On November 25, 2021, the Council of the European Union reached an agreement on the draft Digital Services Act (“DSA”) (see here and here) and the Digital Markets Act (“DMA”) (see here) bringing them one step closer to adoption.  The European Parliament will discuss the drafts on December 9 and plans to announce its first reading position in early 2022, after which the Council and the Parliament will enter into negotiations with the goal of reaching an agreement on a final text for both acts.

The acts lay down rules for intermediary service providers (e.g., Internet access providers, cloud providers, search engines, social networks, and online marketplaces) covering areas such as:

  • liability of mere conduit, caching and hosting services;
  • content moderation;
  • transparency of services and electronic communications;
  • transparency of online advertising;
  • openness and interoperability of the services to businesses and consumers; and
  • fair competition between service providers.

If you would like to receive an overview of the draft DSA and DMA, as well as a short explanation of the sanctions regime in the event of a breach, please let us know.

Significantly, on November 18, the European Data Protection Board issued a related statement (see here).  In that statement, the Board identified three main lingering concerns with respect to the DSA: (1) lack of protection of individuals’ fundamental rights and freedoms; (2) fragmented supervision by competent regulatory authorities; and (3) the risk of inconsistencies between the DSA and EU data protection law.  The Council’s reactions to these recommendations have yet to be published.

We will continue to monitor and report on the legislative process of the DSA and DMA.

On November 18, 2021, the Advocate General of the Court of Justice of the European Union (“CJEU”) issued an opinion on several data retention cases before the Court, following a long line of CJEU jurisprudence on this topic.

To give context to the issues considered in these cases, Europe’s experience of totalitarian regimes in the last century has shaped its approach to privacy rights.  This is evident in the GDPR and in the decisions of the CJEU to date.  But there remain tensions in this area that are complex and difficult to deal with, notably the tension between individual rights to privacy and data protection on one hand, and the duty of the State to protect its population against security threats and crime on the other.  These competing interests are not easily reconciled, as surveillance of personal electronic communications is increasingly demanded to detect and deal with crime and terrorism.

On November 19, 2021, the European Data Protection Board (“EDPB”) published its draft Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (available here).  The draft guidelines are currently subject to a public consultation period that ends on January 31, 2022; interested stakeholders can submit their feedback here.

In this blog post, we provide a brief background on the issues addressed in the draft guidelines, and summarize the key takeaways.

The Virginia Consumer Data Protection Act (“VCDPA”) Work Group has issued its 2021 Final Report. The final report, which is based on the six Work Group meetings between June and October 2021, summarizes information presented at the meetings on topics such as enforcement, definitions and rulemaking authority, as well as consumer rights and education.  We summarize some of the comments below.

On November 1, 2021, the Supreme Court denied a petition for a writ of certiorari in American Civil Liberties Union v. United States. In its petition, the American Civil Liberties Union (ACLU) sought the Supreme Court’s review of the Foreign Intelligence Surveillance Court (FISC) and the Foreign Intelligence Surveillance Court of Review’s (FISCR) decisions declining to release court records to the ACLU.

According to a leaked draft, on November 4, 2021, the Council of the European Union (“Council”) and the European Parliament (“Parliament”) agreed a number of amendments to the following three chapters of the draft ePrivacy Regulation (which will replace the ePrivacy Directive 2002/58/EC and has been pending since January 2017):

  • Chapter III (End-Users’ Rights to Control Electronic Communications) – this chapter is expected to regulate: (i) the presentation of calling and connected line identification (e.g., whether the device’s screen identifies the number of the incoming call); (ii) the blocking of unwanted malicious or nuisance calls; (iii) the inclusion of information, including personal data, in publicly available directories; and (iv) unsolicited direct marketing communications (e.g., spam email and SMS texts).
  • Chapter V (Remedies, Liability and Penalties) – this chapter is expected to regulate: (i) remedies; (ii) right to compensation and liability; (iii) general conditions for imposing administrative fines; and (iv) penalties.
  • Chapter VI (Final Provisions) – this chapter is expected to regulate the entry into force of the draft Regulation and the subsequent monitoring of its implementation by the European Commission.

However, the Council and Parliament still disagree on a number of significant issues.  For example, the Council and Parliament have not yet agreed on a definition of “unwanted calls”.  They also disagree on the scope of the prohibition for sending direct marketing communications without the recipient’s consent:  the Council intends to apply this prohibition only to communications sent to “natural persons”, while Parliamentarians want the prohibition to apply to sending communications to legal persons (e.g., companies) as well.  The Parliament also seeks to extend the traditional definition of direct marketing (which includes automated calling machines, telefaxes, and e-mails, including SMS messages) to various other types of advertisements, such as “pop-up windows or email-like advertisements” (e.g., push notifications), something not currently endorsed by the Council.

The Council and Parliament plan to hold a second trilogue on November 18, 2021 with the aim of closing the above three chapters, to the extent possible, and moving on to the other chapters of the draft ePrivacy Regulation.  We will continue to monitor and report on the developments in future blog posts on Inside Privacy.

On August 27, 2021, Illinois Governor J.B. Pritzker signed into law the Protecting Household Privacy Act (“PHPA”).  The law governs how, and under what conditions, Illinois law enforcement agencies may acquire and use data from household electronic devices, commonly referred to as “smart devices” or the “internet of things.”  The PHPA will go into effect on January 1, 2022.

