GDPR

Subscribe to GDPR via RSS

On February 2, 2022, the Belgian Data Protection Authority (DPA) found that the Interactive Advertising Bureau Europe (IAB) Transparency & Consent Framework (TCF), a tool used to record individuals’ online ad preferences, violates the General Data Protection Regulation (GDPR). The DPA fined IAB Europe €250,000 (approx. USD 280,000), and required IAB Europe to present an action plan to bring the TCF into compliance within two months. To reach this conclusion, the DPA concluded that:
Continue Reading Belgian DPA Finds That IAB Europe’s Cookie Consent Framework Violates the GDPR

On November 10, 2021, the UK Supreme Court ruled[1] that class representatives in data privacy class action suits need to prove damage or distress suffered to be successful. Compensation cannot be granted simply by virtue of proving that a company violated the law. The case was heard under the UK’s pre-2018 data protection law, but the UK GDPR arguably does not change the essence of the Court’s ruling.[2]
Continue Reading Lloyd v. Google: UK Supreme Court Rejects Data Protection Class Action in Landmark Ruling

On June 15, 2021, the Court of Justice of the European Union (CJEU) confirmed[1] that non-leading supervisory authorities (SAs) can initiate national judicial proceedings concerning cross-border data processing in two circumstances:[2] i) where there is an “urgent need” to act, or ii) if the case has a local impact.
Continue Reading CJEU Confirms Exceptions to One-Stop-Shop Mechanism Under the GDPR

On May 12, 2021, the Dutch supervisory authority (the Autoriteit Persoonsgegevens or AP) issued a press release on a EUR 525,000 fine against Locatefamily.com for failing to appoint an EU representative, with additional penalty payments pending should the violation persist. The press release is available in English here, and the decision is available in Dutch here (“Decision”).
Continue Reading Locatefamily.com Fined EUR 525,000 for Failure to Appoint an EU Representative

On September 7, 2020, the European Data Protection Board (EDPB) published draft guidelines (Guidelines) intended to clarify the roles of the parties processing personal data and when they are operating as controllers, joint controllers, or processors under the EU General Data Protection Regulation (GDPR).
Continue Reading Draft EDPB Guidelines Clarify the Roles of Parties Processing Personal Data and Call for Detailed Data Processing Agreements

On Monday September 7, 2020, the European Data Protection Board (EDPB) issued draft Guidelines 8/2020 on the targeting of social media users (the “Draft Guidelines”). The Draft Guidelines have far-reaching implications for social media platforms, advertisers, and adtech companies, as they will result in a clarification of the roles and responsibilities of the key stakeholders, and establish rules for consent.

The Draft Guidelines are open for public consultation until October 19, 2020. Interested companies can submit their comments to the EDPB.
Continue Reading EDPB Issues Guidelines on Social Media Targeting Under GDPR