On January 12, 2021, the German Ministry for the Economy and Energy released a new draft Law on Data Protection and the Protection of Privacy in Telecommunications and Telemedia (“TTDSG” or “draft law”).  If enacted, the draft law will replace the existing data protection and privacy provisions of Germany’s Telemedia Act and Telecommunications Act (“Telemedia Act”), including provisions applicable to the use of cookies and similar technologies.  The draft text was subject to public consultation from its publication until January 22, 2021, and responses submitted during that period will now be considered by the German Federal Government in advance of a formal proposal for the Federal Parliament to consider.

Continue Reading Germany Publishes New Draft Rules for Cookies and Similar Technologies

On January 5, 2021, the Council of the European Union released a new, draft version of the ePrivacy Regulation, which is meant to replace the ePrivacy Directive.  The European Commission approved a first draft of the ePrivacy Regulation in January 2017.  The draft regulation has since then been under discussion in the Council.

On January 1, 2021, Portugal took over the presidency of the Council for six months.  Ahead of the next meeting of the Council’s working party responsible for the draft ePrivacy Regulation, the Portuguese Presidency issued a revised version of the draft regulation.  This is the 14th draft version of the ePrivacy Regulation (including the European Commission’s first draft).

Once approved, the ePrivacy Regulation will set out requirements and limitations for publicly available electronic communications service providers (“service providers”) processing data of, or accessing devices belonging to, natural and legal persons “who are in the [European] Union” (“end-user”).  The regulation aims to safeguard the privacy of the end-users, the confidentiality of their communications, and the integrity of their devices.  These requirements and limitations will apply uniformly in all EU Member States.  However, EU Member States have the power to restrict the scope of these requirements and limitations where this is a “necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests”.
Continue Reading Council of the EU Released a (New) Draft of the ePrivacy Regulation

On September 16, 2020, the Spanish Supervisory Authority (“AEPD”) approved a “Code of Conduct for Data Processing in Advertising” (“Code”) (see the decision approving the code here). This is the first GDPR-approved Code of Conduct with an accredited monitoring body in the European Union. The Code enters into effect on November 17, 2020, two months after its approval.

Below we provide a brief FAQ about the Code.


Continue Reading The Spanish Supervisory Authority Approves a GDPR Code of Conduct on Advertising

On 10 September 2020, the European Commission proposed an interim regulation designed to enable online communications service providers to combat child sexual abuse online. Once in force, this regulation will provide a legal basis for providers to voluntarily scan communications or traffic data on their services for the limited purpose of detecting child sexual abuse material online.

Continue Reading European Commission Proposes Interim Regulation to Combat Child Sexual Abuse Online

On 8 April 2020, the European Commission adopted a recommendation on a common European Union toolbox for the use of technology and data to address the COVID-19 crisis (“Recommendation”).  The Recommendation responds to calls for a common EU approach to the use of mobile apps in combatting COVID-19—one that improves the efficacy of the technology while respecting citizens’ privacy rights.

The Recommendation has since been complemented by a separate Commission guidance paper on COVID-19 apps (“Guidance”) and release of a Common EU Toolbox for Member States (“Toolbox”) by the EU’s eHealth Network, a Commission-established body comprised of Member State authorities responsible for eHealth matters.  In addition, the European Data Protection Board (“EDPB”), which contributed to the Guidance, has published a letter to the Commission in response to the Guidance (“Letter”).

This blog will discuss the headline points contained within the Recommendation, Guidance, Toolbox, and Letter.  We will publish more detailed analyses of the Toolbox and Guidance in subsequent blogs.


Continue Reading EU Commission Releases Guidance on COVID-19 Apps

On December 3, 2019, the EU’s new Commissioner for the Internal Market, Thierry Breton, suggested a change of approach to the proposed e-Privacy Regulation may be necessary.  At a meeting of the Telecoms Council, Breton indicated that the Commission would likely develop a new proposal, following the Council’s rejection of a compromise text on November 27.

The proposed Regulation is intended as a replacement for the existing e-Privacy Directive, which sets out specific rules for traditional telecoms companies, in particular requiring that they keep communications data confidential and free from interference (e.g., preventing wiretapping).  It also sets out rules that apply regardless of whether a company provides telecoms services, including restrictions on unsolicited direct marketing and on accessing or storing information on users’ devices (e.g., through the use of cookies and other tracking technologies).


Continue Reading New E-Privacy Proposal on the Horizon?

On November 8, 2019, the Spanish Supervisory Authority (“SA”) issued detailed guidance on cookies and similar technologies in collaboration with stakeholders in the ad industry, including Adigital, Anunciantes, AUTOCONTROL and IAB Spain. The guidance is divided into 4 chapters:

  • Chapter 1: scope of the Spanish cookie rules (Art. 22 of Law 34/2002);
  • Chapter 2

On April 5, 2019, the association of German Supervisory Authorities for data protection (‘Datenschutzkonferenz’ or ‘DSK’) published a guideline regarding the applicability of the German Telemedia Act (‘TMG’) to telemedia services – including, for example, the use of website cookies for targeted advertising post-GDPR. The guideline aims to “clarify

On March 12, 2019, the European Data Protection Board (“EDPB”) issued an opinion in response to a series of questions about the competences, tasks and powers of European supervisory authorities for data protection (“SAs”), when the processing of personal data triggers the material scope of both the ePrivacy Directive and the General Data Protection Regulation

On March 21, 2019, Advocate General Szpunar released his opinion in the Planet49 case, currently pending before the Court of Justice of the European Union (CJEU).  The case centers on the use of consent for the processing of personal data and consent for the use of cookies.

Planet49 GmbH offered an online lottery service for