EU

Subscribe to EU via RSS

On December 19, 2019, the Advocate General (AG) of the highest EU Court (the Court of Justice of the European Union (CJEU)) issued his opinion in Schrems II[1] (the opinion). Wilson Sonsini previously covered the key points of the opinion in our Alert of December 20 and now provides a more detailed analysis in this contribution.

At stake in this case is the validity of two key EU data transfers mechanisms, the Standard Contractual Clauses (SCCs) and the EU-U.S. Privacy Shield. The SCCs allow companies to transfer personal data to any country outside of the European Economic Area. The Privacy Shield enables transfers specifically from the EU to the U.S.
Continue Reading CJEU Advocate General Confirms Validity of EU Data Transfer Tools

On August 12, 2019, the Greek Ministry of Justice published the long-awaited, draft legislation for implementing the General Data Protection Regulation (GDPR). Greece and Slovenia are the only two European Union (EU) countries that have not yet implemented the GDPR.

As an EU regulation, the GDPR has legally taken effect in every EU country, including Greece. In fact, the Greek Supervisory Authority recently imposed a 150,000EUR fine on a company for GDPR violations. However, the GDPR allows EU countries to adopt certain derogations, specifications, and exceptions through their implementing legislation. The draft, inter alia, does this through the following provisions:

  1. Age of Consent

The draft requires that a minor over 15 years old (and up to 18 years old) must consent to the processing of his/her personal data for the processing to be lawful. When a minor is under 15 years old, the minor’s legal guardian must consent.Continue Reading Greece Publishes Draft Legislation for Implementing GDPR

On June 28, 2019, the French Data Protection Authority (CNIL) released its 2019-2020 action plan on ad targeting (action plan);1 among other things, the CNIL announced that it will issue new cookie guidance later this month and that, once the guidance is published, companies will have a 12-month grace period to come into compliance.

Background

When the General Data Protection Regulation (GDPR) became effective on May 25, 2018, it imposed stricter conditions for obtaining valid consent to process personal data. In short, consent must be freely given, specific, informed, and unambiguous. Individuals must also be able to withdraw their consent at any time. The European Data Protection Board (EDPB) issued guidelines to further clarify the “do’s and don’ts” for obtaining valid consent (consent guidelines), including that scrolling down or swiping through a website is not enough to obtain valid consent. Rather, consent must be obtained via a clear and affirmative action, such as clicking on an “I agree” button.Continue Reading The CNIL Announces Its 2019-2020 Action Plan on Ad Targeting

On June 20, 2019, the UK’s Data Protection Authority (ICO) published a report on adtech and real-time bidding. The report highlights the main problems faced by the industry when applying the General Data Protection Regulation’s (GDPR’s) stringent requirements, and calls for further engagement on these issues by the different adtech players in the space.

Background

When the GDPR became effective on May 25, 2018, it imposed new and strict obligations on companies processing personal data. In the UK, the Privacy and Electronic Communications Regulations (PECR), which implements the EU e-Privacy Directive and will soon be replaced by the e-Privacy Regulation, complements the GDPR requirements. Both the GDPR and PECR govern how data is collected and further processed in the online advertising industry, including requiring notice and a legal basis for processing. The PECR specifically applies to the use of cookies and similar technologies and sets out the rules for consent to use these technologies.Continue Reading The ICO Publishes Its Stance on Adtech and Real-Time Bidding

On May 22, 2019, WSGR and the Future of Privacy Forum (FPF) co-hosted an event focusing on advertising technology and how to overcome the challenges of complying with evolving global privacy requirements.

Jules Polonetsky from FPF opened the program, focusing on the evolution of online advertising, from contextual to programmatic behavioral advertising. WSGR attorneys Lydia Parnes, Cédric Burton, Libby Weingarten, and Lore Leitner discussed the legal regime that applies to this technology: new legal requirements, recent case law, and data protection authorities’ decisions affecting the ad tech ecosystem, as well as the differences between EU and U.S. legislation applying to ad tech.Continue Reading WSGR Event Recap: Online Advertising and Privacy—An Overview of Global Legal Developments

On April 25, 2019, the new chairman and the four directors of the new Belgian data protection authority were sworn in before the Belgian Parliament. This marks a new era for data protection law in Belgium.

Background

Following the effective date of the General Data Protection Regulation (GDPR) on May 25, 2018, the Belgian Privacy Commission was restructured into a Supervisory Authority under the GDPR, thus becoming the Belgian Data Protection Authority. It was given new enforcement powers, including the ability to impose fines up to €20 million or 4 percent of total worldwide annual turnover (whichever is higher).Continue Reading Belgian Data Protection Authority Is Up and Running