Archives: European Union

Subscribe to European Union RSS Feed

EDPB Publishes Article 28 Standard Clauses Adopted by Danish Supervisory Authority

On December 11, 2019, the European Data Protection Board (“EDPB”) published the final text of the standard clauses adopted by the Danish Supervisory Authority (Datatilsynet, hereafter “Danish SA”) pursuant to Article 28(8) of the General Data Protection Regulation (“GDPR”).  The Danish clauses are now accessible on the EDPB’s register of decisions taken by Supervisory Authorities.  … Continue Reading

German Supervisory Authorities Propose Changes to the GDPR

On December 2, 2019, the German Supervisory Authorities issued a report evaluating the implementation of the EU General Data Protection Regulation (“GDPR”) in Germany.  The report describes the Supervisory Authorities’ experience thus far in applying the GDPR and lists the provisions of the GDPR they see as problematic in practice.  For each of these provisions, … Continue Reading

UK ICO and The Alan Turing Institute Issue Draft Guidance on Explaining Decisions Made by AI

The UK’s Information Commissioner’s Office (“ICO”) has issued and is consulting on draft guidance about explaining decisions made by AI.  The ICO prepared the guidance with The Alan Turing Institute, which is the UK’s national institute for data science and artificial intelligence.  Among other things, the guidance sets out key principles to follow and steps … Continue Reading

New E-Privacy Proposal on the Horizon?

On December 3, 2019, the EU’s new Commissioner for the Internal Market, Thierry Breton, suggested a change of approach to the proposed e-Privacy Regulation may be necessary.  At a meeting of the Telecoms Council, Breton indicated that the Commission would likely develop a new proposal, following the Council’s rejection of a compromise text on November … Continue Reading

German Constitutional Court Reshapes “Right to be Forgotten” and Expands Its Oversight of Human Rights Violations

In two recent landmark decisions issued on November 6, 2019, the German Constitutional Court (“BVerfG”) presented its unique perspective on the “right to be forgotten” and announced that it will assume a greater role in safeguarding German residents’ fundamental rights from now on.… Continue Reading

Commission Expert Group Report on Liability for Emerging Digital Technologies

On November 21, 2019, the European Commission’s Expert Group on Liability and New Technologies – New Technologies Formation (“NTF”) published its Report on Liability for Artificial Intelligence and other emerging technologies.  The Commission tasked the NTF with establishing the extent to which liability frameworks in the EU will continue to operate effectively in relation to … Continue Reading

UPDATE: AG Opinion in Schrems II Delayed

The Advocate General’s (“AG”) Opinion in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”), has been delayed until the 19th December 2019.  (The original publication date was set for the week before, on the 12th December.) The primary question before the European Court of Justice (“ECJ”), and the AG, in Schrems … Continue Reading

EDPB Adopts Final Version of Guidelines on Territorial Scope of the GDPR

On November 14, 2019, the EDPB adopted a final version of Guidelines 3/2018 on the territorial scope of the GDPR (Art. 3). This takes into account the contributions and feedback that the EDPB received during a public consultation on a draft version of the guidelines (see here). The draft version of the guidelines raised many … Continue Reading

French Supervisory Authority Publishes Guidance on Facial Recognition

On November 15, 2019, the French Supervisory Authority (“CNIL”) published guidance on the use of facial recognition. The guidance is primarily directed at public authorities in France that want to experiment with facial recognition. The guidance warns that this technology risks leading to biased results because the algorithms used are not 100% reliable and the … Continue Reading

The Spanish Supervisory Authority Issues Guidance on the Use of Cookies

On November 8, 2019, the Spanish Supervisory Authority (“SA”) issued detailed guidance on cookies and similar technologies in collaboration with stakeholders in the ad industry, including Adigital, Anunciantes, AUTOCONTROL and IAB Spain. The guidance is divided in 4 chapters: Chapter 1: scope of the Spanish cookie rules (Art. 22 of Law 34/2002); Chapter 2: terminology … Continue Reading

EU adopts New Deal for Consumers

On November 8, 2019, the European Union adopted the “Directive Modernizing Consumer Law”. This directive is part of the so-called “New Deal for Consumer” (see here), a package of legislative reforms designed to revise existing EU consumer laws. The main objective of these reforms is to adapt EU consumer protection legislation to the realities of … Continue Reading

Real Estate Company Fined € 14.5 Million in Germany for Violating GDPR Principle of Privacy By Design

