On January 27, 2020, the French Supervisory Authority (“CNIL”) issued a guidance for developers of websites and applications which sets out the main principles of the General Data Protection Regulation (“GDPR”), expounds on their application in the online environment, and gives practical tips to help developers respect users’ privacy when deploying websites and apps. The … Continue Reading
On February 10, 2020, Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI) launched its first public consultation procedure. The consultation invites comments on a position paper of the BfDI which addresses the anonymization of personal data under the General Data Protection Regulation (GDPR), with a particular focus on the telecommunications sector (for … Continue Reading
Germany recently enacted a law that enables state health insurance schemes to reimburse costs related to the use of digital health applications (“health apps”), but the law requires the Federal Ministry of Health to first develop the reimbursement process for such apps. Accordingly, on January 15, 2020, the German government published a draft regulation setting … Continue Reading
On January 14, 2020, the French Supervisory Authority (“CNIL”) published a new draft guidance on the use of cookies and similar technologies on websites and applications (see here, in French). The draft guidance is open for public consultation until February 25, 2020. In its nine articles, the guidance sets out how to properly inform users … Continue Reading
In late December 2019, the Court of The Hague (Netherlands) published a preliminary reference procedure (see here, in Dutch). The Court was asked to decide on the scope of the right of access under the GDPR. The defendant in this case was a bailiff involved in the bankruptcy procedure. The individual who was target of … Continue Reading
On December 17, 2019, the Belgian Supervisory Authority (“SA”) imposed a fine of € 15,000 on an SME operating a legal information website that welcomes approximately 35,000 unique visitors a month. Interestingly, in the apparent absence of any actual complaints submitted to the SA, it carried out this enforcement action on its own initiative. In … Continue Reading
On December 19, 2019, Advocate General (“AG”) Henrik Saugmandsgaard Øe handed down his Opinion in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”). The AG’s Opinion provides non-binding guidance to the Court of Justice of the EU (“CJEU”) on how to decide the case. In brief, the AG recommended that … Continue Reading
On December 11, 2019, the European Data Protection Board (“EDPB”) published the final text of the standard clauses adopted by the Danish Supervisory Authority (Datatilsynet, hereafter “Danish SA”) pursuant to Article 28(8) of the General Data Protection Regulation (“GDPR”). The Danish clauses are now accessible on the EDPB’s register of decisions taken by Supervisory Authorities. … Continue Reading
On December 2, 2019, the German Supervisory Authorities issued a report evaluating the implementation of the EU General Data Protection Regulation (“GDPR”) in Germany. The report describes the Supervisory Authorities’ experience thus far in applying the GDPR and lists the provisions of the GDPR they see as problematic in practice. For each of these provisions, … Continue Reading
In two recent landmark decisions issued on November 6, 2019, the German Constitutional Court (“BVerfG”) presented its unique perspective on the “right to be forgotten” and announced that it will assume a greater role in safeguarding German residents’ fundamental rights from now on.… Continue Reading
The Advocate General’s (“AG”) Opinion in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”), has been delayed until the 19th December 2019. (The original publication date was set for the week before, on the 12th December.) The primary question before the European Court of Justice (“ECJ”), and the AG, in Schrems … Continue Reading
On November 14, 2019, the EDPB adopted a final version of Guidelines 3/2018 on the territorial scope of the GDPR (Art. 3). This takes into account the contributions and feedback that the EDPB received during a public consultation on a draft version of the guidelines (see here). The draft version of the guidelines raised many … Continue Reading
On November 15, 2019, the French Supervisory Authority (“CNIL”) published guidance on the use of facial recognition. The guidance is primarily directed at public authorities in France that want to experiment with facial recognition. The guidance warns that this technology risks leading to biased results because the algorithms used are not 100% reliable and the … Continue Reading
On November 8, 2019, the Spanish Supervisory Authority (“SA”) issued detailed guidance on cookies and similar technologies in collaboration with stakeholders in the ad industry, including Adigital, Anunciantes, AUTOCONTROL and IAB Spain. The guidance is divided in 4 chapters: Chapter 1: scope of the Spanish cookie rules (Art. 22 of Law 34/2002); Chapter 2: terminology … Continue Reading
On November 8, 2019, the European Union adopted the “Directive Modernizing Consumer Law”. This directive is part of the so-called “New Deal for Consumer” (see here), a package of legislative reforms designed to revise existing EU consumer laws. The main objective of these reforms is to adapt EU consumer protection legislation to the realities of … Continue Reading
On November 4, 2019, the Spanish Supervisory Authority (“AEPD”), in collaboration with the European Data Protection Supervisor, published guidance on the use of hashing techniques for pseudonymization and anonymization purposes. In particular, the guidance analyses what factors increase the probability of re-identifying hashed messages. The AEPD explains that the probability of re-identification increases if more … Continue Reading
On October 16, 2019, the body of German Supervisory Authorities known as the Datenschutzkonferenz (“DSK”) released a document proposing a model for calculating fines under the GDPR. The DSK indicated that this model is subject to change and will be superseded by any method put forward in guidance issued by the European Data Protection Board. … Continue Reading
The Council of EU Member States – one of the two main EU lawmaking bodies – recently released a new draft version of the ePrivacy Regulation (“EPR”). Negotiations on the regulation have been deadlocked for a while, but seem to be gathering new momentum under the Finnish Presidency. Below we highlight some selected topics that … Continue Reading
On September 10, 2019, the Court of Justice of the European Union (“CJEU“) issued its decision in the Planet 49 case. The case centers on the consent requirements for the use of cookies. Planet49 GmbH offered an online lottery service for which interested users had to register. The registration form asked users to tick a … Continue Reading
On September 24, 2019, the Court of Justice of the European Union (“CJEU”) adopted a decision on the geographical scope of the right to erasure under the GDPR (decision available here). The court decided, in line with the opinion of Advocate General Szpunar, that a US-based search engine does not have to remove (de-reference) search … Continue Reading
On September 12, 2019, the Italian Supervisory Authority (“Garante”) approved a code of conduct for consumer credit agencies (the “Code”), pursuant to Art. 40 GDPR (see here in Italian). The Code already existed prior to the GDPR, but it had to be amended to meet the requirements of the GDPR and be approved by the … Continue Reading
On June 27, 2019, the High Court of Frankfurt decided that a consent for data processing tied to a consent for receiving advertising can be considered as freely given under the GDPR. The case concerned an electricity company that relied on consent obtained by another company to advertise its products and services to the claimant. … Continue Reading
In a previous post, this blog reported on German guidance on the scope of the right of access under Art. 15 of the GDPR and in particular on the right to receive a copy. The Supervisory Authority of Hesse region stated that the term “copy” in Art 15 GDPR should not be understood literally but … Continue Reading
On July 10, 2019, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) issued a joint assessment of the impact of the U.S. Clarifying Overseas Use of Data Act (“CLOUD Act”) on the legal framework for the protection of personal data in the EU. The EDPB is an independent body composed … Continue Reading
