EU

The French Data Protection Authority Announces Stricter Enforcement

By Cédric Burton, Jan Dhont & Rossana Fol on April 17, 2019

On April 15, 2019, the French Data Protection Authority (CNIL) published its 2018 activity report and announced its 2019 enforcement agenda. The CNIL’s message is clear: if some leniency was tolerated in 2018, this transitional period for GDPR enforcement is now over. Going forward, the CNIL will adopt a stricter approach when investigating companies’ GDPR compliance and make full use of its enforcement powers, including the power to fine.

Background

As of May 25, 2018, the EU General Data Protection Regulation (GDPR) imposes new and strict obligations on companies processing personal data. Most EU privacy regulators adopted a somewhat lenient approach when enforcing the new rules. Beside the €50 million fine against Google in early 2019, the CNIL has not made broad use of its enforcement powers since the GDPR became effective. All in all, 2018 was a transition year to allow companies to bring their practices into compliance.Continue Reading The French Data Protection Authority Announces Stricter Enforcement

EDPB Opinion on Consent and Legal Basis in Clinical Trials

By Cédric Burton, Jan Dhont, Lore Leitner & Elli Laine on February 6, 2019

Posted in Clinical Trial, Cybersecurity, European Union, Regulatory

On January 23, 2019, the European Data Protection Board (EDPB) issued an opinion (Opinion) on the interplay between the Clinical Trial Regulation (CTR) and the General Data Protection Regulation (GDPR), an issue which has been the subject of intense debate and that resulted in a draft, and still non-public, FAQ prepared by the EU Commission. The Opinion comments on the draft FAQ and provides some insight on data protection regulators’ view on how the GDPR applies to patient data collected as a part of a clinical trial.

In short, the EDPB takes the position that consent under the GDPR, and informed consent under the CTR, are different concepts, and that various legal grounds, including consent, are available under the GDPR to process patient personal data in the clinical trial context. Practically speaking, organizations will have to conduct a case-by-case assessment of the various options available.
Continue Reading EDPB Opinion on Consent and Legal Basis in Clinical Trials

France: CNIL Issues Formal Notices Against Two Marketing Platforms for Lack of Valid Consent for the Processing of Location Data

By Cédric Burton & Rossana Fol on October 8, 2018

Posted in Cybersecurity, European Union, Privacy

In July 2018, the French data protection authority (the CNIL) issued two public formal notices against two marketing platform providers—

Teemo¹ and Fidzup²—for failing to obtain valid consent under the General Data Protection Regulaton (GDPR) for the use of location data for profiling and targeted advertising.³ The CNIL gave the two French companies three months to change their practices to comply with EU data protection law. On October 3, 2018, the CNIL closed the matter against Teemo,⁴ as it considered that its updated practices now comply with the GDPR.⁵ The actions provide an indicator as to how Data Protection Authorities (DPAs) may approach enforcement under the GDPR.
Continue Reading France: CNIL Issues Formal Notices Against Two Marketing Platforms for Lack of Valid Consent for the Processing of Location Data

A Look Ahead at Privacy and Data Security in 2018

By Edward Holman, Beth George & Bastiaan Suurmond on January 24, 2018

Posted in Cybersecurity, European Union, Privacy, Regulatory

2018 promises to be an interesting year in the world of privacy and cybersecurity. In this article, we highlight a few of the most notable developments we expect this year, including major developments in Europe, changes and pending cases at the Federal Trade Commission (FTC), notable U.S. Supreme Court cases scheduled to be decided this year, and some areas of legislation that actually may become law in the U.S.

Big Changes Taking Effect in the European Union

One of the biggest areas where everyone in the privacy field will be looking in 2018 is the European Union (EU). On the legislative front, the General Data Protection Regulation (GDPR) will enter into force on May 25, 2018; the proposed e-Privacy Regulation is scheduled to be adopted this year; and the EU parliament will issue a report on the proposed Regulation on Non-Personal Data. Additionally, the Court of Justice of the EU (CJEU) will rule on several important data protection cases, including on third-party tracking, the right to be forgotten, and the possibility of class actions.Continue Reading A Look Ahead at Privacy and Data Security in 2018

EU Commission Publishes Proposal for e-Privacy Regulation: The Top Nine Key Points You Need to Know

By Cédric Burton, Sarah Cadiot & Laura De Boel on January 11, 2017

Posted in European Union, Privacy, Regulatory

ThinkstockPhotos-479430151-web On January 10, 2017, the European Commission published a Proposal for a Regulation that if adopted would have significant and far-reaching implications for Internet-based services and technologies.

The proposal seeks to revise the current EU…
Continue Reading EU Commission Publishes Proposal for e-Privacy Regulation: The Top Nine Key Points You Need to Know

Article 29 Working Party Issues Statement Following Adoption of EU-U.S. Privacy Shield

By Cédric Burton, Laura De Boel, Sarah Cadiot & Sára Hoffman on July 27, 2016

Posted in European Union, Privacy, Regulatory

On July 26, 2016, the body of European Data Protection Authorities (DPAs)—the “Article 29 Working Party” (WP29)—issued a statement commending the improvements made to the EU-U.S. Privacy Shield (Privacy Shield). Although the WP29 continues to…
Continue Reading Article 29 Working Party Issues Statement Following Adoption of EU-U.S. Privacy Shield

The Data Advisor

EU

Article 29 Working Party Issues Statement Following Adoption of EU-U.S. Privacy Shield

ABOUT OUR DATA, PRIVACY, AND CYBERSECURITY PRACTICE