ePrivacy Directive

On April 5, 2019, the association of German Supervisory Authorities for data protection (‘Datenschutzkonferenz’ or ‘DSK’) published a guideline regarding the applicability of the German Telemedia Act (‘TMG’) to telemedia services – including, for example, the use of website cookies for targeted advertising post-GDPR. The guideline aims to “clarify

On March 12, 2019, the European Data Protection Board (“EDPB”) issued an opinion in response to a series of questions about the competences, tasks and powers of European supervisory authorities for data protection (“SAs”), when the processing of personal data triggers the material scope of both the ePrivacy Directive and the General Data Protection Regulation

On March 21, 2019, Advocate General Szpunar released his opinion in the Planet49 case, currently pending before the Court of Justice of the European Union (CJEU).  The case centers on the use of consent for the processing of personal data and consent for the use of cookies.

Planet49 GmbH offered an online lottery service for

On September 5, 2017, the Grand Chamber of the European Court of Human Rights (“ECtHR”) issued its ruling on appeal in the case of Bărbulescu v. Romania, concerning alleged unlawful workplace monitoring of Mr. Barbulescu’s private communications.

Overturning the ECtHR’s prior ruling in the case (covered by Inside Privacy here), the Grand Chamber held that Romanian courts had not adequately and fairly weighed up the competing interests of Mr Barbulescu and his employer.  That defect of justice meant that Romania had failed to proactively protect Mr Barbulescu’s right to privacy, as required by its membership of the European Convention on Human Rights.

The Grand Chamber held that Mr Barbulescu’s right to privacy extended to his workplace, despite his private use of a work computer constituting a breach of his rules of employment.  The Grand Chamber held that while privacy in the workplace can be restricted “as necessary,” “an employer’s instructions cannot reduce private social life in the workplace to zero,” since the right to privacy does not necessarily depend on an individual’s reasonable expectations, and can be enjoyed in public and in the workplace, notwithstanding prohibitions and warnings given to the individual.  A fulsome balancing exercise was therefore required in cases such as these.

The Grand Chamber underlined that provided national courts undertake an adequate balancing exercise, they have some discretion as to the actual result (i.e. whether the employer’s or employee’s rights prevail in a given case).  Similar discretion is also enjoyed by national legislators and constitutions when setting underlying rules on workplace privacy, provided such rules – and a means to enforce them – are actually in place.

Nevertheless, the ruling states that workplace monitoring must always be limited to what is necessary for a legitimate purpose, and should be accompanied by a range of safeguards, normally including prior notice to employees – particularly when the content of communications is concerned.
Continue Reading New Ruling in European Employee Monitoring Case

On December 21, 2016 the Court of Justice of European Union (“CJEU”) issued its judgment in Joined Cases C-203/15 and C-698/15, Tele2 /Watson.

The decision considered the legality of UK and Swedish laws permitting the generalized retention of communications metadata (for 6-12 months) for the purposes of prevention, detection or prosecution of crime (not

Following the expected approval of the final text of the General Data Protection Regulation (“GDPR”) in the European Parliament this week, the Commission is now turning its attention towards the ePrivacy Directive.

On Monday (April 11, 2016), the Commission launched a public consultation to review and propose changes to the ePrivacy Directive (2002/58/EC).  (See the

The UK’s data protection regulator, the Information Commissioner’s Office (“ICO”), has imposed a fine of £350,000 on Prodial Ltd (“Prodial”) for making over 46 million unsolicited automated telephone calls to generate leads in relation to payment protection insurance refunds.  This is the highest fine issued by the ICO to date.
Continue Reading Company Receives Record Fine from UK Regulator For Cold Calling

Under the so-called e-Privacy Directive, providers of publicly available electronic communications services (primarily telecom providers and ISPs) are obliged to notify the competent national authorities and, in certain cases also the subscribers and individuals concerned, of personal data breaches. In order to ensure consistency in the implementation of this notification obligation by the EU Member States the European Commission has adopted technical implementing measures in form of a Regulation No 611/2013 on the notification of personal data breaches in the electronic communication sector which entered into force on 25 August.

The Regulation, which has direct effect in all EU Member States, specifies the circumstances, the format and procedures applicable to these notification requirements under the e-Privacy Directive in case of personal data breaches (that is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the EU).Continue Reading Data Breach Notification within 24 hours in the Electronic Communication Sector – An Example to Follow in the Reform of the EU Data Protection Directive?

On 28 November 2012, following an 18-month investigation, the UK Information Commissioner’s Office (ICO) announced that it had fined the joint owners of Tetrus Telecoms (Tetrus) a total of £440,000 under the Privacy and Electronic Communications Regulations (PECR).  The fine penalized Tetrus for sending millions of unsolicited text messages promoting opportunities to claim compensation for