GDPR

Subscribe to GDPR

On April 4, 2023, the European Commission announced that the EU and Japan had successfully completed the first periodic review of the Japan-EU mutual adequacy arrangement, adopted in 2019.  The mutual adequacy recognition – whereby Japan and the EU each have recognized the other’s data protection regime as adequate to protect personal data – complements the regions’ other bilateral partnerships, such as the EU-Japan Economic Partnership Agreement, the Strategic Partnership Agreement, and the recently launched EU-Japan Digital Partnership (see our previous blogpost here).

The review process led to the adoption of two reports by the Commission and the Personal Information Protection Commission of Japan (“PPC”), each discussing the functioning of their respective adequacy decisions.  According to the Commission’s report, the convergence between the EU and Japan’s data protection frameworks has further increased in recent years, and the mutual adequacy arrangement appears to be functioning well.  We provide below a brief overview of the Commission’s main findings.

Continue Reading European Commission Announces Conclusion of First Review of Japan-EU Adequacy Arrangement

In May 2023, the Spanish Supervisory Authority (“SA”) issued a detailed guidance paper on GDPR compliance in the context of data spaces.  The paper acknowledges EU and Member State level initiatives for the creation of data spaces (such as the Data Governance Act, the proposed Data Act, and the proposed European Health Data Space) and provides insight into how the SA expects companies to meet their GDPR obligations when participating in those data spaces.

Continue Reading Spanish Data Protection Authority Issues Guidance on Data Spaces

On March 4, 2023, the European Court of Justice (”CJEU”) issued its judgment on case C-300/21, UI v Österreichische Post AG. The CJEU held that the mere infringement of the GDPR does not, alone, give rise to a right to compensation for individuals.  In the Court’s view, Article 82 requires establishing: (i) “damage”, either material or non-material; (ii) an actual infringement of the GDPR; and (iii) a causal link between the two. However, the CJEU also ruled that the right to compensation in the GDPR cannot be made contingent upon individuals satisfying a certain “seriousness” threshold, which is the case under Austrian law at present.

Continue Reading CJEU Clarifies the GDPR’s Right to Compensation

On March 24, 2023, the Austrian Supervisory Authority (“Austrian SA”) held that a credit referencing agency (“Agency”) breached the GDPR by unlawfully processing personal data obtained from a third party in order to process it to conduct credit assessments.  It decided that the Agency breached the GDPR’s principle of lawfulness because it did not have a valid legal basis to process the personal data.  This case will be relevant for organizations assessing their lawful basis for processing personal data.

Continue Reading Austrian Supervisory Authority Issues Decision on the Collection of Personal Data by Credit Referencing Agency

On December 9, 2022, the European Commissioner for Justice and Consumer Protection, Didier Reynders, announced that the European Commission will focus its next 2023 mandate on regulating dark patterns, alongside transparency in the online advertising market and cookie fatigue. As part of this mandate, the EU’s Consumer Protection Cooperation (“CPC”) Network, conducted a sweep of 399 retail websites and apps for dark patterns, and found that nearly 40% of online shopping websites rely on manipulative practices to exploit consumers’ vulnerabilities or trick them.

In order to enforce these issues, the EU does not have a single legislation that regulates dark patterns, but there are multiple regulations that discuss dark patterns and that may be used as a tool to protect consumers from dark patterns. This includes the General Data Protection Regulation (“GDPR”), the Digital Services Act (“DSA”), the Digital Markets Act (“DMA”), and the Unfair Commercial Practices Directive (“UCPD”), as well as proposed regulations such as the AI Act and Data Act.

As a result, there are several regulations and guidelines that organizations must consider when assessing whether their practices may be deemed as a dark pattern. In this blog post, we will provide a snapshot of the current EU legislation that regulates dark patterns as well as upcoming legislative updates that will regulate dark patterns alongside the current legal framework.

Continue Reading The EU Stance on Dark Patterns

On January 12, 2023, the Court of Justice of the EU (“Court”) decided that the GDPR’s right of access gives a data subject the choice between asking a controller for (i) the identity of each data recipient to whom the controller will or has disclosed the data subject’s personal data or (ii) only the categories of data recipients.  The controller must comply with the data subject’s request, unless it is impossible to identify those recipients (e.g., because they are not yet known) or the controller demonstrates that the data subject’s access request is “manifestly unfounded or excessive.”