The PHPA applies to “household electronic data,” which the statute defines as any information or input provided by a person to any device “primarily intended for use within a household that is capable of facilitating any electronic communication,” excluding personal computing devices (such as personal computers, cell phones, smartphones, or tablets) and digital gateway devices (such as modems, routers, wireless access points, or cable set-top boxes serviced by a cable provider).  Section 5.  The law imposes several limits on Illinois law enforcement’s acquisition and use of household electronic data:

  1. Warrant Requirement: The law generally prohibits law enforcement agencies from obtaining household electronic data “or direct[ing] the acquisition of household electronic data from a private third party.”  Section 10.  This prohibition is subject to a set of exceptions, permitting such acquisition if (i) “a law enforcement agency first obtains a warrant;” (ii) the data is needed to “respond to a call for emergency services concerning the user or possessor of a household electronic device;” (iii) there is “an emergency situation;” or (iv) the data is acquired “with [the] lawful consent of the owner of the household electronic device or person in actual or constructive possession of the household electronic device.”  Section 15.  Notably, the PHPA itself does not impose any obligations on providers, as it states that the Act “shall not be construed to require a person or entity to provide household electronic data to a law enforcement agency.”  Section 35.  At the same time, compliance would be compulsory to the extent the provider is served with a warrant in accordance with the statute.
  2. Confidentiality Requirement: The law also requires that any entity disclosing household electronic data “take reasonable measures to ensure the confidentiality, integrity, and security of any household electronic data during transmission to any law enforcement agency, and to limit any production of household electronic data to information responsive to the law enforcement agency request.”  Section 40.
  3. Limited Data Retention: Finally, the PHPA limits how long law enforcement can retain household electronic data without filing criminal charges if the data was obtained pursuant to a warrant or in an emergency situation.  Section 20.  The Act requires that such data be destroyed within 60 days unless (1) “there is reasonable suspicion that the information contains evidence of criminal activity;” or (2) “the information is relevant to an ongoing investigation.”

On Episode 16 of Covington’s Inside Privacy Audiocast, Dan Cooper, Yan Luo and Zhijing Yu discuss the implications of China’s Personal Information Protection Law (PIPL) for companies with data or doing business in China. The law, which entered into force on November 1, is the first comprehensive personal information protection law in China and bears a resemblance to the EU’s GDPR.


Covington’s Inside Privacy Audiocast offers insights into topical global privacy issues and trends. Subscribe to our Inside Privacy Blog to receive notifications on new episodes.


This is the sixth in the series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, fourth, and fifth blogs described the actions taken by various federal agencies to implement the EO during June, July, August, and September 2021, respectively.  This blog summarizes key actions taken to implement the Cyber EO during October 2021.

Although the recent developments this month are directly applicable to the U.S. Government, the standards being established for U.S. Government agencies could be adopted as industry standards for all organizations that develop or acquire software, similar to the way various industries have adopted the NIST Cybersecurity Framework as a security controls baseline.

Date: October 29, 2021

In Case You Missed It: EU Privacy, Data and Consumer Legislative Updates of the Past Month

| Date | Tag | News | Link to Source |
|---|---|---|---|
| October 29 | Cybersecurity | The European Commission announced that it adopted a delegated act to the Radio Equipment Directive (Directive (EU) 2014/53). This act sets out measures to (1) improve network resilience; (2) better protect consumers’ privacy; and (3) reduce the risk of monetary fraud. The delegated act will come into force following a two-month scrutiny period, should the Council and Parliament not raise any objections. | |
| October 28 | Cybersecurity | European Parliament adopts position on Directive on measures for a high common level of cybersecurity across the Union (“NIS2 Directive”) and starts negotiations with Council | link |
| October 20 | AI | European Commission launches public consultation ending on January 10 on the rules on compensation for damage caused by defective products with a specific focus on AI | link and link |
| October 19 | Cybersecurity | European Commission invites the EU and Member States to further develop the EU cybersecurity crisis management framework, including by exploring the potential of building a joint cyber unit to tackle the rising number of serious cyber incidents impacting public services, businesses and citizens across the EU | link |
| October 19 | Cybersecurity | European Commission will propose a European Cyber Resilience Act to establish common cybersecurity standards, and begin building an EU space-based global secure communications system to provide additional EU-wide broadband connectivity and secure independent communications to Member States | link |
| October 13 | Data Protection – Other | European Data Protection Board (“EDPB”) issues guidelines on restrictions under Article 23 GDPR (i.e., restrictions will be defined as any limitation of scope of the obligations and rights provided for in Articles 12 to 22 and 34 GDPR as well as corresponding provisions of Article 5 in accordance with Article 23 GDPR) | link |
| October 13 | Children Data | EDPB will adopt guidelines on children’s data | link |
| October 13 | Personal Data Transfers | EDPB will adopt guidelines regarding the relationship between the GDPR’s extraterritorial reach and data transfer restrictions. EDPB announced that the European Commission will develop a new set of standard contractual clauses for data transfers from the EEA to a non-EEA entity that is subject to the extra-territorial scope of the GDPR. | link |
| October 13 | Digital Services | EDPB will adopt statement on overarching concerns regarding legislative proposals in Digital Services Package | link |
| October 12 | Cybersecurity | European Parliament adopts position on new rules on EU critical infrastructure entities | link |
| October 7 | AI | European Consumer Organization (“BEUC”) issues position paper on the AI Act | link |
| October 6 | AI | European Parliament adopts resolution on AI in criminal law and its use by the police and judicial authorities in criminal matters | link |
| October 1 | Open Data | Council of the EU approves version of the Data Governance Act, which will now be negotiated with the European Parliament | link and link |

What’s Coming Next

  • Negotiations on the Data Governance Act between Parliament and the Council are scheduled for November 9 and early December (see here)
  • Council of the EU is preparing its position on the evaluation and findings on the application of the Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties (see here)