On March 21, 2022, the European Data Protection Board (“EDPB”) published its draft Guidelines 3/2022 on Dark patterns in social media platform interfaces (hereafter “Guidelines”, available here), following the EDPB’s plenary session held on March 14, 2022.  The stated objective of the Guidelines is to provide practical guidance to both designers and users of social media platforms about how to identify and avoid so-called “dark patterns” in social media interfaces that would violate requirements set out in the EU’s General Data Protection Regulation (“GDPR”).  In this sense, the Guidelines serve both to instruct organizations on how to design of their platforms and user interfaces in a GDPR-compliant manner, as well as to educate users on how certain practices they are subject to could run contrary to the GDPR (which could, as a result, lead to an increase in GDPR complaints arising from such practices).  The Guidelines are currently subject to a 6-week period of public consultation, and interested parties are invited to submit feedback directly to the EDPB here (see “provide your feedback” button).

In this blog post, we summarize the Guidelines and identify key takeaways.  Notably, while the Guidelines are targeted to designers and users of social media platforms, they may offer helpful insights to organizations across other sectors seeking to comply with the GDPR, and in particular, its requirements with respect to fairness, transparency, data minimization, purpose limitation, facilitating personal data rights, and so forth.

Continue Reading EDPB Publishes Draft Guidelines on the Use of “Dark Patterns” in Social Media Interfaces

On January 28, 2022, the European Data Protection Board (“EDPB”) initiated a public consultation on its draft Guidelines 01/2022 on data subject rights – Right of access (“draft Guidelines”). Running to 60 pages, the draft Guidelines cover a range of topics relating to the right of access, including analyzing a request; establishing

On Thursday, September 2, 2021, the Irish Data Protection Commission (“DPC”) published its decision in the long-awaited inquiry it initiated into the data processing of WhatsApp Ireland Limited (“WhatsApp”) in December 2018.  It finds against WhatsApp, imposing a fine of €225 million.

Continue Reading Irish DPC Finds Against WhatsApp

On February 2, 2021, the European Data Protection Board (“Board”) responded to questions submitted by the European Commission (“Commission”) on the application of the General Data Protection Regulation (“GDPR”) to health research.  The Board also announced that it is currently working on guidelines on the processing of personal data for scientific research purposes, which it aims to publish in the course of 2021.

Continue Reading European Data Protection Board Answers Commission’s Questions on Health Research

On January 18, 2021, the European Data Protection Board (“EDPB”) published its draft Guidelines 01/2021 on Examples regarding Data Breach Notification (“Guidelines”) (available here).  The Guidelines aim to assist data controllers in responding to and assessing the risk of personal data breaches, providing “practice-oriented, case-based guidance” which draws from the experiences of European supervisory authorities since the EU General Data Protection Regulation (“GDPR” or “Regulation”) went into effect in 2018.

The Guidelines are currently open for public consultation until March 2, 2021.  In this blog post, we summarize a few key takeaways from the Guidelines.

Continue Reading EDPB Publishes Draft Guidelines on Data Breach Notification Examples

On January 19, 2021, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) issued a joint opinion on the draft standard contractual clauses for international data transfers (“draft SCCs”) published by the European Commission (“EC”) on November 12, 2020, including a marked-up version of the clauses.

The EDPB/EDPS joint opinion proposes

On 11 November 2020, the European Data Protection Board (“EDPB”) issued two draft recommendations relating to the rules on how organizations may lawfully transfer personal data from the EU to countries outside the EU (“third countries”).  These draft recommendations, which are non-final and open for public consultation until 30 November 2020, follow the EU Court of Justice (“CJEU”) decision in Case C-311/18 (“Schrems II”).  (For a more in-depth summary of the CJEU decision, please see our blog post here and our audiocast here. The EDPB also published on 24 July 2020 FAQs on the Schrems II decision here).

The two recommendations adopted by the EDPB are:


Continue Reading EDPB adopts recommendations on international data transfers following Schrems II decision

On 7 September 2020, the European Data Protection Board (“EDPB”) adopted draft guidelines on the targeting of social media users (the “Guidelines”).  The Guidelines aim to clarify the roles and responsibilities of social media providers and “targeters” with regard to the processing of personal data for the purposes of targeting social media users.

Continue Reading EDPB Publishes Draft Guidelines on the Targeting of Social Media Users

On September 2, 2020, the European Data Protection Board (“EDPB”) adopted guidelines on the concepts of “controller” and processor” under the GDPR. The Article 29 Working Party had already issued a guidance on this topic in 2010. Although the GDPR did not change the definitions of “controller” and “processor”, the EDPB’s guidelines aim to bring further clarity to these critical concepts and discuss the relationship between them.

The EDPB’s guidelines are divided in two parts.
Continue Reading EDPB Publishes Guidelines on the GDPR Concepts of “Controller”, “Joint Controller” and “Processor”

On June 19, 2020, the French Council of State (Conseil d’État) decided that the French Supervisory Authority (“CNIL”) had gone too far in its guidance on cookies and similar technologies when it stated that conditioning a user’s access to a website upon his or her acceptance of certain cookies (commonly known as “cookie walls”) is never compliant with the consent requirements in the EU General Data Protection Regulation (“GDPR”).

According to the Council of State, such a blanket prohibition cannot be deduced from the text of the GDPR. The Council of State reminded the CNIL that its guidance is only soft law and therefore must follow the text of the GDPR. The CNIL has announced that it will adapt its guidance in light of the Council of State’s decision. The decision serves as a stark reminder that even EDPB or CNIL guidance is can only interpret the text of the GDPR, and cannot break fresh legal ground.
Continue Reading French Council of State Decides that the French Supervisory Authority Cannot Prohibit Cookie Walls