An unprecedented shakeup in the advertising technology space has arrived in Europe. Changes are coming to adtech's approach to privacy and consent around personalized advertising after the European Data Protection Board issued an urgent binding decision to ban Meta's data processing for behavioral advertising. The EDPB decision applies to Meta's Facebook and Instagram users across EU member states and European Economic Area countries. It stems from a request from Norway's data protection author... Read More

On 27 June 2023, the EU formally adopted a novel set of rules regarding cross-border access to data by law enforcement during criminal investigations. The electronic evidence package, Regulation (EU) 2023/1543, includes a regulation with internal EU rules on law enforcement data access and a directive with compliance requirements for service providers receiving production and preservation requests.   The package represents a notable advancement in criminal justice in cyberspace because it allow... Read More

Following the European Data Protection Board's dispute resolution decision, Ireland's Data Protection Commission in September adopted its final decision against TikTok Technology Limited related to the company's processing of children's personal data.  The findings build on many positions established in the DPC's September 2022 decision concerning Instagram's processing of children's personal data. For example, regarding transparency information for child users, the DPC found that stating "peop... Read More

The European Commission published the compliance report template for gatekeepers defined under the Digital Markets Act. The report must include required information in a "detailed and transparent manner" and be submitted within six months after designation with annual updates thereafter. The initial round of gatekeepers designated 6 Sept. have until 7 March 2024 to file.Full story... Read More

Ireland's Data Protection Commission released a case study handbook documenting notable actions from the first five years of EU General Data Protection Regulation enforcement. The booklet contains 126 case studies showing relevant examples of the DPC's focus and approach to various types of complaints.Full story... Read More

Ireland's Data Protection Commission continues to demonstrate the repercussions companies will face if they fail to meet the core principles of the EU General Data Protection Regulation. The latest example comes with the DPC's adoption of a 345 million euro fine and corrective measures against TikTok over alleged GDPR violations concerning children's data protection. The enforcement action concerns claims against TikTok's platform settings for kids that it had in place over a five-month span 31... Read More

The European Union's Artificial Intelligence Act is on track to become the world's first comprehensive regulation of this emerging technology. As a first mover, and by virtue of the "Brussels Effect," the AI Act may be talked up as one of the global standards for the regulation of AI — much as the EU General Data Protection Regulation has been for the regulation of data protection. Following a series of amendments adopted by the European Parliament in June, the final legislative deliberations of... Read More

Switzerland's Federal Data Protection and Information Commissioner, published an information sheet for conducting data protection impact assessments. Following the passage of the revised Data Protection Act, the document instructs federal bodies and citizens to "prepare a data protection impact assessment if the planned data processing entails a high risk for the (personal data) or the fundamental rights of the persons concerned."Full story... Read More

Ireland's Data Protection Commission marked the beginning of the new school year with a blog directed at parents posting back-to-school photos on the web. The DPC pointed to potential unintended oversharing of children's personal data, recommending attention be paid to sharing school details and physical location of photos while informing kids of privacy risks.Full story... Read More

On 8 June, U.K. Prime Minister Rishi Sunak and U.S. President Joe Biden announced the Atlantic Declaration: A Framework for a Twenty-First Century U.S.-UK Economic Partnership. It is the latest, most high level (it doesn’t get higher) and most conclusive development in the development of a comprehensive U.S.-U.K. partnership on data and artificial intelligence. Data Sharing data across borders is a fact of life for all organizations doing businesses or operating internationally. Yet, doing so ... Read More

The revised Swiss Federal Act on Data Protection comes into force 1 Sept. Unsurprisingly, perhaps, this upgrade to the 1992 version brings Switzerland's data protection regime into greater alignment with the provisions of the EU General Data Protection Regulation. This includes the introduction of new, more stringent obligations on non-Swiss companies doing business in Switzerland, such as the requirement to appoint a Swiss representative. There is also an increased emphasis on the commitment to... Read More

A key concern in today's digital era is the amplified risk of unauthorized reidentification brought on by artificial intelligence, specifically by the large and diverse data sets used to train generative AI models, such as large language models. However, these risks can be effectively mitigated. By adopting technology solutions that uphold legal mandates, organizations can harness the power of AI to realize commercial and societal objectives without compromising data security and privacy. This ... Read More

Like most of the "free" internet, online social media is funded through online advertising tailored to individual users' behavior and interests. The Court of Justice in the European Union decision in Case C-252/21 relates to one such platform, Meta, regarding its online social network, Facebook. The case is noteworthy for the advertising industry because it involves a competition authority determining data protection issues and calls into question whether platforms can carry out personalized adv... Read More

The European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework, concluding it ensures U.S. protection of personal data transferred between the countries is comparable to that offered in the EU. But even as its finalization was announced Monday, the new framework, which enters into force 11 July, is poised to face a legal challenge. "Personal data can now flow freely and safely from the European Economic Area to the United States without any further conditions or a... Read More

The concept of anonymization — a concept that is, despite its ambiguities, critical for data science programs around the world — can be confusing across jurisdictions. Data that meets the standards for "anonymization," for example, are generally not subject to privacy or data protection laws. With the rapid adoption of artificial intelligence, which is typically trained on vast amounts of data, the need for clarification has only become stronger, as has the push toward standardization. Nowhere ... Read More

As with a colorblindness hue test, if you stare at the new version of the EU Artificial Intelligence Act for long enough, some patterns form (or maybe you are just losing your vision or your mind). Below is a decision tree to help assess whether you fall in scope. Is it an AI system? Per the pending legislation, an AI system is "a machine-based system that is designed to operate with varying levels of autonomy and that can, for explicit or implicit objectives, generate outputs such as predicti... Read More

The European Union has been working on the world's first comprehensive law to regulate artificial intelligence. The file is approaching the finish line two years after the legislative proposal was presented. The EU AI Act has the potential to become the international benchmark for regulating the fast-paced AI field, much like the General Data Protection Regulation inspired data protection regimes in countries worldwide, from Brazil to Japan to India. "We are on the verge of building a real lan... Read More

On May 22, Ireland's Data Protection Commission published its anxiously anticipated decision in the Meta data transfers case, which includes a record-breaking 1.2 billion euro fine, a stop-transfer order with a carefully delineated timeline and an order to cease unlawful processing of EU data in the U.S. within six months. Those who have watched the trans-Atlantic data transfer's title fight closely enough to require sweat towels themselves might be asking — should we mark today's decision as a... Read More

Ireland's Data Protection Commission published a guidance note to assist data controllers in compliance with Article 30 of the EU General Data Protection Regulation, which requires a maintained record of processing activities. The DPC drafted the guidance following a "sweep" of processing activity records of 30 public and private sector organizations and said it includes "particular emphasis" on the "positive practices identified" through the process, as well as identified shortcomings "to assis... Read More

The Irish Data Protection Commission published three guides for children to explain data protection and their rights under the EU General Data Protection Regulation. The guides are intended for children ages 13 and older because that is the minimum age required to sign up for many social media platforms. The subject matter of the DPC’s guides are data protection, which would introduce children to the concept of what data is, a guide for educating children about their rights under the EU GDPR, an... Read More

When the Russian military invaded neighboring Ukraine 24 Feb. 2022, western defense analysts were in near-consensus that Ukraine would collapse in a matter of weeks, if not days. Though questions remain about how the conflict will ultimately conclude, a year into the invasion, the need to secure Ukrainian citizens' personal data has often taken on a life-and-death importance. Teaching the teachers in privacy  PrivatBank senior data privacy specialist Dmytro Korchynskyi, CIPP/E, CIPM, FIP, and ... Read More

The Office of the European Data Protection Supervisor announced its intentions to join the European Data Protection Board in its coordinated enforcement of data protection officers. While data protection authorities will cover private and public DPOs at a national level, the EDPS will focus its attention on "the role, responsibilities and tasks of data protection officers in the (EU institutions)." Editor's note: The IAPP's Jennifer Bryant reported on the EDPB's coordinated enforcement launch.Fu... Read More

Mobile apps, artificial intelligence and cybersecurity will be the main focus areas of France's data protection authority, the Commission nationale de l'informatique et des libertés, in coming years. During the IAPP Data Protection Intensive: France this week in Paris, CNIL Secretary General Louis Dutheillet de Lamothe laid out the regulator's focus areas, as well as the projects it has or will soon launch in those key areas.According to Dutheillet de Lamothe, the EU General Data Protection Regu... Read More

The U.K. Information Commissioner’s Office approved the fourth set of U.K. General Data Protection Regulation certification scheme criteria for training and qualifying service providers. The scheme's intention will "enable … candidates to make informed choices when applying for training" programs so they can maintain confidence their personal data is being processed in accordance with the law. Other certification schemes released so far cover secure disposal and reuse of IT equipment, age assura... Read More

The U.K. released draft data protection reform of its General Data Protection Regulation. On Wednesday, U.K. Secretary of State for Science, Innovation and Technology Michelle Donelan introduced the Data Protection and Digital Information (No. 2) Bill to Parliament.  The first version of the reform bill was originally proposed by the government in July 2022 but was put on pause last September in the wake of Liz Truss's then-appointment as prime minister.  "Co-designed with business from the st... Read More

At the time of last year’s IAPP Data Protection Intensive: U.K., no legislative proposals to reform the U.K. General Data Protection Regulation had been made public. This year, on the first day of the conference in London, the U.K. government published the Data Protection and Digital Information (No.2) Bill. As the title suggests, this is the second iteration of a set of proposals to reform the U.K. GDPR. The first iteration — the Data Protection and Digital Information Bill — was published Jul... Read More

