ePrivacy Directive

On November 8, 2019, the Spanish Supervisory Authority (“SA”) issued detailed guidance on cookies and similar technologies in collaboration with stakeholders in the ad industry, including Adigital, Anunciantes, AUTOCONTROL and IAB Spain. The guidance is divided in 4 chapters:

  • Chapter 1: scope of the Spanish cookie rules (Art. 22


Continue Reading The Spanish Supervisory Authority Issues Guidance on the Use of Cookies

On April 5, 2019, the association of German Supervisory Authorities for data protection (‘Datenschutzkonferenz’ or ‘DSK’) published a guideline regarding the applicability of the German Telemedia Act (‘TMG’) to telemedia services – including, for example, the use of website cookies for targeted advertising post-GDPR.
Continue Reading German DSK publishes guidance on the applicability of the German Telemedia Act to telemedia services

On March 12, 2019, the European Data Protection Board (“EDPB”) issued an opinion in response to a series of questions about the competences, tasks and powers of European supervisory authorities for data protection (“SAs”), when the processing of personal data triggers the material scope of both the ePrivacy Directive and
Continue Reading EDPB Issues Opinion on the Interplay between the ePrivacy Directive and the GDPR

On March 21, 2019, Advocate General Szpunar released his opinion in the Planet49 case, currently pending before the Court of Justice of the European Union (CJEU).  The case centers on the use of consent for the processing of personal data and consent for the use of cookies.

Planet49 GmbH offered
Continue Reading EU Advocate General Issues Opinion on Consent for Cookies and Intersection with the GDPR

On January 12, the International Consumer Electronics Show (CES) in Las Vegas closed its doors for another year.  Each CES raises a new set of technology themes, ranging from robots to smart fridges — and this year, the winner was voice technologies.  Such technologies, while not entirely new, are now
Continue Reading Voice Technologies, Meet the EU E-Privacy Regulation

On September 5, 2017, the Grand Chamber of the European Court of Human Rights (“ECtHR”) issued its ruling on appeal in the case of Bărbulescu v. Romania, concerning alleged unlawful workplace monitoring of Mr. Barbulescu’s private communications.

Overturning the ECtHR’s prior ruling in the case (covered by Inside Privacy here), the Grand Chamber held that Romanian courts had not adequately and fairly weighed up the competing interests of Mr Barbulescu and his employer.  That defect of justice meant that Romania had failed to proactively protect Mr Barbulescu’s right to privacy, as required by its membership of the European Convention on Human Rights.

The Grand Chamber held that Mr Barbulescu’s right to privacy extended to his workplace, despite his private use of a work computer constituting a breach of his rules of employment.  The Grand Chamber held that while privacy in the workplace can be restricted “as necessary,” “an employer’s instructions cannot reduce private social life in the workplace to zero,” since the right to privacy does not necessarily depend on an individual’s reasonable expectations, and can be enjoyed in public and in the workplace, notwithstanding prohibitions and warnings given to the individual.  A fulsome balancing exercise was therefore required in cases such as these.

The Grand Chamber underlined that provided national courts undertake an adequate balancing exercise, they have some discretion as to the actual result (i.e. whether the employer’s or employee’s rights prevail in a given case).  Similar discretion is also enjoyed by national legislators and constitutions when setting underlying rules on workplace privacy, provided such rules – and a means to enforce them – are actually in place.

Nevertheless, the ruling states that workplace monitoring must always be limited to what is necessary for a legitimate purpose, and should be accompanied by a range of safeguards, normally including prior notice to employees – particularly when the content of communications is concerned.
Continue Reading New Ruling in European Employee Monitoring Case

On December 21, 2016 the Court of Justice of European Union (“CJEU”) issued its judgment in Joined Cases C-203/15 and C-698/15, Tele2 /Watson.

The decision considered the legality of UK and Swedish laws permitting the generalized retention of communications metadata (for 6-12 months) for the purposes of prevention, detection
Continue Reading CJEU Confirms That National Data Retention Laws May Only Be Adopted Where “Strictly Necessary”

Following the expected approval of the final text of the General Data Protection Regulation (“GDPR”) in the European Parliament this week, the Commission is now turning its attention towards the ePrivacy Directive.

On Monday (April 11, 2016), the Commission launched a public consultation to review and propose changes to the
Continue Reading European Commission Launches Consultation on Reform of the ePrivacy Directive

The UK’s data protection regulator, the Information Commissioner’s Office (“ICO”), has imposed a fine of £350,000 on Prodial Ltd (“Prodial”) for making over 46 million unsolicited automated telephone calls to generate leads in relation to payment protection insurance refunds.  This is the highest fine issued by the ICO to date.
Continue Reading Company Receives Record Fine from UK Regulator For Cold Calling

Under the so-called e-Privacy Directive, providers of publicly available electronic communications services (primarily telecom providers and ISPs) are obliged to notify the competent national authorities and, in certain cases also the subscribers and individuals concerned, of personal data breaches. In order to ensure consistency in the implementation of this notification obligation by the EU Member States the European Commission has adopted technical implementing measures in form of a Regulation No 611/2013 on the notification of personal data breaches in the electronic communication sector which entered into force on 25 August.

The Regulation, which has direct effect in all EU Member States, specifies the circumstances, the format and procedures applicable to these notification requirements under the e-Privacy Directive in case of personal data breaches (that is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the EU).Continue Reading Data Breach Notification within 24 hours in the Electronic Communication Sector – An Example to Follow in the Reform of the EU Data Protection Directive?