On October 13, 2022, the European Data Protection Supervisor (“EDPS”) released its Opinion 20/2022 on a Recommendation issued by the European Commission in August 2022 calling for a Council Decision authorising the opening of negotiations on behalf of the European Union for a Council of Europe convention on artificial intelligence, human rights, democracy and the
On January 19, 2021, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) issued a joint opinion on the draft standard contractual clauses for international data transfers (“draft SCCs”) published by the European Commission (“EC”) on November 12, 2020, including a marked-up version of the clauses.
The EDPB/EDPS joint opinion proposes…
On November 4, 2019, the Spanish Supervisory Authority (“AEPD”), in collaboration with the European Data Protection Supervisor, published guidance on the use of hashing techniques for pseudonymization and anonymization purposes. In particular, the guidance analyses what factors increase the probability of re-identifying hashed messages.
The AEPD explains that the probability of re-identification increases if more…
On July 10, 2019, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) issued a joint assessment of the impact of the U.S. Clarifying Overseas Use of Data Act (“CLOUD Act”) on the legal framework for the protection of personal data in the EU.
The EDPB is an independent body composed of representatives from the EU Member States’ Supervisory Authorities for data protection, the national bodies enforcing EU data protection law, such as the General Data Protection Regulation (“GDPR”). The EDPS is a separate European body whose primary role is to ensure that European institutions respect data protection law. Though separate bodies, the EDPB and EDPS (hereafter “the institutions”) work jointly on some matters. Opinions issued by the institutions are not legally binding, but may be influential and are indicative of the stance of European privacy regulators regarding certain issues.
The institutions note that the extraterritorial effect of the CLOUD Act could result in service providers being “susceptible to facing a conflict of laws between US law and the GDPR and other applicable EU or national law of the Member States.”…
As announced last week, the European Data Protection Supervisor (“EDPS”) released on September 23, 2016 an opinion on “coherent enforcement of fundamental rights in the age of big data.” This opinion follows an earlier Preliminary Opinion on privacy and competitiveness in the age of big data, published in 2004 (see our previous blog post here).
According to the EDPS, data-driven technologies and services are important for economic growth, but the users of those services are generally unaware of the nature and extent of the “covert tracking” that fuels the sector. The growing imbalance between consumers and service providers would diminish choice and innovation and threaten the privacy of individuals. In fact, the rights of individuals enshrined in the EU Charter of Fundamental Rights would be threatened by “normative behavior and standards that now prevail in cyberspace.” At the same time, EU rules on data protection, consumer protection, and antitrust and merger control are applied in silos, despite their common objectives.
On September 19, 2016, PaRR reported that the European Data Protection Supervisor (“EDPS”) is working on guidelines to increase coordination on the interface between data protection and competition law. The guidelines would be released later this month.
According to the report, the EDPS will recommend the creation of a “digital clearing…
On July 8, 2016, the draft EU-U.S. Privacy Shield adequacy decision was formally approved by the so-called “Article 31 Committee” of EU Member States (see press release, here).
That approval opens the door for the College of EU Commissioners to approve the Privacy Shield on Monday (July 11). Once translated and published in the Official Journal of the EU, the adequacy decision will then enter into force.
However, there may need to be an implementation period during which the EU and U.S. put in place relevant structures; it is expected that Commissioner Věra Jourová will provide more details to the European Parliament on Monday, and in a joint press conference on Tuesday with U.S. Secretary of Commerce Penny Pritzker.
Once that implementation phase is complete, U.S.-based companies will be able to self-certify under the Privacy Shield. Doing so provides a legal basis which entities in the European Economic Area can rely on to transfer personal data to those Privacy Shield-certified companies in the US.
On June 16, 2016, the French data protection authority (“CNIL”) launched a public consultation on the General Data Protection Regulation (“GDPR”). The consultation focuses on four priority themes set out in the Article 29 Working Party’s 2016 Action plan:
- the data protection officer;
- the right to data portability;
- data protection impact assessments; and
May 2015 saw a number of developments in the EU mHealth sector worthy of a brief mention. The European Commission announced that it would work on new guidance for mHealth apps, despite the European Data Protection Supervisor and British Standards Institution publishing their own just weeks earlier. In parallel, the French data protection authority announced a possible crackdown on mHealth app non-compliance with European data protection legislation. This post briefly summarizes these developments.
- The CJEU “Right to be Forgotten” Ruling. In May 2014, the Court of Justice of the European Union (CJEU) delivered an important judgement in a referral from Spain’s National High Court involving Google, a Spanish national, and the Spanish data protection authority (Case C-131/12). The CJEU’s decision re-interpreted European data protection law to include a so-called “right to be forgotten” that enabled individuals to request search engines to block links that appear on searches of their names if the links go to information that is incomplete, inaccurate, irrelevant, or otherwise damaging to an individual’s privacy. (This right is limited in the case of public figures, however.) The decision also found that Google was subject to European data protection law because it operated subsidiaries in Europe whose business was to raise advertising revenues in relation to the search engine’s data processing activities. The decision triggered an immediate tidal wave of tens of thousands of requests to Google and other search engines that continues to raise controversies to this day.
- CJEU strikes down the Data Retention Directive as invalid. In April 2014, the CJEU took the rare step of annulling the controversial Data Retention Directive, which mandated the systematic (“bulk”) retention of communications metadata by telecommunications companies in the EU, for potential access by law enforcement authorities (see our blog post here). The Court criticised the Directive’s indiscriminate targeting of suspects and non-suspects alike, and the law’s general lack of safeguards, finding that it amounted to an “interference with the fundamental rights of practically the entire European population” contrary to Articles 7 and 8 of the Charter of Fundamental Rights of the EU. The Directive’s invalidation raised questions about the continuing validity of the national laws that had implemented the Directive throughout the EU. In the UK, this led to the accelerated adoption of substitute legislation, the Data Retention and Investigatory Powers Act 2014 (“DRIPA”), and its implementing regulations.