The first annual coordinated action under the European Data Protection Board's Coordinated Enforcement Framework, on the use of cloud-based services by the public sector, concluded in January. Starting mid-March, European data protection authorities will prioritize joint actions focusing on the position of data protection officers. IAPP Managing Director, Europe, Isabelle Roccia describes the process behind the CEF, the role of DPAs in coordinated enforcement actions and possible outcomes, sayin... Read More

With the EU elections in May 2024 fast approaching, policymakers in Brussels are scrambling to close open files, plan their next move and set the groundwork for the upcoming mandate. At this stage of the legislative cycle, the European Commission assigns external studies that provide significant indicators of its future areas of interest. Online advertising seems to have caught the regulators’ attention in the digital domain. The appetite to regulate this sector became evident during negotiatio... Read More

The European Parliament Committee on Civil Liberties, Justice and Home Affairs does not want the European Commission to extend an adequacy decision to the U.S. based on the proposed EU-U.S. Data Privacy Framework. The committee made as much clear in its draft opinion on the EU-U.S. adequacy published Feb. 14. In their opinion, committee members concluded the proposed DPF "fails to create actual equivalence in the level of protection" offered under the EU General Data Protection Regulation and u... Read More

Data protection officers can maintain other tasks and duties within their role, if they do not result in a conflict of interest, the Court of Justice of the European Union has affirmed. In a Feb. 9 ruling centered around Article 38 of the EU General Data Protection Regulation, the CJEU stated DPOs should “be in a position to perform their duties and tasks in an independent manner” but “cannot be entrusted with tasks or duties which would result in him or her determining the objectives and metho... Read More

U.K. Prime Minister Rishi Sunak announced the creation of four new government departments, including a dedicated Department for Science, Innovation and Technology focused on technical innovations. The changes remove digital and data policy responsibility from the Department for Culture, Media and Sport and create the DSIT. The department will “drive the innovation that will deliver improved public services, create new and better-paid jobs and grow the economy,” a press release stated. “Having ... Read More

The European Commission released guidance to assist companies in complying with the Digital Services Act's user reporting requirements. The reporting will help determine whether increased DSA obligations for "very large" online platforms and search engines are to be applied. Under the law, additional obligations are triggered for companies that "show that they reach more than 10% of the EU's population." Companies are required to report initial user numbers by Feb. 17 and offer updates at least ... Read More

With the European elections in spring 2024 fast approaching, in the next 12 months, EU policymakers will focus on closing the most important legislative files. Artificial Intelligence Act The EU's Artificial Intelligence Act is the first attempt to establish a regulatory framework for artificial intelligence. As Brussels doesn't want to lose its first-mover advantage and set up the international standard in the field, there will be a rush to close the negotiations before the end of the year. ... Read More

Data anonymization is an important tool for organizations to protect the personal data of individuals, while averting the onerous requirements of the EU and U.K. General Data Protection Regulations. Unfortunately, guidance on this subject is often unclear, with standards for anonymization differing among jurisdictions. This article provides privacy practitioners with a concise guide to understanding these divergent approaches. It further discusses ways in which the European Data Protection Board... Read More

Ireland's Data Protection Commission issued the much-anticipated decisions regarding the EU General Data Protection Regulation legal basis Meta can use in connection with processing personal data for targeted advertising. The decisions are a revised version of the draft opinion issued by DPC in October 2022, pursuant to objections filed by the supervisory authorities of Austria, France, Germany, Italy, the Netherlands, Norway, Poland, Portugal and Sweden and EDPB determination. Per the revised d... Read More

As more details unfold within the Irish Data Protection Commission and European Data Protection Board’s published Meta decisions, the privacy community is grappling with complex and fundamental questions surrounding legal bases for data processing, transparency within privacy notices, uncertainty around EU General Data Protection Regulation compliance, and more. The DPC last week fined Meta Ireland a combined 390 million euros and in its decisions, officially released with the EDPB’s binding de... Read More

The Irish Data Protection Commission adopted final decisions on two inquiries into Meta’s Facebook and Instagram, fining the company a total of 390 million euros and potentially leading to an upheaval of its personalized advertising model in the EU. The DPC announced Meta’s basis for seeking user permission to collect data for personalized advertising, used by its Facebook and Instagram platforms, is invalid and gave the company three months to bring its data processing operations into complian... Read More

The next domino in the finalization of the proposed EU-U.S. Data Privacy Framework has fallen. The European Commission published its draft adequacy decision recognizing the essential equivalence of U.S. data protection standards, paving the way for finalization of the DPF and unimpeded data flows. The U.S. executive order committing to an overhaul of foreign intelligence agencies' access to personal data and creation of a new redress system for EU citizens spurred the preliminary adequacy ackno... Read More

Nearly five years after the implementation of the EU General Data Protection Regulation, Europe is immersed in a digital market strategy that is giving rise to a host of new, interconnected regulation. Among this complexity resides the proposed Artificial Intelligence Act. Originally presented by the European Commission April 2021, the AI Act is now in the hands of the Council of the European Union and European Parliament. If passed, this would be the world’s first comprehensive, horizontal reg... Read More

The proposed Artificial Intelligence Act would be the first horizontal regulation of AI in the world, but, as always, the devil is in the details. Though the Council of the European Union has nearly completed its version, the European Parliament is still negotiating its version. IAPP Editorial Director Jedidiah Bracy, CIPP, looks at how other EU lawmakers and stakeholders are crafting this massive, precedent-setting legislation.Full Story The Privacy Advisor Podcast: MEP Tudorache unpacks think... Read More

Data retention has long been a blind spot of Europe's otherwise strict data protection regime. But a possible practical solution might be in sight. The European Union has a long history of asking the same question several times until the answer is the desired one. For example, in the 2000s, Ireland rejected the treaties of Nice and Lisbon before a second referendum approved them. For some, the same is happening in the data protection sphere. In a recent interview, privacy activist and Austrian... Read More

Last May, the European Commission presented a proposal to fight Child Sexual Abuse Materials. The proposed legislation has spurred controversy as it touches upon the delicate issue of private interpersonal communications and might affect end-to-end encryption. The issue of child pornography has exploded recently, as abusive online content has increased by 60 times in the last 10 years. While content production mainly takes place in the "global south," groups of countries in Africa, Latin Americ... Read More

I leave the pen to my colleagues for a couple of weeks, and I come back with a whole shopping list of things I want to share with you all. DSA and DMA update The Digital Services Act was approved by the Council of Member States, marking the end of a legislative process that started with the commission's proposal in December 2020. The final text, as approved by the EU co-legislators, is expected to be published in the EU Official Journal in November for an entry into force 20 days following. It... Read More

In July, the U.K. government introduced the Data Protection and Digital Information Bill, setting out its proposed amendments to U.K. data protection laws. The proposals stem from a consultation conducted by the Department for Digital, Culture, Media and Sport last year. The consultation received nearly 3,000 responses from domestic and overseas organizations representing a cross-section of the U.K. economy. However, not all changes proposed in the bill were included in the consultation process.... Read More

Two years ago, the Court of Justice of the European Union invalidated Privacy Shield, the legal framework for EU-U.S. data flows. The consequences of that ruling reinforce the EU's digital sovereignty agenda, which increasingly sees data localization as one of its core elements. Since the "Schrems II" judgment by the CJEU, the U.S. presidential administration and European Commission have been working on replacing the trans-Atlantic agreement with a new one that could stand judicial review befor... Read More

The proposed EU Artificial Intelligence Act and its intersections with the EU General Data Protection Regulation could present compliance issues for data compliance officers across the continent, according to IAPP Senior Westin Research Fellow Jetty Tielemans. The AI Act has some similarities with the Digital Services Act and the Digital Markets Act regarding how they clarify the GDPR, Tielemans said during a recent IAPP LinkedIn Live. However, she explained the AI Act differs in that "sensitiv... Read More

The U.K. government Monday introduced a pair of post-Brexit data reform initiatives aimed at guiding responsible use of data while promoting innovation in the economy, according to two government releases.  In the House of Commons, the government released the Data Protection and Digital Information Bill. In a separate statement, Minister for Media, Data and Digital Infrastructure Matt Warman said the data protection reform bill will help "transform the UK's independent data laws."  In parallel... Read More

The European Union is on the verge of adopting a series of regulations that will affect how data is collected and shared in the EU. These include the Data Governance Act, the Digital Services Act, the Digital Markets Act, the Artificial Intelligence Act and the Data Act. These acts do not focus on personal data — in fact, European lawmakers continuously stress that the main aim of these acts is to regulate nonpersonal data. But these acts also do not exempt personal data from their scope of appl... Read More

The European Commission plans to improve access to health data for patients, medical professionals, regulators and researchers to reduce unnecessary medical tests and prescriptions, Reuters reports. Under the proposal, data from patients’ health records and wellness applications would be combined and made accessible through free online databases under strict privacy rules. Patients cannot always access their health data electronically and hospitals often do not share data in its entirety with ot... Read More

Consent is one of the EU General Data Protection Regulation legal bases that can be used to justify the collection, handling or storage of personal data. For consent to be valid, it must be clearly distinguishable from other matters, intelligible and in clear and plain language, freely given, as easy to withdraw as it was to provide, specific, informed and unambiguous (GDPR Article 6, 7 and Recitals 32, 33 and 43). In the employment context, consent is deemed to be problematic. An actual or per... Read More

