Court of Justice of the European Union (CJEU)

Today, the Court of Justice of the European Union (the “CJEU”) invalidated the European Commission’s Decision on the EU-U.S. Safe Harbor arrangement (Commission Decision 2000/520 – see here). The Court responded to pre-judicial questions put forward by the Irish High Court in the so-called Schrems case. More specifically, the High Court had enquired, in particular, about the powers of European data protection authorities (“DPAs”) to suspend transfers of personal data that take place under the existing Safe Harbor arrangement. The CJEU ruled both on the DPAs’ powers and the validity of the Safe Harbor, finding that national data protection authorities do have the power to investigate in these circumstances, and further, that the Commission decision finding Safe Harbor adequate is invalid.

This judgment affects all companies that rely on Safe Harbor. They now need to consider alternative data transfer mechanisms.
Continue Reading EU’s Highest Court Invalidates Safe Harbor with Immediate Effect

On October 1st, 2015, the Court of Justice of the EU rendered its judgment in the Weltimmo case (C-230/14).  The case addressed two important aspects of EU data protection law, namely applicable law and the scope of the territorial powers of data protection authorities.

The case arose out of a dispute between Weltimmo, a company registered in Slovakia, which operates property dealing websites concerning Hungarian properties, and the Hungarian data protection authority.  Several advertisers lodged a complaint with the data protection authority, which imposed a fine on Weltimmo for a violation of the Hungarian Law on Information.Continue Reading EU’s Highest Court Rules on Applicable Law and Territorial Powers of the National Data Protection Authorities

Late last week, the Article 29 Working Party released a short press statement announcing that it had agreed guidance for the implementation of the May 2014 CJEU ruling against Google on the “right to be forgotten.”  See our first post on the Working Party’s guidance here.  The Working Party
Continue Reading Article 29 Working Party Publishes Full Guidance On CJEU Right To Be Forgotten Ruling Against Google

Yesterday, the Article 29 Working Party group of European privacy regulators released a short press release describing the results of its most recent plenary meeting, in which the right to be forgotten was discussed.

The “right to be forgotten” refers to a “new” right that the Court of Justice of the European Union (CJEU) read into the Data Protection Directive (95/46/EC) in the May 2014 case, Google Spain v AEPD and Mario Costeja González (C-131/12).  At its heart, the right to be forgotten (RTBF) enables European Union residents to request that search engines to take down certain types of search results based on searches of the requestor’s individual name.  For example, the right enables requests to take down “irrelevant” or out of date search results.Continue Reading Article 29 Working Party Meets To Discuss The Right To Be Forgotten

Covington will be hosting a book launch for the 2014 title ‘Data Protection & Privacy Law 2nd Edition’, edited by Monika Kuschewsky, in partnership with The European Lawyer (Thomson Reuters) on September 23, 2014 in Brussels. The event will comprise a half-day workshop followed by a drinks reception.
Continue Reading Client Event: “Data Protection & Privacy Law – 2nd Edition,” September 23, 2014

By Philippe Bradley and Mark Young

The Court of Justice of the European Union (CJEU) today held that the EU Data Retention Directive (Directive 2006/24/EC)1 is invalid.  The CJEU ruled that the retention of data under the Directive constitutes an impermissibly broad and serious interference with fundamental human rights to private life and the protection of personal data.

The Data Retention Directive requires all EU Member States to ensure that communications service providers retain certain traffic, location and related data necessary to identify subscribers or users in relation to every communication carried (“communications data”), for the purpose of investigating, detecting and prosecuting “serious crime”, as defined by national law.  Today, the CJEU ruled that the Directive is unlawful despite its legitimate aim and the measures it put in place to protect retained data, and regardless of the fact that it does not require the content of communications to be retained.

The effect of the declaration of invalidity is immediate and effectively back-dated to the day on which the Data Retention Directive entered into force.  This raises interesting questions about the status of national implementing data retention laws (and possibly also about costs that service providers have incurred in complying with such laws), and whether the EU legislature will attempt to create an alternative data retention system that respects the limits set out in the ruling.Continue Reading EU Data Retention Directive Declared Invalid by Court of Justice of the EU

By Maria-Martina Yalamova & Mark Young

On 12 December 2013, the Advocate General (“AG”) to the Court of Justice of the European Union (the “CJEU”), Mr Cruz Villalón, gave an opinion that the EU’s Data Retention Directive 2006/24/EC (the “Directive”) violates the fundamental right to privacy in the EU.  His reason, in short, is that the Directive mandates the blanket retention of citizens’ traffic and location data by telecom companies, but fails to establish rules on minimum guarantees regarding access to and use of such data.  

This is not the first time the lawfulness of the Directive has been challenged.  Originally introduced to help fight serious crime and terrorism, the Directive quickly became one of the most controversial pieces of European legislation.  In 2011, the European Commission identified in its evaluation report several flaws, such as a lack of clear guidance on what constitutes “serious crime” and on the purposes for which data can be retained and accessed.  The European Data Protection Supervisor (EDPS) (see 2011 opinion here), the Article 29 Working Party (see 2010 report here and 2006 Opinion here), and civil rights groups have also publically expressed doubts about the lawfulness of the data retention measures.  In addition, the constitutional courts of Germany, the Czech Republic and Romania have ruled that national laws implementing the Directive are unconstitutional as they violate the right to privacy. 

Continue Reading Advocate General finds the EU’s Data Retention Directive Incompatible with the Fundamental Right to Privacy