CJEU’s Advocate General Issues Opinion on GDPR Fines Against Companies
On April 27, 2023, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) issued his opinion in case C-807/21 on the conditions for imposing GDPR fines on legal persons (e.g., companies). He opined that Member States’ law may not stipulate conditions going beyond those set out in the GDPR that make it more difficult to impute GDPR infringements to companies. In addition, he is of the opinion that GDPR penalties may only be imposed for intentional or negligent conduct, since the GDPR does not provide for a strict liability (no fault) system.
Austria
Austrian Supervisory Authority Issues Decision on the Collection of Personal Data by Credit Referencing Agency
On March 24, 2023, the Austrian Supervisory Authority (“Austrian SA”) held that a credit referencing agency (“Agency”) breached the GDPR by unlawfully processing personal data obtained from a third party in order to conduct credit assessments. It decided that the Agency breached the GDPR’s principle of lawfulness because it did not have a valid legal basis to process the personal data. This case will be relevant for organizations assessing their lawful basis for processing personal data.
Austrian Supervisory Authority Finds that Website Deploying Google Analytics Carried out Unlawful Transfers to the US
On December 22, 2021, the Austrian Supervisory Authority (“Authority”) found that an Austrian website that implemented the free version of Google Analytics violated the GDPR’s rules on international data transfers.
The Authority decided that the Standard Contractual Clauses, combined with the Austrian website operator’s supplementary measures to…
Dutch Supervisory Authority Prohibits “Cookie Walls” under GDPR
On March 7, 2019, the Dutch Supervisory Authority for data protection issued guidance prohibiting the use of “cookie walls” on websites. Cookie walls require website users to consent to the placing of tracking cookies or similar technologies before allowing them access to the website. According to the regulator, it received…
Austrian Data Protection Authority Validates Paid Subscription Model as a Viable Alternative to Ad Tracking
On 30 November 2018, the Austrian Data Protection Authority (“DPA”) decided that the website of an online media publisher – which offers users the option to either consent to advertising cookies or pay for a subscription – gives users a free choice that is compatible with the requirements of consent…
European Regulators Are Intensifying GDPR Enforcement
Earlier this year, in the run-up to the General Data Protection Regulation’s (“GDPR”) May 25, 2018 date of application, a major question for stakeholders was how zealously the GDPR would be enforced. Now, as the GDPR approaches its six-month birthday, an answer to that question is rapidly emerging. Enforcement appears…
EU DPA Enforcement Guidance Post-Schrems
Industry eagerly awaits further guidance from data protection authorities (“DPAs”) relating to the EU-U.S. Privacy Shield as well as on the validity (or otherwise) of other mechanisms for transfers to the U.S., such as standard contractual clauses (“SCCs”) and binding corporate rules (“BCRs”). As we explained in recent posts, publication of an opinion by the Article 29 Working Party, representing, among other things, the EU’s data protection authorities, is a key next step that will shape enforcement and data transfer options for companies in the post-Schrems environment. Until then, here is a summary of the approach that some of the national DPAs are taking:
The European Court of Justice Rules That Austria’s Data Protection Authority Is Not Sufficiently Independent
On 16 October 2012, the Court of Justice of the European Union (“CJEU”) ruled in favour of the European Commission in its claim against Austria that the Austrian Data Protection Authority, the Datenschutzkommission (“DSK”), was not independent from the Austrian government as required under Article 28 of the EU’s Data Protection Directive. The Commission’s action was supported by the European Data Protection Supervisor (“EDPS”); Austria’s defence was supported by Germany.
Article 28, which was the focus of the case, requires data protection authorities to “act with complete independence in exercising the functions entrusted to them”. This principle is also made clear in the Charter of Fundamental Rights of the EU and in the Treaty on the Functioning of the EU (“TFEU”).