On November 18, 2021, the Advocate General of the Court of Justice of the European Union (“CJEU”) issued an opinion on several data retention cases before by the Court, following a long line of CJEU jurisprudence on this topic.

To give context to the issues considered in these cases, Europe’s experience of totalitarian regimes in the last century has shaped its approach to privacy rights.  This is evident in the GDPR and in the decisions of the CJEU to date.  But there remain tensions that are complex and difficult to deal with in this area — notably, the tension between individual rights to privacy and data protection on one hand, and the duty of the State to protect its population against security threats and crime on the other.  These tensions do not marry easily, as surveillance of personal electronic communications is increasingly demanded to detect and deal with crime and terrorism.


Continue Reading Advocate General Releases Opinion in CJEU Referrals on Data Retention

On November 19, 2021, the European Data Protection Board (“EDPB”) published its draft Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (available here).  The draft guidelines are currently subject to a public consultation period that ends on January 31, 2022; interested stakeholders can submit their feedback here.

In this blog post, we provide a brief background on the issues addressed in the draft guidelines, and summarize the key takeaways.


Continue Reading EDPB Publishes Draft Guidelines on Interplay of Article 3 GDPR and the GDPR’s Cross-Border Transfer Rules

According to a leaked draft, on November 4, 2021, the Council of the European Union (“Council”) and the European Parliament (“Parliament”) agreed a number of amendments to the following three chapters of the draft ePrivacy Regulation, which will replace the ePrivacy Directive 2002/58/EC and has been pending since January 2017):

  • Chapter III (End-Users’ Rights

Date: October 29, 2021

In Case You Missed It: EU Privacy, Data and Consumer Legislative Updates of the Past Month

Date Tag News Link to Source
October 29 Cybersecurity The European Commission announced that it adopted a delegate act to the Radio Equipment Directive (Directive (EU) 2014/53).  This act sets out measures to (1) improve

With the rollout of the COVID-19 vaccine, more and more businesses are planning to reopen their physical office spaces.  They are confronted with ensuring a safe workplace and minimizing the risk of exposure to COVID-19.  As employers consider health screening measures, ranging from temperature checks to vaccine mandates, they must navigate complex privacy issues.
Continue Reading COVID-19: Legal Considerations and Best Practices for Employers Processing Vaccination Data

On Thursday, September 2, 2021, the Irish Data Protection Commission (“DPC”) published its decision in the long-awaited inquiry it initiated into the data processing of WhatsApp Ireland Limited (“WhatsApp”) in December 2018.  It finds against WhatsApp, imposing a fine of €225 million.

Continue Reading Irish DPC Finds Against WhatsApp

There have been many headlines today about the UK Government’s plans to reform UK data protection law. We are still reviewing the (near 150-page) consultation document, but set out below a dozen proposals that we thought might pique the interest of readers of our blog.
Continue Reading 12 Eye-Catching Proposals In The UK Government’s Plan To Reform UK Data Protection Law

On 26 August 2021, the UK Government unveiled a package of announcements which effectively set out its post-Brexit data strategy.

This blog looks at the politics around the costs and benefits of a Brexit divergence dividend in this sector, which the UK Government views as a key area of competitive advantage.
Continue Reading Data Divergence: A Brexit Dividend?

On Jul 22, 2021, the Irish Joint Committee on Justice (“Committee“) published a report that included a series of recommendations on the work of the Irish Data Protection Commission (“DPC“).  The Committee, made up of 14 politicians from across the political spectrum and drawn from both the Dáil (the elected first house) and Seanad (the senate), issued this report following a public hearing held on April 27, 2021 (see our prior blog post here).  The recommendations in the report address, among other things, concerns raised about the Irish DPC’s oversight and enforcement of the EU General Data Protection Regulation (“GDPR“).

Continue Reading Ireland’s Joint Committee on Justice Publishes Recommendations to Reform the Irish Data Protection Commission

On July 7, 2021, the European Data Protection Board (“EDPB”) published draft guidelines on codes of conduct for personal data transfers for consultation.  These guidelines complement the EDPB’s earlier guidelines on codes of conduct and monitoring bodies.  Interested parties have until October 1, 2021 to respond to the consultation.

The guidelines focus on the requirements for a code of conduct to be approved as a legal mechanism for transferring personal data outside the European Economic Area (“EEA”) to third countries that do not provide an adequate level of data protection.  They emphasize that such a code of conduct can be used to cover multiple transfers between companies belonging to the same sector and/or carrying out similar processing activities.


Continue Reading EDPB Publishes Guidelines on Codes of Conduct for Data Transfers