With the growing use of AI systems and the increasing complexity of the legal framework relating to such use, the need for appropriate methods and tools to audit AI systems is becoming more pressing both for professionals and for regulators. The French Supervisory Authority (“CNIL”) has recently tested tools that could potentially help its auditors

On September 8, 2022, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) opined that data subjects should be able to lodge a complaint with a Supervisory Authority against a controller/processor for allegedly breaching the GDPR and, in parallel, lodge judicial redress proceedings against the same controller/processor for damages resulting from the alleged GDPR violation.

The case that was referred to the CJEU relates to a shareholder’s request to access audio recordings of a company meeting.  The company provided the shareholder only with extracts of his/her interventions.  Subsequently, the shareholder filed a complaint with the Hungarian Supervisory Authority for a breach of his/her right of access and asking the Supervisory Authority to order the company to disclose additional recordings.  The Supervisory Authority rejected the complaint.  As a result, the shareholder appealed the Supervisory Authority’s decision before a court and in parallel initiated separate judicial proceedings against the company asking for remedies for damages suffered.

Continue Reading CJEU Advocate General Finds That Data Subjects May in Parallel Lodge a Complaint with a Supervisory Authority and Start Proceedings Before a Court

According to several news reports in the past month of August (for example, Heise.de), the German Government is working on a regulation that will set out the requirements for so-called “consent management services”, which are services for collecting and storing the consent of website users to the placement of cookies and similar technologies.  These services would serve as an alternative to cookie banners.  Among others, they may obtain consent for several websites at once.  More specifically, dedicated software applications could enable users to replicate the consent provided on one website to other websites, therefore generalizing and sorting their consent by category of devices or websites.  Users would be asked to review their consents every six months.

Continue Reading The German Government is Drafting a Regulation on Cookie Consent Management Services

On September 7, 2022, the Brussels Market Court adopted an interim decision in a case brought by IAB Europe, the sector organization for the digital marketing industry, against the Belgian Supervisory Authority.  The authority had fined IAB Europe alleging that its Transparency and Consent Framework (“TCF”) violates the GDPR and that the organization is a (joint) data controller for processing operations performed by the users of the standard, i.e., publishers and adtech vendors. Under the decision, IAB Europe was also required to present a work plan to remediate the alleged violations.

Continue Reading Brussels Appeal Court Refers IAB Europe Case to CJEU

On August 1, 2022, the CJEU issued its ruling in Case 184/20 (OT v Vyriausioji tarnybinės etikos komisija) following a referral from the Lithuanian Regional Administrative Court. In this ruling, the CJEU elected to interpret the GDPR very broadly in a judgment that is likely to have a significant impact for organisations processing

On June 30, 2022, the European Data Protection Board published draft guidelines on certification as a tool for transfers.  These guidelines complement the EDPB’s earlier guidelines on certification and identifying certification criteria.

These guidelines and the guidelines on codes of conduct as tools for transfers appear to be part of the EDPB’s broader response to the Schrems II decision issued by the Court of Justice of the European Union (“CJEU”), which invalidated the EU-US Privacy Shield framework.  The approval of certification schemes expands the toolbox available under Art. 46 GDPR for lawfully transferring personal data outside the EEA.

Continue Reading European Data Protection Board Publishes Guidelines on Certification as a Tool for International Personal Data Transfers

On June 23, 2022, the German Federal Office for Information Security (“Office”) published technical guidelines on security requirements for healthcare apps, including mobile apps, web apps, and background systems.  Although the technical guidelines are aimed at healthcare app developers, they contain useful guidance for developers of any app that processes or stores sensitive

On June 23, 2022 the Italian data protection authority (“Garante”) released a general statement (here) flagging the unlawfulness of data transfers to the U.S. resulting from the use of Google Analytics.  The Garante invites all Italian website operators, both public and private, to verify that the use of cookies and other tracking tools

On June 21, 2022, the Court of Justice of the EU (“CJEU”) decided that that the Passenger Name Record (“PNR”) Directive’s provisions providing for  the processing of PNR data by competent Member State authorities are compatible with the EU Charter of Fundamental Rights (“Charter”).  However, the CJEU also decided that the PNR Directive limits the way in which Member State laws transpose some of its provisions, particularly in relation to the collection of passenger information for intra-EU flights.  Its decision will require Belgium to amend its law transposing the PNR Directive, mainly in relation to the PNR data competent authorities may receive and how they can process this data.  It is likely to indirectly impact air carriers and tour operators operating in Belgium, as it will reduce the amount of data they need to share with competent authorities under such a revised legal framework.

The CJEU decision also considers, as well, Member State laws transposing (1) the Council Directive 2004/82/EC on the obligation of carriers to communicate passenger data (API Directive) and (2) Directive 2010/65/EU on reporting formalities for ships arriving in and/or departing from ports of the Member States.

The case was lodged on October 31, 2019, by the non-profit organization Ligue des Droits Humainsbefore the Belgian courts in relation to the Belgian law transposing the PNR and API Directives.  The Belgian Constitutional Court referred certain questions to the CJEU.

Continue Reading Court of Justice of the EU Decides that the Passenger Name Record Directive is Compatible with EU Law

On June 14, 2022, representatives of the EU’s Consumer Protection Cooperation (CPC) Network, together with several national data protection authorities in the EU and the secretariat of the European Data Protection Board (“EDPB”), endorsed five key principles for fair advertising to children (see press release here).  These recommendations are based on relevant requirements