On January 12, 2023, the Court of Justice of the EU (“Court”) decided that the GDPR’s right of access gives a data subject the choice between asking a controller for (i) the identity of each data recipient to whom the controller will or has disclosed the data subject’s personal data or (ii) only the categories of data recipients. The controller must comply with the data subject’s request, unless it is impossible to identify those recipients (e.g., because they are not yet known) or the controller demonstrates that the data subject’s access request is “manifestly unfounded or excessive.”Continue Reading Court of Justice of the EU Decides that GDPR Right of Access Allows Data Subjects to Request the Identity of Each Data Recipient
New Data Laws Prompt European Commission to Open Consultation on EU Consumer Laws
On November 28, 2022, the European Commission launched a public consultation on whether the following three EU consumer laws remain adequate for ensuring a high level of consumer protection in the digital environment:
- the Consumer Rights Directive (Directive 2011/83/EU, as amended), which sets out the minimum information traders must provide to EU consumers and which offers consumers certain rights, such as the right to withdraw from a contract;
- the Unfair Contract Terms Directive (Directive 93/13/EEC, as amended), which prohibits terms in “standardized” (i.e., non-negotiable) business-to-consumer agreements that cause a significant imbalance between the parties rights and obligations to the detriment of consumers; and
- the Unfair Commercial Practices Directive (Directive 2005/29/EC, as amended), which prohibits commercial practices considered unfair, for example, because they are misleading or aggressive.
The public consultation consists of filling out a short questionnaire, which needs to be submitted by February 20, 2023. It is aimed at stakeholders that operate in the digital environment, such as online platforms.Continue Reading New Data Laws Prompt European Commission to Open Consultation on EU Consumer Laws
The Spanish AEPD Publishes Statement on the Interplay Between its Code of Conduct for the Pharmaceutical Industry and the Potential EU Code of Conduct on Clinical Trials
On December 28, 2022, the Spanish Data Protection Authority (“AEPD”) published a statement on the interplay between its recently approved Spanish code of conduct for the pharmaceutical industry and the European Federation of Pharmaceutical Industries and Associations’ (“EFPIA”) proposal for an EU code of conduct on clinical trials and pharmacovigilance. The statement relates specifically to the legal basis for processing personal data in the context of clinical trials.Continue Reading The Spanish AEPD Publishes Statement on the Interplay Between its Code of Conduct for the Pharmaceutical Industry and the Potential EU Code of Conduct on Clinical Trials
CJEU Invalidates Public Anti-Money Laundering Registers on Privacy Grounds
On November 22, 2022, the Grand Chamber of the Court of Justice of the European Union (“CJEU”) issued its judgment in joint cases C‑37/20 and C‑601/20, holding that provisions of an EU anti-money laundering directive relating to the publication of beneficial ownership registers were incompatible with the EU Charter of Fundamental Rights (“CFR”). The Court found that while deterring money laundering was a valid objective, making data available to the general public was neither a necessary nor proportionate way to achieve this objective, so contravened the CFR. The judgment demonstrates the Court’s view that sharing a person’s personal data with a third party is a serious intrusion, and that the Court will carefully scrutinize any such sharing.
Although the case concerned the CFR, it sheds light on how the Court approaches similar principles that apply in other contexts, including in the context of the GDPR.Continue Reading CJEU Invalidates Public Anti-Money Laundering Registers on Privacy Grounds
CJEU Advocate General Issues Opinion on Non-Material Damages for GDPR Breach
On October 6, 2022, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) released an opinion in case C-300/21 to the effect that a controller or processor’s non-compliance with the GDPR does not automatically entitle data subjects to receive compensation for non-material damages pursuant to Article 82 GDPR. According to the AG, compensation is meant to remedy the consequences caused by a breach of the GDPR, and therefore a data subject must have suffered damage that he or she can affirmatively demonstrate.Continue Reading CJEU Advocate General Issues Opinion on Non-Material Damages for GDPR Breach
EDPB Publishes Updated Guidelines on Personal Data Breach Notification and Identifying the Lead Supervisory Authority
On October 18 and 21, 2022, the European Data Protection Board (“EDPB“) published updated guidelines (i) on personal data breach notification under the GDPR and (ii) on identifying a controller or processor’s lead supervisory authority, respectively. Both guidelines are in draft form and are open to public consultation until the end of November.Continue Reading EDPB Publishes Updated Guidelines on Personal Data Breach Notification and Identifying the Lead Supervisory Authority
Countdown for Implementing the New EU Data Transfer Contracts and Overview of other EU Transfer Developments
The upcoming date of December 27, 2022, marks the end of the roughly one year and a half-long transition period that companies had to replace any the old versions of the standard contractual clauses for international transfers of personal data by the new standard contractual clauses, which the European Commission adopted on June 4, 2021. As of December 27, 2022, EU Supervisory Authorities may start GDPR enforcement proceedings against any companies that still on to the old version of the standard contractual clauses.
Covington is well placed to assisting clients in amending their contracts to take into account the new standard contractual clauses and, more generally, to ensure compliance with the GDPR rules on international data transfers.Continue Reading Countdown for Implementing the New EU Data Transfer Contracts and Overview of other EU Transfer Developments
CNIL Tests Tools to Audit AI Systems
With the growing use of AI systems and the increasing complexity of the legal framework relating to such use, the need for appropriate methods and tools to audit AI systems is becoming more pressing both for professionals and for regulators. The French Supervisory Authority (“CNIL”) has recently tested tools that
Continue Reading CNIL Tests Tools to Audit AI SystemsThe German Government is Drafting a Regulation on Cookie Consent Management Services
According to several news reports in the past month of August (for example, Heise.de), the German Government is working on a regulation that will set out the requirements for so-called “consent management services”, which are services for collecting and storing the consent of website users to the placement of cookies and similar technologies. These services would serve as an alternative to cookie banners. Among others, they may obtain consent for several websites at once. More specifically, dedicated software applications could enable users to replicate the consent provided on one website to other websites, therefore generalizing and sorting their consent by category of devices or websites. Users would be asked to review their consents every six months.Continue Reading The German Government is Drafting a Regulation on Cookie Consent Management Services
Brussels Appeal Court Refers IAB Europe Case to CJEU
On September 7, 2022, the Brussels Market Court adopted an interim decision in a case brought by IAB Europe, the sector organization for the digital marketing industry, against the Belgian Supervisory Authority. The authority had fined IAB Europe alleging that its Transparency and Consent Framework (“TCF”) violates the GDPR and that the organization is a (joint) data controller for processing operations performed by the users of the standard, i.e., publishers and adtech vendors. Under the decision, IAB Europe was also required to present a work plan to remediate the alleged violations.Continue Reading Brussels Appeal Court Refers IAB Europe Case to CJEU