Photo of Jetty Tielemans

As part of an ongoing European tour, President Obama has met with several EU political leaders in Brussels today.  After the meeting, Herman van Rompuy, President of the EU, stated that the US has agreed to review the Safe Harbor.  There are no further details known at this stage but most likely the changes will

Speaking at Berkeley’s Online Tracking Workshop today, Françoise Le Bail, Director-General of the European Commission’s DG Justice (the leading department regarding the EU data protection reforms) confirmed the European Commission’s vision that the EU needs stronger penalties in order to ensure effective enforcement of European data protection rules. Ms. Le Bail said that European privacy regulators should be able to impose “significant” sanctions on companies for violating EU privacy rules.

Under the current EU Data Protection Directive, dating back to 1995, each EU Member State autonomously decides on the sanctions for data protection violations, resulting in considerable differences throughout the EU. According to critics, the fines are “too small” in most Member States, particularly in comparison to the turn-over of the companies concerned. Frequently used examples are the fines imposed on Google last year by Spain and France (EUR 900,000 and EUR 150,000, respectively).

Continue Reading Dissuading Companies from Violating Data Protection Rules: Senior European Commission Official Calls for ‘Significant’ Fines

Recent events in the European Parliament and European Council demonstrate that concerns over the U.S.-EU Safe Harbor Agreement are continuing to mount, and reform or even revocation of the Safe Harbor Agreement remains a possibility.  Today, Covington published a client alert that discusses recent developments involving the Safe Harbor Agreement and the potential impact of

In 2009, Directive 2002/58/EC, the so-called ePrivacy Directive, was amended.  The deadline for EU Member States to implement the revised Directive in their national laws was May 25, 2011, but very few Member States met the deadline and even today, almost one month after the deadline, discussions remain ongoing in most national parliaments.  The implementation efforts that have occurred vary, suggesting that that there will be variations among national outcomes rather than an EU-wide approach.

As background, the ePrivacy Directive regulates the use of “technology aimed at storing and accessing information on the user’s terminal equipment.”   The 2002 Directive required that users (i) be informed about the use of such technology, and (ii) be offered the right to refuse it.  This requirement, better known as “the cookie-rule”  traditionally has been implemented through website privacy policies that inform visitors of the use of cookies and how they can refuse them through browser settings. 

But the 2009 revision of the ePrivacy Directive calls into question the well established practice of relying on browser settings to infer user consent.  The revised article 5.3 replaces the “right to refuse” of the old article 5.3 with a “consent that has been obtained” — a language change that suggests that prior consent may be required.  At the same time, however, the amending Directive contains a recital stating that “user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.”  The contradiction between the strengthening of the consent requirement in section 5.3 of the revised Directive, on the one hand, and the reference to the traditional browser-consent in the recital, on the other hand, has caused uncertainty for businesses and national legislators. 

Given this uncertainty, national outcomes are expected to diverge from one Member State to another.  The below examples of (partial) implementation of the revised article 5.3 to date illustrate the difficulty of forecasting a possible EU wide outcome:

Continue Reading European Regulators Continue to Struggle With New Cookie Rule

Today the European Commission adopted an evaluation report on the Data Retention Directive.  This Directive requires EU Member States to ensure that telecommunications service providers retain certain categories of data for the purpose of investigations, detection and prosecution of  serious crime, as defined by the national law of the Member States.  Since its adoption in

At a recent presentation in Frankfurt, Peter Hustinx, head of the European Data Protection Supervisor Office in Brussels, launched an intriguing idea: sanctioning violations of data protection law in the same manner as violations of competition law.

The trade press regularly reports on multi-million euro fines for cartels or abuses of dominant positions by companies