A ruling by the Court of Justice of the European Union confirming consumer groups have a right to file representative actions over alleged EU General Data Protection Regulation violations, when permitted under national law, unblocks dozens of cases and puts an end to a lingering enforcement question. The court’s April 28 judgment allows consumer protection organizations to autonomously bring forward lawsuits on behalf of consumers against an individual or entity claimed to be responsible for “a... Read More

In December 2020, the British government presented its national data strategy, outlining its ambition to unlock data value and promote responsible growth by reducing the administrative burden on technology innovators and digital entrepreneurs. The strategy prompted concerns in Brussels that the new U.K. data policy might strive away from the EU General Data Protection Regulation. In early 2020, Prime Minister Boris Johnson announced that the U.K. would establish its own "sovereign" rules in the... Read More

European Parliament's Committee on the Internal Market and Consumer Protection, and Committee on Civil Liberties, Justice and Home Affairs released a joint report with their recommendations for the proposed Artificial Intelligence Act. Proposed amendments from the committee include a ban on predictive policing, a public AI technology registration requirement and further alignment with the EU General Data Protection Regulation. Advocacy group Access Now was among the first on-lookers to examine a... Read More

There’s a lot happening in privacy in the EU — from a new trans-Atlantic data flow agreement reached in principle with the U.S. to a suite of proposed data laws as part of the EU digital strategy, enforcement activity and more. European Data Protection Supervisor Wojciech Wiewiórowski and European Data Protection Board Chair and Head of the Austrian Data Protection Authority Andrea Jelinek shared their insights on the latest in a session moderated by Microsoft Corporate Vice President and CPO J... Read More

U.S. President Joe Biden and European Commission President Ursula von der Leyen announced Friday that the U.S. and EU have reached a new trans-Atlantic data flow agreement. Importantly, the agreement is in principle only at this point, and details about the deal are not yet known.  In a press conference from Brussels, Biden said, "Today we have agreed to unprecedented protections for data privacy and security for our citizens. This new arrangement will enhance the Privacy Shield framework, prom... Read More

The European Parliament and Council reached a provisional agreement on the Digital Markets Act, regulation targeting online advertising, messaging services and other practices of large technology platforms. “I think we have created something with an original architecture that’s effective, with more challenging obligations,” European Commissioner for Competition Margrethe Vestager said. IAPP Staff Writer Jennifer Bryant has the details. Following the provisional agreement, journalist Luca Bert... Read More

The EU's Digital Markets Act is a legislative proposal meant to define a list of do's and don'ts for online platforms so large that they are deemed to play a "gatekeeper" role. The rationale is that these platforms enjoy such an entrenched and durable position that they prevent competition in the European single market. A gatekeeper has a dominant position in a critical digital market and acts as a gateway for businesses that want to reach their customers. These digital markets include cloud se... Read More

The EU General Data Protection Regulation aims to empower individuals and give them "control" over their personal data. To do this, data subjects have been granted various rights, including the right to data portability, which did not exist under the Data Protection Directive. Contrary to the well-known access right, data portability allows data subjects to obtain and reuse their personal data, at least in theory. In January 2022, we asked data protection expert lawyers in our Lex Mundi Network... Read More

Earlier this month a draft of the proposal for the European Health Data Space Regulation was released. The EHDS is one of nine European data spaces identified in the European Commission's 2020 European Strategy for Data, and very much a priority for the commission. It builds on the Data Governance Act and the recently released proposal for the Data Act. Those acts are horizontal in nature; the EHDS Regulation would provide more specific sectoral measures in the area of health. The draft proposa... Read More

In the past month, PrivatBank Senior Data Protection Specialist Dmytro Korchynskyi, CIPP/E, CIPM, FIP, has seen his entire world thrown into chaos by the Russian invasion of his country. Korchynskyi, co-founder of the non-governmental organization Privacy Hub, spoke with IAPP Staff Writer Alex LaCasse about his experiences. Korchynskyi said he was forced to flee to Lviv, Ukraine, in the western part of the country, due to military strikes on civilian infrastructure in Irpin. He has also been inv... Read More

Editor's note: This is the second article in a two-part series on the European Union's anti-money laundering regulation. Part One of this article explained how the European Union’s 2015 fourth anti-money laundering directive (2015/849 or 4AMLD) required financial institutions to apply data protection safeguards to their anti-money laundering/countering the financial terrorism compliance programs, but the guidance never materialized. In 2021, the Commission introduced 2021/0240 (COD) to establis... Read More

On Dec. 10, 2021, political agreement was reached on the Data Governance Act. The remaining (largely) procedural steps are likely to be completed by March 2022 and the Act will become applicable 15 months after the date of its entry into force — i.e., summer 2023. The Data Governance Act applies to “data” — “any digital representation of acts, facts or information …” — in general, not just to personal data. It is the first of the European Union’s new initiatives on “data” to get to the legislati... Read More

In April last year, the European Commission published its ambitious proposal to regulate Artificial Intelligence. The regulation was meant to be the first of its kind, but the progress has been slow so far due to the file's technical, political and juridical complexity. Meanwhile, the EU lost its first-mover advantage as other jurisdictions like China and Brazil have managed to pass their legislation first. As the proposal is entering a crucial year, it is high time to take stock of the state o... Read More

The recent decision by the Austrian Data Protection Authority that the use of Google Analytics violates the EU General Data Protection Regulation could have “far-reaching implications." The decision, published Jan. 13, is the first of 101 complaints filed across EU countries by advocacy group NOYB alleging companies using Google Analytics were not complying with the July 2020 Court of Justice of the European Union’s “Schrems II” decision on data transfers. The "Schrems II" decision invalidated ... Read More

On January 12, 2022, the French data protection authority, Commission nationale de l'informatique et des libertés, issued guidance on the reuse of personal data by processors for their own purposes under the EU General Data Protection Regulation. The guidance addresses one of the most common — and hotly contested — aspects of privacy negotiations between commercial parties: Namely, when can a processor use personal data it obtains from a controller for purposes broader than just strictly providi... Read More

Organizations have been “struggling” with the EU General Data Protection Regulation since its implementation in 2018, while awaiting the ePrivacy Regulation, originally intended to take effect alongside the regulation three years ago. “And we thought that’s the only thing we would need to be struggling with,” IAPP Senior Westin Research Fellow Jetty Tielemans said. But this past year, the European Commission announced its digital strategy, including the proposed Data Governance Act, Digital Se... Read More

Though many privacy pros are still grappling with the EU General Data Protection Regulation, the EU is now busy leading a new generation of data regulations. As part of its Digital Single Market strategy, the EU is looking to not only protect data but also to create frameworks that allow for data flows, while aiming to mitigate hate speech and misinformation. Through an ambitious line of proposed laws — including the Data Act, Data Governance Act, Digital Markets Act, Digital Services Act and th... Read More

On Dec. 1, the Wiesbaden Administrative Court issued a first-of-its-kind decision holding that companies cannot use a cookie management provider that relies on a U.S.-based service to collect data, irrespective of whether the data actually ever leaves the EU. Because cookie management requirements apply for EU websites generally, EU-wide adoption of this case’s theories would affect a broad range of companies that do business both within and outside the EU. Although the decision was made at the ... Read More

Third-party cookies have long been “the glue that holds together the independent ad tech world.” Far surpassing their original purpose of giving “memory” to websites, these cookies are heavily relied upon by marketers to analyze and track online users. Indeed, cookie-based targeted advertisements are the reason why websites can sustain their “free” business models. But what’s good for industry has not been good for user privacy—and the tide is starting to turn. Part one of this two-part series ... Read More

At the recent IAPP Data Protection Congress 2021 in Brussels, Editorial Director Jedidiah Bracy, CIPP, reported on pending data-related legislation. He noted the EU General Data Protection Regulation is not the only statute privacy professionals dealing with the EU need to be familiar with. Many of us are aware of the ePrivacy Directive, currently updated to become the ePrivacy Regulation, the draft Data Governance Act, the draft Act on Artificial Intelligence and the (postponed) Data Act, but f... Read More

Hamburg's Commissioner for Data Protection and Freedom of Information announced Germany's Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia took force Dec. 1. The HmbBfDI said the law pairs with the EU General Data Protection Regulation and covers "undesired access to information stored on computers, tablets or mobile phones." Additionally, the regulator highlighted user consent provisions for cookies, browser fingerprinting and other tracking. Lowe... Read More

With the recent adoption of guidelines on the interplay between Article 3 and Chapter V of the EU General Data Protection Regulation relating to international data transfers, the European Data Protection Board sought to answer a question that has been debated going back five years to the GDPR's original drafting. But as is usually the case when addressing the complex topic of transfers, answering one question has spawned so many others. EDPB Secretariat Head Isabelle Vereecken said during a Lin... Read More

On Sept. 2, the Irish Data Protection Commission announced a decision to fine WhatsApp 225 million euros. The DPC concluded WhatsApp failed to: provide required privacy information to WhatsApp users, as required by EU General Data Protection Regulation Article 13; provide privacy information relevant to contacts of WhatsApp users — "non-users" — whose personal data was processed in order to show users which of their contacts were also WhatsApp users, as required by GDPR Article 14; make privacy ... Read More

