EU Data Protection

Subscribe to EU Data Protection

On July 15, 2021, the Belgian Supervisory Authority (“SA”) released a 40-page draft recommendation on the use of biometric data and launched a public consultation to solicit feedback about it.

Most notably, the SA points out that there is no valid legal basis other than explicit consent (with all the GDPR limitations attached to it) that would enable the processing of biometric data for authentication purposes (e.g., security), because Belgian lawmakers failed to adopt the required national legislation to supplement the GDPR (specifically, to underpin the public interest exception found in Art. 9(2)(g) GDPR for processing sensitive personal data).  The SA considers this outcome a departure from the rules that applied prior to the GDPR, and will therefore allow a one-year grace period to give controllers and lawmakers sufficient time to address the issue.


Continue Reading Belgian Supervisory Authority Launches Public Consultation on the Use of Biometric Data

With the rollout of COVID-19 vaccination programs across the EU and the UK, employers are faced with questions about whether or not they are legally permitted to ask employees about their vaccination status and, if so, how that information may be used.

Employers may wish to inquire about the vaccination status of their employees in order to comply with their general obligation to ensure a safe workplace and minimize the risk of exposure to COVID-19.  This raises privacy issues under the General Data Protection Regulation (“GDPR”), because employees’ vaccination status falls within a special category of personal data that concerns the health of individuals (Art. 9(1)).  This category is subject to more stringent data protection measures due to the sensitive and personal nature of data, and can only be processed in very limited circumstances (Art. 9(2)).


Continue Reading COVID-19: Processing of Vaccination Data by Employers in Europe

On June 28, 2021, the European Commission adopted two decisions finding that the UK’s data protection regime provides an “adequate” level of protection for personal data transferred to the UK from the EU.  The first decision covers transfers governed by the GDPR, and permits private companies located in the EU to continue to transfer personal data to the UK without the need for additional arrangements (such as the Commission’s new Standard Contractual Clauses (“SCCs”), which we discuss here).  The second decision covers transfers under the Data Protection and Law Enforcement Directive, and permits EU law enforcement agencies to continue to transfer personal data to their counterparts in the UK.
Continue Reading European Commission Adopts Final UK Adequacy Decisions

On June 21, 2021, the European Data Protection Board (“EDPB”) published its finalized recommendations on measures that supplement transfer tools to ensure compliance with the General Data Protection Regulation (“GDPR”), where organizations transfer personal data from the European Economic Area (“EEA“) to a country outside the EEA (“third country”) (see here).  While the final version retains much of the language of the draft version released in November 2020 (see here), it includes several notable updates.
Continue Reading EDPB Adopts Finalized Recommendations on Supplemental Transfer Tools to Ensure GDPR-Compliant Data Transfers

The new standard contractual clauses (“SCCs“) issued by the European Commission (see our prior blog post here) continue to prove controversial.  Among other things, the SCCs require that the law of the European Union (“EU“) Member State underpinning them provides third-party beneficiary rights.  Most EU Member States are civil law jurisdictions that already provide such rights.  Ireland, however, is a common law jurisdiction like the U.S. and the UK, and as such, depends largely on evolving case law to define the scope of various rights and obligations.
Continue Reading New Standard Contractual Clauses Raise Questions Under Irish Law

On June 15, 2021, the Court of Justice of the European Union (“CJEU”) rendered a decision (press release here, full judgment here) addressing whether a European supervisory authority (“SA”) that is not the “Lead SA” (as defined in Article 56 GDPR) has competence to bring a case for an alleged violation of the General Data Protection Regulation (“GDPR“) before a national court in instances where the alleged violation involved the processing of personal data across multiple EU Member States.  In such scenarios, a controller with a main establishment in Europe will typically seek to benefit from the so-called “one-stop-shop” principle under Article 56 GDPR, meaning the controller would need to answer to only one SA rather than be subject to enforcement actions brought by numerous SAs.
Continue Reading CJEU Decides on Competence of Supervisory Authorities to Bring Cases Before National Courts under the GDPR

On June 9, 2021, the French Supervisory Authority (“CNIL”) published recommendations to help strengthen the protection of minors online (see here, in French).  These recommendations are the result of a survey and public consultation conducted by the CNIL in 2020, which focused on the digital practices of minors (see our blog post here).  The results of the CNIL’s survey and public consultation indicate that children are accessing the Internet at an early age on a “massive” scale.  In light of this reality, the CNIL underscores the importance of ensuring that minors benefit from the effective protection of their personal data when engaging online.
Continue Reading French CNIL Publishes Recommendations for Protecting Minors Online

On June 1, 2021, several German supervisory authorities (“SAs”) announced the launch of a “nationwide investigation” into German companies transferring personal data outside of the European Economic Area.  Currently, there is no official list of all the SAs participating in the investigation, but at least 8 of Germany’s 16 regional SAs have announced their intention to take part in it, including: Baden Wuerttemberg, Bavaria, Berlin, Brandenburg, Hamburg, Lower Saxony, Rhineland-Palatinate, and Saarland.
Continue Reading German Supervisory Authorities Probe Data Transfers

Today, June 4th, 2021, the European Commission (“Commission”) published the final version of its new standard contractual clauses for the international transfer of personal data (“SCCs”) (see here).  While the final version retains much of the language of the draft version released in November 2020 (see here), it includes several notable updates.  When finalizing the SCCs, the Commission took into account the joint opinion of the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor, feedback submitted by stakeholders during the public consultation period, and the opinions of EU Member States’ representatives.

In this blog post, we identify several key features of the new SCCs that organizations should keep in mind when preparing to implement them in contractual agreements going forward.


Continue Reading European Commission Publishes New Standard Contractual Clauses

In April 2021, the European Commission released its proposed Regulation Laying Down Harmonized Rules on Artificial Intelligence (the “Regulation”), which would establish rules on the development, placing on the market, and use of artificial intelligence systems (“AI systems”) across the EU. The proposal, comprising 85 articles and nine annexes, is part of a wider package of Commission initiatives aimed at positioning the EU as a world leader in trustworthy and ethical AI and technological innovation.

The Commission’s objectives with the Regulation are twofold: to promote the development of AI technologies and harness their potential benefits, while also protecting individuals against potential threats to their health, safety, and fundamental rights posed by AI systems. To that end, the Commission proposal focuses primarily on AI systems identified as “high-risk,” but also prohibits three AI practices and imposes transparency obligations on providers of certain non-high-risk AI systems as well. Notably, it would impose significant administrative costs on high-risk AI systems of around 10 percent of the underlying value, based on compliance, oversight, and verification costs. This blog highlights several key aspects of the proposal.


Continue Reading European Commission Proposes New Artificial Intelligence Regulation