On November 18, 2021, the Advocate General of the Court of Justice of the European Union (“CJEU”) issued an opinion on several data retention cases before the Court, following a long line of CJEU jurisprudence on this topic.

To give context to the issues considered in these cases, Europe’s experience of totalitarian regimes in the last century has shaped its approach to privacy rights.  This is evident in the GDPR and in the decisions of the CJEU to date.  But there remain tensions that are complex and difficult to deal with in this area — notably, the tension between individual rights to privacy and data protection on one hand, and the duty of the State to protect its population against security threats and crime on the other.  These tensions do not marry easily, as surveillance of personal electronic communications is increasingly demanded to detect and deal with crime and terrorism.



In January 2021, the Belgian Supervisory Authority issued detailed guidance (available in Dutch and French) on how to securely destroy personal data in accordance with the General Data Protection Regulation (“GDPR”).  Among other things, the guidance aims to help controllers and processors comply with their obligations under Article 32 of the GDPR.


On January 27, 2020, the French Supervisory Authority (“CNIL”) issued guidance for developers of websites and applications that sets out the main principles of the General Data Protection Regulation (“GDPR”), expounds on their application in the online environment, and gives practical tips to help developers respect users’ privacy when deploying websites and apps.

The guidance consists of 17 recommendations, each covering a key principle supported by additional advice and examples.  Below, we list all 17 of these recommendations and provide a brief summary of the CNIL’s advice related to each.



On December 21, 2016, the Court of Justice of the European Union (“CJEU”) issued its judgment in Joined Cases C-203/15 and C-698/15, Tele2/Watson.

The decision considered the legality of UK and Swedish laws permitting the generalized retention of communications metadata (for 6-12 months) for the purposes of prevention, detection or prosecution of crime (not

By Philippe Bradley and Dan Cooper

On April 23rd, 2014, Brazil’s president signed into law a wide-ranging civil rights bill for Internet users and service providers (the “Marco Civil da Internet”, or “Marco Civil”).  The law had been in the works since 2009; it was made a priority by the Brazilian government in the wake of Edward Snowden’s revelations about NSA espionage activities targeting Brazilian communications data.  This short article discusses the main provisions of the new law.



A judge in the Northern District of California recently agreed with the Seventh Circuit that the Video Privacy Protection Act (“VPPA”) does not provide a private right of action premised solely on an allegedly unauthorized retention of information. 

Plaintiffs sued Sony Computer Entertainment America LLC (“SCEA”) and Sony Network Entertainment International LLC (“SNEI”) for alleged violations of

Today the European Commission adopted an evaluation report on the Data Retention Directive.  This Directive requires EU Member States to ensure that telecommunications service providers retain certain categories of data for the purpose of investigation, detection and prosecution of serious crime, as defined by the national law of the Member States.  Since its adoption in

In testimony before a House Judiciary subcommittee on Tuesday, Jason Weinstein (Deputy Assistant Attorney General for the DOJ Criminal Division) emphasized the importance of data retention from internet and cell phone service providers in fighting crime.  He invited Congress to consider legislation that would strengthen data retention standards.  Weinstein offered several examples of federal and

EU Home Affairs Commissioner Cecilia Malmström announced that the European Commission will propose amendments to the Data Retention Directive (2006/24/EC) following publication of an evaluation report on the Directive early next year.  Under the Directive, Member States must ensure that providers of publicly available electronic communications services or public communications networks retain certain traffic data on communications for a period of six months to two years.  Such data should ensure that authorities can determine the date, time, duration, source and destination of each communication, and the service and equipment used including the location of mobile devices.

