Kristof Van Quathem

Kristof Van Quathem

Subscribe to all posts by Kristof Van Quathem

German Courts Decide Whether an Infringement of the GDPR also Qualifies as Unfair-Competitive Behavior

Under the Data Protection Directive (now superseded by the General Data Protection Regulation, “GDPR”), it was disputed whether a violation of the German Data Protection Law transposing the Directive could serve as a basis for anti-competition claims under the German Act Against Unfair Competition (“Gesetz gegen den unlauteren Wettbewerb”, “UWG”).  Since the entry into force … Continue Reading

European Data Protection Board Issues Draft Guidelines on Extra-Territorial Application of the GDPR

On November 23, 2018, the European Data Protection Board (“EDPB”) issued draft Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) (“Guidelines”). As per standard procedure, the EDPB has published this first version of the Guidelines to allow for public consultation about its contents over the next several months. At the conclusion of … Continue Reading

Dutch Supervisory Authority Imposes GDPR Security Standard for Processing Broadly Defined Health Data

In early November, the Dutch Supervisory Authority released an injunction imposed against the public insurance body Uitvoeringsinstituut Werkgeversverzekering (“UWV”) last July. The UWV allows employers to submit data about their employees for social security purposes.  The data includes dates of employee absences due to general illness (and when an employee is pregnant or gave birth, … Continue Reading

CNIL imposes GDPR-consent in online advertising space

On November 9, 2018, the French Supervisory Authority for Data Protection (known as the “CNIL”) announced that it issued a formal warning (available here) ordering the company Vectaury to change its consent experience for customers and purge all data collected on the basis of invalid consent previously obtained.   Vectaury is an advertising network that … Continue Reading

Portuguese hospital receives and contests 400,000 € fine for GDPR infringement

On July 17, 2018, the Portuguese Supervisory Authority (“CNPD”) imposed a fine of 400.000 € on a hospital for infringement of the European Union General Data Protection Regulation (“GDPR”).  The decision has not been made public.  Earlier this week, the hospital publicly announced that it will contest the fine. According to press reports, the CNPD … Continue Reading

Dutch Supervisory Authority releases guidance on the interaction between the GDPR and PSD2

On October 18, 2018, the Dutch Supervisory Authority for data protection adopted guidance on the second Payment Service Directive (“PSD2”).  The PSD2 intends to open the financial services market to a larger scale of innovative online services.  To that effect, the PSD2 sets out rules for obtaining access to the financial information of bank customers.  … Continue Reading

Italian court decides that a data protection officer does not have to be a certified ISO 27001 Auditor

On September 5, 2018, a first instance Administrative Court in Italy decided that a public company cannot reject an application for the position of data protection officer (“DPO”) on the basis that the applicant is not a certified ISO 27001 Auditor / Lead Auditor (decision available here). ISO 27001 is an international information security standard. … Continue Reading

The Implications of the GDPR on Clinical Trials in Europe

On October 23, 2018, the European Federation of Pharmaceutical Industries in cooperation with the Future of Privacy Forum and the Center for Information Policy Leadership will organize a workshop entitled, “Can GDPR Work for Health Research.”  In the first session, the workshop will discuss the implications of the General Data Protection Regulation (“GDPR”) on clinical … Continue Reading

The GDPR and Blockchain

Blockchain technology has the potential to revolutionise many industries; it has been said that “blockchain will do to the financial system what the internet did to media”.  Its most famous use is its role as the architecture of the cryptocurrency Bitcoin, however it has many other potential uses in the financial sector, for instance in … Continue Reading

Dutch Supervisory Authority Announces GDPR Investigation

On July 17, 2018, the Dutch Supervisory Authority announced that it will start a preliminary investigation to assess whether certain large corporations comply with the EU’s General Data Protection Regulation (“GDPR”) – see the official press release here (in Dutch).  To that end, the authority will review the “records of processing activities” from thirty randomly … Continue Reading

Post GDPR: ECHR Ruling Confirms the Prevalence of Freedom of Expression and Information Over the Right of Erasure

By Kristof Van Quathem and Anna Sophia Oberschelp de Meneses The European Court of Human Rights (“ECHR”) decided on 28 June 2018 that the right to request the erasure of personal data on prior convictions, may be trumped by the right to freedom of expression and information.  The court confirmed prior case law deciding that the … Continue Reading

National Cybersecurity Awareness Month Q&A with Kristof Van Quathem

Kristof Van Quathem, special counsel in Covington’s Brussels office, advises clients on data protection, data security, and cybercrime matters. He has been specializing in this area for over fifteen years and covers the entire spectrum of advising clients on government affairs strategies, ranging from compliance advice on the adopted laws, regulations, and guidelines, to the … Continue Reading

