Archives: European Union

Subscribe to European Union RSS Feed

EDPB and EDPS Release Joint Opinion on Draft EU Standard Contractual Clauses

On January 19, 2021, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) issued a joint opinion on the draft standard contractual clauses for international data transfers (“draft SCCs”) published by the European Commission (“EC”) on November 12, 2020, including a marked-up version of the clauses. The EDPB/EDPS joint opinion proposes … Continue Reading

Council of the EU Released a (New) Draft of the ePrivacy Regulation

On January 5, 2021, the Council of the European Union released a new, draft version of the ePrivacy Regulation, which is meant to replace the ePrivacy Directive.  The European Commission approved a first draft of the ePrivacy Regulation in January 2017.  The draft regulation has since then been under discussion in the Council. On January … Continue Reading

Brexit Deal Keeps EU-UK Data Flows Open as Parties Pursue Mutual Adequacy

On December 24th, with a year-end deadline and the holidays fast approaching, European Commission and United Kingdom (“UK”) officials announced they reached a deal on the EU-UK Trade and Cooperation Agreement (“Agreement”).  Once formally adopted by the European Union (“EU”) institutions, the Agreement will govern the relationship between the EU and UK beginning on January … Continue Reading

Twitter Fine: a View into the Consistency Mechanism, and “Constructive Awareness” of Breaches

On December 15, 2020, the Irish Data Protection Commission (“DPC”) fined Twitter International Company (“TIC”) EUR 450,000 (USD 500,000) following a narrow investigation into TIC’s compliance with obligations to (a) notify a personal data breach within 72 hours under Article 33(1) GDPR; and (b) document the facts of the breach under Article 33(5) GDPR. The … Continue Reading

The European Commission publishes a proposal for a Regulation on European Data Governance (the Data Governance Act)

On 25 November 2020, the European Commission published a proposal for a Regulation on European Data Governance (“Data Governance Act”).  The proposed Act aims to facilitate data sharing across the EU and between sectors, and is one of the deliverables included in the European Strategy for Data, adopted in February 2020.  (See our previous blog … Continue Reading

EDPB adopts recommendations on international data transfers following Schrems II decision

On 11 November 2020, the European Data Protection Board (“EDPB”) issued two draft recommendations relating to the rules on how organizations may lawfully transfer personal data from the EU to countries outside the EU (“third countries”).  These draft recommendations, which are non-final and open for public consultation until 30 November 2020, follow the EU Court … Continue Reading

Inside Privacy Audiocast: Episode 7 – Brexit and the Future of UK Data Privacy Law

Over the past 9 months, the UK has been hammering out the shape of its future trading relationship with the EU, as well as many others, and there apparently are signs of progress in the past few days as a result of intensified talks between the two sides. Some are reporting a deal will be … Continue Reading

French Court of Cassation Decides That an Employer Can Use a Facebook Post to Dismiss an Employee

On September 30, 2020, the French Court of Cassation (“Court”) ruled in favor of an employer that dismissed an employee because of the contents of a Facebook post (the decision is available here, in French).  In particular, the employee in this case posted a photograph of a new clothing collection of the employer on a … Continue Reading

French Supervisory Authority Releases Strict Guidance on the Use of Facial Recognition Technology at Airports

On October 9, 2020, the French Supervisory Authority (“CNIL”) issued guidance on the use of facial recognition technology for identity checks at airports (available here, in French).  The CNIL indicates that it has issued this guidance in response to a request from several operators and service providers of airports in France who are planning to … Continue Reading

New Guidelines for Companies from German Supervisory Authority (DPA-BW) following Schrems II

On September 7, 2020, the German data protection supervisory authority for Baden-Wuerttemberg (“DPA-BW”) released new guidelines following the Schrems II judgment on how companies should transfer data to third countries. For a more in-depth summary of the CJEU’s Schrems II decision, please see our previous blog post here and our audiocast episode here.… Continue Reading

AI, IoT, and CAV Legislative Update: EU Spotlight (Third Quarter 2020)

In this edition of our regular roundup on legislative initiatives related to artificial intelligence (AI), cybersecurity, the Internet of Things (IoT), and connected and autonomous vehicles (CAVs), we focus on key developments in the European Union (EU).… Continue Reading

French Supervisory Authority Publishes Final Version of Cookie Guidelines, Says It Will Start Enforcing Them in April 2021

