the European Commission (EC) published a Proposal for a Cyber Resilience Act (CRA Proposal) that sets out new rules in the European Union (EU) for software and hardware products and their remote data processing solutions. The CRA Proposal introduces mandatory cybersecurity-related requirements and reporting obligations, including about product vulnerabilities, for manufacturers, … Continue Reading

EU Reaches Political Agreement on Additional New Rules for Digital Platforms in the Digital Services Act

The EU is close to finalizing the adoption of the Digital Services Act (DSA), which will impose new obligations on digital platforms regarding content moderation, due diligence for illegal content, and advertising transparency. It will entail significant changes to existing EU law in these areas and will impose substantial new compliance burdens on companies in … Continue Reading

Political Agreement on a New Framework for EU-U.S. Personal Data Transfers

On March 25, 2022, the U.S. and EU announced that they reached a political agreement in principle on a new “Trans-Atlantic Data Privacy Framework” (the Framework). This would be the third framework for EU-U.S. personal data transfers, after the invalidation of the Privacy Shield in 2020 and of its predecessor, the Safe Harbor, in 2015. … Continue Reading

EU Parliament and Council Take Next Steps to Advance Major New Rules for Digital Platforms

The EU Parliament and the EU Council recently adopted their respective versions of the Digital Markets Act (DMA) and Digital Services Act (DSA), which intend to create new antitrust-related (DMA) and regulatory (DSA) rules applicable to digital platforms.1 The adoption of the draft amendments by the EU Parliament and the EU Council constitutes a critical … Continue Reading

European Court of Justice Finds That “Inbox Advertising” Is Direct Marketing

On November 26, 2021, the Court of Justice of the European Union (CJEU) held[1] that the display of advertising messages in an email inbox, in a form similar to an email, constitutes direct marketing and requires users’ consent under the ePrivacy Directive.[2] The CJEU also held that this practice constitutes ‘persistent and unwanted solicitations’ under … Continue Reading

CNIL Issues Guidance on Alternatives to Third-Party Cookies

On October 13, 2021, the French data protection authority (the CNIL) issued a short note (the “Note,” in French) on technologies such as fingerprinting, unique identifiers, and cohort-targeting, developed to replace traditional third-party cookies. While the CNIL acknowledges that some of these technologies are less privacy invasive than third-party cookies, it stresses that the consent … Continue Reading

Bavarian SA Finds the Use of SCCs Without Supplementary Measures Unlawful

On March 15, 2021, the Bavarian Supervisory Authority (SA)[1] issued a decision regarding the use of Standard Contractual Clauses (SCCs) to transfer personal data from the EU to the U.S. without supplementary security measures. The SA found the data transfer to be unlawful in this case, although it did not impose an administrative fine. The … Continue Reading

Booking.com Fined EUR 475,000 for Failure to Timely Notify Dutch Supervisory Authority of Data Breach

The Dutch supervisory authority (the Autoriteit Persoonsgegevens or AP) sanctioned the online travel booking platform, Booking.com BV (Booking), with a EUR 475,000 fine for failing to notify a data breach to the AP within 72 hours after becoming aware of it, as required by the EU General Data Protection Regulation (GDPR). The decision is available … Continue Reading

Council of the EU Adopts Its Text on the ePrivacy Regulation

On February 10, 2021, the Council of the European Union (EU) agreed on its version of the draft ePrivacy Regulation (Council Position). The long-awaited ePrivacy Regulation, which will repeal the existing ePrivacy Directive, overhauls the rules on cookies and regulates the use of and access to electronic communications data.… Continue Reading

The Privacy Impact of the New Brexit Deal

On December 24, 2020, the European Commission (EC) and UK government announced the long-awaited EU-UK Trade and Cooperation Agreement (the Brexit Agreement), which sets out the future relations between the EU and the UK. If approved, the Brexit Agreement will become effective on January 1, 2021, and will have the following repercussions:… Continue Reading

EDPB Issues Guidelines on Social Media Targeting Under GDPR

On Monday September 7, 2020, the European Data Protection Board (EDPB) issued draft Guidelines 8/2020 on the targeting of social media users (the “Draft Guidelines”). The Draft Guidelines have far-reaching implications for social media platforms, advertisers, and adtech companies, as they will result in a clarification of the roles and responsibilities of the key stakeholders, and establish … Continue Reading

ECJ Invalidates EU-U.S. Privacy Shield and Upholds the Standard Contractual Clauses

On July 16, 2020, the European Court of Justice (ECJ) declared the EU-U.S. Privacy Shield framework (Privacy Shield) invalid. The ECJ upheld the EU Standard Contractual Clauses (SCCs), but ruled that companies must verify prior to any transfer using SCCs that the parties can effectively provide the level of protection required by EU law.… Continue Reading

The European Commission Publishes Guidance on COVID-19 Mobile Apps

On April 16, 2020, the European Commission (EC) published guidance (guidance) regarding mobile applications developed to combat the spread of the COVID-19 pandemic (COVID-19 mobile apps). As previously mentioned in our blog posts, the guidance follows the EC recommendation last week on the same topic, and takes into account a prior consultation with the European … Continue Reading

European Commission Calls for a Common Approach to COVID-19 Apps and Anonymized Data Use

On April 8, 2020, the European Commission (the Commission) released its recommendation for a pan-EU approach on the use of technology and data to combat the COVID-19 pandemic (the Recommendation). The Commission calls for the creation of a “toolbox” consisting of practical measures taken at the EU level to address the use of mobile applications … Continue Reading

EU Privacy Regulators Issue Draft Guidelines on Connected Vehicles and Mobility Applications

On February 7, 2020, the European Data Protection Board (EDPB) published draft guidelines on the processing of personal data in the context of connected vehicles and mobility related applications. If adopted in their current form, the draft guidelines will have far-reaching consequences for connected vehicles and mobility applications that operate in Europe. They contain detailed interpretations of … Continue Reading

CJEU Advocate General Confirms Validity of EU Data Transfer Tools

On December 19, 2019, the Advocate General (AG) of the highest EU Court (the Court of Justice of the European Union (CJEU)) issued his opinion in Schrems II[1] (the opinion). Wilson Sonsini previously covered the key points of the opinion in our Alert of December 20 and now provides a more detailed analysis in this … Continue Reading

Greece Publishes Draft Legislation for Implementing GDPR

On August 12, 2019, the Greek Ministry of Justice published the long-awaited, draft legislation for implementing the General Data Protection Regulation (GDPR). Greece and Slovenia are the only two European Union (EU) countries that have not yet implemented the GDPR. As an EU regulation, the GDPR has legally taken effect in every EU country, including … Continue Reading

The CNIL Announces Its 2019-2020 Action Plan on Ad Targeting

On June 28, 2019, the French Data Protection Authority (CNIL) released its 2019-2020 action plan on ad targeting (action plan);1 among other things, the CNIL announced that it will issue new cookie guidance later this month and that, once the guidance is published, companies will have a 12-month grace period to come into compliance. Background … Continue Reading
LexBlog

We use cookies on our site to analyze traffic, enhance your experience, and provide you with tailored content. For more information or to opt-out, visit our privacy policy.

I agree