As permitted by the GDPR, France has enacted some specific requirements for the processing of health data, in particular in the context of medical research. Following a report, the French supervisory authority (“CNIL”) audited two organizations carrying out medical research in early 2022 to check their compliance with these requirements. On March 13, 2023, the

Kristof Van Quathem
Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sectors. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum, from advising clients on government affairs strategies concerning lawmaking, to compliance advice on the adopted laws, regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.
National Transposition of the EU Representative Actions Directive: What is the Current Status?
The EU Representative Actions Directive (“RAD”) was meant to have been transposed by all EU member states by December 25, 2022. However, the EU Commission announced on January 27, 2023, that only three out of the 27 EU member states have properly transposed the RAD into their national legislation as required, and that it will now start issuing formal notices to the remaining countries to transpose the RAD as soon as possible.
As reported in our previous blog post, the RAD aims to harmonize member state frameworks on collective actions (i.e., whereby multiple claimants may lodge a claim or claims as a group) across the EU. It sets minimum requirements with respect to collective actions on a wide range of topics, including data protection matters (see also our blog post on the implications of RAD for data protection infringements and our separate blog post on the Court of Justice of the EU’s interpretation of Article 80(2) GDPR on data protection-related collective actions). This blogpost provides an overview of the RAD and its implementation status by EU member states.…
Italian Garante Fines Three Hospitals Over Their Use of AI for Risk Stratification Purposes, Establishes That Predictive Medicine Processing Requires the Patient’s Explicit Consent
On 24 January 2023, the Italian Supervisory Authority (“Garante”) announced it fined three hospitals in the amount of 55,000 EUR each for their unlawful use of an artificial intelligence (“AI”) system for risk stratification purposes, i.e., to systematically categorize patients based on their health status. The Garante also ordered the hospitals to erase all the data they obtained as a consequence of that unlawful processing.…
EDPB Publishes Report of Cookie Banners Taskforce
On January 18, 2023, the European Data Protection Board (“EDPB”) published a report setting out the common positions of the EDPB and EEA member state supervisory authorities (“SAs”) with respect to interpreting the EU rules applying to cookies. SAs will take these common positions into account when handling cookie complaints.
The report was drafted by the EDPB’s Cookie Banner Taskforce (“Taskforce”), which is composed of the EDPB and 18 SAs. However, the report does not have the same interpretative value as EDPB guidance. Moreover, SAs will not take into account the positions mentioned in the report in isolation – they will also take into account additional national requirements stemming from the national laws transposing the ePrivacy Directive and SAs’ national guidance.…
EDPB Releases Outcome of its Investigation into the Use of Cloud-Based Services by the Public Sector
On January 18, 2023, the European Data Protection Board (“EDPB”) published a report on the outcome of its investigation into the use of cloud-based services by the public sector.
The EDPB prepared the report as part of its first coordinated enforcement action under the Coordinated Enforcement Framework (“Framework”), a key part of the EDPB’s 2021-2023 strategy. The Framework facilitates coordinated actions between the EDPB and national data protection authorities to (i) share information and best practices on a topic related to data privacy, and (ii) provide recommendations to better support compliance with data protection laws. Through the Framework, the EDPB and national authorities investigate compliance with a specific data protection topic each year; in 2023, the EDPB will investigate the designation and role of data protection officers (“DPOs”).
This blog summarizes the main takeaways of the 2022 Coordinated Enforcement Action, and highlights its most relevant data privacy concerns.…
Belgian Constitutional Court Invalidates Enforcement Provisions of Data Protection Law
On January 12, 2023, the Belgian Constitutional Court decided that a provision of the Belgian data protection law is unconstitutional.
The relevant provision prevented parties from challenging a decision of the Belgian Supervisory Authority if they were not a party to the proceedings before the Belgian Supervisory Authority that led to the decision.
The Constitutional…
Brazil’s Senate Committee Publishes AI Report and Draft AI Law
On December 1, 2022, a committee of the Brazilian Senate presented a report (currently available only in Portuguese) with research on the regulation of artificial intelligence (“AI”) and a draft AI law (see pages 15-58) (“Draft AI Law”) that will serve as the starting point for deliberations by the Senate on new AI legislation. When preparing the 900+ page report and Draft AI Law, the Senate committee drew inspiration from earlier proposals for regulating AI in Brazil and its research into how OECD countries are regulating (or planning to regulate) in this area, as well as inputs received during a public hearing and in the form of written comments from stakeholders. This blog post highlights 13 key aspects of the Draft AI Law.…
Court of Justice of the EU Decides that GDPR Right of Access Allows Data Subjects to Request the Identity of Each Data Recipient
On January 12, 2023, the Court of Justice of the EU (“Court”) decided that the GDPR’s right of access gives a data subject the choice between asking a controller for (i) the identity of each data recipient to whom the controller will or has disclosed the data subject’s personal data or (ii) only the categories of data recipients. The controller must comply with the data subject’s request, unless it is impossible to identify those recipients (e.g., because they are not yet known) or the controller demonstrates that the data subject’s access request is “manifestly unfounded or excessive.”…
New Data Laws Prompt European Commission to Open Consultation on EU Consumer Laws
On November 28, 2022, the European Commission launched a public consultation on whether the following three EU consumer laws remain adequate for ensuring a high level of consumer protection in the digital environment:
- the Consumer Rights Directive (Directive 2011/83/EU, as amended), which sets out the minimum information traders must provide to EU consumers and which offers consumers certain rights, such as the right to withdraw from a contract;
- the Unfair Contract Terms Directive (Directive 93/13/EEC, as amended), which prohibits terms in “standardized” (i.e., non-negotiable) business-to-consumer agreements that cause a significant imbalance between the parties’ rights and obligations to the detriment of consumers; and
- the Unfair Commercial Practices Directive (Directive 2005/29/EC, as amended), which prohibits commercial practices considered unfair, for example, because they are misleading or aggressive.
The public consultation consists of filling out a short questionnaire, which needs to be submitted by February 20, 2023. It is aimed at stakeholders that operate in the digital environment, such as online platforms.…
The Spanish AEPD Publishes Statement on the Interplay Between its Code of Conduct for the Pharmaceutical Industry and the Potential EU Code of Conduct on Clinical Trials
On December 28, 2022, the Spanish Data Protection Authority (“AEPD”) published a statement on the interplay between its recently approved Spanish code of conduct for the pharmaceutical industry and the European Federation of Pharmaceutical Industries and Associations’ (“EFPIA”) proposal for an EU code of conduct on clinical trials and pharmacovigilance. The statement relates specifically to the legal basis for processing personal data in the context of clinical trials.…