In our Alert Memorandum of 19 July 2022 (available here), we outlined the European Commission’s (the “Commission”) proposal for a regulation on the “European Health Data Space” (the “Regulation” or the “EHDS”). The proposal, which was published in May 2022, is the first of nine European sector- and domain-specific data spaces set out by the Commission in 2020 in the context of its “European strategy for data”.Continue Reading EHDS – The EU Parliament formally adopts the Provisional Agreement: Key Takeaways and Next Steps
Gareth Kristensen
EU Court of Justice confirms earlier case law on broad interpretation of “personal data” and offers extensive interpretation of “joint controllership”, with possible broad ramifications in the AdTech industry and beyond
On March 7, 2024, the Court of Justice of the European Union (the “CJEU”) handed down its judgment in the IAB Europe case, answering a request for a preliminary ruling under Article 267 TFEU from the Brussels Market Court.[1] The case revolves around IAB Europe’s Transparency and Consent Framework (“TCF”) and has been closely monitored by the AdTech industry ever since the Belgian DPA investigated and subsequently imposed a 250,000 euro fine on IAB Europe for alleged breaches of GDPR and e-Privacy rules back in 2022.[2]Continue Reading EU Court of Justice confirms earlier case law on broad interpretation of “personal data” and offers extensive interpretation of “joint controllership”, with possible broad ramifications in the AdTech industry and beyond
The UK ICO launches consultation series on GenAI
On 15 January 2024, the UK Information Commissioner’s Office (“ICO”)[1] launched a series of public consultations on the applicability of data protection laws to the development and use of generative artificial intelligence (“GenAI”). The ICO is seeking comments from “all stakeholders with an interest in GenAI”, including developers, users, legal advisors and consultants.[2]
This first public consultation (which closes on 1 March 2024) focuses on the lawful basis for training GenAI models on web-scraped data.[3]Continue Reading The UK ICO launches consultation series on GenAI
Key Takeaways from the Irish Data Protection Commission’s decision on Meta Data Transfers
On May 22, 2023, the Irish Data Protection Commission (the “DPC”) published its decision on Meta Platforms Ireland Limited (“Meta”).[1] The decision has wider implications for any company that routinely transfers personal data from the EEA to third countries, in particular, to the US.Continue Reading Key Takeaways from the Irish Data Protection Commission’s decision on Meta Data Transfers
EU-U.S. Data Privacy Framework
On July 10, 2023, the European Commission officially adopted its adequacy decision for the new EU-U.S. Data Privacy Framework (“DPF”), concluding that the U.S. ensures an adequate level of protection for personal data transferred from the EU to U.S. organisations participating in the EU-U.S. Data Privacy Framework.[1] This allows EU organizations to freely transfer personal data that is subject to the GDPR to participating organizations in the U.S.Continue Reading EU-U.S. Data Privacy Framework
The UK Government Publishes the New Data Protection Bill
On March 8, 2023, the UK government published the Data Protection and Digital Information (No. 2) Bill (the “Bill”) which proposes to update the current UK data protection regime. Continue Reading The UK Government Publishes the New Data Protection Bill
Key Takeaways from the EDPB’s Cookie Banner Taskforce Report
On January 17, 2023, the European Data Protection Board (“EDPB”) Cookie Banner Taskforce adopted a report which provides useful guidance on cookie banners. The EDPB’s report is available here.Continue Reading Key Takeaways from the EDPB’s Cookie Banner Taskforce Report
Privacy and Data Protection Compliance Will Remain a Top Priority in 2023
The following post was originally included as part of our recently published memorandum “Selected Issues for Boards of Directors in 2023”.
As the value of data continues to increase exponentially, so too do the associated risks, including risk of cyberattacks, data breaches or data-related litigation, as well as rising regulation throughout the world…
Irish Data Protection Commission’s decisions regarding Facebook and Instagram
On January 4, 2023, the Irish Data Protection Commission (the “DPC”) announced it issued two decisions that have wide relevance for the adtech industry. The decisions focus on the extent to which businesses can rely on the GDPR legal basis of ‘performance of a contract’ to justify delivering behavioural advertising to users without separately seeking their consent. Continue Reading Irish Data Protection Commission’s decisions regarding Facebook and Instagram
The Draft Adequacy Decision on the EU-US Data Privacy Framework
On December 13, 2022, the European Commission (“Commission”) formally launched the process to adopt an adequacy decision for the EU – U.S. Data Privacy Framework and proposed a draft adequacy decision concerning personal data transfers to the U.S. (available here).Continue Reading The Draft Adequacy Decision on the EU-US Data Privacy Framework