On December 9, 2022, the European Commissioner for Justice and Consumer Protection, Didier Reynders, announced that the European Commission will focus its next 2023 mandate on regulating dark patterns, alongside transparency in the online advertising market and cookie fatigue. As part of this mandate, the EU’s Consumer Protection Cooperation (“CPC”) Network, conducted a sweep of 399 retail websites and apps for dark patterns, and found that nearly 40% of online shopping websites rely on manipulative practices to exploit consumers’ vulnerabilities or trick them.

In order to enforce these issues, the EU does not have a single legislation that regulates dark patterns, but there are multiple regulations that discuss dark patterns and that may be used as a tool to protect consumers from dark patterns. This includes the General Data Protection Regulation (“GDPR”), the Digital Services Act (“DSA”), the Digital Markets Act (“DMA”), and the Unfair Commercial Practices Directive (“UCPD”), as well as proposed regulations such as the AI Act and Data Act.

As a result, there are several regulations and guidelines that organizations must consider when assessing whether their practices may be deemed as a dark pattern. In this blog post, we will provide a snapshot of the current EU legislation that regulates dark patterns as well as upcoming legislative updates that will regulate dark patterns alongside the current legal framework.

Continue Reading The EU Stance on Dark Patterns

On January 12, 2023, the Court of Justice of the EU (“Court”) decided that the GDPR’s right of access gives a data subject the choice between asking a controller for (i) the identity of each data recipient to whom the controller will or has disclosed the data subject’s personal data or (ii) only the categories of data recipients.  The controller must comply with the data subject’s request, unless it is impossible to identify those recipients (e.g., because they are not yet known) or the controller demonstrates that the data subject’s access request is “manifestly unfounded or excessive.”

Continue Reading Court of Justice of the EU Decides that GDPR Right of Access Allows Data Subjects to Request the Identity of Each Data Recipient

On December 15, 2022, the Advocate Generals (“AG”) of the Court of Justice of the European Union (“CJEU”) issued two separate opinions in cases C‑487/21 and C‑579/21 on the right of access, pursuant to Article 15 GDPR.  The first case concerns the proper interpretation and application of Article 15(3), which permits a data subject to obtain a “copy” of their personal data, among other things. The second case concerns whether the right of access includes the right to receive the identity of the controller’s employees, who are processing the data subject’s personal data in the scope of their employment.

Continue Reading CJEU’s Advocate General Issues Opinions on the GDPR’s Right of Access to Personal Data

On December 13, 2022, the European Commission released its draft adequacy decision on the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), which, once formally adopted, would recognize that the United States ensures an adequate level of protection for personal data transferred from the EU to organizations certified under the EU-U.S. DPF.  The draft decision follows the issuance of Executive Order 14086 on Enhancing Safeguards for U.S. Signals Intelligence Activities (“EO 14086”) by President Biden on October 7, 2022 (see our previous blog post here), and the political agreement reached between the EU and the U.S. in March 2022 (see our previous blog post here).

As many had expected, the draft adequacy decision assesses the limitations and safeguards relating to the collection and subsequent use of personal data transferred to controllers and processors in the United States by U.S. public authorities.  In particular, the draft decision assesses whether the conditions under which the U.S. government may access data transferred to the United States fulfill the “essential equivalence” test pursuant to Article 45(1) of the GDPR, as interpreted by the Court of Justice of the European Union (“CJEU”) in Schrems II (see our previous blog post here). 

Continue Reading European Commission Releases Draft Adequacy Decision on the EU-U.S. Data Privacy Framework

On October 6, 2022, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) released an opinion in case C-300/21 to the effect that a controller or processor’s non-compliance with the GDPR does not automatically entitle data subjects to receive compensation for non-material damages pursuant to Article 82 GDPR.  According to the AG, compensation is meant to remedy the consequences caused by a breach of the GDPR, and therefore a data subject must have suffered damage that he or she can affirmatively demonstrate.

Continue Reading CJEU Advocate General Issues Opinion on Non-Material Damages for GDPR Breach

Update: On January 12, 2023, the Court of Justice of the European Union sided with the Advocate General’s opinion, confirming that a data subject can lodge a complaint with a Supervisory Authority and, concurrently, lodge judicial redress proceedings against the same controller/processor for damages resulting from the alleged GDPR violation.

More specifically, the CJEU held that the remedies provided for in Article 77(1) and Article 78(1) GDPR, on the one hand, and Article 79(1) GDPR, on the other, can be exercised in parallel and are independent of each other.  Concerning the material outcome of the case, the referring court must determine how to implement the remedies, in line with national procedural law.

*                             *                             *

On September 8, 2022, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) opined that data subjects should be able to lodge a complaint with a Supervisory Authority against a controller/processor for allegedly breaching the GDPR and, in parallel, lodge judicial redress proceedings against the same controller/processor for damages resulting from the alleged GDPR violation.

The case that was referred to the CJEU relates to a shareholder’s request to access audio recordings of a company meeting.  The company provided the shareholder only with extracts of his/her interventions.  Subsequently, the shareholder filed a complaint with the Hungarian Supervisory Authority for a breach of his/her right of access and asking the Supervisory Authority to order the company to disclose additional recordings.  The Supervisory Authority rejected the complaint.  As a result, the shareholder appealed the Supervisory Authority’s decision before a court and in parallel initiated separate judicial proceedings against the company asking for remedies for damages suffered.

Continue Reading CJEU Advocate General Finds That Data Subjects May in Parallel Lodge a Complaint with a Supervisory Authority and Start Proceedings Before a Court

The UK Government recently published its long-awaited response to its data reform consultation, ‘Data: A new direction’ (see our post on the consultation, here).

As many readers are aware, following Brexit, the UK Government has to walk a fine line between trying to reduce the compliance burden on organizations and retaining the ‘adequacy’ status that the European Commission granted in 2021 (see our post on the decision, here).

While we’ll have to wait to review the detail of the final legislation, we outline below some of the more eye-catching proposals for reform.

Continue Reading 8 Eye-catching Reforms in the UK Government’s Response to its Public Consultation on Data Protection Law

On April 28, 2022, the Court of Justice of the EU (“CJEU”) decided that consumer protection associations may bring collective claims without a mandate from the affected consumers, including for violations of the GDPR, relying on national consumer law provisions.  The words “without a mandate” refers to the fact that the organization is not representing a particular consumer or group of consumers, rather, it is representing the collective interests of those whose personal data have been processed in a manner contrary to the GDPR, without naming particular data subjects.

Continue Reading Court of Justice of the EU Greenlights GDPR Collective Claims Without a Mandate

The California Privacy Protection Agency (“CPPA”) held two informational hearings on March 29, 2022 and March 30, 2022, in anticipation of its upcoming rulemaking later this year.  While the CPPA Board was present throughout the hearings, its members did not present any views as part of the program.  The speakers covered the following topics of note:
Continue Reading California Privacy Protection Agency Holds Informational Hearings

As many readers will be aware, a key enforcement trend in the privacy sphere is the increasing scrutiny by regulators and activists of cookie banners and the use of cookies. This is a topic that we have been tracking on the Inside Privacy blog for some time. Italian and German data protection authorities have