European Union (EU)

On May 30, 2024, the Court of Justice of the EU (“CJEU”) handed down its rulings in several cases (C-665/22Joined Cases C‑664/22 and C‑666/22C‑663/22, and Joined Cases C‑662/22 and C‑667/22) concerning the compatibility with EU law of certain Italian measures imposing obligations on providers of online platforms and search engines.  In doing so, the CJEU upheld the so-called “country-of-origin” principle, established in the EU’s e-Commerce Directive and based on the EU Treaties principle of free movement of services.  The country-of-origin principle gives the Member State where an online service provider is established exclusive authority (“competence”) to regulate access to, and exercise of, the provider’s services and prevents other Member States from imposing additional requirements.

We provide below an overview of Court’s key findings.Continue Reading CJEU Upholds Country-of-Origin Principle for Online Service Providers in the EU

On May 20, 2024, a proposal for a law on artificial intelligence (“AI”) was laid before the Italian Senate.

The proposed law sets out (1) general principles for the development and use of AI systems and models; (2) sectorial provisions, particularly in the healthcare sector and for scientific research for healthcare; (3) rules on the national strategy on AI and governance, including designating the national competent authorities in accordance with the EU AI Act; and (4) amendments to copyright law. 

We provide below an overview of the proposal’s key provisions.Continue Reading Italy Proposes New Artificial Intelligence Law

On May 9, 2024, the Italian data protection authority (“Garante”) published a decision identifying the safeguards that controllers must put in place when processing health data for medical research purposes, in cases where data subjects’ consent cannot be obtained for ethical or organizational reasons.

The Garante’s decision follows a recent legislative development, enacted by Law n. 56 of April 29, 2024, and effective as of May 1, 2024, which amended, among other things, Article 110 of the Italian Privacy Code.  The amendment removes the obligation to submit a research program and related data protection impact assessment (“DPIA”) for prior consultation to the Garante, in cases where it is impossible or disproportionately burdensome to contact the concerned individuals.  

We provide below an overview of the legal framework and the safeguards identified by the Garante.Continue Reading Italian Legislator and Regulator Update Rules on Processing of Health Data for Medical Research

In March 2024, the EU lawmakers reached agreement on the European Health Data Space (EHDS).  Although the text has not yet been formally adopted by all the European institutions, a number of interesting points can already be highlighted.  This article focuses on the governance and enforcement of the EHDS; for an overview of the EHDS generally, see our first post in this series.

The final text of the EHDS was adopted by the European Parliament on 24 April 2024 and is expected to be formally adopted by the European Council in the coming months.Continue Reading EHDS Series – 5: European Health Data Space Governance, Enforcement and Timelines

In early March 2024, the EU lawmakers reached agreement on the European Health Data Space (EHDS).  For now, we only have a work-in-progress draft version of the text, but a number of interesting points can already be highlighted.  This article focusses on the obligations of data users; for an overview of the EHDS generally, see our first post in this series.

We expect the final text of the EHDS to be adopted by the European Parliament in April 2024 and by the EU Member States shortly thereafter.Continue Reading EHDS Series – 3: The European Health Data Space from the Health Data User’s Perspective

In early March 2024, the EU lawmakers reached agreement on the European Health Data Space (EHDS).  For now, we only have a work-in-progress draft version of the text, but a number of interesting points can already be highlighted.  This article focusses on the obligations of data holders; for an overview of the EHDS generally, see our first post in this series.

We expect the final text of the EHDS to be adopted by the European Parliament in April 2024 and by the EU Member States shortly thereafter.Continue Reading EHDS Series – 2: The European Health Data Space from the Health Data Holder’s Perspective

On February 13, 2024, the European Data Protection Board (“EDPB”) adopted an opinion on the notion of “main establishment” of a controller in the context of Article 4(16)(a) of GDPR.  The opinion aims to clarify (i) the relevant conditions for the determination of whether a controller has a “main establishment” in the EU, for controllers that have more than one establishment in the EU; and (ii) the application of the so-called “one-stop-shop” mechanism in these scenarios.  

We provide below an overview of the EDPB’s opinion.Continue Reading EDPB Clarifies the Notion of “Main Establishment” under the GDPR

On January 24, 2024, the European Commission (“Commission”) announced that, following the political agreement reached in December 2023 on the EU AI Act (“AI Act”) (see our previous blog here), the Commission intends to proceed with a package of measures (“AI Innovation Strategy”) to support AI startups and small and medium-size enterprises (“SMEs”) in the EU.

Alongside these measures, the Commission also announced the creation of the European AI Office (“AI Office”), which is due to begin formal operations on February 21, 2024.

This blog post provides a high-level summary of these two announcements, in addition to some takeaways to bear in mind as we draw closer to the adoption of the AI Act.Continue Reading European Commission Announces New Package of AI Measures

In December 2023, the Dutch SA fined a credit card company €150,000 for failure to perform a proper data protection impact assessment (“DPIA”) in accordance with Art. 35 GDPR for its “identification and verification process”.Continue Reading Dutch SA Sanctions Credit Card Company for Failure to Perform Data Protection Impact Assessment

On January 15, 2024, the European Commission released its report on the first review of the functioning of the existing eleven adequacy decisions adopted under the pre-GDPR framework.  

The Commission concluded that personal data transferred from the European Economic Area to any of Andorra, Argentina, Canada (for PIPEDA-regulated entities), the Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay continue to receive an adequate level of protection.Continue Reading European Commission Retains Adequacy Decisions for Data Transfers to Eleven Countries