Switzerland and US Announce New Commercial Data Transfer Framework

On January 12, 2017, the U.S. Federal Trade Commission announced the adoption of a Swiss-U.S. Privacy Shield, to replace the existing Swiss-U.S. Safe Harbor Agreement.  Companies have a three month grace period to switch from the old to the new regime. The Swiss version of the Privacy Shield had to be negotiated following the invalidation … Continue Reading

EDPS Issues Opinion on Big Data and Enforcement

As announced last week, the European Data Protection Supervisor (“EDPS”) released on September 23, 2016 an opinion on “coherent enforcement of fundamental rights in the age of big data.”  This opinion follows an earlier Preliminary Opinion on privacy and competitiveness in the age of big data, published in 2004 (see our previous blog post here). … Continue Reading

Report: EDPS to Recommend Clearing House to Increase Coordination Among EU Regulators

On September 19, 2016, PaRR reported that the European Data Protection Supervisor (“EDPS”) is working on guidelines to increase coordination on the interface between data protection and competition law.  The guidelines would be released later this month. According to the report, the EDPS will recommend the creation of a “digital clearing house” in which regulators … Continue Reading

The CNIL and EDPS Launch Public Consultations

On June 16, 2016, the French data protection authority (“CNIL”) launched a public consultation on the General Data Protection Regulation (“GDPR).   The consultation focuses on four priority themes set out in the Article 29 Working Party’s 2016 Action plan: the data protection officer; the right to data portability; data protection impact assessments; and certification.… Continue Reading

Right to be Forgotten – High Courts Disagree

On May 12, 2016, The French High Court (“Cour de Cassation”) rendered a short decision stating that the right to be forgotten does not supersede the freedom of press.  In this case, two brothers took legal action against a famous French daily newspaper. The two individuals requested that their respective names be removed from search results … Continue Reading

Digital Single Market – New Initiatives for Cloud Computing and Internet of Things

By Kristof Van Quathem Yesterday, the European Commission launched its “Digitising European Industry” package, a series of industry related initiatives aimed at “updating Europe’s digital infrastructure”, see press release here, Q&A here and homepage here.  The package includes reports and proposals addressing cloud computing, ICT standardization, eGovernment, Internet of Things (“IoT”), quantum technologies and high … Continue Reading

EU DPA Enforcement Guidance Post-Schrems

Industry eagerly awaits further guidance from data protection authorities (“DPAs”) relating to the EU-U.S. Privacy Shield as well as on the validity (or otherwise) of other mechanisms for transfers to the U.S. such as standard contractual clauses (“SCCs”) and binding corporate rules (“BCRs”).  As we explained in recent posts (here and here), publication of an … Continue Reading

EU’s Highest Court Invalidates Safe Harbor with Immediate Effect

Today, the Court of Justice of the European Union (the “CJEU”) invalidated the European Commission’s Decision on the EU-U.S. Safe Harbor arrangement (Commission Decision 2000/520 – see here). The Court responded to pre-judicial questions put forward by the Irish High Court in the so-called Schrems case. More specifically, the High Court had enquired, in particular, … Continue Reading

EU’s Highest Court Rules on Applicable Law and Territorial Powers of the National Data Protection Authorities

On October 1st, 2015, the Court of Justice of the EU rendered its judgment in the Weltimmo case (C-230/14).  The case addressed two important aspects of EU data protection law, namely applicable law and the scope of the territorial powers of data protection authorities. The case arose out of a dispute between Weltimmo, a company registered … Continue Reading

Article 29 Working Party Updates BCR Guidance

On June 2, 2015, the Article 29 Working Party updated its published guidance on the topic of Processor BCRs.  In their latest guidance document, the Working Party focus specifically on the sensitive topic of disclosures to  law enforcement agencies (LEAs). By means of Processor BCRs, data processors are able to share EU-originating personal data within … Continue Reading

Belgian Government Calls for EU Data Protection Authority

On Wednesday, January 28, 2015, better known as “Data Protection Day,” the Belgian Under-Secretary for Data Protection Bart Tommelein called for the creation of an EU Data Protection Authority.  He intends to present this position of the Belgian Government to the informal meeting of Ministers of Justice and of the Interior in Riga (Latvia).  The … Continue Reading

Trans-Atlantic Business Dialogue Holds Briefing Session on EU-U.S. Safe Harbor Agreement

On October 23, the Trans-Atlantic Business Dialogue held a briefing session on the EU-U.S. Safe Harbor Agreement.  Ted Dean, Deputy Assistant Secretary at the U.S. Department of Commerce, gave an update on the negotiations with the European Commission.  Following the Snowden revelations and a resolution of the European Parliament, the European Commission on November 17, … Continue Reading
LexBlog