On October 26, 2023, the European Court of Justice (“CJEU”) decided that the GDPR grants a patient the right to obtain a copy of his or her medical record free of charge (case C-307/22, FT v DW). As a result, the CJEU held that a provision under German law that permitted doctors to ask their patients to pay for the costs associated with providing access to their medical record is contrary to EU law.
On July 4, 2023, the European Commission published its proposal for a regulation laying down additional procedural rules relating to the enforcement of the GDPR. The aim of the proposed Regulation is to clarify and harmonize the procedural rules that apply when EU supervisory authorities investigate complaint-based and ex officio cross-border cases (i.e., where the relevant processing conducted by a controller or processor spans multiple Member States, resulting in a “lead” authority and additional “concerned” authorities). If adopted, the Regulation will sit alongside the GDPR, complementing the existing cooperation and consistency mechanisms set forth in Chapter VII.
On April 4, 2023, the European Commission announced that the EU and Japan had successfully completed the first periodic review of the Japan-EU mutual adequacy arrangement, adopted in 2019. The mutual adequacy recognition – whereby Japan and the EU each have recognized the other’s data protection regime as adequate to protect personal data – complements the regions’ other bilateral partnerships, such as the EU-Japan Economic Partnership Agreement, the Strategic Partnership Agreement, and the recently launched EU-Japan Digital Partnership (see our previous blog post here).
The review process led to the adoption of two reports by the Commission and the Personal Information Protection Commission of Japan (“PPC”), each discussing the functioning of their respective adequacy decisions. According to the Commission’s report, the convergence between the EU and Japan’s data protection frameworks has further increased in recent years, and the mutual adequacy arrangement appears to be functioning well. We provide below a brief overview of the Commission’s main findings.
In May 2023, the Spanish Supervisory Authority (“SA”) issued a detailed guidance paper on GDPR compliance in the context of data spaces. The paper acknowledges EU and Member State level initiatives for the creation of data spaces (such as the Data Governance Act, the proposed Data Act, and the proposed European Health Data Space) and provides insight into how the SA expects companies to meet their GDPR obligations when participating in those data spaces.
On March 4, 2023, the European Court of Justice (“CJEU”) issued its judgment on case C-300/21, UI v Österreichische Post AG. The CJEU held that the mere infringement of the GDPR does not, alone, give rise to a right to compensation for individuals. In the Court’s view, Article 82 requires establishing: (i) “damage”, either material or non-material; (ii) an actual infringement of the GDPR; and (iii) a causal link between the two. However, the CJEU also ruled that the right to compensation in the GDPR cannot be made contingent upon individuals satisfying a certain “seriousness” threshold, which is the case under Austrian law at present.
On March 24, 2023, the Austrian Supervisory Authority (“Austrian SA”) held that a credit referencing agency (“Agency”) breached the GDPR by unlawfully processing personal data obtained from a third party in order to conduct credit assessments. It decided that the Agency breached the GDPR’s principle of lawfulness because it did not have a valid legal basis to process the personal data. This case will be relevant for organizations assessing their lawful basis for processing personal data.
On December 9, 2022, the European Commissioner for Justice and Consumer Protection, Didier Reynders, announced that the European Commission will focus its next 2023 mandate on regulating dark patterns, alongside transparency in the online advertising market and cookie fatigue. As part of this mandate, the EU’s Consumer Protection Cooperation (“CPC”) Network conducted a sweep of 399 retail websites and apps for dark patterns, and found that nearly 40% of online shopping websites rely on manipulative practices to exploit consumers’ vulnerabilities or trick them.
The EU does not have a single piece of legislation that regulates dark patterns, but several regulations address them and may be used as tools to protect consumers from dark patterns. These include the General Data Protection Regulation (“GDPR”), the Digital Services Act (“DSA”), the Digital Markets Act (“DMA”), and the Unfair Commercial Practices Directive (“UCPD”), as well as proposed regulations such as the AI Act and the Data Act.
As a result, there are several regulations and guidelines that organizations must consider when assessing whether their practices may be deemed a dark pattern. In this blog post, we will provide a snapshot of the current EU legislation that regulates dark patterns as well as upcoming legislative updates that will regulate dark patterns alongside the current legal framework.
On January 12, 2023, the Court of Justice of the EU (“Court”) decided that the GDPR’s right of access gives a data subject the choice between asking a controller for (i) the identity of each data recipient to whom the controller will or has disclosed the data subject’s personal data or (ii) only the categories of data recipients. The controller must comply with the data subject’s request, unless it is impossible to identify those recipients (e.g., because they are not yet known) or the controller demonstrates that the data subject’s access request is “manifestly unfounded or excessive.”
On December 15, 2022, the Advocate Generals (“AG”) of the Court of Justice of the European Union (“CJEU”) issued two separate opinions in cases C‑487/21 and C‑579/21 on the right of access, pursuant to Article 15 GDPR. The first case concerns the proper interpretation and application of Article 15(3), which permits a data subject to obtain a “copy” of their personal data, among other things. The second case concerns whether the right of access includes the right to receive the identity of the controller’s employees, who are processing the data subject’s personal data in the scope of their employment.
On December 13, 2022, the European Commission released its draft adequacy decision on the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), which, once formally adopted, would recognize that the United States ensures an adequate level of protection for personal data transferred from the EU to organizations certified under the EU-U.S. DPF. The draft decision follows the issuance of Executive Order 14086 on Enhancing Safeguards for U.S. Signals Intelligence Activities (“EO 14086”) by President Biden on October 7, 2022 (see our previous blog post here), and the political agreement reached between the EU and the U.S. in March 2022 (see our previous blog post here).
As many had expected, the draft adequacy decision assesses the limitations and safeguards relating to the collection and subsequent use of personal data transferred to controllers and processors in the United States by U.S. public authorities. In particular, the draft decision assesses whether the conditions under which the U.S. government may access data transferred to the United States fulfill the “essential equivalence” test pursuant to Article 45(1) of the GDPR, as interpreted by the Court of Justice of the European Union (“CJEU”) in Schrems II (see our previous blog post here).