EDPB

On January 17, 2024, the European Data Protection Board (“EDPB”) published its report on the 2023 Coordinated Enforcement Framework (“CEF”), which examines the current landscape and obstacles faced by data protection officers (“DPOs”) across the EU.  In particular, the report provides a snapshot of the findings of each supervisory authority (“SA”) on the role of DPOs, with a particular focus on (i) the challenges DPOs face and (ii) recommendations to mitigate and address these obstacles in light of the GDPR.  This blog post summarizes the key findings of the EDPB’s 2023 CEF report.Continue Reading EDPB 2023 Coordinated Enforcement Framework on DPOs: What Are the Key Takeaways for Organizations?

On February 28, the European Data Protection Board (“EDPB”) announced that EU supervisory authorities (“SAs”) will undertake a coordinated enforcement action in 2024 regarding data subjects’ right of access under the GDPR.  For context, the EDPB selects a particular topic each year to serve as the focus for pan-EU coordinated enforcement.

In 2023, regulators focused upon data protection officers’ designation and role.  And, on January 17, 2024, the EDPB published its report providing an overview of the actions SAs took in the context of the 2023 action.  This blog post provides an overview of what you can expect from the coordinated enforcement action in 2024, based on the lessons learned from 2023.Continue Reading EDPB’s 2024 Coordinated Enforcement Action on the Access Right: What Can You Expect?

On December 9, 2022, the European Commissioner for Justice and Consumer Protection, Didier Reynders, announced that the European Commission will focus its next 2023 mandate on regulating dark patterns, alongside transparency in the online advertising market and cookie fatigue. As part of this mandate, the EU’s Consumer Protection Cooperation (“CPC”) Network, conducted a sweep of 399 retail websites and apps for dark patterns, and found that nearly 40% of online shopping websites rely on manipulative practices to exploit consumers’ vulnerabilities or trick them.

In order to enforce these issues, the EU does not have a single legislation that regulates dark patterns, but there are multiple regulations that discuss dark patterns and that may be used as a tool to protect consumers from dark patterns. This includes the General Data Protection Regulation (“GDPR”), the Digital Services Act (“DSA”), the Digital Markets Act (“DMA”), and the Unfair Commercial Practices Directive (“UCPD”), as well as proposed regulations such as the AI Act and Data Act.

As a result, there are several regulations and guidelines that organizations must consider when assessing whether their practices may be deemed as a dark pattern. In this blog post, we will provide a snapshot of the current EU legislation that regulates dark patterns as well as upcoming legislative updates that will regulate dark patterns alongside the current legal framework.Continue Reading The EU Stance on Dark Patterns

On January 18, 2023, the European Data Protection Board (“EDPB”) published a report setting out the common positions of the EDPB and EEA member state supervisory authorities (“SAs”) with respect to interpreting the EU rules applying to cookies. SAs will take these common positions into account when handling cookie complaints.

The report was drafted by the EDPB’s Cookie Banner Taskforce (“Taskforce”), which is composed of the EDPB and 18 SAs. However, the report does not have the same interpretative value as EDPB guidance. Moreover, SAs will not take into account the positions mentioned in the report in isolation – they will also take into account additional national requirements stemming from the national laws transposing the ePrivacy Directive and SAs’ national guidance.Continue Reading EDPB Publishes Report of Cookie Banners Taskforce

On January 18, 2023, the European Data Protection Board (“EDPB”) published a report on the outcome of its investigation into the use of cloud-based services by the public sector.

The EDPB prepared the report as part of its first coordinated enforcement action under the Coordinated Enforcement Framework (“Framework”), a key part of the EDPB’s 2021-2023 strategy. The Framework facilitates coordinated actions between the EDPB and national data protection authorities to (i) share information and best practices on a topic related to data privacy, and (ii) provide recommendations to better support compliance with data protection laws. Through the Framework, the EDPB and national authorities investigate compliance with a specific data protection topic each year; in 2023, the EDPB will investigate the designation and role of data protection officers (“DPOs”).

This blog summarizes the main takeaways of the 2022 Coordinated Enforcement Action, and highlights its most relevant data privacy concerns.Continue Reading EDPB Releases Outcome of its Investigation into the Use of Cloud-Based Services by the Public Sector

On October 18 and 21, 2022, the European Data Protection Board (“EDPB“) published updated guidelines (i) on personal data breach notification under the GDPR and (ii) on identifying a controller or processor’s lead supervisory authority, respectively. Both guidelines are in draft form and are open to public consultation until the end of November.Continue Reading EDPB Publishes Updated Guidelines on Personal Data Breach Notification and Identifying the Lead Supervisory Authority

On June 30, 2022, the European Data Protection Board published draft guidelines on certification as a tool for transfers.  These guidelines complement the EDPB’s earlier guidelines on certification and identifying certification criteria.

These guidelines and the guidelines on codes of conduct as tools for transfers appear to be part of the EDPB’s broader response to the Schrems II decision issued by the Court of Justice of the European Union (“CJEU”), which invalidated the EU-US Privacy Shield framework.  The approval of certification schemes expands the toolbox available under Art. 46 GDPR for lawfully transferring personal data outside the EEA.Continue Reading European Data Protection Board Publishes Guidelines on Certification as a Tool for International Personal Data Transfers

On March 21, 2022, the European Data Protection Board (“EDPB”) published its draft Guidelines 3/2022 on Dark patterns in social media platform interfaces (hereafter “Guidelines”, available here), following the EDPB’s plenary session held on March 14, 2022.  The stated objective of the Guidelines is to provide practical guidance to both designers and users of social media platforms about how to identify and avoid so-called “dark patterns” in social media interfaces that would violate requirements set out in the EU’s General Data Protection Regulation (“GDPR”).  In this sense, the Guidelines serve both to instruct organizations on how to design of their platforms and user interfaces in a GDPR-compliant manner, as well as to educate users on how certain practices they are subject to could run contrary to the GDPR (which could, as a result, lead to an increase in GDPR complaints arising from such practices).  The Guidelines are currently subject to a 6-week period of public consultation, and interested parties are invited to submit feedback directly to the EDPB here (see “provide your feedback” button).

In this blog post, we summarize the Guidelines and identify key takeaways.  Notably, while the Guidelines are targeted to designers and users of social media platforms, they may offer helpful insights to organizations across other sectors seeking to comply with the GDPR, and in particular, its requirements with respect to fairness, transparency, data minimization, purpose limitation, facilitating personal data rights, and so forth.Continue Reading EDPB Publishes Draft Guidelines on the Use of “Dark Patterns” in Social Media Interfaces

On January 28, 2022, the European Data Protection Board (“EDPB”) initiated a public consultation on its draft Guidelines 01/2022 on data subject rights – Right of access (“draft Guidelines”). Running to 60 pages, the draft Guidelines cover a range of topics relating to the right of access, including analyzing a request; establishing

On Thursday, September 2, 2021, the Irish Data Protection Commission (“DPC”) published its decision in the long-awaited inquiry it initiated into the data processing of WhatsApp Ireland Limited (“WhatsApp”) in December 2018.  It finds against WhatsApp, imposing a fine of €225 million.
Continue Reading Irish DPC Finds Against WhatsApp