On February 28, 2023, the European Data Protection Board (“EDPB”) released its non-binding opinion on the European Commission’s draft adequacy decision on the EU-U.S. Data Privacy Framework (“DPF”).  The adequacy decision, once formally adopted, will establish a new legal basis by which organizations in the EU (as well as the three EEA states of Iceland, Liechtenstein, and Norway) may lawfully transfer personal data to the U.S., provided that the recipient in the U.S. certifies to and abides by the terms of the DPF (see our previous blogpost here). 

The Commission sought the EDPB’s opinion pursuant to Article 71(1)(s) of the GDPR.  The EDPB welcomes the fact that elements of the DPF represent a substantial improvement over the Privacy Shield, which was annulled by the EU Court of Justice (“CJEU”) in Schrems II (see our previous blogpost here).  Nonetheless, the EDPB notes some concerns and seeks clarification on certain aspects of the DPF from the Commission.  For example, the EDPB welcomes the establishment of a specific mechanism by which non-U.S. persons may seek redress for certain U.S. government surveillance of their personal data, but calls on the Commission to closely monitor the implementation of this mechanism in practice.

Continue Reading EDPB Releases its Opinion on the Proposed EU-U.S. Data Privacy Framework

As permitted by the GDPR, France has enacted some specific requirements for the processing of health data, in particular in the context of medical research.  Following a report, the French supervisory authority (“CNIL”) audited two organizations carrying out medical research in early 2022 to check their compliance with these requirements.  On March 13, 2023, the

On March 7, 2023, the Irish Data Protection Commission (“DPC”) published its annual report for 2022. The report reflects the DPC’s reputation as both an active enforcer of the General Data Protection Regulation (“GDPR”) and a contributor to policy development at national and EU levels.  The level of interaction between the DPC and the European Data Protection Board (“EDPB”) is particularly significant with more than 300 meetings reported for 2022 (averaging at more than 25 per month), many of which involved participation in the EDPB’s expert subgroups.

Continue Reading Key Takeaways from the Irish DPC’s 2022 Annual Report

On February 22, 2023, the European Data Protection Board (“EDPB”) released its Work Program for 2023-2024 (“the Program”), outlining the key priority areas for the next two years.  The Program is divided into four pillars, which largely reflect the priorities already set out in its Strategy 2021-2023.

Continue Reading EDPB Releases its 2023-2024 Work Program

The EU Representative Actions Directive (“RAD”) was meant to have been transposed by all EU member states by December 25, 2022. However, the EU Commission announced on January 27, 2023, that only three out of the 27 EU member states have properly transposed the RAD into their national legislation as required, and that it will now start issuing formal notices to the remaining countries to transpose the RAD as soon as possible.

As reported in our previous blog post, the RAD aims to harmonize member state frameworks on collective actions (i.e., whereby multiple claimants may lodge a claim or claims as a group) across the EU. It sets minimum requirements with respect to collective actions on a wide range of topics, including data protection matters (see also our blog post on the implications of RAD for data protection infringements and our separate blog post on the Court of Justice of the EU’s interpretation of Article 80(2) GDPR on data protection-related collective actions). This blogpost provides an overview of the RAD and its implementation status by EU member states.

Continue Reading National Transposition of the EU Representative Actions Directive: What is the Current Status?

On February 20, 2023, the European Commission launched an initiative to further specify procedural aspects relating to the enforcement of the GDPR (“ procedural initiative”). The aim of the procedural initiative is to clarify the administrative procedure that applies in cross-border investigations and enforcement under the GDPR. These rules are expected to clarify and complement the existing rules on cooperation and dispute resolution under GDPR Articles 60 and 65.

This procedural initiative was announced in the Commission’s work program for 2023, and the text of the proposal is not yet available. The European Commission is expecting to publish a draft regulation on procedural rules relating to the enforcement of the GDPR in Q2 2023.

Continue Reading European Commission Plans to Improve Cooperation Between Supervisory Authorities in Cross-Border GDPR Cases

On February 3, 2023, the German Data Protection Conference (“Datenschutzkonferenz”, “DSK”) published its decision, dated January 31, 2023, on the data protection assessment of access possibilities for third country public authorities to personal data processed by an EU/EEA-based subsidiary of a third country-based parent company pursuant to Article 28 of the General Data Protection

On February 9, 2023, the Court of Justice of the EU (“CJEU”) released two separate rulings on the dismissal of data protection officers (“DPOs”) under the German Federal Data Protection Law (“German DPL”) (C-453/21 and C-560/21).  The main question in both cases was whether Section 6(4) of the German DPL which permits the dismissal of a DPO with “just cause” is compatible with the GDPR.  In short, the CJEU (i) found that the provision was compatible with the GDPR because EU member states can use “just cause” as a threshold for dismissal as long as this does not undermine the objectives set for DPOs under the GDPR, and (ii) clarified the criteria EU member states should take into account to determine whether there is a conflict of interest.

Continue Reading Court of Justice of the EU Clarifies Rules on Data Protection Officers’ Dismissal and Conflicts of Interest

On December 9, 2022, the European Commissioner for Justice and Consumer Protection, Didier Reynders, announced that the European Commission will focus its next 2023 mandate on regulating dark patterns, alongside transparency in the online advertising market and cookie fatigue. As part of this mandate, the EU’s Consumer Protection Cooperation (“CPC”) Network, conducted a sweep of 399 retail websites and apps for dark patterns, and found that nearly 40% of online shopping websites rely on manipulative practices to exploit consumers’ vulnerabilities or trick them.

In order to enforce these issues, the EU does not have a single legislation that regulates dark patterns, but there are multiple regulations that discuss dark patterns and that may be used as a tool to protect consumers from dark patterns. This includes the General Data Protection Regulation (“GDPR”), the Digital Services Act (“DSA”), the Digital Markets Act (“DMA”), and the Unfair Commercial Practices Directive (“UCPD”), as well as proposed regulations such as the AI Act and Data Act.

As a result, there are several regulations and guidelines that organizations must consider when assessing whether their practices may be deemed as a dark pattern. In this blog post, we will provide a snapshot of the current EU legislation that regulates dark patterns as well as upcoming legislative updates that will regulate dark patterns alongside the current legal framework.

Continue Reading The EU Stance on Dark Patterns

On January 18, 2023, the European Data Protection Board (“EDPB”) published a report setting out the common positions of the EDPB and EEA member state supervisory authorities (“SAs”) with respect to interpreting the EU rules applying to cookies. SAs will take these common positions into account when handling cookie complaints.

The report was drafted by the EDPB’s Cookie Banner Taskforce (“Taskforce”), which is composed of the EDPB and 18 SAs. However, the report does not have the same interpretative value as EDPB guidance. Moreover, SAs will not take into account the positions mentioned in the report in isolation – they will also take into account additional national requirements stemming from the national laws transposing the ePrivacy Directive and SAs’ national guidance.

Continue Reading EDPB Publishes Report of Cookie Banners Taskforce