On January 12, 2023, the Court of Justice of the EU (“Court”) decided that the GDPR’s right of access gives a data subject the choice between asking a controller for (i) the identity of each data recipient to whom the controller will or has disclosed the data subject’s personal data or (ii) only the categories of data recipients.  The controller must comply with the data subject’s request, unless it is impossible to identify those recipients (e.g., because they are not yet known) or the controller demonstrates that the data subject’s access request is “manifestly unfounded or excessive.”

On December 20th, 2022, the French Data Protection Authority (“CNIL”) closed down an investigation against a US company providing a browser extension (the “Company”), after finding that its activities were not subject to the GDPR. The CNIL’s decision is available here in French.

The Company provides a browser extension (the “Extension”) allowing users to obtain

On December 15, 2022, the Advocates General (“AG”) of the Court of Justice of the European Union (“CJEU”) issued two separate opinions in cases C‑487/21 and C‑579/21 on the right of access, pursuant to Article 15 GDPR. The first case concerns the proper interpretation and application of Article 15(3), which permits a data subject to obtain a “copy” of their personal data, among other things. The second case concerns whether the right of access includes the right to receive the identity of the controller’s employees who are processing the data subject’s personal data in the scope of their employment.

On October 7, 2022, President Biden signed an Executive Order directing the steps that the United States will take to implement its commitments under the new EU-U.S. Data Privacy Framework.  The framework was announced by the U.S. and the EU Commission in March 2022, after reaching a political agreement in principle (see our blog post

On August 1, 2022, the CJEU issued its ruling in Case 184/20 (OT v Vyriausioji tarnybinės etikos komisija) following a referral from the Lithuanian Regional Administrative Court. In this ruling, the CJEU elected to interpret the GDPR very broadly in a judgment that is likely to have a significant impact for organisations processing

The leadership of Ireland’s Data Protection Commission (“DPC”) is to be expanded to a three-person Commission, with the current Commissioner taking the lead role as Chair.  The Irish Minister for Justice announced the decision on July 27, 2022, along with the Government’s decision to undertake a review of its governance structures, staffing arrangements and processes for the newly modeled Commission.

On 31 May 2022, the Italian Parliament approved Law 62/2022, also known as the Sunshine Act, which entered into force on 26 June 2022. The new rules will become fully operational once the Ministry of Health sets up the public database where companies will have to disclose their data.  In practice, this means the new

On June 23, 2022 the Italian data protection authority (“Garante”) released a general statement (here) flagging the unlawfulness of data transfers to the U.S. resulting from the use of Google Analytics.  The Garante invites all Italian website operators, both public and private, to verify that the use of cookies and other tracking tools

On May 25, 2022, the Irish Data Protection Commission (“DPC”) issued 3 short guides for children, with the objective of raising awareness among adolescents about data protection and their privacy rights, as well as serving as a resource “for parents, educators and anyone [else] interested in children’s safety and wellbeing online”. The 3 guides

The Irish Data Protection Commission (“DPC”), having last month released its annual report (see our blog post here), has now also issued two additional reports detailing statistics on its handling of cross-border cases (see here) and a recently completed Resource Allocation Audit conducted by independent consultants (see here).  Each is important in its own right for the reputation and development of this regulator, the lead EU supervisory authority for many of the large technology companies.