On Nov. 9, 2018, Serbia adopted the Personal Data Protection Law. The law went into effect the following summer, Aug. 21, 2019. In general, the LPDP is harmonized with the EU General Data Protection Regulation, as this was the obligation of Serbia as an EU member candidate in the process of EU integration. Provisions of the LPDP mirror the normative provisions of the GDPR in almost all aspects, including provisions regulating the territorial application of the LPDP, legal basis for data process... Read More

Italy’s data protection authority, the Garante, issued a 2.5 million euro fine against food delivery company Deliveroo for inappropriately processing driver's personal data. The company held personal and contract data, payment data, data relating to the driver's rides and data relating to vehicles used for deliveries for insurance coverage. The detailed opinion raises points that delivery companies, ride sharing companies and even vehicle original equipment manufacturers with proprietary applic... Read More

That the trans-Atlantic data relationship needs some healing and repair is well-understood. The highly innovative biotechnology sector delivers breakthrough innovations that transform health care, promote public health and cure once incurable diseases. Perhaps a remedy to the trans-Atlantic data relationship is not beyond the sector's reach as well. Data flows between the United States and the European Union are critical for advancing biomedical research. Collaborations between researchers on b... Read More

The fine for not appointing an EU General Data Protection Regulation representative imposed by the Netherlands' data protection authority, Autoriteit Persoonsgegevens, and a recent high court decision in the U.K. put the spotlight on the obligation of the GDPR's Article 27 and brought some clarity to the role of representative. Prighter Founder Andreas Mätzler, CIPP/E, and Associate Clara Sator take a look at the Dutch case, saying it “shows supervisory authorities are willing to fine instances ... Read More

On June 21, the European Data Protection Board issued its highly anticipated final recommendations on supplementary measures for data transfers. The recommendations outline a process organizations can follow to transfer personal data outside the European Economic Area to ensure compliance with the "Schrems II" judgment. The initial draft of the recommendations, released in November 2020, took the data protection world by surprise by preventing organizations from considering the “subjective” lik... Read More

The European Commission recently issued its decision approving revised standard contractual clauses for data transfers to third countries in the Official Journal. The new SCCs are a mechanism companies can use to address the restriction under Article 44 in the EU General Data Protection Regulation on the cross-border transfer of personal data to third countries. Given the timing requirements in the commission's decision, the U.S. and other service providers located in third countries should expe... Read More

It has been nearly a decade since former European Commission Vice President Neelie Kroes pitched plans for an EU Code of Conduct for cloud services. In 2012, data protection was very much a nascent field on European soil: There was no EU General Data Protection Regulation and privacy had hardly reached the priority files of European regulators and was far from an issue at the forefront of public minds. Nevertheless, public and private stakeholders recently gathered to announce the finalization ... Read More

On April 27, 2021, Portugal's data protection authority, the National Data Protection Commission, ordered Statistics Portugal, in carrying out the national census, to suspend processing of personal data in any third country that lacks adequate privacy protections, including the United States. According to the order, Statistics Portugal had not conducted a sufficient data protection impact assessment or provided for adequate additional safeguards in use of standard contractual clauses. Statistics... Read More

The free flow of data could make or break a business. This needs no explanation, especially to privacy pros and data specialists with a clear view of both sides of the spectrum. On the one hand, data is the fuel needed to run the business engine, thereby driving the total value and growth of modern businesses; on the other hand are the commercial and reputational risks attached to hefty fines prescribed by data protection and other laws for noncompliance. This makes access to data by creating tr... Read More

The European Data Protection Board adopted a statement on data transfer agreements between EU member states and third countries. The EDPB tells member states all data transfer agreements made before May 2016 should remain intact as stated within the provisions of the EU General Data Protection Regulation and the Law Enforcement Directive, but the EDPB invites member states to assess and, where necessary, review those agreements. The EDPB also published its guidelines on the application of Art... Read More

Many global service providers and their customers rely on binding corporate rules for processors to transfer European Economic Area customer data to processors outside the EEA. There are strong indicators that the European Data Protection Board is about to restrict the application of BCRs for processors to internal transfers within the processor group of companies. This would mean that BCRs for processors can no longer be used as a mechanism for transfers from an EEA customer directly to a proce... Read More

With the Brexit transitional period ending, the beginning of the year finally brought some clarity about the future of data flows between the EU and U.K. A legally dubious, as not explicitly permitted by the EU General Data Protection Regulation, interim agreement on transborder data flows has been part of the EU-U.K. Trade and Cooperation Agreement and grants a temporary respite for privacy professionals, as well as lawmakers to prepare an adequacy decision. However, the obligations to appoint ... Read More

As data breaches and other security incidents are the dominating cause of regulatory fines in areas like security and data protection, prevention and proper management are becoming a priority for many organizations. Proper technical and security measures are essential in preventing security incidents. Nevertheless, when managing incidents, it can be challenging to identify and properly follow all the applicable rules and mandatory notifications of different regulators. To flesh this out, let's ... Read More

While many organizations across the world have acclimatized to life under the EU General Data Protection Regulation, certain industries are still reconciling how it applies to them. In the life sciences sector — particularly in the context of clinical trials — there is a stark variance in the way different stakeholders interpret how the GDPR applies to their data-processing activities. Surprisingly, this variance of interpretation also appears to exist among the relevant data protection authori... Read More

On Jan. 13, 2021, Court of Justice of the European Union Advocate General Michal Bobek issued his Opinion in case 645/19 opposing Facebook to Belgium's Data Protection Authority. The opinion has been widely covered in the media, with reports that the advocate general will allow “any EU country to take legal action against Facebook or any other tech firm,” therefore undermining the one-stop-shop enforcement mechanism of the EU General Data Protection Regulation. Contrary to media reports, the ad... Read More

The EU General Data Protection Regulation's one-stop-shop mechanism received a boost amid ongoing questions about the best way to approach cross-border enforcement. Court of Justice of the European Union Advocate General Michal Bobek issued a non-binding opinion supporting the future application of OSS while bringing clarity to the limited exceptions that would allow data protection authorities besides a lead supervisory authority to act on a cross-border action. "It is clear that one-stop shop... Read More

On Nov. 25, 2020, the European Commission published its draft Data Governance Act. The act is one of the deliverables included in the commission’s 2020 European Strategy for Data, which sets out policy measures and investments designed to give the EU a competitive advantage by enabling it to capitalize on its vast quantity of data. Other deliverables that will follow before the end of the year are the Digital Services Act and the Digital Markets Act. The act aims to create a framework that enco... Read More

Italy's data protection authority, the Garante, released recommendations on how schools can protect the privacy of students, staff and families. The guidelines cover topics including how photos taken on school trips should be managed, regulatory updates and how to protect privacy while using education technology.Full story... Read More

The revised Swiss Federal Act on Data Protection comes into force 1 Sept. Unsurprisingly, perhaps, this upgrade to the 1992 version brings Switzerland's data protection regime into greater alignment with the provisions of the EU General Data Protection Regulation. This includes the introduction of new, more stringent obligations on non-Swiss companies doing business in Switzerland, such as the requirement to appoint a Swiss representative. There is also an increased emphasis on the commitment to... Read More

On May 22, Ireland's Data Protection Commission published its anxiously anticipated decision in the Meta data transfers case, which includes a record-breaking 1.2 billion euro fine, a stop-transfer order with a carefully delineated timeline and an order to cease unlawful processing of EU data in the U.S. within six months. Those who have watched the trans-Atlantic data transfer's title fight closely enough to require sweat towels themselves might be asking — should we mark today's decision as a... Read More

Ireland's Data Protection Commission announced fresh employer guidance on handling the data of current, former and prospective employees. The DPC said the guidance is aimed at standard data collection, including employees' names and contact information, but added employers need to also consider nontraditional data like "information on occupational health, sick leave, performance reviews or disciplinary actions." The guidance also includes guidelines for employee monitoring and tracking.Full Stor... Read More

Spain's data protection authority, the Agencia Española de Protección de Datos, issued guidelines to aid public administrations' data protection impact assessments on proposed legislation. The AEPD stated DPIAs in the public sector need to occur "from the design of the standards," while outlining the criteria for execution of assessments and analysis of results.Full Story... Read More

Spain’s data protection authority, the Agencia Española de Protección de Datos, published guidance to help public administrations manage risks around data exchanges. "The document addresses the need to effectively manage risks that, due to the high volume of personal data and the interconnection of infrastructures, can give rise to massive, high-impact breaches," the AEPD said, noting the guidance includes a list of preventive measures. Full Story   ... Read More

When the Russian military invaded neighboring Ukraine 24 Feb. 2022, western defense analysts were in near-consensus that Ukraine would collapse in a matter of weeks, if not days. Though questions remain about how the conflict will ultimately conclude, a year into the invasion, the need to secure Ukrainian citizens' personal data has often taken on a life-and-death importance. Teaching the teachers in privacy  PrivatBank senior data privacy specialist Dmytro Korchynskyi, CIPP/E, CIPM, FIP, and ... Read More

Mobile apps, artificial intelligence and cybersecurity will be the main focus areas of France's data protection authority, the Commission nationale de l'informatique et des libertés, in coming years. During the IAPP Data Protection Intensive: France this week in Paris, CNIL Secretary General Louis Dutheillet de Lamothe laid out the regulator's focus areas, as well as the projects it has or will soon launch in those key areas.According to Dutheillet de Lamothe, the EU General Data Protection Regu... Read More

