On March 14, 2024, the Court of Justice of the EU (“CJEU”) ruled that EU supervisory authorities have the (corrective) power to order data controllers who have been found to process personal data unlawfully to erase such personal data, even if the data subjects have not requested the erasure. (Case C‑46/23)
Kristof Van Quathem
Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.
Kristof has specialized in this area for over twenty years and has developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of Justice of the EU.
Kristof is admitted to practice in Belgium.
European Court Clarifies Concept of Personal Data
On March 7, 2024, the European Court of Justice (“CJEU”) rendered its judgment in an appeal against a decision of the EU General Court (C-479/22P). In the original decision, the General Court decided that the information contained in a press release by OLAF (a European anti-fraud organization) regarding fraud committed by an unnamed scientist was not personal data as the scientist was not identifiable from the press release (for more on the General Court’s decision, see our blog post here). The scientist appealed the decision arguing that she could easily be identified from the information released by OLAF and thus that the data were personal data. The EU law concerned in this case is Regulation (EU) 2018/1725, which applies to the processing of personal data within EU bodies, rather than the GDPR, though the definition of personal data is the same in both regulations.
CJEU Decides the IAB Europe Case, Expanding the Concept of Controllership
On March 7, 2024, the CJEU rendered its judgment in the IAB Europe case (C-604/22). The case relates to the role of IAB Europe, a sector organization, in its Transparency and Consent Framework (“TCF”) used by companies to record the GDPR consent granted (or not granted) by a user and to document compliance with their GDPR transparency obligations. The framework is widely used in digital advertising, including in real-time bidding scenarios; below, we set out the court’s three main findings.
Rules on Targeted Advertising: What do the Digital Markets Act and Digital Services Act Say?
2023 was marked by the adoption of key EU legislation in the field of data privacy, such as the Digital Services Act (“DSA”) and Digital Markets Act (“DMA”). Both introduce limitations and obligations on online platforms that process personal data for digital advertising. Ahead of the DSA and DMA’s implementation deadlines in February and March 2024 respectively, we will discuss below the key requirements they introduce specifically in relation to online targeted advertising. This blog post complements our previous blog post on the EU’s targeted advertising rules.
EU Rules Restricting the International Transfers of Non-Personal Data
While the EU GDPR regulates the international transfer of personal data, several recently enacted EU laws regulate the international transfer of non-personal data, which is any data that is not “personal data” under the GDPR. In other words, these new laws apply to data that does not relate to an identified or identifiable natural person, including anonymized data and data about industrial equipment, significantly expanding the types of data subject to international transfer restrictions. Some of this legislation has been enacted recently, and other legislation on this topic is making its way through the legislative process but has yet to be adopted. In this blog post, we outline the current and forthcoming EU legislation on the international transfer of non-personal data.
Dutch SA Sanctions Credit Card Company for Failure to Perform Data Protection Impact Assessment
In December 2023, the Dutch SA fined a credit card company €150,000 for failure to perform a proper data protection impact assessment (“DPIA”) in accordance with Art. 35 GDPR for its “identification and verification process”.
Belgian Supervisory Authority Sanctions Data Broker
On January 16, 2024, the Belgian Supervisory Authority sanctioned a data broker for violating several provisions of the GDPR. In particular, the data broker processed personal data without an appropriate legal basis and in violation of its transparency obligation.
The more than 100-page decision explains that until July 2021 the data broker collected personal data from different sources and sold the data to interested third parties (“data delivery services”). The company also provided “data quality services” aimed at improving the quality and relevance of the personal data held by its clients. The relevant data were mainly used for advertising by postal mail.
EU Supervisory Authorities Publish New Guidance on Cookies
Several EU data protection supervisory authorities (“SAs”) have recently issued guidance on cookies. On January 11, 2024, the Spanish SA published guidance on cookies used for audience measurement (often referred to as analytics cookies) (available in Spanish only). On December 20, 2023, the Austrian SA published FAQs on cookies and data protection (available in German only). On October 23, 2023, the Belgian SA published a cookie checklist (available in Dutch and French).
The new guidance builds on existing guidance but addresses some new topics which we discuss below.
French CNIL Opens Public Consultation On Guidance On The Creation Of AI Training Databases
On October 11, 2023, the French data protection authority (“CNIL”) issued a set of “how-to” sheets on artificial intelligence (“AI”) training databases. The sheets are open to consultation until December 15, 2023, and all AI stakeholders (including companies, researchers, NGOs) are encouraged to provide comments.
EU Advocate General Defines “Identity Theft” And Reaffirms GDPR Compensation Threshold
EU advocate general Collins has reiterated that individuals’ right to claim compensation for harm caused by GDPR breaches requires proof of “actual damage suffered” as a result of the breach, and “clear and precise evidence” of such damage – mere hypothetical harms or discomfort are insufficient. The advocate general also found that unauthorised access to data does not amount to “identity theft” as that term is used in the GDPR.