On November 26, 2021, the Court of Justice of the EU (“CJEU”) held in Case C-102/20 that the display of advertising messages in an electronic inbox in a form similar to that of an actual email constitutes direct marketing, and therefore is subject to EU Member States’ rules on direct marketing (see press release here
On November 25, 2021, the Council of the European Union reached an agreement on the draft Digital Services Act (“DSA”) (see here and here) and the Digital Markets Act (“DMA”) (see here) bringing them one step closer to adoption. The European Parliament will discuss the drafts on December 9 and plans to announce…
According to a leaked draft, on November 4, 2021, the Council of the European Union (“Council”) and the European Parliament (“Parliament”) agreed a number of amendments to the following three chapters of the draft ePrivacy Regulation, which will replace the ePrivacy Directive 2002/58/EC and has been pending since January 2017):
- Chapter III (End-Users’ Rights
On September 28, 2021, the European Data Protection Board (“EDPB”) issued its opinion on the European Commission’s (“Commission”) draft decision on the adequate protection of personal data in the Republic of South Korea. Once the Commission approves the decision, it will allow for personal data to flow freely from the EEA to commercial operators and public authorities in South Korea, without the need to implement other transfer mechanisms provided in the General Data Protection Regulation (“GDPR”), such as standard contractual clauses.
The EDPB’s opinion is overall favorable with respect to the Commission’s finding that South Korea’s data protection laws offer a level of protection essentially equivalent to that provided by the GDPR. In particular, the EDPB highlights that there are “numerous similarities” between the South Korean data protection laws (which include the Personal Information Protection Act (PIPA), its adjoining Enforcement Decree, and Notification No. 2021-1) and the European data protection framework, in particular the GDPR.…
Continue Reading EDPB Adopts Overall Favorable Opinion on European Commission’s Draft Adequacy Decision for South Korea
On August 27, 2021, the Swiss Federal Data Protection Authority announced that it recognizes the EU recently approved standard contractual clauses as a transfer mechanism to transfer Swiss personal data to non-adequate countries (see here and here). However, the standard contractual clauses will need to be adjusted to meet the requirements of the Swiss Ordinance to the Federal Act on Data Protection (“FADP”).
Continue Reading Swiss Federal Data Protection Authority Recognizes the New EU Standard Contractual Clauses as a Lawful Mechanism to Transfer Personal Data Outside of Switzerland
On August 11, 2021, the UK Information Commissioner’s Office (“ICO”) opened a public consultation to solicit stakeholder input regarding the UK’s approach to regulating international transfers of personal data under the UK General Data Protection Regulation (“UK GDPR”) (see here). To kick off this initiative, the ICO published a consultation paper setting out various policy options that the UK is considering, as well as:
- a draft set of contractual templates to facilitate transfers of personal data outside the UK, including: (1) a draft international data transfer agreement (“IDTA”); and (2) a draft international transfer addendum to be appended to the recently approved EU standard contractual clauses (“EU Addendum”); and
- a draft transfer impact assessment tool designed to help controllers and processors transferring personal data under the UK GDPR satisfy the requirements articulated by the Court of Justice of the European Union (“CJEU”) in the Schrems II decision (see here).
The ICO has requested that interested stakeholders submit their feedback by no later than October 7, 2021. In this blog post, we summarize these documents and tools, and identify topics that interested stakeholders may want to address when preparing their submission to the public consultation.
On July 7, 2021, the European Data Protection Board (“EDPB”) published draft guidelines on codes of conduct for personal data transfers for consultation. These guidelines complement the EDPB’s earlier guidelines on codes of conduct and monitoring bodies. Interested parties have until October 1, 2021 to respond to the consultation.
The guidelines focus on the requirements for a code of conduct to be approved as a legal mechanism for transferring personal data outside the European Economic Area (“EEA”) to third countries that do not provide an adequate level of data protection. They emphasize that such a code of conduct can be used to cover multiple transfers between companies belonging to the same sector and/or carrying out similar processing activities.
With the rollout of COVID-19 vaccination programs across the EU and the UK, employers are faced with questions about whether or not they are legally permitted to ask employees about their vaccination status and, if so, how that information may be used.
Employers may wish to inquire about the vaccination status of their employees in order to comply with their general obligation to ensure a safe workplace and minimize the risk of exposure to COVID-19. This raises privacy issues under the General Data Protection Regulation (“GDPR”), because employees’ vaccination status falls within a special category of personal data that concerns the health of individuals (Art. 9(1)). This category is subject to more stringent data protection measures due to the sensitive and personal nature of data, and can only be processed in very limited circumstances (Art. 9(2)).
On June 21, 2021, the European Data Protection Board (“EDPB”) published its finalized recommendations on measures that supplement transfer tools to ensure compliance with the General Data Protection Regulation (“GDPR”), where organizations transfer personal data from the European Economic Area (“EEA“) to a country outside the EEA (“third country”) (see here). While the final version retains much of the language of the draft version released in November 2020 (see here), it includes several notable updates.…
Continue Reading EDPB Adopts Finalized Recommendations on Supplemental Transfer Tools to Ensure GDPR-Compliant Data Transfers
On June 9, 2021, the French Supervisory Authority (“CNIL”) published recommendations to help strengthen the protection of minors online (see here, in French). These recommendations are the result of a survey and public consultation conducted by the CNIL in 2020, which focused on the digital practices of minors (see our blog post here). The results of the CNIL’s survey and public consultation indicate that children are accessing the Internet at an early age on a “massive” scale. In light of this reality, the CNIL underscores the importance of ensuring that minors benefit from the effective protection of their personal data when engaging online.…
Continue Reading French CNIL Publishes Recommendations for Protecting Minors Online