Denmark’s data protection authority, Datatilsynet, published an overview of its primary topics of focus for 2023. Major priorities include protecting children online, upholding personal data protections for website visitors, supervising television surveillance and processing of personal data in “pan-European information systems.”Full Story... Read More

France's data protection authority, the Commission nationale de l'informatique et des libertés, released a report on sanctions and corrective measures taken in 2022. The CNIL said a record 147 formal notices and 21 sanctions were adopted and fines exceeded 100 million euros. Penalty decisions and formal notices concerned various sectors and issues, including 22 decisions against municipalities that failed to appoint data protection officers. The CNIL said it is "continuing the substantial increa... Read More

Sweden's data protection authority, the Integritetsskyddsmyndigheten, released "Data Protection in Practice," a privacy operations management survey of more than 800 Swedish data protection officers. Four in 10 respondents said their companies work "continually and systematically with data protection" and half of all respondents said company management is receptive and understanding of data protection matters. IMY Analyst Andrea Amft said the survey results are "concerning" while noting DPOs req... Read More

Ireland's Data Protection Commission issued the much-anticipated decisions regarding the EU General Data Protection Regulation legal basis Meta can use in connection with processing personal data for targeted advertising. The decisions are a revised version of the draft opinion issued by DPC in October 2022, pursuant to objections filed by the supervisory authorities of Austria, France, Germany, Italy, the Netherlands, Norway, Poland, Portugal and Sweden and EDPB determination. Per the revised d... Read More

As more details unfold within the Irish Data Protection Commission and European Data Protection Board’s published Meta decisions, the privacy community is grappling with complex and fundamental questions surrounding legal bases for data processing, transparency within privacy notices, uncertainty around EU General Data Protection Regulation compliance, and more. The DPC last week fined Meta Ireland a combined 390 million euros and in its decisions, officially released with the EDPB’s binding de... Read More

The Irish Data Protection Commission adopted final decisions on two inquiries into Meta’s Facebook and Instagram, fining the company a total of 390 million euros and potentially leading to an upheaval of its personalized advertising model in the EU. The DPC announced Meta’s basis for seeking user permission to collect data for personalized advertising, used by its Facebook and Instagram platforms, is invalid and gave the company three months to bring its data processing operations into complian... Read More

The director of Belarus' National Center for Personal Data Protection signed an order implementing rules for the cross-border transfer of personal data. The order includes member states of the Eurasian Economic Union and defines allowable cases of cross-border data transfers, including transfers by state bodies and other organizations. The DPA said this will solve "issues related to the cross-border transfer by employers of personal data of their employees in cases necessary for the implementati... Read More

The Baden-Württemberg State Commissioner for Data Protection and Freedom of Information released a code of conduct for processors, offering standardized rules to support companies in applying the EU General Data Protection Regulation. Processors following the code submit to regular monitoring by a body accredited by the LfDI, Commissioner Stefan Brink said. "Self-regulation is an excellent opportunity to tailor data processing to the needs of industries — the GDPR provides this opportunity, whic... Read More

On July 13, Greece’s data protection authority, the Hellenic Data Protection Authority, imposed a fine of 20 million euros on U.S.-based company Clearview AI for violating multiple provisions of the EU General Data Protection Regulation. This number doubled from the previous largest fine issued by the HDPA, which was 9.25 million euros against the largest telecommunications conglomerate in Greece. The decision of the HDPA was issued following a complaint filed by civil nonprofit organization Ho... Read More

“Europe as a task.” In 1996, then-Czech Republic President Václav Havel fathered this expression to call on Europeans to take responsibility for global environmental and social and economic challenges and to lead by example. Setting this motto in EU-policy-speak relevant to privacy pros, it means that the Czech Republic — already a third into its Presidency of the EU Council — will seek to accomplish the following by end of December: Continue discussions on the Artificial Intelligence Act and... Read More

Slovenia's data protection authority, Informacijski Pooblaščenec, created an infographic to help data controllers conduct impact assessments. The infographic features the common shortcomings missing from impact assessments and offers recommendations to controllers. It also provides a checklist to help determine if an impact assessment is comprehensive enough. The country’s information commissioner said some mistakes are often repeated, such as missing risk assessment methodology.Full Story... Read More

Today, 1 July, the Czech Republic takes over the presidency of the EU Council of Member States for the next six months. It will have the challenging task of bringing major EU initiatives such as the Data Act and the Artificial Intelligence Act closer to the finish line, meaning at least reaching a common approach among Member States. You can visit its official website to keep up with the Czech Republic presidency program and events. The Czech Republic inherits a presidency that has, in the last... Read More

The Ukraine Parliamentary Commissioner for Human Rights issued guidance for the protection of personal data under martial law, amid the Russian invasion. The guidance included potential restrictions on the human right to privacy and legal grounds for the processing of personal data by government agencies, updated responsibilities to protect personal data for owners and managers, legal grounds for organizations involved in charitable aid to citizens, how to protect data from cybercriminals and ho... Read More

France's data protection authority, the Commission nationale de l'informatique et des libertés, released its criteria for evaluating the legal use of third-party cookie walls. The criteria features four considerations based on informed consent, including alternative access to content, the price of that access, paid access without cookie placement and potential embedded consent overrides. The CNIL said the criteria hones in on "the most commonly observed practices" and the criteria is to be appli... Read More

The Berlin Commissioner for Data Protection and Freedom of Information published guidance for international data transfers according to the Court of Justice of the European Union's "Schrems II" ruling. The state regulator outlined transfer requirements under the EU General Data Protection Regulation while explaining the current legal landscape around global transfers, with particular focus on transfers to the U.S. and the lack of legal bases for transfers. Additionally, the guidance detailed the... Read More

The Hellenic Data Protection Authority in Greece released compliance guidelines for informational websites using trackers. The authority observed several websites whose methods for obtaining consent to use trackers — specifically, cookie banner pop-ups — did not comply with several points of the EU General Data Protection Regulation. The HDPA said it conducted an audit of 30 informative websites, giving them 15 days to achieve compliance. All websites, with one exception, did so by the deadline.... Read More

Spain's data protection authority, the Agencia Española de Protección de Datos, announced the creation of a new section on its website dedicated to health data processing. The new page offers "a compendium of legislation, criteria, doctrine and precedents" that will help professionals and various stakeholders address data protection in the health space. The seven sub-sections within the page aim to provide "general information on the treatment of health data and how to exercise the right of acce... Read More

Norway’s data protection authority, Datatilsynet, issued guidance around the sharing and processing of children’s personal data and consent, noting the rules “are slightly different than for adults.” The authority discusses the potential for informed and voluntary consent by a minor under age 18 — such as in cases related to social media, health care and education — and areas where parental consent is necessary. “The greater the privacy consequences the processing of information may have, the hi... Read More

Addressing a room full of privacy professionals at the IAPP Global Privacy Summit 2022, U.K. Information Commissioner John Edwards envisioned many would be looking to regulators to “just tell us what we need to do” to minimize risks, reach compliance and reduce associated costs. “That’s fine,” Edwards said. But he was quick to point out, the most “important thing” about privacy and data protection is “the human story.” “You’re going to see your drug counselor later today. You made that insuran... Read More

Ukraine Vice Prime Minister Mykhailo Fedorov said the military has been using Clearview AI software to identify Russian soldiers killed in combat so officials can track down and inform their families, Reuters reports. Fedorov, who is also the head of the ministry of digital transformation, said Ukraine has used Clearview AI facial recognition to find the social media accounts of killed Russian soldiers. Civil rights groups have criticized the use of the technology by Ukraine due to possible misi... Read More

Norway's data protection authority, Datatilsynet, published guidance for employers using video surveillance on employees in the workplace. The regulator stressed that requirements for employee monitoring under the EU General Data Protection Regulation and the Working Environment Act need to be met before cameras are installed and run. The guidance outlines purpose limitation as well as standards for disclosing, storing and securing recordings.Full Story... Read More

Smart cameras are not a simple extension of existing video surveillance techniques, but they raise new ethical and legal questions. Simply put, the main difference between smart cameras and a traditional video surveillance system is that smart cameras are coupled with software, allowing a real-time and continuous analysis of the captured images. Algorithms analyze those images and extract information such as pattern recognition, movement analysis and object detection, all without human analysis ... Read More

Last month, PrivatBank Senior Data Protection Specialist Dmytro Korchynskyi, CIPP/E, CIPM, FIP, was focused on protecting the personal data of their Ukrainian customers. On Feb. 24, the Russian military launched a full-scale invasion of his homeland and upended all aspects of daily life as he and his fellow citizens have been bombarded on a scale that hasn’t been seen on the European Continent since World War II. A co-founder of Privacy Hub, a non-governmental organization that connects privacy... Read More

In October 2021, Poland’s data protection authority, the Urząd Ochrony Danych Osobowych, issued its first-ever view related to cookies in a decision (reference number ZSPR.440.331.2019. PR PAM) following a complaint from a data subject. Before this, neither rulings nor guidelines were published on the matter. Thus, every decision concerning this issue is eagerly anticipated in Poland. The UODO stated the use of cookies involves the processing of personal data and ordered online media company In... Read More

The Irish Data Protection Commission fined Meta Platforms 17 million euros over a series of 12 data breaches from June to December 2018. A DPC investigation determined Meta violated Articles 5 and 24 of the EU General Data Protection Regulation related to processing of data tied to the breach notifications. While two European supervisory authorities raised objections, the DPC said, “consensus was achieved through further engagement.” The DPC published a report with statistics on its handling ... Read More

