On June 9, 2021, the French Supervisory Authority (“CNIL”) published recommendations to help strengthen the protection of minors online (see here, in French). These recommendations are the result of a survey and public consultation conducted by the CNIL in 2020, which focused on the digital practices of minors (see our blog post here). The results of the CNIL’s survey and public consultation indicate that children are accessing the Internet at an early age on a “massive” scale. In light of this reality, the CNIL underscores the importance of ensuring that minors benefit from the effective protection of their personal data when engaging online.
Continue Reading French CNIL Publishes Recommendations for Protecting Minors Online
European Commission Publishes New Standard Contractual Clauses
Today, June 4th, 2021, the European Commission (“Commission”) published the final version of its new standard contractual clauses for the international transfer of personal data (“SCCs”) (see here). While the final version retains much of the language of the draft version released in November 2020 (see here), it includes several notable updates. When finalizing the SCCs, the Commission took into account the joint opinion of the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor, feedback submitted by stakeholders during the public consultation period, and the opinions of EU Member States’ representatives.
In this blog post, we identify several key features of the new SCCs that organizations should keep in mind when preparing to implement them in contractual agreements going forward.Continue Reading European Commission Publishes New Standard Contractual Clauses
German Court Overturns GDPR Fine, Raises Legal Questions About Fines Against Companies
On February 18, 2021, the District Court of Berlin overturned a €14.5 million fine that had been imposed on German real estate company Deutsche Wohnen SE. The Court held that the fine – which was issued by the Berlin Supervisory Authority (“SA”) and had been the second highest fine in Germany so far under the EU General Data Protection Regulation (“GDPR”) – failed to satisfy certain rules under German law, and therefore was invalid.
This case raises important questions on the interplay between the GDPR and German law regarding the attribution of regulatory offenses to a company. In this blog post, we consider this topic in greater depth and how it may eventually be resolved in court.Continue Reading German Court Overturns GDPR Fine, Raises Legal Questions About Fines Against Companies
French Supervisory Authority Publishes Results of Public Consultation on the Digital Rights of Minors
In January 2021, the French Supervisory Authority (“CNIL”) published a summary report of contributions it received in response to a public consultation and survey on the digital rights of minors launched in April 2020 (see the press release here and a summary report here, both in French). Stakeholders who responded to the consultation included companies, professionals dedicated to the legal and educational issues related to children, parents and minors.
Continue Reading French Supervisory Authority Publishes Results of Public Consultation on the Digital Rights of Minors
A New Day for GDPR Damages Claims in Germany?
Until now, damages claims awarded by German courts pursuant to Article 82 of the General Data Protection Regulation (“GDPR”) – in particular, claims for non-material damages – have been relatively low. This restrained approach thus far has been predicated primarily on the position that German law requires a serious violation of personality rights to justify higher claims for non-material damages. Two recent cases decided by regional courts illustrate and confirm this prevailing stance. However, a more recent decision issued by the Federal Constitutional Court indicates that views in Germany may be evolving on this topic, and courts may soon be willing to entertain higher damages claims.
Continue Reading A New Day for GDPR Damages Claims in Germany?
EDPB Publishes Draft Guidelines on Data Breach Notification Examples
On January 18, 2021, the European Data Protection Board (“EDPB”) published its draft Guidelines 01/2021 on Examples regarding Data Breach Notification (“Guidelines”) (available here). The Guidelines aim to assist data controllers in responding to and assessing the risk of personal data breaches, providing “practice-oriented, case-based guidance” which draws from the experiences of European supervisory authorities since the EU General Data Protection Regulation (“GDPR” or “Regulation”) went into effect in 2018.
The Guidelines are currently open for public consultation until March 2, 2021. In this blog post, we summarize a few key takeaways from the Guidelines.Continue Reading EDPB Publishes Draft Guidelines on Data Breach Notification Examples
French Supervisory Authority Publishes Final Version of Cookie Guidelines, Says It Will Start Enforcing Them in April 2021
On October 1, 2020, the French Supervisory Authority (“CNIL”) published the final version of its Guidelines on cookies and other tracking technologies (hereafter, “guidelines” – see announcement here, and guidelines here, in French), as well as an adjoining set of best practice recommendations (in French) with examples on how to implement the guidelines. In this blog post, we summarize the key points mentioned in the CNIL’s guidelines.
