
Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sectors. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum, from advising clients on government affairs strategies concerning lawmaking, to compliance advice on the adopted laws, regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.

On 12 January 2022, the French National Assembly’s Committee on Cultural Affairs and Education (the “Committee”) unanimously approved a draft bill seeking to “encourage the use of parental controls on certain equipment and services sold in France and allowing access to the Internet” (the “Bill”).

  1. Background

In 2021, the French Supervisory Authority (“CNIL”)

Consumer Law Developments

Over the past 5 years, the EU has launched several legislative initiatives aimed at revamping EU consumer protection laws.  One such initiative was the “New Deal for Consumers” adopted by the European Commission on April 11, 2018.  The New Deal for Consumers amends existing EU consumer legislation in order to, on the

On November 26, 2021, the Court of Justice of the EU (“CJEU”) held in Case C-102/20 that the display of advertising messages in an electronic inbox in a form similar to that of an actual email constitutes direct marketing, and therefore is subject to EU Member States’ rules on direct marketing (see press release here

According to a leaked draft, on November 4, 2021, the Council of the European Union (“Council”) and the European Parliament (“Parliament”) agreed a number of amendments to the following three chapters of the draft ePrivacy Regulation (which will replace the ePrivacy Directive 2002/58/EC and has been pending since January 2017):

  • Chapter III (End-Users’ Rights

On September 28, 2021, the European Data Protection Board (“EDPB”) issued its opinion on the European Commission’s (“Commission”) draft decision on the adequate protection of personal data in the Republic of South Korea.  Once the Commission approves the decision, it will allow for personal data to flow freely from the EEA to commercial operators and public authorities in South Korea, without the need to implement other transfer mechanisms provided in the General Data Protection Regulation (“GDPR”), such as standard contractual clauses.

The EDPB’s opinion is overall favorable with respect to the Commission’s finding that South Korea’s data protection laws offer a level of protection essentially equivalent to that provided by the GDPR.  In particular, the EDPB highlights that there are “numerous similarities” between the South Korean data protection laws (which include the Personal Information Protection Act (PIPA), its adjoining Enforcement Decree, and Notification No. 2021-1) and the European data protection framework, in particular the GDPR.

On July 7, 2021, the European Data Protection Board (“EDPB”) published draft guidelines on codes of conduct for personal data transfers for consultation.  These guidelines complement the EDPB’s earlier guidelines on codes of conduct and monitoring bodies.  Interested parties have until October 1, 2021 to respond to the consultation.

The guidelines focus on the requirements for a code of conduct to be approved as a legal mechanism for transferring personal data outside the European Economic Area (“EEA”) to third countries that do not provide an adequate level of data protection.  They emphasize that such a code of conduct can be used to cover multiple transfers between companies belonging to the same sector and/or carrying out similar processing activities.


On July 15, 2021, the Belgian Supervisory Authority (“SA”) released a 40-page draft recommendation on the use of biometric data and launched a public consultation to solicit feedback about it.

Most notably, the SA points out that there is no valid legal basis other than explicit consent (with all the GDPR limitations attached to it) that would enable the processing of biometric data for authentication purposes (e.g., security), because Belgian lawmakers failed to adopt the required national legislation to supplement the GDPR (specifically, to underpin the public interest exception found in Art. 9(2)(g) GDPR for processing sensitive personal data).  The SA considers this outcome a departure from the rules that applied prior to the GDPR, and will therefore allow a one-year grace period to give controllers and lawmakers sufficient time to address the issue.


On June 21, 2021, the European Data Protection Board (“EDPB”) published its finalized recommendations on measures that supplement transfer tools to ensure compliance with the General Data Protection Regulation (“GDPR”), where organizations transfer personal data from the European Economic Area (“EEA”) to a country outside the EEA (“third country”) (see here).  While the final version retains much of the language of the draft version released in November 2020 (see here), it includes several notable updates.

On June 15, 2021, the Court of Justice of the European Union (“CJEU”) rendered a decision (press release here, full judgment here) addressing whether a European supervisory authority (“SA”) that is not the “Lead SA” (as defined in Article 56 GDPR) has competence to bring a case for an alleged violation of the General Data Protection Regulation (“GDPR”) before a national court in instances where the alleged violation involved the processing of personal data across multiple EU Member States.  In such scenarios, a controller with a main establishment in Europe will typically seek to benefit from the so-called “one-stop-shop” principle under Article 56 GDPR, meaning the controller would need to answer to only one SA rather than be subject to enforcement actions brought by numerous SAs.

Today, June 4th, 2021, the European Commission (“Commission”) published the final version of its new standard contractual clauses for the international transfer of personal data (“SCCs”) (see here).  While the final version retains much of the language of the draft version released in November 2020 (see here), it includes several notable updates.  When finalizing the SCCs, the Commission took into account the joint opinion of the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor, feedback submitted by stakeholders during the public consultation period, and the opinions of EU Member States’ representatives.

In this blog post, we identify several key features of the new SCCs that organizations should keep in mind when preparing to implement them in contractual agreements going forward.
