On February 3, 2023, the German Data Protection Conference (“Datenschutzkonferenz”, “DSK”) published its decision, dated January 31, 2023, on the data protection assessment of access possibilities for third country public authorities to personal data processed by an EU/EEA-based subsidiary of a third country-based parent company pursuant to Article 28 of the General Data Protection
GDPR
Court of Justice of the EU Decides that GDPR Right of Access Allows Data Subjects to Request the Identity of Each Data Recipient
On January 12, 2023, the Court of Justice of the EU (“Court”) decided that the GDPR’s right of access gives a data subject the choice between asking a controller for (i) the identity of each data recipient to whom the controller will or has disclosed the data subject’s personal data or (ii) only the categories of data recipients. The controller must comply with the data subject’s request, unless it is impossible to identify those recipients (e.g., because they are not yet known) or the controller demonstrates that the data subject’s access request is “manifestly unfounded or excessive.”…
French CNIL Finds GDPR Not Applicable to a US Company Providing a Browser Extension
On December 20th, 2022, the French Data Protection Authority (“CNIL”) closed down an investigation against a US company providing a browser extension (the “Company”), after finding that its activities were not subject to the GDPR. The CNIL’s decision is available here in French.
The Company provides a browser extension (the “Extension”) allowing users to obtain…
CJEU’s Advocate General Issues Opinions on the GDPR’s Right of Access to Personal Data
On December 15, 2022, the Advocate Generals (“AG”) of the Court of Justice of the European Union (“CJEU”) issued two separate opinions in cases C‑487/21 and C‑579/21 on the right of access, pursuant to Article 15 GDPR. The first case concerns the proper interpretation and application of Article 15(3), which permits a data subject to obtain a “copy” of their personal data, among other things. The second case concerns whether the right of access includes the right to receive the identity of the controller’s employees, who are processing the data subject’s personal data in the scope of their employment.…
President Biden Signs Executive Order to Implement EU-U.S. Data Privacy Framework
On October 7, 2022, President Biden signed an Executive Order directing the steps that the United States will take to implement its commitments under the new EU-U.S. Data Privacy Framework. The framework was announced by the U.S. and the EU Commission in March 2022, after reaching a political agreement in principle (see our blog post…
Special Category Data by Inference: CJEU significantly expands the scope of Article 9 GDPR
On August 1, 2022, the CJEU issued its ruling in Case 184/20 (OT v Vyriausioji tarnybinės etikos komisija) following a referral from the Lithuanian Regional Administrative Court. In this ruling, the CJEU elected to interpret the GDPR very broadly in a judgment that is likely to have a significant impact for organisations processing…
Ireland Expands Leadership Structure of Data Protection Commission
The leadership of Ireland’s Data Protection Commission (“DPC”) is to be expanded to a three-person Commission, with the current Commissioner taking the lead role as Chair. The Irish Minister for Justice announced the decision on July 27, 2022, along with the Government’s decision to undertake a review of its governance structures, staffing arrangements and processes for the newly modeled Commission.…
Continue Reading Ireland Expands Leadership Structure of Data Protection Commission
The New Italian Sunshine Act Introduces Mandatory Individual Disclosure With Implied Consent Mechanism For Transfers Of Value
On 31 May 2022, the Italian Parliament approved Law 62/2022, also known as the Sunshine Act, which entered into force on 26 June 2022. The new rules will become fully operational once the Ministry of Health sets up the public database where companies will have to disclose their data. In practice, this means the new…
Italian Garante Bans Use of Google Analytics
On June 23, 2022 the Italian data protection authority (“Garante”) released a general statement (here) flagging the unlawfulness of data transfers to the U.S. resulting from the use of Google Analytics. The Garante invites all Italian website operators, both public and private, to verify that the use of cookies and other tracking tools…
Irish DPC Publishes Child-Facing Privacy Guides
On May 25, 2022, the Irish Data Protection Commission (“DPC”) issued 3 short guides for children, with the objective of raising awareness among adolescents about data protection and their privacy rights, as well as serving as a resource “for parents, educators and anyone [else] interested in children’s safety and wellbeing online”. The 3 guides…