Continue Reading Court of Justice of the EU Decides that GDPR Right of Access Allows Data Subjects to Request the Identity of Each Data Recipient

On December 15, 2022, the Advocate Generals (“AG”) of the Court of Justice of the European Union (“CJEU”) issued two separate opinions in cases C‑487/21 and C‑579/21 on the right of access, pursuant to Article 15 GDPR.  The first case concerns the proper interpretation and application of Article 15(3), which permits a data subject to obtain a “copy” of their personal data, among other things. The second case concerns whether the right of access includes the right to receive the identity of the controller’s employees, who are processing the data subject’s personal data in the scope of their employment.

Continue Reading CJEU’s Advocate General Issues Opinions on the GDPR’s Right of Access to Personal Data

On December 13, 2022, the European Commission released its draft adequacy decision on the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), which, once formally adopted, would recognize that the United States ensures an adequate level of protection for personal data transferred from the EU to organizations certified under the EU-U.S. DPF.  The draft decision follows the issuance of Executive Order 14086 on Enhancing Safeguards for U.S. Signals Intelligence Activities (“EO 14086”) by President Biden on October 7, 2022 (see our previous blog post here), and the political agreement reached between the EU and the U.S. in March 2022 (see our previous blog post here).

As many had expected, the draft adequacy decision assesses the limitations and safeguards relating to the collection and subsequent use of personal data transferred to controllers and processors in the United States by U.S. public authorities.  In particular, the draft decision assesses whether the conditions under which the U.S. government may access data transferred to the United States fulfill the “essential equivalence” test pursuant to Article 45(1) of the GDPR, as interpreted by the Court of Justice of the European Union (“CJEU”) in Schrems II (see our previous blog post here). 

Continue Reading European Commission Releases Draft Adequacy Decision on the EU-U.S. Data Privacy Framework

On October 6, 2022, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) released an opinion in case C-300/21 to the effect that a controller or processor’s non-compliance with the GDPR does not automatically entitle data subjects to receive compensation for non-material damages pursuant to Article 82 GDPR.  According to the AG, compensation is meant to remedy the consequences caused by a breach of the GDPR, and therefore a data subject must have suffered damage that he or she can affirmatively demonstrate.

Continue Reading CJEU Advocate General Issues Opinion on Non-Material Damages for GDPR Breach

Update: On January 12, 2023, the Court of Justice of the European Union sided with the Advocate General’s opinion, confirming that a data subject can lodge a complaint with a Supervisory Authority and, concurrently, lodge judicial redress proceedings against the same controller/processor for damages resulting from the alleged GDPR violation.

More specifically, the CJEU held that the remedies provided for in Article 77(1) and Article 78(1) GDPR, on the one hand, and Article 79(1) GDPR, on the other, can be exercised in parallel and are independent of each other.  Concerning the material outcome of the case, the referring court must determine how to implement the remedies, in line with national procedural law.

*                             *                             *

On September 8, 2022, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) opined that data subjects should be able to lodge a complaint with a Supervisory Authority against a controller/processor for allegedly breaching the GDPR and, in parallel, lodge judicial redress proceedings against the same controller/processor for damages resulting from the alleged GDPR violation.

The case that was referred to the CJEU relates to a shareholder’s request to access audio recordings of a company meeting.  The company provided the shareholder only with extracts of his/her interventions.  Subsequently, the shareholder filed a complaint with the Hungarian Supervisory Authority for a breach of his/her right of access and asking the Supervisory Authority to order the company to disclose additional recordings.  The Supervisory Authority rejected the complaint.  As a result, the shareholder appealed the Supervisory Authority’s decision before a court and in parallel initiated separate judicial proceedings against the company asking for remedies for damages suffered.

Continue Reading CJEU Advocate General Finds That Data Subjects May in Parallel Lodge a Complaint with a Supervisory Authority and Start Proceedings Before a Court