France's data protection authority, the Commission nationale de l'informatique et des libertés, published its 2022 to 2024 strategic plan. Despite the CNIL’s efforts, digitization of daily life has increased the deployment of regulators’ technological expertise. In the strategic plan, the CNIL would focus on controlling and respecting the rights of citizens online, promoting the EU General Data Protection Regulation as a tool organizations can use to build trust with consumers, and prioritizing ... Read More

Just weeks after the Austrian Data Protection Authority’s ruling that Google Analytics use violates the EU General Data Protection Regulation, France’s data protection authority, the Commission nationale de l'informatique et des libertés, has reached a similar decision. The rulings are the first stemming from 101 complaints filed by advocacy group NOYB throughout EU Member States following the “Schrems II” decision that invalidated the EU-U.S. Privacy Shield in July 2020 and are anticipated to ... Read More

U.S.-based companies and regulators should fully understand the impact of a decision from Norway’s data protection authority, Datatilyset, regarding how consent is “done,” what constitutes special category data and what “manifestly made public” means. With the new U.S. privacy laws in California, Virginia and Colorado borrowing the definitions of “consent” and “sensitive data” verbatim from EU General Data Protection Regulation, as well as adopting a consumer intent-based standard for determinin... Read More

The Belgian Data Protection Authority fined IAB Europe 250,000 euros Wednesday, ruling its Transparency and Consent Framework, used by much of the advertising industry in the European Union, does not comply with several EU General Data Protection Regulation provisions. Through data processing under the TCF, which “facilitates the management of users’ preferences for online personalised advertising,” the DPA found IAB Europe acts as a data controller and can be held responsible for potential GDP... Read More

The recent decision by the Austrian Data Protection Authority that the use of Google Analytics violates the EU General Data Protection Regulation could have “far-reaching implications." The decision, published Jan. 13, is the first of 101 complaints filed across EU countries by advocacy group NOYB alleging companies using Google Analytics were not complying with the July 2020 Court of Justice of the European Union’s “Schrems II” decision on data transfers. The "Schrems II" decision invalidated ... Read More

On January 12, 2022, the French data protection authority, Commission nationale de l'informatique et des libertés, issued guidance on the reuse of personal data by processors for their own purposes under the EU General Data Protection Regulation. The guidance addresses one of the most common — and hotly contested — aspects of privacy negotiations between commercial parties: Namely, when can a processor use personal data it obtains from a controller for purposes broader than just strictly providi... Read More

The new year for EU data protection enforcement has rung in with an early bang courtesy of the France's data protection authority, the Commission nationale de l'informatique et des libertés. The CNIL fined Google and Facebook up to a combined 210 million euros for alleged cookie violations under the ePrivacy Directive. Allegations against the companies focus on French users' inability to easily decline tracking via cookies. Google's U.S. and Irish operations received penalties of up to 90 and 6... Read More

Ireland's Data Protection Commission published its 2022-2027 regulatory strategy with an "ambitious vision" for "five crucial years in the evolution of data protection law, regulation and culture." The DPC notes its plan reflects "the wider context in which it regulates," realizing the ongoing change with the sectors and technologies it oversees. The regulator also mentions its regulatory ambitions will require "new partnerships and new ways of engaging" as it seeks to ultimately reach "one over... Read More

Ireland's Data Protection Commission published its Fundamentals for a Child-Oriented Approach to Data Processing. The guidance introduce principles and recommended best practices for children's data protection during processing activities. The DPC said children "cannot be expected to manage this process themselves" and expects the guidelines to "create safer, more appropriate and more privacy-respecting online environments." Axios reports the smart toy market is expected to grow to $70 bi... Read More

On Dec. 1, the Wiesbaden Administrative Court issued a first-of-its-kind decision holding that companies cannot use a cookie management provider that relies on a U.S.-based service to collect data, irrespective of whether the data actually ever leaves the EU. Because cookie management requirements apply for EU websites generally, EU-wide adoption of this case’s theories would affect a broad range of companies that do business both within and outside the EU. Although the decision was made at the ... Read More

France’s data protection authority, the Commission nationale de l'informatique et des libertés released its “first reflections” on a privacy maturity self-assessment model Sept. 9, thus becoming the first European DPA to propose a privacy maturity model. This offers an occasion to introduce the concept of a maturity model to those who are not already familiar with it while taking a closer look at the CNIL’s release. What is a maturity model? Maturity models are assessment systems that allow or... Read More

France's data protection authority, the Commission nationale de l’informatique et des libertés, published a guide to support data protection officers. The guidance discusses the process and factors to be considered when hiring a DPO as well as what resources should be provided to allow a DPO to do their job effectively. The CNIL noted the guidance was crafted with a focus on ensuring DPOs "can carry out (their) missions in complete independence." Editor's note: The IAPP offers a French DPO certi... Read More

France’s data protection authority, the Commission nationale de l’informatique et des libertés, published a guide to support charitable, political and other organizations with EU General Data Protection Regulation compliance. The guide outlines the legal framework for data protection, provides benchmarks for organization and professional practices, and an action plan presenting the main stages of compliance. “In order to comply with the GDPR, these structures may need to review and change their ... Read More

City officials in Venice are collecting tourists' cellphone data and using surveillance cameras to monitor visitors, The New York Times reports. Software can track individuals' speed and path of travel, as well as age, sex and country of origin. Officials say the data is being gathered to prevent crowding and cellphone data is gathered anonymously. A data manager in Venice, Luca Corsato, said the city's "massive and constant" use of data is "dangerous." Full Story... Read More

On Sept. 2, the Irish Data Protection Commission announced a decision to fine WhatsApp 225 million euros. The DPC concluded WhatsApp failed to: provide required privacy information to WhatsApp users, as required by EU General Data Protection Regulation Article 13; provide privacy information relevant to contacts of WhatsApp users — "non-users" — whose personal data was processed in order to show users which of their contacts were also WhatsApp users, as required by GDPR Article 14; make privacy ... Read More

States worldwide are turning to technology to make the welfare state more efficient and mitigate welfare fraud. In the Netherlands, the state used a digital welfare fraud detection system called Systeem Risico Indicatie. The SyRI was a system that used personal data from different sources and uncovered fraud. In 2020, a Dutch court decided the SyRI legislation was unlawful because it did not comply with the right to privacy under the European Convention of Human Rights. This is among the first t... Read More

France’s data protection authority, the Commission nationale de l’informatique et des libertés, published a “data protection management maturity model.” The CNIL said the model “transposes the maturity levels defined in international standards to data protection management” and “allows organizations to assess their own level of maturity and determine how to improve their management of data protection.” Organizations can develop an action plan using the model to evaluate their current practices a... Read More

Norway's data protection authority, Datatilsynet, published revised guidance on international data transfers in the wake of the Court of Justice of the European Union's "Schrems II" decision. The guidance calls on companies to assess the basis for a transfer in advance of execution and apply additional technical, legal or organizational measures to protect data when necessary. Datatilsynet also noted it will not grant companies pre-approval for transfer impact assessments before they are complet... Read More

The Office of the Information and Data Protection Commissioner of Malta published guidance on cookie consent requirements. The guidance lays out how cookies are handled in the ePrivacy Directive and the EU General Data Protection Regulation, and lists practices not compliant with data protection rules, such as cookie walls and pre-ticked boxes.Full Story ... Read More

On Nov. 9, 2018, Serbia adopted the Personal Data Protection Law. The law went into effect the following summer, Aug. 21, 2019. In general, the LPDP is harmonized with the EU General Data Protection Regulation, as this was the obligation of Serbia as an EU member candidate in the process of EU integration. Provisions of the LPDP mirror the normative provisions of the GDPR in almost all aspects, including provisions regulating the territorial application of the LPDP, legal basis for data process... Read More

Italy’s data protection authority, the Garante, issued a 2.5 million euro fine against food delivery company Deliveroo for inappropriately processing driver's personal data. The company held personal and contract data, payment data, data relating to the driver's rides and data relating to vehicles used for deliveries for insurance coverage. The detailed opinion raises points that delivery companies, ride sharing companies and even vehicle original equipment manufacturers with proprietary applic... Read More

The fine for not appointing an EU General Data Protection Regulation representative imposed by the Netherlands' data protection authority, Autoriteit Persoonsgegevens, and a recent high court decision in the U.K. put the spotlight on the obligation of the GDPR's Article 27 and brought some clarity to the role of representative. Prighter Founder Andreas Mätzler, CIPP/E, and Associate Clara Sator take a look at the Dutch case, saying it “shows supervisory authorities are willing to fine instances ... Read More

Germany’s Federal Data Protection Commissioner Ulrich Kelber asked government organizations to close their Facebook pages by the end of the year, Reuters reports. Kelber said the pages are not able to operate in a way that does not transmit followers’ data to the U.S., in violation of privacy laws. He also recommended organizations discontinue using Clubhouse, TikTok and Instagram due to similar concerns. "Given the continuing violation of personal data protection, there is no time to waste," Ke... Read More

The European Commission plans to take legal action against Belgium after complaints were filed alleging Belgium's Data Protection Authority has not been meeting the independence requirements under the EU General Data Protection Regulation, Politico reports. The infringement procedure will be launched in response to complaints filed last year claiming the DPA has not adhered to the independence requirement, as several of its members are affiliated with the government. The process will start once ... Read More

