The European Commission (the “EC”) has published (see link here) slides from its Task Force for Relations with the United Kingdom regarding the future relationship with the UK, in connection with personal data protection. The slides discuss a possible “adequacy” decision for the UK’s data protection regime, to be delivered by the EC by the end of the “transition period” which, under the draft Agreement on the Withdrawal of the UK from the EU (the “Withdrawal Agreement”), is currently envisaged to be December 31, 2020.

The slides were used for internal “preparatory discussions” and were presented on January 10, 2020 to the European Council’s Ad hoc Working Party on Article 50. The slides are not binding and are stated as being for “presentational and information purposes only”.
Continue Reading

On November 21, 2019, the French data protection authority (the “Commission Nationale de l’Informatique et des Libertés” or “CNIL”) imposed a €500,000 fine on Futura Internationale, a midsized French company, for serious infringements of the EU General Data Protection Regulation (the “GDPR”) in connection with cold calling campaigns.[1]
Continue Reading

On October 1, 2019, the Court of Justice of the European Union (CJEU) issued a decision outlining the requirements for a user to consent to a service provider’s use of cookies.[1],  The Court held that active consent is required, and thus requiring a user to deselect a pre-checked tracking cookie notice in order to disallow the use of cookies does not sufficiently constitute consent to the collection and use of data under EU law.
Continue Reading

While the EU General Data Protection Regulation 2016/679 (the “GDPR”) has grabbed headlines due to its extraterritorial reach and administrative fining regime (which permits fines for non-compliance up to the higher of €20 million or 4% of global, annual turnover),[1] a recent decision in the Northern District of California – Finjan v. Zscaler (“Finjan”)[2] – suggests that U.S. Courts won’t view the EU data protection legislation as an absolute obstacle to domestic discovery.  Finjan, as the first post-GDPR ruling of its kind, suggests that it will be business as usual navigating between U.S. civil discovery and EU law, at least from the U.S. courts’ perspective.
Continue Reading

Responding to a request by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE), the EU’s data protection supervisory bodies released an initial joint opinion on the impact of the U.S. Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) on the EU data protection framework.

The preliminary assessment by the European

In February of this year the German antitrust agency, the Federal Cartel Office (“FCO”), issued a decision against Facebook regarding their handling of user data. Please see our previous blog-post detailing the FCO’s arguments here

Facebook appealed and on August 26, 2019, the Düsseldorf Court of Appeal (“DCA”) in an interim decision granted suspensive effect to Facebook’s appeal against the FCO decision.

The DCA can order suspensive effect to an appeal if it has serious doubts whether the prohibition decision is legally valid.  Despite the preliminary character of the DCA’s decision, this could represents a significant setback for the FCO and have signaling effect beyond the German borders,. The DCA made certain important points on issues of law, which it will likely not revers during its main proceedings.
Continue Reading

On July 29, 2019, the Court of Justice of the European Union (“CJEU”) issued its judgment in Case C-40/17 (Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV). This is a landmark decision regarding the assessment of who has the responsibility for complying with data protection legislation in the context of embedding third-party features that regularly takes place on websites.

The CJEU adopted a broad view of the situations in which a “joint controllership” can arise. It held that, under EU data protection legislation, the operator of a website featuring the Facebook ‘Like’ button (a social plugin that causes the transmission to Facebook of website users’ personal data) can qualify as a controller, jointly with Facebook. Consequently, the website operator is directly responsible for complying with legal obligations in this respect, including by informing its users that their personal data will be transferred to Facebook.

However, the CJEU importantly clarified that the website operator’s role as controller (and the corresponding legal obligations) is limited to the collection and transmission of the data to Facebook and does not include any subsequent personal data processing that Facebook carries out.

The CJEU’s findings will potentially affect third-party technologies other than the Facebook ‘Like’ button, which are often incorporated into websites, such as cookies and pixels.


Continue Reading

On 9 July, the UK Information Commissioner’s Office (“ICO”) issued a notice of its intention to fine Marriott International, Inc. (“Marriott”) £99,200,396 for alleged infringements of the EU General Data Protection Regulation ( “GDPR”) in connection with a cybersecurity incident notified to the ICO by Marriott in November 2018. The ICO’s public statement followed Marriott’s disclosure of the ICO’s intention to the US Securities and Exchange Commission (“SEC”) and comes just one day after the ICO published its notice of intention to fine British Airways £183.4 million (see our previous blog post here). The proposed fines, if enforced by the ICO, will be the two highest fines levied under the GDPR, to date.

Continue Reading

The UK Information Commissioner’s Office (“ICO”) has issued a notice of intention to fine British Airways following an extensive investigation into the British Airways cybersecurity incident (notified by British Airways to the ICO in September 2018).  The fine of £183.4 million relates to various alleged infringements of the EU General Data Protection Regulation (“GDPR”).
Continue Reading

On 31 May 2019, the Supreme Court of Ireland dismissed Facebook’s appeal of the Irish High Court decision to refer questions regarding, among other things, the adequacy of the EU-U.S. Privacy Shield and the European Commission’s Standard Contractual Clauses to the Court of Justice of the EU (the “CJEU”). The CJEU will hear the case (C-311/18) on 9 July 2019.
Continue Reading