On October 3, 2024, the European Commission published a report evaluating the effectiveness of existing EU consumer protection laws in protecting consumers in the digital space. More specifically, the report assesses the effectiveness of the following three consumer protection laws: (i) the Unfair Commercial Practices Directive (“UCPD”); (ii) the Consumer Rights Directive (“CRD”); and (iii) the Unfair Contract Terms Directive (“UCTD”). It also identifies and analyses the main provisions in the DSA, DMA, Data Act, and AI Act that are of particular relevance for protecting consumers in the digital environment. The report is the result of the 2022 public consultation we mentioned in our previous blog post.Continue Reading EU Commission Publishes Report Assessing EU Consumer Laws and Paves Way for New and Stronger EU Consumer Law for the Digital Space
Kristof Van Quathem
Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.
Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.
Kristof is admitted to practice in Belgium.
The EU Considers Changing the EU AI Liability Directive into a Software Liability Regulation
Now that the EU Artificial Intelligence Act (“AI Act”) has entered into force, the EU institutions are turning their attention to the proposal for a directive on adapting non-contractual civil liability rules to artificial intelligence (the so-called “AI Liability Directive”). Although the EU Parliament and the Council informally agreed on the text of the proposal in December 2023 (see our previous blog posts here and here), the text of the proposal is expected to change based on a complementary impact assessment published by the European Parliamentary Research Service on September 19.Continue Reading The EU Considers Changing the EU AI Liability Directive into a Software Liability Regulation
EU Commission Announces New SCCs for International Transfers to Non-EU Controllers and Processors Subject to the GDPR
On September 12, 2024, the European Commission announced that it will launch a public consultation on additional standard contractual clauses for international transfers of personal data to non-EU controllers and processors that are subject to the EU GDPR extra-territorially (“Additional SCCs”), something that has been promised by the European Commission as far back as 2022. The public consultation is planned for the last quarter of 2024.Continue Reading EU Commission Announces New SCCs for International Transfers to Non-EU Controllers and Processors Subject to the GDPR
CNIL Opens Public Consultation on Its Standards for Processing Health Data
On May 16, 2024, the CNIL launched a public consultation on all of its health data standards. Interested stakeholders are encouraged to participate by completing a questionnaire (available in French here) by July 12, 2024.
French law has specific requirements for the processing of health data. In particular, it…
Continue Reading CNIL Opens Public Consultation on Its Standards for Processing Health DataItalian Legislator and Regulator Update Rules on Processing of Health Data for Medical Research
On May 9, 2024, the Italian data protection authority (“Garante”) published a decision identifying the safeguards that controllers must put in place when processing health data for medical research purposes, in cases where data subjects’ consent cannot be obtained for ethical or organizational reasons.
The Garante’s decision follows a recent legislative development, enacted by Law n. 56 of April 29, 2024, and effective as of May 1, 2024, which amended, among other things, Article 110 of the Italian Privacy Code. The amendment removes the obligation to submit a research program and related data protection impact assessment (“DPIA”) for prior consultation to the Garante, in cases where it is impossible or disproportionately burdensome to contact the concerned individuals.
We provide below an overview of the legal framework and the safeguards identified by the Garante.Continue Reading Italian Legislator and Regulator Update Rules on Processing of Health Data for Medical Research
France Publishes Updated Certification Standard for the Hosting of Health Data
The French Public Health Code requires that certain service providers hosting health data hold a specific “HDS” certification. In order to obtain this certification, providers must comply with the requirements set out in the “HDS” certification standard. On May 16, 2024, France officially published an updated version of this “HDS”…
Continue Reading France Publishes Updated Certification Standard for the Hosting of Health DataEHDS Series – 5: European Health Data Space Governance, Enforcement and Timelines
In March 2024, the EU lawmakers reached agreement on the European Health Data Space (EHDS). Although the text has not yet been formally adopted by all the European institutions, a number of interesting points can already be highlighted. This article focuses on the governance and enforcement of the EHDS; for an overview of the EHDS generally, see our first post in this series.
The final text of the EHDS was adopted by the European Parliament on 24 April 2024 and is expected to be formally adopted by the European Council in the coming months.Continue Reading EHDS Series – 5: European Health Data Space Governance, Enforcement and Timelines
EHDS Series – 4: The European Health Data Space’s Implications for “Wellness Applications” and Medical Devices
In early March 2024, the EU lawmakers reached agreement on the European Health Data Space (EHDS). For now, we only have a work-in-progress draft version of the text, but a number of interesting points can already be highlighted. This article focuses on the implications for “wellness applications” and medical devices; for an overview of the EHDS generally, see our first post in this series.
The final text of the EHDS was adopted by the European Parliament on 24 April 2024 and is expected to be formally adopted by the European Council in the coming months.Continue Reading EHDS Series – 4: The European Health Data Space’s Implications for “Wellness Applications” and Medical Devices
EFPIA Issues Statement on Application of the AI Act in the Medicinal Product Lifecycle
On April 22, 2024, the European Federation of Pharmaceutical Industries and Associations (“EFPIA”) issued a statement on the application of the AI Act in the medicinal product lifecycle. The EFPIA statement highlights that AI applications are likely to play an increasing role in the development and manufacture of medicines. As drug development is already governed by a longstanding and detailed EU regulatory framework, EFPIA stresses that care should be taken to ensure that any rules on the use of AI are fit-for-purpose, adequately tailored, risk-based, and do not duplicate existing rules. The statement sets forth five “considerations”:Continue Reading EFPIA Issues Statement on Application of the AI Act in the Medicinal Product Lifecycle
Rounding up Five Recent CJEU Cases on GDPR Compensation
In recent months, the European Court of Justice (“CJEU”) issued five judgments providing some clarity on the scope of individuals’ rights to claim compensation for “material and non-material damage” under Article 82 of the GDPR. These rulings will inform companies’ exposure to compensation claims, particularly in the context of the EU’s Collective Redress Directive, but open questions remain about the quantum of compensation courts will offer in these cases and we expect both the CJEU and national courts to deliver additional case-law clarifying this topic in the coming year (for more information on recent CJEU cases related to compensation, see our previous blog posts here and here).
- In VB v Natsionalna agentsia za prihodite (C-340/21), the CJEU concluded that individuals may have suffered “non-material damage”—and therefore be able to claim compensation—if they can demonstrate that they feared future misuse of personal data that was compromised in a personal data breach.
- In VX v Gemeinde Ummendorf (C-456/22), the CJEU found that there is no de minimis threshold for damage, below which individuals cannot claim for compensation.
- In BL v MediaMarktSaturn (C-687-21), the CJEU restated its existing case-law, and expanded upon its analysis in VB by clarifying that alleged harms cannot be “purely hypothetical”.
- In Kočner v Europol (C-755/21), the CJEU awarded non-material damages of €2000 for the publication in newspapers of transcripts of “intimate” text messages.
- In GP v Juris GmbH (C-741/21), the CJEU found that where one processing activity infringes multiple provisions of the GDPR, this should not allow claimants to “double-count” the harm they suffered.
We provide further detail on each case below.Continue Reading Rounding up Five Recent CJEU Cases on GDPR Compensation