On June 15, 2021, the Court of Justice of the European Union (“CJEU”) rendered a decision (press release here, full judgment here) addressing whether a European supervisory authority (“SA”) that is not the “Lead SA” (as defined in Article 56 GDPR) has competence to bring a case for an alleged violation of the General Data Protection Regulation (“GDPR“) before a national court in instances where the alleged violation involved the processing of personal data across multiple EU Member States.  In such scenarios, a controller with a main establishment in Europe will typically seek to benefit from the so-called “one-stop-shop” principle under Article 56 GDPR, meaning the controller would need to answer to only one SA rather than be subject to enforcement actions brought by numerous SAs.
Continue Reading CJEU Decides on Competence of Supervisory Authorities to Bring Cases Before National Courts under the GDPR

On June 9, 2021, the French Supervisory Authority (“CNIL”) published recommendations to help strengthen the protection of minors online (see here, in French).  These recommendations are the result of a survey and public consultation conducted by the CNIL in 2020, which focused on the digital practices of minors (see our blog post here).  The results of the CNIL’s survey and public consultation indicate that children are accessing the Internet at an early age on a “massive” scale.  In light of this reality, the CNIL underscores the importance of ensuring that minors benefit from the effective protection of their personal data when engaging online.
Continue Reading French CNIL Publishes Recommendations for Protecting Minors Online

On June 1, 2021, several German supervisory authorities (“SAs”) announced the launch of a “nationwide investigation” into German companies transferring personal data outside of the European Economic Area.  Currently, there is no official list of all the SAs participating in the investigation, but at least 8 of Germany’s 16 regional SAs have announced their intention to take part in it, including: Baden Wuerttemberg, Bavaria, Berlin, Brandenburg, Hamburg, Lower Saxony, Rhineland-Palatinate, and Saarland.
Continue Reading German Supervisory Authorities Probe Data Transfers

Today, June 4th, 2021, the European Commission (“Commission”) published the final version of its new standard contractual clauses for the international transfer of personal data (“SCCs”) (see here).  While the final version retains much of the language of the draft version released in November 2020 (see here), it includes several notable updates.  When finalizing the SCCs, the Commission took into account the joint opinion of the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor, feedback submitted by stakeholders during the public consultation period, and the opinions of EU Member States’ representatives.

In this blog post, we identify several key features of the new SCCs that organizations should keep in mind when preparing to implement them in contractual agreements going forward.


Continue Reading European Commission Publishes New Standard Contractual Clauses

On May 19, 2021, the Italian Supervisory Authority (“Garante”) fined a physician €5,000 for publishing a patient’s medical records without obtaining that patient’s specific consent to do so.  As background, the physician downloaded medical records about a patient she treated at a local hospital from the hospital’s online archive system, including images taken during surgery.  The physician used these records for a presentation at a medical conference, and also included them as documentation supporting a scientific research paper she submitted for a competition hosted by a surgeons’ association.  The physician’s paper was ultimately selected as the winner of that competition, resulting in the publication of her work on the association’s website.
Continue Reading Italian Supervisory Authority Fines Physician for Secondary Use of Patient Data Without Specific Consent

On April 27, 2021, the Irish Oireachtas Committee on Justice met in Dublin to consider recent written submissions received criticising the Irish Data Protection Commission (DPC).  The meeting was divided into two hour-long meetings with the first meeting devoted to the criticisms of Max Schrems, the Austrian privacy campaigner, and Fred Logue, an Irish data protection lawyer.  The second meeting, the longer of the two, heard from Helen Dixon, the Data Protection Commissioner, and the Irish Council of Civil Liberties.

Ten politicians, including the Chair (a lawyer with data law experience), questioned each of the invitees on what was a limited agenda.  Each participant was limited to a five minute opening statement after which member politicians attending queried them.  Discussion of ongoing cases was not permitted.

The Committee scheduled Mr. Schrems and Ms. Dixon on separate panels, presumably to avoid a repeat of Ms. Dixon’s objection to the previous invitation from the European Parliament’s LIBE Committee proposing to hear from both together at the same hearing.  Each in turn were the key participants in their panel discussions.  Mr. Schrems repeated criticisms he has made previously and Ms. Dixon gave a strong defence of her office.
Continue Reading Irish Parliamentary Committee Hearing Discusses Criticism of the Irish DPC

On February 18, 2021, the District Court of Berlin overturned a €14.5 million fine that had been imposed on German real estate company Deutsche Wohnen SE.  The Court held that the fine – which was issued by the Berlin Supervisory Authority (“SA”) and had been the second highest fine in Germany so far under the EU General Data Protection Regulation (“GDPR”) – failed to satisfy certain rules under German law, and therefore was invalid.

This case raises important questions on the interplay between the GDPR and German law regarding the attribution of regulatory offenses to a company.  In this blog post, we consider this topic in greater depth and how it may eventually be resolved in court.


Continue Reading German Court Overturns GDPR Fine, Raises Legal Questions About Fines Against Companies

In February 2021, the European Commission (“Commission”) released a report on European Union (“EU”) Member States’ laws governing the processing of health data.  The report discusses three general types of health data uses:

  • primary use for health care services;
  • secondary use for public health purposes; and
  • secondary use for scientific research purposes.

For each of these general purposes, the report assesses real-world use cases.  For example, for health care services, the report considers e-health applications, among others.  For public health purposes, the report considers pharmacovigilance and product approvals.  The section on scientific research purposes, meanwhile, considers issues such as research by public bodies, sharing of data with third-party researchers, and the use of genetic data.


Continue Reading European Commission Publishes Report on EU Member States’ Rules in Relation to Health Data

Until now, damages claims awarded by German courts pursuant to Article 82 of the General Data Protection Regulation (“GDPR”) – in particular, claims for non-material damages – have been relatively low.  This restrained approach thus far has been predicated primarily on the position that German law requires a serious violation of personality rights to justify higher claims for non-material damages.  Two recent cases decided by regional courts illustrate and confirm this prevailing stance.  However, a more recent decision issued by the Federal Constitutional Court indicates that views in Germany may be evolving on this topic, and courts may soon be willing to entertain higher damages claims.

Continue Reading A New Day for GDPR Damages Claims in Germany?

On February 3, 2021, the Conference of the Supervisory Authorities (“SAs”) of Germany (known as the Datenschutzkonferenz or “DSK”) published minutes from its meetings held in November 2020 (available here, in German).  The minutes include discussions about how the German SAs plan to enforce the recent Schrems II ruling of the Court of Justice of the European Union (“CJEU”).  Notably, the Berlin SA (coordinator of the DSK’s Schrems II task force) sought consensus to ensure a joint enforcement approach.

Continue Reading German Supervisory Authorities Plan to Circulate Questionnaires on Personal Data Transfers in Wake of Schrems II Decision