Photo of Kristof Van Quathem

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum of advising clients on government affairs strategies concerning the lawmaking, to compliance advice on the adopted laws regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.

On November 22, 2022, the Grand Chamber of the Court of Justice of the European Union (“CJEU”) issued its judgment in joint cases C‑37/20 and C‑601/20, holding that provisions of an EU anti-money laundering directive relating to the publication of beneficial ownership registers were incompatible with the EU Charter of Fundamental Rights (“CFR”). The Court found that while deterring money laundering was a valid objective, making data available to the general public was neither a necessary nor proportionate way to achieve this objective, so contravened the CFR. The judgment demonstrates the Court’s view that sharing a person’s personal data with a third party is a serious intrusion, and that the Court will carefully scrutinize any such sharing.

Although the case concerned the CFR, it sheds light on how the Court approaches similar principles that apply in other contexts, including in the context of the GDPR.

Continue Reading CJEU Invalidates Public Anti-Money Laundering Registers on Privacy Grounds

On October 6, 2022, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) released an opinion in case C-300/21 to the effect that a controller or processor’s non-compliance with the GDPR does not automatically entitle data subjects to receive compensation for non-material damages pursuant to Article 82 GDPR.  According to the AG, compensation is meant to remedy the consequences caused by a breach of the GDPR, and therefore a data subject must have suffered damage that he or she can affirmatively demonstrate.

Continue Reading CJEU Advocate General Issues Opinion on Non-Material Damages for GDPR Breach

On October 18 and 21, 2022, the European Data Protection Board (“EDPB“) published updated guidelines (i) on personal data breach notification under the GDPR and (ii) on identifying a controller or processor’s lead supervisory authority, respectively. Both guidelines are in draft form and are open to public consultation until the end of November.

Continue Reading EDPB Publishes Updated Guidelines on Personal Data Breach Notification and Identifying the Lead Supervisory Authority

The upcoming date of December 27, 2022, marks the end of the roughly one year and a half-long transition period that companies had to replace any the old versions of the standard contractual clauses for international transfers of personal data by the new standard contractual clauses, which the European Commission adopted on June 4, 2021.  As of December 27, 2022, EU Supervisory Authorities may start GDPR enforcement proceedings against any companies that still on to the old version of the standard contractual clauses.

Covington is well placed to assisting clients in amending their contracts to take into account the new standard contractual clauses and, more generally, to ensure compliance with the GDPR rules on international data transfers.

Continue Reading Countdown for Implementing the New EU Data Transfer Contracts and Overview of other EU Transfer Developments

With the growing use of AI systems and the increasing complexity of the legal framework relating to such use, the need for appropriate methods and tools to audit AI systems is becoming more pressing both for professionals and for regulators. The French Supervisory Authority (“CNIL”) has recently tested tools that could potentially help its auditors

According to several news reports in the past month of August (for example, Heise.de), the German Government is working on a regulation that will set out the requirements for so-called “consent management services”, which are services for collecting and storing the consent of website users to the placement of cookies and similar technologies.  These services would serve as an alternative to cookie banners.  Among others, they may obtain consent for several websites at once.  More specifically, dedicated software applications could enable users to replicate the consent provided on one website to other websites, therefore generalizing and sorting their consent by category of devices or websites.  Users would be asked to review their consents every six months.

Continue Reading The German Government is Drafting a Regulation on Cookie Consent Management Services

On September 7, 2022, the Brussels Market Court adopted an interim decision in a case brought by IAB Europe, the sector organization for the digital marketing industry, against the Belgian Supervisory Authority.  The authority had fined IAB Europe alleging that its Transparency and Consent Framework (“TCF”) violates the GDPR and that the organization is a (joint) data controller for processing operations performed by the users of the standard, i.e., publishers and adtech vendors. Under the decision, IAB Europe was also required to present a work plan to remediate the alleged violations.

Continue Reading Brussels Appeal Court Refers IAB Europe Case to CJEU

On 31 May 2022, the Italian Parliament approved Law 62/2022, also known as the Sunshine Act, which entered into force on 26 June 2022. The new rules will become fully operational once the Ministry of Health sets up the public database where companies will have to disclose their data.  In practice, this means the new

On June 30, 2022, the European Data Protection Board published draft guidelines on certification as a tool for transfers.  These guidelines complement the EDPB’s earlier guidelines on certification and identifying certification criteria.

These guidelines and the guidelines on codes of conduct as tools for transfers appear to be part of the EDPB’s broader response to the Schrems II decision issued by the Court of Justice of the European Union (“CJEU”), which invalidated the EU-US Privacy Shield framework.  The approval of certification schemes expands the toolbox available under Art. 46 GDPR for lawfully transferring personal data outside the EEA.

Continue Reading European Data Protection Board Publishes Guidelines on Certification as a Tool for International Personal Data Transfers

On June 23, 2022, the German Federal Office for Information Security (“Office”) published technical guidelines on security requirements for healthcare apps, including mobile apps, web apps, and background systems.  Although the technical guidelines are aimed at healthcare app developers, they contain useful guidance for developers of any app that processes or stores sensitive