In a decision handed down on December 1, 2021, the Brussels Market Court (Court of Appeal) had an opportunity to consider the GDPR right of access. The Belgian Ministry of Finance appealed the Belgian Supervisory Authority’s recent decision requiring the Ministry to grant a complainant access to her financial file and make corrections to the
European Data Protection Supervisor Reprimands European Parliament for Illegal Transfers post-Schrems II CJEU ruling
On January 5, 2022, the European Data Protection Supervisor (“EDPS”) issued a reprimand to the European Parliament for its offering of a website to its staff and members to schedule Covid-19 tests which violated the transparency and transfer provisions of Regulation (EU) 2018/1725 (“Regulation”). In addition, the EDPS ordered the European Parliament to bring the
Austrian Supervisory Authority Finds that Website Deploying Google Analytics Carried out Unlawful Transfers to the US
On December 22, 2021, the Austrian Supervisory Authority (“Authority”) found that an Austrian website that implemented the (free version of) Google analytics violated the GDPR’s rules on international data transfers (see here).
The Authority decided that the Standard Contractual Clauses, combined with the Austrian website operator’s supplementary measures to transfer personal data to Google
French National Assembly’s Committee Approves Bill on Internet Parental Control
On 12 January 2022, the French National Assembly’s Committee on Cultural Affairs and Education (the “Committee”) unanimously approved a draft bill seeking to “encourage the use of parental controls on certain equipment and services sold in France and allowing access to the Internet” (the “Bill”).
- Background
In 2021, the French Supervisory Authority (“CNIL”)
EU Consumer Law Webinars
Consumer Law Developments
Over the past 5 years, the EU has launched several legislative initiatives aimed at revamping EU consumers protection laws. One such initiative was the “New Deal for Consumers” adopted by the European Commission on April 11, 2018. The New Deal for Consumers amends existing EU consumer legislation in order to, on the
Court of Justice of the EU Finds that Advertising Shown in Email Inbox is Subject to Rules on Direct Marketing
On November 26, 2021, the Court of Justice of the EU (“CJEU”) held in Case C-102/20 that the display of advertising messages in an electronic inbox in a form similar to that of an actual email constitutes direct marketing, and therefore is subject to EU Member States’ rules on direct marketing (see press release here
Progress on the Pending EU ePrivacy Regulation
According to a leaked draft, on November 4, 2021, the Council of the European Union (“Council”) and the European Parliament (“Parliament”) agreed a number of amendments to the following three chapters of the draft ePrivacy Regulation, which will replace the ePrivacy Directive 2002/58/EC and has been pending since January 2017):
- Chapter III (End-Users’ Rights
EDPB Adopts Overall Favorable Opinion on European Commission’s Draft Adequacy Decision for South Korea
On September 28, 2021, the European Data Protection Board (“EDPB”) issued its opinion on the European Commission’s (“Commission”) draft decision on the adequate protection of personal data in the Republic of South Korea. Once the Commission approves the decision, it will allow for personal data to flow freely from the EEA to commercial operators and public authorities in South Korea, without the need to implement other transfer mechanisms provided in the General Data Protection Regulation (“GDPR”), such as standard contractual clauses.
The EDPB’s opinion is overall favorable with respect to the Commission’s finding that South Korea’s data protection laws offer a level of protection essentially equivalent to that provided by the GDPR. In particular, the EDPB highlights that there are “numerous similarities” between the South Korean data protection laws (which include the Personal Information Protection Act (PIPA), its adjoining Enforcement Decree, and Notification No. 2021-1) and the European data protection framework, in particular the GDPR.
Continue Reading EDPB Adopts Overall Favorable Opinion on European Commission’s Draft Adequacy Decision for South Korea
EDPB Publishes Guidelines on Codes of Conduct for Data Transfers
On July 7, 2021, the European Data Protection Board (“EDPB”) published draft guidelines on codes of conduct for personal data transfers for consultation. These guidelines complement the EDPB’s earlier guidelines on codes of conduct and monitoring bodies. Interested parties have until October 1, 2021 to respond to the consultation.
The guidelines focus on the requirements for a code of conduct to be approved as a legal mechanism for transferring personal data outside the European Economic Area (“EEA”) to third countries that do not provide an adequate level of data protection. They emphasize that such a code of conduct can be used to cover multiple transfers between companies belonging to the same sector and/or carrying out similar processing activities.
Continue Reading EDPB Publishes Guidelines on Codes of Conduct for Data Transfers
Belgian Supervisory Authority Launches Public Consultation on the Use of Biometric Data
On July 15, 2021, the Belgian Supervisory Authority (“SA”) released a 40-page draft recommendation on the use of biometric data and launched a public consultation to solicit feedback about it.
Most notably, the SA points out that there is no valid legal basis other than explicit consent (with all the GDPR limitations attached to it) that would enable the processing of biometric data for authentication purposes (e.g., security), because Belgian lawmakers failed to adopt the required national legislation to supplement the GDPR (specifically, to underpin the public interest exception found in Art. 9(2)(g) GDPR for processing sensitive personal data). The SA considers this outcome a departure from the rules that applied prior to the GDPR, and will therefore allow a one-year grace period to give controllers and lawmakers sufficient time to address the issue.