Continue Reading French Supervisory Authority Publishes Final Version of Cookie Guidelines, Says It Will Start Enforcing Them in April 2021
Life After Schrems II: Practical Recommendations In An Uncertain Time
On 16 July, 2020, the Court of Justice of the EU (“CJEU”), issued its decision in the Schrems II case. In short, the CJEU invalidated the EU-U.S. Privacy Shield and clarified that the use of standard contractual clauses (“SCCs”) requires data controllers to conduct a case-by-case assessment of the level of data protection that SCCs can provide, taking into account the nature of the personal data transfer(s) and the country of destination. For a more in-depth summary of the CJEU’s decision, please see our blog post here and our audiocast here.
Now, almost two months after the decision, it is an opportune time for businesses to take stock of what exactly happened and assess the practical implications of the judgement. The result of this impact analysis may be underwhelming for some. So far, European regulators have been mostly silent (save a few exceptions[1]) and have not issued any actionable guidance to speak of. In all fairness, the obligations imposed by the CJEU’s judgement may be just as daunting for regulators to apply in practice as for businesses. As a result, companies and practitioners are left grappling with what exactly they should do in the aftermath of this decision.
In this blog post, we set out some recommendations for immediate and long-term actions that businesses may want to consider implementing. Note, however, that much depends on the nature of the personal data transfers concerned. As can be gleaned from the CJEU’s judgement, some transfers are more sensitive than others, and some sectors are more sensitive than others (in particular, the electronic communications sector). These risk-based considerations should inform how businesses prioritize remedial actions going forward.Continue Reading Life After Schrems II: Practical Recommendations In An Uncertain Time
European Commission Publishes 2-Year Report on the Implementation of the GDPR
On June 24, 2020, the European Commission (“Commission”) published its much-anticipated assessment of the EU’s General Data Protection Regulation (“GDPR”) two years after it went into effect. The assessment takes into account contributions from the European Council, the European Parliament, the European Data Protection Board (“EDPB”), individual supervisory authorities, the Multi-Stakeholder Expert Group and other stakeholders. The assessment considers a wider scope of issues surrounding GDPR implementation beyond international transfers and the cooperation and consistency mechanisms, the two topics the Commission is specifically tasked to consider under Article 97 of the GDPR.
The Commission’s overall conclusion is that the GDPR has successfully achieved its objectives of enhancing the protection of personal data and improving the free flow of personal data within the EU. The Commission specifically highlights the key role that the GDPR plays in the EU’s “human-centric approach to technology,” and notes that it will serve as a guiding legal framework for the EU as it rolls out its broader Data Strategy. The Commission also notes the impact that the GDPR has had worldwide, inspiring new or elevated standards for data protection in many countries, and serving as a “global standard-setter” for regulating the digital economy.
Notwithstanding these achievements, the Commission also makes clear that there are a number of areas for improvement.Continue Reading European Commission Publishes 2-Year Report on the Implementation of the GDPR
German Federal Agencies Publish Privacy and IT Security Requirements for Digital Health Applications
On April 21, 2020, the Regulation on the Requirements and Reimbursement Process for Digital Health Applications (Digitale Gesundheitsanwendungen-Verordnung or „DiGAV“, available here) entered into force in Germany. Among other provisions, the DiGAV includes specific IT security and privacy requirements. Shortly after the law took effect, Germany’s Federal Medicines and Medical Devices Agency (“BfArM”) also released an extensive explanatory Guidance (Leitfaden, available here) to the DiGAV.
Independently, on April 15, 2020, the German Federal Office for IT Security (“BSI”) published a draft version of its guidance on “Security Requirements for Digital Health Applications” (BSI TR-03161) (available here). The BSI is now seeking feedback from industry on this draft guidance before releasing a final version.
While the scope of application of the DiGAV and the BSI draft guidance may be limited, the documents can serve to provide useful insights and benchmarks for health applications generally.Continue Reading German Federal Agencies Publish Privacy and IT Security Requirements for Digital Health Applications