Earlier this month, the UK Government published a consultation on plans to implement the EU Directive on security of network and information systems (the “NIS Directive”, otherwise known as the Cybersecurity Directive). The consultation includes a proposal to fine firms that fail to implement “appropriate and proportionate security measures” up to EUR 20 million or … Continue Reading
By Dan Cooper and Rosie Klement On July 26, 2017, the Court of Justice of the EU (CJEU) published Opinion 1-15 (the “Opinion”) on the proposed agreement between the European Union and Canada on the transfer and processing of passenger name record (“PNR”) data (the “Agreement”). The Agreement was signed in 2014, but the CJEU … Continue Reading
The UK Information Commissioner’s Office (“ICO”), which enforces data protection legislation in the UK, has ruled that the NHS Royal Free Foundation Trust (“Royal Free”), which manages a London hospital, failed to comply with the UK Data Protection Act 1998 in providing 1.6 million patient records to Google DeepMind (“DeepMind”), requiring the Royal Free to … Continue Reading
On March 9, 2017, the Court of Justice of the EU (“CJEU”) handed down a ruling limiting the reach of its prior “right to be forgotten” jurisprudence, by holding that the right does not prevail over society’s interest in access to official public records of company details required by law.… Continue Reading
On December 21, 2016 the Court of Justice of European Union (“CJEU”) issued its judgment in Joined Cases C-203/15 and C-698/15, Tele2 /Watson. The decision considered the legality of UK and Swedish laws permitting the generalized retention of communications metadata (for 6-12 months) for the purposes of prevention, detection or prosecution of crime (not necessarily … Continue Reading
On July 8, 2016, the draft EU-U.S. Privacy Shield adequacy decision was formally approved by the so-called “Article 31 Committee” of EU Member States (see press release, here). That approval opens the door for the College of EU Commissioners to approve the Privacy Shield on Monday (July 11). Once translated and published in the Official … Continue Reading
On May 12, 2016, The French High Court (“Cour de Cassation”) rendered a short decision stating that the right to be forgotten does not supersede the freedom of press. In this case, two brothers took legal action against a famous French daily newspaper. The two individuals requested that their respective names be removed from search results … Continue Reading
On May 12, 2016, EU Advocate General (“AG”) Manuel Campus Sanchez-Bordona issued an Opinion in Case C-582/14 Patrick Breyer v Germany, which is pending before the EU’s highest court (the Court of Justice). The Court is not legally bound by this Opinion, but in practice often follows the opinions of its Advocate Generals in its … Continue Reading
As forecast in our latest blog on the topic (available here), the European Parliament today voted into law a new General Data Protection Regulation (“GDPR”) that will replace the EU’s all-encompassing Data Protection Directive as of mid-2018. Today’s vote brings to a close a legislative process that has lasted nearly five years; the law’s official publication, which should be … Continue Reading
Following the expected approval of the final text of the General Data Protection Regulation (“GDPR”) in the European Parliament this week, the Commission is now turning its attention towards the ePrivacy Directive. On Monday (April 11, 2016), the Commission launched a public consultation to review and propose changes to the ePrivacy Directive (2002/58/EC). (See the Commission’s … Continue Reading
By Phil Bradley-Schmieg and Vera Coughlan. This post has been updated to include links to the final texts and comparisons with preceding drafts. After three months of legal-linguistic checks and translations, the EU is poised to formally adopt the new EU General Data Protection Regulation (GDPR) and its sister law, the EU Policing and Criminal Justice … Continue Reading
As noted in our post yesterday, the text of the EU-U.S. Privacy Shield, the upcoming trans-Atlantic data-transfer framework between the EU and U.S. to replace the invalidated U.S.-EU Safe Harbor, has been released by the U.S. Department of Commerce. Commerce’s release coincided with the release of a draft adequacy decision by the European Commission. A … Continue Reading
On February 3rd, the Article 29 Working Party, representing Europe’s data protection authorities, published its reaction to the announcement of a new “Privacy Shield” political agreement between the European Commission and the U.S. Government. The Privacy Shield agreement, announced on February 2nd (and further described in our blog post here), is intended to replace the … Continue Reading
Today (February 2nd, 2016), the European Commission and U.S. Government reached political agreement on the new framework for transatlantic data flows. The new framework – the EU-U.S. Privacy Shield – succeeds the EU-U.S. Safe Harbor framework (for more on the Court of Justice of the European Union decision in the Schrems case declaring the Safe … Continue Reading
The General Data Protection Regulation (GDPR) (see the latest text here), which was approved at the political level last week, heralds a new era of data protection in the EU and beyond. The GDPR imposes numerous new obligations on companies both within and outside the EU, strengthens the rights of individuals and foresees stiff penalties … Continue Reading
This morning, the European Parliament’s Civil Liberties, Justice and Home Affairs committee (“LIBE”) formally adopted the result of the negotiations on the EU’s General Data Protection Regulation (“GDPR”). The text of GDPR was the outcome of trilogue negotiations between the European Parliament and Council and the Commission, which concluded on December 15, 2015. The LIBE … Continue Reading
Today, the EU institutions reached the long-awaited political agreement on the General Data Protection Regulation (GDPR), which will fundamentally change the EU privacy landscape (for the Commission press release see here and the European Parliament press release here). Almost four years after the publication of the legislative proposal for the GDPR, the final trilogue meeting … Continue Reading
On October 1st, 2015, the Court of Justice of the EU rendered its judgment in the Weltimmo case (C-230/14). The case addressed two important aspects of EU data protection law, namely applicable law and the scope of the territorial powers of data protection authorities. The case arose out of a dispute between Weltimmo, a company registered … Continue Reading
By Dan Cooper and Phil Bradley-Schmieg On March 24, 2015, the Court of Justice of the EU (CJEU) heard arguments in Case C-362/14 (Schrems). The High Court of Ireland has asked the CJEU whether Ireland’s data protection authority (DPA) — and by extension other EU DPAs — is bound by the Commission’s adequacy decision (Decision 520/2000/EC) … Continue Reading
By Sophie Noya and Henriette Tielemans From September 29 to October 7, 2014, parliamentary Committees of the European Parliament (“EP”) will be holding public confirmation hearings with Commissioners-designates with a view to assessing their skills and qualifications ahead of the EP’s vote on October 22 to approve (or reject) the Council’s appointment of the new … Continue Reading
The Article 29 Data Protection Working Party (“Working Party”), the independent European advisory body on data protection and privacy, comprised of representatives of the data protection authorities of each of the EU member states, the European Data Protection Supervisor (the “EDPS”) and the European Commission, has identified a number of significant data protection challenges related … Continue Reading
A recent statement from the Article 29 Working Party, the independent European advisory body on data protection and privacy, comprised of representatives of the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission, finds that the EU data protection principles, outlined in the EU Data Protection … Continue Reading
Yesterday, the Article 29 Working Party group of European privacy regulators released a short press release describing the results of its most recent plenary meeting, in which the right to be forgotten was discussed. The “right to be forgotten” refers to a “new” right that the Court of Justice of the European Union (CJEU) read … Continue Reading
By Jacqueline Clover The Court of Justice of the European Union (‘CJEU’) has ruled that an analysis produced by an administrative agency to inform and support the agency’s formal decisions (‘legal analysis’) is not of itself “personal data” as defined under Directive 95/46/EC (the ‘EU Data Protection Directive’). This is the case even where the … Continue Reading