On January 5, 2022, the European Data Protection Supervisor (“EDPS”) issued a reprimand to the European Parliament for its offering of a website to its staff and members to schedule Covid-19 tests which violated the transparency and transfer provisions of Regulation (EU) 2018/1725 (“Regulation”). In addition, the EDPS ordered the European Parliament to bring the
Austrian Supervisory Authority Finds that Website Deploying Google Analytics Carried out Unlawful Transfers to the US
On December 22, 2021, the Austrian Supervisory Authority (“Authority”) found that an Austrian website that implemented the (free version of) Google analytics violated the GDPR’s rules on international data transfers (see here).
The Authority decided that the Standard Contractual Clauses, combined with the Austrian website operator’s supplementary measures to transfer personal data to Google
December 2021 EU Privacy, Data and Consumer Updates
| Date | Tag | News | Link to Source |
| December 16 | Artificial Intelligence | The European Parliament Research Service published a study on biometrics and AI, with recommendations for the draft Artificial Intelligence Act. | Link. |
| December 15 | Cybersecurity | The UK Government published its 2022 National Cyber Strategy. The strategy is built around five core pillars:
|
Inside Privacy Audiocast: Episode 17 – Children’s Privacy Developments
On Episode 17 of Covington’s Inside Privacy Audiocast, Dan Cooper, Sam Choi, Danielle Kehl and Nick Shepherd discuss the developments related to children’s privacy, looking at relevant legislation, standards, and guidelines in the UK, the EU, and the U.S., and zooming in on some child-specific topics such as age thresholds and age verification,
Tech Regulation in Africa: Recently Enacted Data Protection Laws
There has been a substantial increase in the use of the Internet across the African continent, aided by ongoing investment into local digital infrastructure, reduction in the associated costs, and improved user access. This has allowed both individuals, and private and public entities, the ability to access, collect, process and/or disseminate personal data more easily, which has spurred a number of African countries to enact comprehensive data protection laws and establish data protection authorities. There is also a growing perception among African countries that there is a need to protect their citizen’s personal data, to regulate how public and private entities use personal data, and to establish data protection authorities tasked with enforcing these laws.
While countries like Kenya, Rwanda and South Africa now have comprehensive data protection laws, which share some elements found in the European Union’s General Data Protection Regulation (“GDPR”), many of the proposed data protection laws have specific rules that are different from those in other countries in Africa. Consequently, technology companies conducting business in Africa will be required to keep abreast of the evolving regulatory landscape as it relates to data protection on the continent.
Continue Reading Tech Regulation in Africa: Recently Enacted Data Protection Laws
Advocate General Greenlights GDPR Collective Claims Without a Mandate
On December 2, 2021, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) held that consumer protection associations may bring collective claims without a mandate for violations of the GDPR relying on national consumer law provisions (see here). The words “without a mandate” mean that the organization is not
November 2021 EU Privacy, Data and Consumer Updates
Date: December 3, 2021
In Case You Missed It: EU Privacy, Data and Consumer Updates of the Past Month
| Date | Tag | News | Link to Source |
| December 1 | Cybersecurity | The European Parliament published a progress report on the NIS2 Directive. | Link. |
| November 30 | Open Data | The Council of the EU and European Parliament reached a |
Council Agrees Draft Digital Services Act and Digital Markets Act
On November 25, 2021, the Council of the European Union reached an agreement on the draft Digital Services Act (“DSA”) (see here and here) and the Digital Markets Act (“DMA”) (see here) bringing them one step closer to adoption. The European Parliament will discuss the drafts on December 9 and plans to announce
EDPB Publishes Draft Guidelines on Interplay of Article 3 GDPR and the GDPR’s Cross-Border Transfer Rules
On November 19, 2021, the European Data Protection Board (“EDPB”) published its draft Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (available here). The draft guidelines are currently subject to a public consultation period that ends on January 31, 2022; interested stakeholders can submit their feedback here.
In this blog post, we provide a brief background on the issues addressed in the draft guidelines, and summarize the key takeaways.
Progress on the Pending EU ePrivacy Regulation
According to a leaked draft, on November 4, 2021, the Council of the European Union (“Council”) and the European Parliament (“Parliament”) agreed a number of amendments to the following three chapters of the draft ePrivacy Regulation, which will replace the ePrivacy Directive 2002/58/EC and has been pending since January 2017):
- Chapter III (End-Users’ Rights