Italy's data protection authority, the Garante, issued guidelines on the role of the data protection officer. The DPA created the guidelines to help clarify longstanding uncertainties around the position since the EU General Data Protection Regulation went into effect. The guidelines detail the duties the DPO must perform in their role and will be sent to national and territorial administrators to promote "wider dissemination."Full Story ... Read More

Germany's Parliament passed a data protection and privacy law for regulating telecommunications and telemedia, Euractiv reports. The Data Protection Act brings the country's rules in line with the EU General Data Protection Regulation. Social Democrat MP Falko Mohrs said the new bill helps make the legal situation in Germany "clearer and more consistent" as requirements were previously split between the Telemedia Act and the Telecommunications Act.Full Story... Read More

The Irish High Court's May 14 judgment concerning Facebook's EU-U.S. data transfers sheds light on the Irish Data Protection Commission's and the court's initial views on issues with significant global implications. In the judgment, Justice David Barniville dismissed Facebook Ireland's arguments that the process followed by Ireland's Data Protection Commissioner in its own-volition inquiry into Facebook Ireland's EU-U.S. data transfers was flawed. This allows the inquiry to proceed.  As a proc... Read More

Pravo.by breaks down Belarus' data protection law. The law regulates personal data processing regardless of whether it was done by automation tools. It defines personal data, addresses transborder data flows and gives citizens new data subject rights. The main provisions of the legislation will go into effect six months after publication.Full Story... Read More

On April 27, 2021, Portugal's data protection authority, the National Data Protection Commission, ordered Statistics Portugal, in carrying out the national census, to suspend processing of personal data in any third country that lacks adequate privacy protections, including the United States. According to the order, Statistics Portugal had not conducted a sufficient data protection impact assessment or provided for adequate additional safeguards in use of standard contractual clauses. Statistics... Read More

Belarus' House of Representatives adopted a draft personal data protection law, Pravo.by reports. The draft law defines categories of personal data, determines the process for cross-border transfers, establishes the creation of an authorized oversight body and sets responsibilities for violations. “The adoption of this law will ensure an appropriate level of protection of personal data and will contribute to the development of business, trade and economic relations of the Republic of Belarus wit... Read More

A bill enabling the creation of a database for an automated biometric identification system has been approved by the Estonian government, Estonian Public Broadcasting reports. The system would create a central database of several currently under various ministries that contain biometric personal data. “The creation of the database and the resulting capability to compare biometric data will have a positive impact (on) the state's internal security as it will help law enforcement bodies resolve cr... Read More

On Feb. 23, 2021, Ukraine's Ministry of Digital Transformation, in cooperation with the United Nations Development Program, NGO "Privacy Hub," and other partners, launched a data protection self-assessment tool. Aimed at aligning personal data protection with international and European standards, Ukraine developed a framework to help Ukrainian small- to medium-sized enterprises understand Ukrainian privacy laws and the EU General Data Protection Regulation. Background Currently, Ukrainian priv... Read More

On March 12, 2021, the Conseil d’Etat — France's highest administrative court — ruled that personal data on a platform used to book COVID-19 vaccinations, managed by Doctolib and hosted by Amazon Web Services, was sufficiently protected under the EU General Data Protection Regulation because sufficient safeguards, both legal and technical, were put in place in case of an access request from U.S. authorities. The judge thus rejected a claim filed by professional associations and unions that asked... Read More

The Commissioner for Human Rights of the Verkhovna Rada of Ukraine announced it created recommendations for citizens' right to access information. The recommendations seek to address the best ways to respond toward individuals seeking public information, how to properly obtain information that must be provided within 48 hours and the proper way to follow information request requirements under the Law of Ukraine.Full Story... Read More

Recently, Croatia’s data protection authority, Personal Data Protection Agency, shut down the website called “rate me” (in Cro: “ocijeni me”), intended for citizens to evaluate public servants employed in 21 city administrations throughout the country. The website, established in 2018 by one association from the city of Dubrovnik, was represented by an attorney who obtained the data about city administration servants based on the constitutional right to access information. Namely, the Croatian ... Read More

Perhaps surprisingly, the Dutch are among the worst-performing European countries during the current COVID-19 pandemic. With its vaccination program struggling to gather speed, Minister of Health Hugo de Jonge is increasingly under fire. With public trust being key for any successful governmental policy in battling a pandemic, a recent scandal on the online sale of personal data is most unwelcome. On Jan. 25, RTL News discovered widespread trade in the personal data of COVID-19 test subjects. W... Read More

Euractiv reports the German government's proposed data strategy will seek to draw a common approach for its 16 state data protection authorities and the Federal Commissioner for Data Protection and Freedom of Information to share. The government acknowledged the authorities work together; however, their "legal interpretations may diverge." A spokesperson for Germany's Association of the Internet Industry said the alignment plan is "a fundamentally welcome goal." The strategy also discusses algor... Read More

France's data protection authority, the Commission nationale de l'informatique et des libertés, Superior Audiovisual Council, Defender of Rights, and Hadopi have partnered to release an educational kit for digital citizens. The kit brings together resources for parents, adults and young adults on topics like internet rights, online privacy protection and the protection of personal data. "The educational kit makes it possible to consult, online and free of charge, all the videos, tutorials, pract... Read More

One way or the other, Ireland's Data Protection Commission was going to set a precedent with its much-anticipated ruling on Twitter's EU General Data Protection Regulation violations related to a 2019 data breach. The decision was finalized Dec. 15, 2020, and amounted to a fine of just 450,000 euros against the social media company, marking the DPC's first GDPR enforcement against a multinational. "This inquiry was opened following the receipt of a breach notification from Twitter in January 20... Read More

The enhanced private right of action under the EU General Data Protection Regulation has seen a recent uptick, and that trend might continue.  A development in Belgium this week could catalyze increased efforts for civil litigation in that member state. Belgium's Ministry of Employment, Economy and Consumer Affairs granted NOYB, a nonprofit group created by Max Schrems, status as a "qualified entity," allowing it to bring collective-action suits under the Belgian Code of Economic Law. Belgium r... Read More

Germany has a data protection landscape that is far more complex than its sister EU member states. Owing to its constitution and federal construct, several political and policy areas, such as education and culture, are decentralized to the 16 state ("Landes") levels. One such remit is the regulatory oversight and enforcement of data protection and privacy policy. In Bonn, there is also the federal data protection authority that oversees and supervises the federal public sector, as well as priva... Read More

Despite concerns over data transfers to the U.S., France's Council of State will not call for a suspension of the country's Health Data Hub, which is under contract with Microsoft. Even though there is still a risk of U.S. intelligence services requesting health data, the council's judge determined it does not justify the temporary suspension of the platform. The judge called on France's data protection authority, the Commission nationale de l'informatique et des libertés, to ensure any use of t... Read More

In 2017, the European Union funded a “Twinning Ombudsman” project with a budget of 1.5 million euros to help Ukraine bring its data protection system in line with international and, in particular, European standards. In November 2018, the initiative completed its work. The project’s team prepared more than a dozen recommendations and methodologies for the effective implementation of the reform, but the draft legislative act was never brought to the Ukrainian Parliament. Contrary to the developm... Read More

Recent guidance by Germany’s Baden-Württemberg Commissioner for Data Protection and Freedom of Information instructs EU entities they cannot lawfully transfer data to cloud, software-as-a-service or other technology providers not organized under the laws of the EU, European Economic Area or an equivalent protection country, rendering off-limits providers from the U.S. and U.K. This applies unless the “exporting” EU data controller and technology data “importer” implement safeguards that overcome... Read More

More than two years have passed since the EU General Data Protection Regulation entered into force, and Croatia's Personal Data Protection Agency, AZOP, has for a long time been (reasonably) criticized as being inactive, not having imposed a single fine up to mid-2020. Now that AZOP is finally active, it seems that it either has a specific agenda — protecting the right of access to credit documentation against banks — or is searching for a breach where it might be easy to find, purporting the am... Read More

Switzerland has launched the SwissCovid contact-tracing app, the first app in Europe to use the Apple and Google application programming interface, SWI reports. In the U.S., the House Committee on Oversight and Reform is investigating data broker Venntel's sale of mobile phone location data to law enforcement agencies and mobile analytics company Mobilewalla gathered demographic data from more than 16,000 cellphones belonging to Black Lives Matter protesters in Atlanta, Los Angeles, Minneapolis ... Read More

Hungary's decision to pause EU General Data Protection Regulation obligations during COVID-19 is worrying the European Data Protection Board, Euractiv reports. According to EDPB Chair Andrea Jelinek, the board "considers further explanation necessary" as it relates to why Hungary opted for suspension, asking for details on the orders' "necessity and proportionality." Jelinek added that a suspension like Hungary's is "not recommended" by the EDPB.Full Story... Read More

Voting records of more than 4.9 million people in the country of Georgia were published in a hacking forum, ZDNet reports. The data included names, addresses, birthdates, ID numbers and mobile phone numbers from an unknown source. Meanwhile, Virgin Media could be liable to pay 4.5 billion GBP in compensation following a data breach that exposed 900,000 customers’ personal details, and Hawaii Pacific Health discovered an employee viewed 3,772 patients’ medical records over a five-year period.Full... Read More