On October 30, 2019, the supervisory authority (“SA”) of Berlin issued a € 14.5 million fine against the real estate company Deutsche Wohnen SE for storing personal data of tenants without a legal basis (Art. 6 GDPR) and for not implementing the GDPR principle of privacy by design (Art. 5 and 25(1) GDPR) (press release … Continue Reading

Spanish Supervisory Authority and EDPS Release Guidance on Hashing for Data Pseudonymization and Anonymization Purposes

On November 4, 2019, the Spanish Supervisory Authority (“AEPD”), in collaboration with the European Data Protection Supervisor, published guidance on the use of hashing techniques for pseudonymization and anonymization purposes. In particular, the guidance analyses what factors increase the probability of re-identifying hashed messages. The AEPD explains that the probability of re-identification increases if more … Continue Reading

Privacy Shield Third Annual Review

On October 23, 2019, the European Commission (“Commission”) published its Report on the third annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) (the Report is accompanied by a Staff Working Document).  The Report “confirms that the U.S. continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield” (see … Continue Reading

New Calculation Model for Data Protection Fines in Germany

On October 16, 2019, the body of German Supervisory Authorities known as the Datenschutzkonferenz (“DSK”) released a document proposing a model for calculating fines under the GDPR.  The DSK indicated that this model is subject to change and will be superseded by any method put forward in guidance issued by the European Data Protection Board. … Continue Reading

New Draft ePrivacy Regulation Released

The Council of EU Member States – one of the two main EU lawmaking bodies – recently released a new draft version of the ePrivacy Regulation (“EPR”).  Negotiations on the regulation have been deadlocked for a while, but seem to be gathering new momentum under the Finnish Presidency.  Below we highlight some selected topics that … Continue Reading

CJEU Issues Decision on Consent for Cookies and Intersection with the GDPR

On September 10, 2019, the Court of Justice of the European Union (“CJEU“) issued its decision in the Planet 49 case.  The case centers on the consent requirements for the use of cookies. Planet49 GmbH offered an online lottery service for which interested users had to register.  The registration form asked users to tick a … Continue Reading

European Parliamentary Research Service issues a briefing paper on implementing EU’s ethical guidelines on AI

On 19 September 2019, the European Parliamentary Research Service (“EPRS”)—the European Parliament’s in-house research service—released a briefing paper that summarizes the current status of the EU’s approach to developing a regulatory framework for ethical AI.  Although not a policymaking body, the EPRS can provide useful insights into the direction of EU policy on an issue. … Continue Reading

GDPR’s right to be forgotten limited to EU websites

On September 24, 2019, the Court of Justice of the European Union (“CJEU”) adopted a decision on the geographical scope of the right to erasure under the GDPR (decision available here).  The court decided, in line with the opinion of Advocate General Szpunar, that a US-based search engine does not have to remove (de-reference) search … Continue Reading

New Calculation Model for Data Protection Fines in Germany

Update, September 19, 2019: Further to the reports on its scheme for calculating fines, which prompted requests on the supervisory to publish it, the Datenschutzkonferenz has clarified that fines in individual cases are calculated on the basis of Art. 83(2) GDPR, and that the model is only used on a complimentary basis. Furthermore, the model … Continue Reading

FTC Settles Enforcement Actions Relating to Privacy Shield Certifications

On September 3, 2019, the Federal Trade Commission (“FTC”) announced settlement agreements with five companies for alleged false claims of certification under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks (collectively, “Privacy Shield”).  These settlements indicate that the FTC is continuing to actively enforce Privacy Shield commitments, as it has done with respect to several other … Continue Reading

German court decides that GDPR consent can be tied to receiving advertising

On June 27, 2019, the High Court of Frankfurt decided that a consent for data processing tied to a consent for receiving advertising can be considered as freely given under the GDPR. The case concerned an electricity company that relied on consent obtained by another company to advertise its products and services to the claimant. … Continue Reading

European Parliament Publishes Study on Blockchain and the GDPR

On July 24, 2019, the European Parliament published a study entitled “Blockchain and the General Data Protection Regulation: Can distributed ledgers be squared with European data protection law?”  The study explores the tension between blockchain technology and compliance with the General Data Protection Regulation (the “GDPR”), the EU’s data protection law.  The study also explores … Continue Reading

New Research Exposes Perils of Bogus Access Requests Under GDPR, With Implications for CCPA

At the Black Hat conference in Las Vegas last week, a security researcher presented his research on using access rights available under the GDPR for identity theft purposes (slides available here; whitepaper available here).  Specifically, the researcher “attempted to steal as much information as possible” about his fiancé by submitting GDPR access requests in her … Continue Reading
LexBlog