On May 4, 2020 the European Data Protection Board (“EDPB”) updated the guidelines on consent under the EU General Data Protection Regulation 2016/679 (the “GDPR”). The guidelines were originally published by the Article 29 Working Party on April 10, 2018 and later endorsed by the EDPB.[1] The full text of the updated EDPB guidelines can be read here.
Continue Reading Cookie Walls and Scrolling Don’t Make the Grade – EDPB Clarifies Guidance on Consent Under GDPR

On April 28, 2020, the Belgian data protection authority (the Gegevensbeschermingsautoriteit / Autorité de protection des données, the “Belgian DPA”), handed down a decision imposing a €50,000 fine on Proximus, Belgium’s largest telecommunications operator, on the ground that Proximus had failed to protect its data protection officer (“DPO”) from conflicts

On February 19, 2020 the European Data Protection Board (“EDPB”) published its second statement on privacy in the context of corporate transactions.

The statement, the full text of which can be read here, highlights the existence of concerns related to the combination and accumulation of sensitive personal data and the possibility that such combinations could result in a high level of risk to the fundamental rights to privacy and  the protection of personal data.
Continue Reading EDPB Publishes Statement on Privacy Implications of M&A Transactions

In 2019, boards and senior management across a range of industries continued to cite cybersecurity as one of the most significant risks facing their companies.

At the same time, comprehensive data privacy regulation became a new reality in the United States as many companies implemented major revisions to their privacy policies and data systems to

The UK Information Commissioner’s Office (“ICO”) issued its first penalty notice under the GDPR in December 2019.  Despite publishing notices of its intention to fine Marriott and British Airways in July 2019, the ICO has not yet taken its final enforcement action in these cases (and it is understood that the ICO has granted an extension for representations by the companies, until March 2020).  The £275,000 fine levied on Doorstep Dispensaree, a pharmaceutical company that provides various prescription medicines to care homes in the UK, therefore provides the first insight into the ICO’s approach to administrative fines under the GDPR (as further described below).
Continue Reading UK ICO Finally Issues GDPR Fine

The European Commission (the “EC”) has published (see link here) slides from its Task Force for Relations with the United Kingdom regarding the future relationship with the UK, in connection with personal data protection. The slides discuss a possible “adequacy” decision for the UK’s data protection regime, to be delivered by the EC by the end of the “transition period” which, under the draft Agreement on the Withdrawal of the UK from the EU (the “Withdrawal Agreement”), is currently envisaged to be December 31, 2020.

The slides were used for internal “preparatory discussions” and were presented on January 10, 2020 to the European Council’s Ad hoc Working Party on Article 50. The slides are not binding and are stated as being for “presentational and information purposes only”.
Continue Reading European Commission Provides Further Hints at Post-Brexit Adequacy Decision for the UK

On November 21, 2019, the French data protection authority (the “Commission Nationale de l’Informatique et des Libertés” or “CNIL”) imposed a €500,000 fine on Futura Internationale, a midsized French company, for serious infringements of the EU General Data Protection Regulation (the “GDPR”) in connection with cold calling campaigns.[1]
Continue Reading French Regulator Fines Futura Internationale €500,000 for Infringements of the GDPR in Connection With Telephone Advertising Campaigns

On October 1, 2019, the Court of Justice of the European Union (CJEU) issued a decision outlining the requirements for a user to consent to a service provider’s use of cookies.[1],  The Court held that active consent is required, and thus requiring a user to deselect a pre-checked tracking cookie notice in order to disallow the use of cookies does not sufficiently constitute consent to the collection and use of data under EU law.
Continue Reading The Way the Cookie Crumbles: CJEU Clarifies European Data Protection Rules for the Use of Cookies

On September 24, 2019[1], the Court of Justice of the European Union (the “CJEU”) handed down its much anticipated follow-on judgment[2] in connection with an individual’s right to have links removed from search results displayed following a search of that individual’s name on Google’s search engine.

Building on its recognition of a “right to de-referencing” in its landmark 2014 Google Spain judgment[3] (establishing the so-called “right to be forgotten” or “RTBF”), the CJEU now further clarified the territorial scope of such right, and limited the de-referencing obligation to Google’s search engine websites corresponding to EU Member States, as opposed to all domain name extensions (e.g., the obligation applies to domain names with top-level domain (“TLDs”) corresponding to EU Member States, such as “google.fr” for France or “google.be” for Belgium). The Court added that Google may need to use, “where necessary”, measures effectively preventing or seriously discouraging an internet user from accessing (on other versions of the search engine, which are not subject to the de-referencing obligation) the links at issue from an EU Member State. As a consequence, Google has no obligation to remove the links at issue on all Google websites worldwide (such as on “google.com”), but may need to implement sufficiently effective measures to prevent Internet users from accessing the links from the EU.
Continue Reading RTBF Stops at the Border: CJEU Sides with Google on the Scope of De-Referencing

In February of this year the German antitrust agency, the Federal Cartel Office (“FCO”), issued a decision against Facebook regarding their handling of user data. Please see our previous blog-post detailing the FCO’s arguments here

Facebook appealed and on August 26, 2019, the Düsseldorf Court of Appeal (“DCA”) in an interim decision granted suspensive effect to Facebook’s appeal against the FCO decision.

The DCA can order suspensive effect to an appeal if it has serious doubts whether the prohibition decision is legally valid.  Despite the preliminary character of the DCA’s decision, this could represents a significant setback for the FCO and have signaling effect beyond the German borders,. The DCA made certain important points on issues of law, which it will likely not revers during its main proceedings.
Continue Reading German Court Divorces GDPR and Competition Law in Facebook Appeal