In December 2023, the Dutch SA fined a credit card company €150,000 for failure to perform a proper data protection impact assessment (“DPIA”) in accordance with Art. 35 GDPR for its “identification and verification process”.Continue Reading Dutch SA Sanctions Credit Card Company for Failure to Perform Data Protection Impact Assessment
On January 15, 2024, the European Commission released its report on the first review of the functioning of the existing eleven adequacy decisions adopted under the pre-GDPR framework.
The Commission concluded that personal data transferred from the European Economic Area to any of Andorra, Argentina, Canada (for PIPEDA-regulated entities), the Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay continue to receive an adequate level of protection.Continue Reading European Commission Retains Adequacy Decisions for Data Transfers to Eleven Countries
Several EU data protection supervisory authorities (“SAs”) have recently issued guidance on cookies. On January 11, 2024, the Spanish SA published guidance on cookies used for audience measurement (often referred to as analytics cookies) (available in Spanish only). On December 20, 2023, the Austrian SA published FAQs on cookies and data protection (available in German only). On October 23, 2023, the Belgian SA published a cookie checklist (available in Dutch and French).
The new guidance builds on existing guidance but addresses some new topics which we discuss below.Continue Reading EU Supervisory Authorities Publish New Guidance on Cookies
On November 16, 2023, the European Data Protection Board (“EDPB”) issued draft Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive (“Guidelines”). Article 5(3) is the provision that requires consent before storing or accessing information on an end user’s device. Over the years it has become known as the “cookie rule,” but it is technology-agnostic. The Guidelines expand upon guidance issued by the Article 29 Working Group in 2014, and are intended to clarify when the requirement applies to new tracking methods. The Guidelines are open to public consultation through December 28, 2023.
The Guidelines identify and explain the four key elements that trigger the obligation to obtain opt-in consent under Article 5(3) of the ePrivacy Directive (“ePD”). The Guidelines set forth an extremely broad interpretation of what constitutes “storing” and “accessing” information on a user’s device that arguably goes beyond the plain meaning of these terms. This interpretation is likely to be relevant for companies considering how to approach the discontinuation of third-party cookies on many browsers. Continue Reading EDPB Issues Draft Guidelines on Technical Scope of ePrivacy Directive Rules for Storage and Access
On October 11, 2023, the French data protection authority (“CNIL”) issued a set of “how-to” sheets on artificial intelligence (“AI”) training databases. The sheets are open to consultation until December 15, 2023, and all AI stakeholders (including companies, researchers, NGOs) are encouraged to provide comments. Continue Reading French CNIL Opens Public Consultation On Guidance On The Creation Of AI Training Databases
On July 4, 2023, the European Commission published its proposal for a regulation laying down additional procedural rules relating to the enforcement of the GDPR. The aim of the proposed Regulation is to clarify and harmonize the procedural rules that apply when EU supervisory authorities investigate complaint-based and ex officio cross-border cases (i.e., where the relevant processing conducted by a controller or processor spans multiple Member States, resulting in a “lead” authority and additional “concerned” authorities). If adopted, the Regulation will sit alongside the GDPR, complementing the existing cooperation and consistency mechanisms set forth in Chapter VII.Continue Reading European Commission Proposes GDPR Enforcement Procedure Regulation
On April 4, 2023, the European Commission announced that the EU and Japan had successfully completed the first periodic review of the Japan-EU mutual adequacy arrangement, adopted in 2019. The mutual adequacy recognition – whereby Japan and the EU each have recognized the other’s data protection regime as adequate to protect personal data – complements the regions’ other bilateral partnerships, such as the EU-Japan Economic Partnership Agreement, the Strategic Partnership Agreement, and the recently launched EU-Japan Digital Partnership (see our previous blogpost here).
The review process led to the adoption of two reports by the Commission and the Personal Information Protection Commission of Japan (“PPC”), each discussing the functioning of their respective adequacy decisions. According to the Commission’s report, the convergence between the EU and Japan’s data protection frameworks has further increased in recent years, and the mutual adequacy arrangement appears to be functioning well. We provide below a brief overview of the Commission’s main findings.Continue Reading European Commission Announces Conclusion of First Review of Japan-EU Adequacy Arrangement
On May 4, 2023, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) issued its opinion in case C-683/21, which examines the GDPR concepts of “controller”, “joint controller”, and “processor”, as well as the GDPR’s liability system.Continue Reading CJEU’s Advocate General Issues Opinion on Concept of Controller, Joint Controller, Processor, and Administrative Fines
In May 2023, the Spanish Supervisory Authority (“SA”) issued a detailed guidance paper on GDPR compliance in the context of data spaces. The paper acknowledges EU and Member State level initiatives for the creation of data spaces (such as the Data Governance Act, the proposed Data Act, and the proposed European Health Data Space) and provides insight into how the SA expects companies to meet their GDPR obligations when participating in those data spaces.Continue Reading Spanish Data Protection Authority Issues Guidance on Data Spaces
On April 17, 2023, the Italian Supervisory Authority (“Garante”) published its decision against a company operating digital marketing services finding several GDPR violations, including the use of so-called “dark-patterns” to obtain users’ consent. The Garante imposed a fine of 300.000 EUR.
We provide below a brief overview of the Garante’s key findings.Continue Reading Italian Garante Fines Digital Marketing Company Over Use of Dark Patterns