On Episode 18 of Covington’s Inside Privacy Audiocast, Dan Cooper, Moritz Hüsch, Kristof van Quathem, and Petros Vinis discuss GDPR enforcement, and the evolution of regulatory fines since the GDPR was enacted in 2018.


Covington’s Inside Privacy Audiocast offers insights into topical global privacy issues and trends. Subscribe to our Inside

On January 28, 2022, the European Data Protection Board (“EDPB”) initiated a public consultation on its draft Guidelines 01/2022 on data subject rights – Right of access (“draft Guidelines”). Running to 60 pages, the draft Guidelines cover a range of topics relating to the right of access, including analyzing a request; establishing

One of every five people (20.5%) in Ireland are children under the age of 14.  This constitutes the highest proportion of children in the EU, where the average was 15.2% in 2019.  Ireland’s proportion of young people under the age of 30 is also the highest in the EU, at 39%.  It’s an influential figure for Irish policy makers and regulators, who have strengthened their approach to protection of children’s personal data in recent years.  This greater emphasis on children’s rights is due to a number of additional intersecting dynamics including EU law, child abuse scandals, a rise in cyberbullying, and a growing consensus that children face heightened digital risks.  These dynamics have also informed the planned establishment of an Online Safety Commissioner, currently advancing as part of the Online Safety and Media Regulation Bill just published and currently receiving strong media attention.

Together with the Irish DPC role as lead regulator for many leading technology and social media companies, these legal and cultural headwinds provide the context within which the DPC aims to develop strong child data protection standards.

Introduction

Following extensive public consultation, with experts as well as school children, the DPC has issued comprehensive guidance on the processing of children’s data.  Entitled “Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing,” the guidance sets out 14 principles (referred to as “the Fundamentals”) for organizations engaged in processing the personal data of children.

In addition to the usual GDPR expectations, the specific Fundamentals also include:

  • Zero interference with a child’s best interests, where organizations rely on legitimate interests as their legal basis for processing;
  • “Know your customer” requirements focusing on child-oriented transparency; and
  • Specific guidance around age verification and consent

The overall aim of the Fundamentals, in protecting the best interests of children, is to at least set a default floor of high standardised protection for all data subjects where children may form part of a mixed user audience.

Continue Reading Irish DPC Publishes Guidance On Processing Children’s Personal Data

On 22 December 2021, the conference of German data protection supervisory authorities (“DSK”) published its Guidance for Providers of Telemedia Services (Orientierungshilfe für Anbieter von Telemedien).  Particularly relevant for providers of websites and mobile applications, the Guidance is largely devoted to the “cookie provision” of the German Telecommunication and Telemedia Privacy Act (TTDSG), which came into force on 1 December 2021.  The publication  focuses on the consent requirement for cookies and similar technologies, as well as relevant exceptions, introduced by the law.

Continue Reading German Regulators Publish Cookie Guidance

In a decision handed down on December 1, 2021, the Brussels Market Court (Court of Appeal) had an opportunity to consider the GDPR right of access.  The Belgian Ministry of Finance appealed the Belgian Supervisory Authority’s recent decision requiring the Ministry to grant a complainant access to her financial file and make corrections to the

On January 5, 2022, the European Data Protection Supervisor (“EDPS”) issued a reprimand to the European Parliament for its offering of a website to its staff and members to schedule Covid-19 tests which violated the transparency and transfer provisions of Regulation (EU) 2018/1725 (“Regulation”).  In addition, the EDPS ordered the European Parliament to bring the

On December 22, 2021, the Austrian Supervisory Authority (“Authority”) found that an Austrian website that implemented the (free version of) Google analytics violated the GDPR’s rules on international data transfers (see here).

The Authority decided that the Standard Contractual Clauses, combined with the Austrian website operator’s supplementary measures to transfer personal data to Google

On 12 January 2022, the French National Assembly’s Committee on Cultural Affairs and Education (the “Committee”) unanimously approved a draft bill seeking to “encourage the use of parental controls on certain equipment and services sold in France and allowing access to the Internet” (the “Bill”).

  1. Background

In 2021, the French Supervisory Authority (“CNIL”)

On January 9, 2022, the cookie guidelines (“guidelines”) published by the Italian Supervisory Authority (“Garante”) on July 9, 2021 entered into force.  This means that all those companies that have not yet conformed to the guidelines’ provisions should do so promptly, to avoid incurring in future sanctions.  The guidelines include precise indications on, e.g., the categorization of cookies and other tracking technologies (“cookies”), the recommended design of the cookie banners, the collection, review and renewal of consent, and on the information notices.

Continue Reading New Italian Guidelines on the Use of Cookies and Other Tracking Technologies Now in Force

On Episode 17 of Covington’s Inside Privacy Audiocast, Dan Cooper, Sam Choi, Danielle Kehl and Nick Shepherd discuss the developments related to children’s privacy, looking at relevant legislation, standards, and guidelines in the UK, the EU, and the U.S., and zooming in on some child-specific topics such as age thresholds and age verification,