EU Data Protection

On March 14, 2024, the Court of Justice of the EU (“CJEU”) ruled that EU supervisory authorities have the (corrective) power to order data controllers who have been found to process personal data unlawfully to erase such personal data, even if the data subjects have not requested the erasure.  (Case C‑46/23)

Continue Reading The CJEU Ruled that Supervisory Authorities Can Order the Deletion of Unlawfully Processed Personal Data

On March 7, 2024, the CJEU rendered its judgement in the IAB Europe case (C-604/22).  The case relates to the role of IAB Europe, a sector organization, in its Transparency and Consent Framework (“TCF”) used by companies to record the GDPR consent granted (or not granted) by a user and to document compliance with their GDPR transparency obligations.  The framework is widely used in digital advertising, including in real-time bidding scenarios; below, we set out the court’s three main findings.

Continue Reading CJEU Decides the IAB Europe Case, Expanding the Concept of Controllership

In December 2023, the Dutch SA fined a credit card company €150,000 for failure to perform a proper data protection impact assessment (“DPIA”) in accordance with Art. 35 GDPR for its “identification and verification process”.

Continue Reading Dutch SA Sanctions Credit Card Company for Failure to Perform Data Protection Impact Assessment

On January 15, 2024, the European Commission released its report on the first review of the functioning of the existing eleven adequacy decisions adopted under the pre-GDPR framework.  

The Commission concluded that personal data transferred from the European Economic Area to any of Andorra, Argentina, Canada (for PIPEDA-regulated entities), the Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay continue to receive an adequate level of protection.

Continue Reading European Commission Retains Adequacy Decisions for Data Transfers to Eleven Countries

Several EU data protection supervisory authorities (“SAs”) have recently issued guidance on cookies.  On January 11, 2024, the Spanish SA published guidance on cookies used for audience measurement (often referred to as analytics cookies) (available in Spanish only).  On December 20, 2023, the Austrian SA published FAQs on cookies and data protection (available in German only).  On October 23, 2023, the Belgian SA published a cookie checklist (available in Dutch and French).

The new guidance builds on existing guidance but addresses some new topics which we discuss below.

Continue Reading EU Supervisory Authorities Publish New Guidance on Cookies

On November 16, 2023, the European Data Protection Board (“EDPB”) issued draft Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive (“Guidelines”).  Article 5(3) is the provision that requires consent before storing or accessing information on an end user’s device. Over the years it has become known as the “cookie rule,” but it is technology-agnostic.  The Guidelines expand upon guidance issued by the Article 29 Working Group in 2014, and are intended to clarify when the requirement applies to new tracking methods.  The Guidelines are open to public consultation through December 28, 2023. 

The Guidelines identify and explain the four key elements that trigger the obligation to obtain opt-in consent under Article 5(3) of the ePrivacy Directive (“ePD”).  The Guidelines set forth an extremely broad interpretation of what constitutes “storing” and “accessing” information on a user’s device that arguably goes beyond the plain meaning of these terms.  This interpretation is likely to be relevant for companies considering how to approach the discontinuation of third-party cookies on many browsers.

Continue Reading EDPB Issues Draft Guidelines on Technical Scope of ePrivacy Directive Rules for Storage and Access

On October 11, 2023, the French data protection authority (“CNIL”) issued a set of “how-to” sheets on artificial intelligence (“AI”) training databases. The sheets are open to consultation until December 15, 2023, and all AI stakeholders (including companies, researchers, NGOs) are encouraged to provide comments.

Continue Reading French CNIL Opens Public Consultation On Guidance On The Creation Of AI Training Databases

On July 4, 2023, the European Commission published its proposal for a regulation laying down additional procedural rules relating to the enforcement of the GDPR.  The aim of the proposed Regulation is to clarify and harmonize the procedural rules that apply when EU supervisory authorities investigate complaint-based and ex officio cross-border cases (i.e., where the relevant processing conducted by a controller or processor spans multiple Member States, resulting in a “lead” authority and additional “concerned” authorities).  If adopted, the Regulation will sit alongside the GDPR, complementing the existing cooperation and consistency mechanisms set forth in Chapter VII.

Continue Reading European Commission Proposes GDPR Enforcement Procedure Regulation

On April 4, 2023, the European Commission announced that the EU and Japan had successfully completed the first periodic review of the Japan-EU mutual adequacy arrangement, adopted in 2019.  The mutual adequacy recognition – whereby Japan and the EU each have recognized the other’s data protection regime as adequate to protect personal data – complements the regions’ other bilateral partnerships, such as the EU-Japan Economic Partnership Agreement, the Strategic Partnership Agreement, and the recently launched EU-Japan Digital Partnership (see our previous blogpost here).

The review process led to the adoption of two reports by the Commission and the Personal Information Protection Commission of Japan (“PPC”), each discussing the functioning of their respective adequacy decisions.  According to the Commission’s report, the convergence between the EU and Japan’s data protection frameworks has further increased in recent years, and the mutual adequacy arrangement appears to be functioning well.  We provide below a brief overview of the Commission’s main findings.

Continue Reading European Commission Announces Conclusion of First Review of Japan-EU Adequacy Arrangement

On May 4, 2023, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) issued its opinion in case C-683/21, which examines the GDPR concepts of “controller”, “joint controller”, and “processor”, as well as the GDPR’s liability system.

Continue Reading CJEU’s Advocate General Issues Opinion on Concept of Controller, Joint Controller, Processor, and Administrative Fines