Photo of Laura Somaini

Laura Somaini

Laura Somaini is an associate in the Data Privacy and Cybersecurity Practice Group.

Laura advises clients on EU data protection, e-privacy and technology law, including on Italian requirements. She regularly assists clients in relation to GDPR compliance, international data transfers, direct marketing rules as well as data protection contracts and policies.

Contact:Read more about Laura SomainiEmail

On June 27, 2023, the European Parliament and the Council of the EU reached a political agreement on the Data Act (see our previous blog post here), after 18 months of negotiations since the tabling of the Commission’s proposal in February 2022 (see our previous blog post here).  EU lawmakers bridged their differences on a number of topics, including governance matters, territorial scope, protection of trade secrets, and certain defined terms, among others.

The Data Act is a key component of the European strategy for data. Its objective is to remove barriers to the use and re-use of non-personal data, particularly as it relates to data generated by connected products and related services, including virtual assistants. It also seeks to facilitate the ability of customers to switch between providers of data processing services.

We’ve outlined below some key aspects of the new legislation.

Continue Reading European Parliament and Council Release Agreed Text on Data Act

On July 10, 2023, the European Commission adopted its adequacy decision on the EU-U.S. Data Privacy Framework (“DPF”). The decision, which took effect on the day of its adoption, concludes that the United States ensures an adequate level of protection for personal data transferred from the EEA to companies certified to the DPF. This blog post summarizes the key findings of the decision, what organizations wishing to certify to the DPF need to do and the process for certifying, as well as the impact on other transfer mechanisms such as the standard contractual clauses (“SCCs”), and on transfers from the UK and Switzerland.

Continue Reading European Commission Adopts Adequacy Decision on the EU-U.S. Data Privacy Framework

On April 4, 2023, the European Commission announced that the EU and Japan had successfully completed the first periodic review of the Japan-EU mutual adequacy arrangement, adopted in 2019.  The mutual adequacy recognition – whereby Japan and the EU each have recognized the other’s data protection regime as adequate to protect personal data – complements the regions’ other bilateral partnerships, such as the EU-Japan Economic Partnership Agreement, the Strategic Partnership Agreement, and the recently launched EU-Japan Digital Partnership (see our previous blogpost here).

The review process led to the adoption of two reports by the Commission and the Personal Information Protection Commission of Japan (“PPC”), each discussing the functioning of their respective adequacy decisions.  According to the Commission’s report, the convergence between the EU and Japan’s data protection frameworks has further increased in recent years, and the mutual adequacy arrangement appears to be functioning well.  We provide below a brief overview of the Commission’s main findings.

Continue Reading European Commission Announces Conclusion of First Review of Japan-EU Adequacy Arrangement

On April 17, 2023, the Italian Supervisory Authority (“Garante”) published its decision against a company operating digital marketing services finding several GDPR violations, including the use of so-called “dark-patterns” to obtain users’ consent.  The Garante imposed a fine of 300.000 EUR. 

We provide below a brief overview of the Garante’s key findings.

Continue Reading Italian Garante Fines Digital Marketing Company Over Use of Dark Patterns

On March 22, 2023, the German Conference of Independent Supervisory Authorities (“SAs”) adopted an opinion on websites that offer users a choice between (i) a free version that tracks users’ behavior or (ii) a (usually paid) version that does not track users’ behavior.

Continue Reading German Supervisory Authorities Publish Opinion on (Paid) Subscription Websites

On March 24, 2023, the Italian data protection authority (“Garante”) approved a Code of conduct (“Code”) on telemarketing and telesales activities.  The Code was promoted by various Italian industry and consumer associations, pursuant to Article 40 of GDPR. 

The Garante notes that the Code reflects broad industry consensus, and welcomes it as an important step to ensuring the lawful performance of the covered activities.  The Garante have been historically active in regulating telemarketing and telesales companies, and has applied some of its largest fines to this sector. We provide below an overview of the Code’s key provisions and obligations.

Continue Reading Italian Garante Approves Code of Conduct on Telemarketing and Telesales

Regulators in Europe and beyond have been ramping up their efforts related to online safety for minors, through new legislation, guidance, and by promoting self-regulatory tools.  We discuss below recent developments in the EU and UK on age verification online.

Continue Reading Age Verification: State of Play and Key Developments in the EU and UK

On February 28, 2023, the European Data Protection Board (“EDPB”) released its non-binding opinion on the European Commission’s draft adequacy decision on the EU-U.S. Data Privacy Framework (“DPF”).  The adequacy decision, once formally adopted, will establish a new legal basis by which organizations in the EU (as well as the three EEA states of Iceland, Liechtenstein, and Norway) may lawfully transfer personal data to the U.S., provided that the recipient in the U.S. certifies to and abides by the terms of the DPF (see our previous blogpost here). 

The Commission sought the EDPB’s opinion pursuant to Article 71(1)(s) of the GDPR.  The EDPB welcomes the fact that elements of the DPF represent a substantial improvement over the Privacy Shield, which was annulled by the EU Court of Justice (“CJEU”) in Schrems II (see our previous blogpost here).  Nonetheless, the EDPB notes some concerns and seeks clarification on certain aspects of the DPF from the Commission.  For example, the EDPB welcomes the establishment of a specific mechanism by which non-U.S. persons may seek redress for certain U.S. government surveillance of their personal data, but calls on the Commission to closely monitor the implementation of this mechanism in practice.

Continue Reading EDPB Releases its Opinion on the Proposed EU-U.S. Data Privacy Framework

On February 22, 2023, the European Data Protection Board (“EDPB”) released its Work Program for 2023-2024 (“the Program”), outlining the key priority areas for the next two years.  The Program is divided into four pillars, which largely reflect the priorities already set out in its Strategy 2021-2023.

Continue Reading EDPB Releases its 2023-2024 Work Program

On December 13, 2022, the European Commission released its draft adequacy decision on the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), which, once formally adopted, would recognize that the United States ensures an adequate level of protection for personal data transferred from the EU to organizations certified under the EU-U.S. DPF.  The draft decision follows the issuance of Executive Order 14086 on Enhancing Safeguards for U.S. Signals Intelligence Activities (“EO 14086”) by President Biden on October 7, 2022 (see our previous blog post here), and the political agreement reached between the EU and the U.S. in March 2022 (see our previous blog post here).

As many had expected, the draft adequacy decision assesses the limitations and safeguards relating to the collection and subsequent use of personal data transferred to controllers and processors in the United States by U.S. public authorities.  In particular, the draft decision assesses whether the conditions under which the U.S. government may access data transferred to the United States fulfill the “essential equivalence” test pursuant to Article 45(1) of the GDPR, as interpreted by the Court of Justice of the European Union (“CJEU”) in Schrems II (see our previous blog post here). 

Continue Reading European Commission Releases Draft Adequacy Decision on the EU-U.S. Data Privacy Framework