Photo of Emmanuel Ronco

Emmanuel Ronco’s practice focuses on intellectual property and technology matters, including in the context of corporate transactions such as mergers and acquisitions or joint ventures.

On 12 February 2019, the European Data Protection Board (“EDPB”)[1] adopted its first opinion on an “administrative arrangement,” which provides a new mechanism for the transfer of personal data between European Union (“EU”) financial supervisory authorities and securities agencies and their non-EU counterparts.

Under the EU’s General Data Protection Regulation 2016/679 (“GDPR”), personal data cannot be transferred from the European Economic Area (“EEA”) to a third country unless the European Commission has decided that such third country is “adequate” from a data protection laws perspective, or “appropriate safeguards” are in place to ensure that the treatment of personal data in the hands of the recipient reflects the GDPR’s high standards. Article 46 of the GDPR provides for various safeguarding options, including the possibility of “provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.[2] No such “administrative arrangements” have been approved by the EDPB until now.
Continue Reading

On February 7, 2019, the German antitrust agency, the Federal Cartel Office (“FCO”), imposed limitations on Facebook’s current practice of collecting and processing user data and prohibited using the related terms of service.  After an almost three-year long investigation, the FCO found that some of Facebook’s business practices amounted to an abuse of a dominant position.  For the first time, the FCO based its abuse-of-dominance analysis also on whether the dominant company complied with the GDPR – throwing compliance with the GDPR into their competition law assessment.[1]
Continue Reading

In 2018, data privacy and cyber breaches made headlines throughout the year.

Major companies continued to suffer data breaches, highlighting the risks and potential costs of cyber incidents across industries.  At the same time, a growing and overlapping thicket of data security and privacy regulations—within the U.S., European Union, Latin America, and elsewhere—continued to increase

The European Data Protection Board (“EDPB”)[1] adopted its highly anticipated guidelines on the territorial scope of the General Data Protection Regulation (“GDPR”) (the “Guidelines”), which are currently open for public consultation until January 18, 2019.

The extraterritorial application of the GDPR to entities located in non-EU countries marks a significant shift in the legal framework compared to the GDPR’s predecessor (Directive 95/46/EC).

The GDPR’s extraterritorial scope is based on two main criteria described in its Article 3:

  • the “establishment” criterion, according to which the GDPR applies where processing of personal data is undertaken by a person in the context of the activities of an establishment in the European Union regardless of whether the processing takes place in the European Union or not, and
  • the “targeting” criterion, according to which the GDPR applies where processing activities conducted by a person established outside the European Union relate to the offering of goods or services or the monitoring of behavior of data subjects in the European Union.

As a result of these two criteria, businesses which did not previously need to consider the applicability of EU data protection law to their processing activities may now be caught within the GDPR’s territorial scope. The Guidelines  are intended to bring clarity to non-EU businesses doing business with the EU, either directly or through “establishments”, which must undertake a careful assessment of their data processing activities in order to determine whether the GDPR applies. The full text of the Guidelines can be accessed here and their key features are summarized below.
Continue Reading

Tomorrow, May 25, the European Union’s (“E.U.’s”) sweeping and much-awaited data security and privacy regulation known as the General Data Protection Regulation, or “GDPR,” will come into force.  We have previously written a full analysis of the new requirements under the GDPR for companies subject to its jurisdiction.

Since the GDPR was formally approved in 2016, organizations around the world have devoted significant time and resources to preparing for the new law’s implementation.  But while tomorrow is a deadline, it is also a start date—for compliance efforts that will require ongoing attention and adjustments in the months and years ahead.  With this in mind, we have compiled the following tips and resources to aid companies in their ongoing efforts that will come after May 25:
Continue Reading

Since the adoption of the General Data Protection Regulation (GDPR) in 2016, considerable attention has focused on the vastly increased scope of potential administrative fines, and even more attention is being paid to the issue with the GDPR becoming effective on May 25, 2018.  In this post, we summarize the key fining provisions, and analyze the recent relevant guidance on this issue from the Article 29 Working Party (an advisory group consisting of representatives from national data protection authorities together with the European Commission).
Continue Reading

Following the generally positive assessment of the EU-U.S. Privacy Shield framework (the “Privacy Shield”) by the European Commission further to its first annual review, the Article 29 Working Party (an advisory group consisting of representatives from national data protection authorities together with the European Commission), released its own opinion (the “WP29 Opinion”), which was

The disclosure by Uber of a data breach that occurred in October 2016 has prompted a growing number of regulators to open investigations into the company.  According to Bloomberg, the breach (which Uber disclosed on November 21, 2017) involved hackers accessing the names, email addresses and phone numbers of 50 million riders and 7 million drivers and the driver’s license numbers of approximately 600,000 U.S. drivers.

Continue Reading

On October 18, 2017, the European Commission published its report on the functioning of the EU-U.S. Privacy Shield framework (the “Privacy Shield”), marking the conclusion of its first joint annual review of the regime.  The Privacy Shield, which is administered by the International Trade Administration within the U.S. Department of Commerce (“DOC”), provides companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States.  To join the Privacy Shield, a U.S.-based organization is required to self-certify to the DOC and publicly commit to comply with the Privacy Shield requirements.  While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Privacy Shield requirements, the commitment will become enforceable under U.S. law.
Continue Reading

Earlier this month, in the latest ruling to emerge from the privacy campaign initiated by activist Max Schrems, the Irish High Court cast fresh doubt on the legitimacy of so-called Standard Contractual Clauses (“SCCs”, also commonly referred to as Model Contracts) as an approved method of ensuring lawful personal data transfers from the European Economic Area (“EEA”) to the United States.  In this case, Mr. Schrems, joined by the Irish Data Protection Commissioner (“DPC”), objected to Facebook Ireland Ltd. transferring personal data to its parent company in the U.S., Facebook Inc.
Continue Reading