Pope Francis is joining Microsoft and IBM in calling for ethical development of artificial intelligence and regulation on facial-recognition technology, Reuters reports. Francis said regulation should “promote transparency and compliance with ethical principles, especially for advanced technologies that have a higher risk of impacting human rights.” Meanwhile, Vice Features Senior Staff Writer Anna Merlan used the California Consumer Privacy Act to access the information facial-recognition compa... Read More

On Feb. 21, the Croatian presidency published its proposals to break the ePrivacy Regulation deadlock. Seven previous EU presidencies (the holder rotates every six months) have tried and failed to find a compromise between member states. In a radical departure from previous drafts, the presidency has suggested changes to Articles 6 and 8 that would see “legitimate interest” as a legal basis to process metadata and collect information from the terminal equipment — potentially replacing user con... Read More

Under a proposed bill announced by Dutch Minister for Medical Care Bruno Bruins, hospitals and health clinics would receive 75 million euros to enable medical data to be available to patients online, Healthcare IT News reports. The institutions would also digitally share data with each other. “Making patient data available online will save time, prevent medical errors and mean that patients do not have to repeat their stories multiple times when seeing different medical professionals,” the repor... Read More

The Directorate for Personal Data Protection announced the Parliament of the Republic of Northern Macedonia has adopted the Law on Personal Data Protection. The law applies to any form of automated data processing done in North Macedonia, regardless of if the data originated from North Macedonia or another country. Standards and principles for data processing, lawful bases and data subject rights are also included in the legislation. (Original article is in Macedonian.)Full Story... Read More

The Serbian Commissioner for Information of Public Importance and Personal Data Protection has issued the country's own standard contractual clauses, BDK Advokati reports. The Serbian SCCs are modeled after the data-processing agreement found under Article 28 of the EU General Data Protection Regulation. "Serbian SCCs are not designed as a cross-border transfer instrument first and foremost," the report states. "Rather, the clauses apply to a controller-processor relationship irrespective of whe... Read More

The Swiss data protection authority, the Federal Data Protection and Information Commission, has announced it entered into the Council of Europe's "Convention 223," which focuses on the protection of individuals with regard to automatic processing of personal data. Convention 223 is an amending treaty that seeks to modernize the provisions of the previous treaty for data processing, "Convention 108." According to the DPA, "The amending protocol strengthens the rights of data subjects, especially... Read More

The opening session of the 41st annual International Conference for Data Protection and Privacy Commissioners kicked off here in Tirana, Albania, Wednesday. Threads woven throughout the event have included the need for convergence and cooperation, not only among global regulatory authorities, but also among industry, government and civil society as dramatic advances in digital technology continue to challenge laws and regulations, business models, and democracies around the world. ICDPPC Presid... Read More

On Aug. 27, the Greek Parliament passed national legislation supplementing the EU General Data Protection Regulation. The long-awaited bill was enacted nearly 15 months after the GDPR went into force and after the European Commission's referral of Greece to the Court of Justice of the European Union for failing to transpose the Law Enforcement Directive before May 6, 2018. Under Law 4624/2019, the Greek Supervisory Authority has been reestablished, provisions of the GDPR are supplemented by addi... Read More

The Spanish Agency for Data Protection published guidance for education and wellness applications that process personal data. The guidance is not only intended for the organizations that are responsible for processing the data, but also for the developers of the apps. The DPA’s document identifies practices that may negatively impact user privacy and solutions and alternatives to avoid such behavior. The AEPD and Polytechnic University of Madrid analyzed the 10 most-popular wellness and educatio... Read More

On Aug. 8, the long-awaited data protection law for Portugal was published. The Execution Law of the General Data Protection Regulation was first approved in June but did not go into force until it was sanctioned and published in early August. Portugal has followed the guidance offered to member states by the EU General Data Protection Regulation regarding the age of consent, criminal sanctions and limits to penalties, data protection officers, accreditation and certification, data subjects’ rig... Read More

The Swedish data protection authority, Datainspektionen, initiated an audit of the public school board of Skellefteå municipality earlier this year after having received media reports that the school board, in a trial project at Anderstorps upper secondary school, had used facial-recognition technology to register student presence during a few weeks. The school board used facial-recognition software via camera to capture and register 22 students’ participation in class. The board was contemplat... Read More

In July 2018, Lithuania adopted the new Law on Legal Protection of Personal Data. Two supervisory authorities — the State Data Protection Inspectorate and the Office of the Inspector of Journalist Ethics — were tasked with monitoring and application of the regulation. In 2018, their efforts focused mostly on exercising their advisory and investigatory powers, as well as the promotion of public awareness around the EU General Data Protection Regulation. During the last year, Lithuania's data pro... Read More

On March 12, the Czech Chamber of Deputies approved two bills adapting Czech law to the EU General Data Protection Regulation — the Data Protection Act and the Accompanying Act. This comes more than nine months after the GDPR came into effect. The bills will now be presented to President Miloš Zeman for his signature. The Data Protection Act fully replaces the current Czech Data Protection Act and includes several local derogations and exceptions (primarily for the public authorities). The act ... Read More

In November, Spain approved a controversial data protection law to facilitate compliance with Spanish law to the EU General Data Protection Regulation. Although the Spanish law aimed to provide clarity to the implementation of GDPR principles, its text and potential real-world application have caused concern that it is deviating from the GDPR’s intended effect. Citizens of Spain have a right to data protection both under the Constitution of Spain in Article 18(4) and under Article 8 of the Char... Read More

The new amendments for Finland’s Data Protection Act went into effect 1 Jan., the Helsinki Times reports. The revamped law states companies cannot use the information of children under the age of 13 and gives regulators more powers to penalize companies for noncompliance. Public authorities have been granted increased abilities to obtain citizens’ data for matters of “public interest,” while certain agencies have been granted immunity from fines under the EU General Data Protection Regulation.Fu... Read More

Centro Hospitalar Barreiro Montijo has been fined 400,000 euros for violating the General Data Protection Regulation. The country's supervisory authority, Comissão Nacional de Protecção de Dados, found that there were three violations of the GDPR. First was a violation of Article 5(1)(c), a minimization principle, by allowing indiscriminate access to an excessive number of users, and a violation of Article 83(5)(a) a violation of the processing basic principles. For those, the fine was 150,000 ... Read More

Hunton Andrews Kurth's Privacy & Information Security Law Blog reports on Serbia’s new data protection law, which was enacted Nov. 9 and takes effect Aug. 21, 2019. Modeled after the EU General Data Protection Regulation, the Personal Data Protection Law addresses scope, database registration, data subject rights, consent, data security, privacy by design, data transfers and data breaches, according to Karanovic & Partners. The law also sets penalties for noncompliance, with a maximum se... Read More

Amnesty International has submitted a report to the United Nations Human Rights Committee detailing the ways authorities in Belarus have violated several fundamental human rights, Belsat.eu reports. The group highlights the surveillance practices conducted by the Belarusian government, focusing on the System of Operative Investigative Measures, which allows authorities to access communication data. “The possible surveillance restricted human rights defenders, other civil society and political ac... Read More

Sept. 5, 2018, Belgium published the law implementing the EU General Data Protection Regulation’s substantive aspects in Belgium. In particular, the law addresses the various areas of national divergence allowed by the GDPR. As a result, the Belgian legal framework for data protection is now complete and is essentially composed of the following: The “Institutional Law” (Law of 3 December 2017 establishing the Data Protection Authority); The “Substantive Law” (Law of 30 July 2018 on the prote... Read More

In the lengthy list of the Hungarian government's sins that led the European Parliament to launch disciplinary proceedings earlier this month — an unprecedented step — lurked multiple offenses on the privacy and data protection fronts. On Sept. 12, the European Parliament for the first time invoked Article 7 — intended to deal with member states that seriously and persistently breach EU values of the Treaty on European Union. What does that mean for data protection? It's technically possible, fo... Read More

The Lithuanian Parliament finally passed the new Law on Legal Protection of Personal Data June 30. Lithuania was named among the EU outliers that failed to sort the national laws prior to the May 25 deadline. The adopted law came into effect July 16. The State Data Protection Inspectorate and the Office of the Inspector for Journalist Ethics — both tasked with supervision and enforcement of the Law and the GDPR in Lithuania — are obliged to adopt implementing orders until July 15. The law, whi... Read More

This is the second part of two-article series, “When the GDPR is not quite enough: Employee privacy considerations in Russia, Belarus, and Ukraine." Find the first part of this article here. Before a deep dive into the issues of employee data processing and transfer, it is worth examining the requirements for employment documentation in Russia, Belarus, and Ukraine. Generally, paper files remain the prevailing form of such documentation, and they are extensively used by local companies to demon... Read More

Many Americans would not be able to point out Estonia on a map, yet the tiny country has become a technological powerhouse and is the headquarters for NATO’s Cyber Defense Centre. Estonia was also the first country to vote online (in 2005), and almost all Estonians can now file taxes online within minutes. Now the Estonian government is heavily turning to blockchain technology to further advance its digital government services and provide citizens with greater control over their personal data. ... Read More

Software developers from Russia, Belarus, and Ukraine have become well known outside their countries for delivering high-quality IT products and services. The strong education system, wide pool of tech graduates, and moderate pay rates in these countries produced attractive destinations for the technology industry. Despite the proximity to Western Europe, the business and legal environment in Russia, Belarus, and Ukraine is very different from the one established in the EU and is often perceive... Read More