European Union

On April 28, 2022, the Court of Justice of the EU (“CJEU”) decided that consumer protection associations may bring collective claims without a mandate from the affected consumers, including for violations of the GDPR, relying on national consumer law provisions.  The words “without a mandate” refers to the fact that the organization is not representing a particular consumer or group of consumers, rather, it is representing the collective interests of those whose personal data have been processed in a manner contrary to the GDPR, without naming particular data subjects.Continue Reading Court of Justice of the EU Greenlights GDPR Collective Claims Without a Mandate

Update: On May 3, 2022, the European Commission published the official version of the proposal for a European Health Data Space Regulation.  It’s open for feedback until July 14, 2022.


Original blog post: On March 3, 2022, a leaked version of the proposal for a regulation setting up the European Health Data Space was published.  The draft regulation will set up a common framework across EU Member States for the sharing and exchange of quality health data (such as electronic health records, patient registries and genomic data).  The European Commission has not yet released an official version of the proposal.  It is expected to do so on May 3.

The leaked proposal is a lengthy document (126 pages, excluding annexes) that contains within it a number of different sets of rules.  Key requirements that are likely to be of interest to organizations in the life sciences sector are that the draft regulation proposes to:

  • create new patient rights over their electronic health data, and sets out rules regarding use of electronic health data for primary care;
  • establishes a pre-market conformity assessment requirement for electronic health record systems (“EHR systems”);
  • sets out rules that apply to digital health services and wellness apps; and
  • introduces a harmonized scheme for providing access to electronic health data for secondary use.

Continue Reading Draft Version of the European Health Data Space Regulation

The German Conference of Independent Supervisory Authorities (“DSK”) published on March 23, 2022 a statement on scientific research and data protection (see here, in German).  The DSK published the statement in response to the German Government’s initiative on a general law on research data as part of its Open Data Strategy, announced on July 6, 2021.  The DSK also refers to the Government’s intention to introduce a law on the use of health data, including the storage of data in electronic health records.
Continue Reading German Supervisory Authorities Publish Paper on Scientific Research and Data Protection

As many readers will be aware, a key enforcement trend in the privacy sphere is the increasing scrutiny by regulators and activists of cookie banners and the use of cookies. This is a topic that we have been tracking on the Inside Privacy blog for some time. Italian and German data protection authorities have

The Irish Data Protection Commission has announced its Strategy for 2022-2027, highlighting 5 strategic goals:

  • (1) “consistent and effective” regulation;
  • (2) promoting data protection awareness;
  • (3) protecting children;
  • (4) providing clarity for stakeholders; and
  • (5) supporting organisational compliance.

The strategy is based on a risk based approach to regulation which, according to the DPC, “resonated with the majority of commentators” to the public consultation the Commission conducted as it developed its new 5 year strategy.
Continue Reading New 5 Year Irish Data Protection Commission’s Strategy

On 22 December 2021, the conference of German data protection supervisory authorities (“DSK”) published its Guidance for Providers of Telemedia Services (Orientierungshilfe für Anbieter von Telemedien).  Particularly relevant for providers of websites and mobile applications, the Guidance is largely devoted to the “cookie provision” of the German Telecommunication and Telemedia Privacy Act (TTDSG), which came into force on 1 December 2021.  The publication  focuses on the consent requirement for cookies and similar technologies, as well as relevant exceptions, introduced by the law.
Continue Reading German Regulators Publish Cookie Guidance

In a decision handed down on December 1, 2021, the Brussels Market Court (Court of Appeal) had an opportunity to consider the GDPR right of access.  The Belgian Ministry of Finance appealed the Belgian Supervisory Authority’s recent decision requiring the Ministry to grant a complainant access to her financial file and make corrections to the

On November 25, 2021, the Council of the European Union reached an agreement on the draft Digital Services Act (“DSA”) (see here and here) and the Digital Markets Act (“DMA”) (see here) bringing them one step closer to adoption.  The European Parliament will discuss the drafts on December 9 and plans to announce

On November 19, 2021, the European Data Protection Board (“EDPB”) published its draft Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (available here).  The draft guidelines are currently subject to a public consultation period that ends on January 31, 2022; interested stakeholders can submit their feedback here.

In this blog post, we provide a brief background on the issues addressed in the draft guidelines, and summarize the key takeaways.Continue Reading EDPB Publishes Draft Guidelines on Interplay of Article 3 GDPR and the GDPR’s Cross-Border Transfer Rules

There have been many headlines today about the UK Government’s plans to reform UK data protection law. We are still reviewing the (near 150-page) consultation document, but set out below a dozen proposals that we thought might pique the interest of readers of our blog.
Continue Reading 12 Eye-Catching Proposals In The UK Government’s Plan To Reform UK Data Protection Law