On October 1, 2020, the French Supervisory Authority (“CNIL”) published the final version of its Guidelines on cookies and other tracking technologies (hereafter, “guidelines” – see announcement here, and guidelines here, in French), as well as an adjoining set of best practice recommendations (in French) with examples on how to implement the guidelines.  In this … Continue Reading

U.S. Government Issues White Paper on Privacy Safeguards Following Schrems II

In the wake of the Court of Justice of the European Union’s (“ECJ”) Schrems II decision invalidating the EU-U.S. Privacy Shield (“Privacy Shield”) but upholding the validity of standard contractual clauses (“SCCs”), the U.S. government has released a White Paper entitled “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for … Continue Reading

Five Key Themes from the FTC’s Data Portability Workshop

On September 22, 2020, the Federal Trade Commission (“FTC”) hosted “Data to Go,” a virtual workshop on data portability. The workshop convened experts from civil society, academia, and industry to discuss the potential risks as well as consumer and competition benefits of data portability, as well as issues and best practices related to its implementation … Continue Reading

EDPB Publishes Draft Guidelines on the Targeting of Social Media Users

On 7 September 2020, the European Data Protection Board (“EDPB”) adopted draft guidelines on the targeting of social media users (the “Guidelines”).  The Guidelines aim to clarify the roles and responsibilities of social media providers and “targeters” with regard to the processing of personal data for the purposes of targeting social media users.… Continue Reading

UK Information Commissioner’s Office Publishes Draft Accountability Framework Tool

On 10 September 2020, the UK Information Commissioner’s Office (“ICO”) published its beta-phase “Accountability Framework” (“Framework”).  The Framework is designed to assist organisations, of any size and across all sectors, in complying with the accountability principle under the GDPR and in meeting the expectations of the ICO. The Framework will help those within organisations who … Continue Reading

Life After Schrems II: Practical Recommendations In An Uncertain Time

On 16 July, 2020, the Court of Justice of the EU (“CJEU”), issued its decision in the Schrems II case.  In short, the CJEU invalidated the EU-U.S. Privacy Shield and clarified that the use of standard contractual clauses (“SCCs”) requires data controllers to conduct a case-by-case assessment of the level of data protection that SCCs … Continue Reading

AI Update: EU High-Level Working Group Publishes Self Assessment for Trustworthy AI

On July 17, 2020, the High-Level Expert Group on Artificial Intelligence set up by the European Commission (“AI HLEG”) published The Assessment List for Trustworthy Artificial Intelligence (“Assessment List”). The purpose of the Assessment List is to help companies identify the risks of AI systems they develop, deploy or procure, and implement appropriate measures to … Continue Reading

European Commission Publishes 2-Year Report on the Implementation of the GDPR

On June 24, 2020, the European Commission (“Commission”) published its much-anticipated assessment of the EU’s General Data Protection Regulation (“GDPR”) two years after it went into effect.  The assessment takes into account contributions from the European Council, the European Parliament, the European Data Protection Board (“EDPB”), individual supervisory authorities, the Multi-Stakeholder Expert Group and other … Continue Reading

French Council of State Decides that the French Supervisory Authority Cannot Prohibit Cookie Walls

On June 19, 2020, the French Council of State (Conseil d’État) decided that the French Supervisory Authority (“CNIL”) had gone too far in its guidance on cookies and similar technologies when it stated that conditioning a user’s access to a website upon his or her acceptance of certain cookies (commonly known as “cookie walls”) is … Continue Reading

French CNIL Publishes Paper on Algorithmic Discrimination

On June 2, 2020, the French Supervisory Authority (“CNIL”) published a paper on algorithmic discrimination prepared by the French independent administrative authority known as “Défenseur des droits”.  The paper is divided into two parts: the first part discusses how algorithms can lead to discriminatory outcomes, and the second part includes recommendations on how to identify … Continue Reading

Dutch Supervisory Authority Fines Company for Processing Biometric Data of Employees

On April 28, 2020, the Dutch Supervisory Authority (“Dutch SA”) announced its decision to impose a fine of €725,000 on a company for unlawfully processing the biometric data of its employees. In 2018, the company concerned installed an access and time management system that collected and processed biometric templates of employees’ fingerprints.  This initiative came … Continue Reading

European Data Protection Board Issues Guidelines on Processing Personal Data for Scientific Research Related to COVID-19

On April 21, 2020, the European Data Protection Board (“Board”) issued guidelines on the processing of personal data for scientific research related to COVID-19.  The Board indicates that the GDPR takes into account the needs of scientific research and should not be a barrier to conduct such research, while at the same time, it helps … Continue Reading
LexBlog