On 19 May 2021, the European Data Protection Board (EDPB) adopted Recommendations on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions, available here.

Scope of the recommendations

The recommendations specifically address online providers of goods and services who store credit card data to facilitate future purchases once an individual has provided their credit card data to conclude a transaction online.

The recommendations do not apply to payment institutions operating in online stores or public authorities. They also do not apply where credit card data is stored for a different purpose, for example to comply with a legal obligation or to establish a recurring payment.

Why are these recommendations needed?

As the digital economy and e-commerce continue to develop, the risks of using credit card data online also continue to increase. In addition to ever-present payment fraud risks, there is also an increased risk of credit card data security breaches where the credit card data is stored. Controllers must therefore act to reduce the risk of unlawful processing of this data.

Continue Reading Storing credit card details for future purchases – EDPB recommends online retailers do so only with consent

The French data protection authority (CNIL) rendered three major decisions impacting worldwide online service providers following online controls and investigations performed on the companies’ websites. These decisions highlight the obligations of data controllers when using cookies and other trackers, notably regarding the way the user’s consent shall be collected, and the level of information that

On 11 November 2020, the Court of Justice of the European Union (CJEU) in Orange România SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) (Case C-61/19) delivered its preliminary ruling on the issue of valid consent under the General Data Protection Regulation 2016/679/EU (GDPR) and Directive 95/46/EC. You can read the judgment here.

The CJEU held that a printed contract for mobile telecommunication services containing a clause stating that the customer has consented to the collection and storage of their identity documents does not constitute valid consent where the box referring to that clause has been pre-ticked by the data controller before the contract was signed.

The case follows up on the previous ruling in Planet49 (Case C-673/17), on which we commented last year here and here.

Continue Reading CJEU delivers judgment on conditions for valid consent in an offline context

On 4 May 2020, the European Data Protection Board (EDPB) adopted an updated set of guidelines on consent (Guidelines) under the General Data Protection Regulation (GDPR). These updates were made to the original guidelines published by the Article 29 Working Party on 10 April 2018, which the EDPB endorsed at its first plenary meeting on 25 May 2018.

As a reminder, when a controller relies on consent as its lawful basis for processing personal data, or is required to obtain consent prior to the use of cookies, such consent must be freely given, specific, informed and an unambiguous indication of an individual’s wishes, in order to be valid. Although the original guidelines provided an in-depth analysis of each of these concepts, the EDPB felt that two specific areas required further clarification:

  • The validity of an individual’s consent to the use of cookies when access to a website’s service or functionality is conditioned on that individual giving such consent (i.e., the use of a ‘cookie wall’)
  • The validity of an individual’s consent to the use of cookies when such consent is given by the individual by scrolling through a website

Consequently, the Guidelines now include updates to the sections entitled “Conditionality” and “Unambiguous indication of wishes”, which clarify these areas.

Continue Reading EDPB updates consent guidance to clarify its position on consent to the use of cookies

A Dutch court has held that a grandmother was in breach of the General Data Protection Regulation (GDPR) for posting pictures of her grandchildren on social media platforms without their parents’ consent and refusing to delete them after multiple requests.

The GDPR does not apply to the processing of personal data by an individual “in the course of a purely personal or household activity”.

However, the court said that it was not sufficiently established what security settings the grandmother had on her social media accounts, and it was not clear whether the photos could have been found via search engines. As a result, the court was not convinced that posting the photos on social media sites constitutes a “purely personal or household activity”, as this places them in the public domain, and they could then be further distributed and used by third parties.
Continue Reading Dutch court holds that a grandmother is in breach of the GDPR for failing to remove photos of her grandchildren from social media platforms

In a world where we have been ordered to stay home and shelter in place to combat the spread of COVID-19, our children are now learning remotely. While it is fortunate that technology allows students to continue the school year at home, remote learning presents an obstacle where children’s privacy is concerned.

In the United States, the Children’s Online Privacy Protection Act (COPPA) governs the collection of personal information from children under the age of 13. It generally requires the provider of a website or online service directed at children to obtain “verifiable parental consent” before collecting any personal information from children. “Verifiable parental consent” can be obtained in a number of ways—for example, through a signed consent form that is returned via mail or electronic scan, or the use of a credit card or other online payment system that provides notification of each separate transaction to the account holder—but whatever method is used must be reasonably designed to ensure that the person giving the consent is the child’s parent or legal guardian.
Continue Reading Remember to consent in the time of COVID-19

The Summer 2019 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

In this edition we cover the following topics:

  1. ECJ and GDPR: Another decision hitting social media activities by companies
  2. EDPB does not opt for changes to EU standard contractual clauses
  3. EU

The Information Commissioner’s Office (ICO) recently published a summary report of its fact finding forum on data protection issues arising from advertising technology (adtech). Adtech is a term commonly used to refer to all technologies, software and services used for delivering and targeting online advertisements.

The ICO compiled responses from over 2,300 participants in an online survey, and conducted fieldwork with more than a hundred stakeholders (publishers, advertisers, start-ups, adtech firms, lawyers and citizens). The ICO highlighted three key challenges of adtech: (i) transparency, (ii) lawful basis and (iii) security.

Continue Reading ICO investigates adtech awareness through fact finding forum

On 21 March 2019, Advocate General Maciej Szpunar (“AG”) delivered an opinion on cookie consent, information obligations regarding cookies and consent bundling (Case C-673/17, Planet49 GmbH v. Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.). In the case at issue, users entering into a promotional lottery were confronted with two checkboxes:

  • A checkbox obtaining consent for marketing emails that was not pre-ticked, but was mandatory to tick in order to participate in the lottery (“Marketing Checkbox”)
  • A pre-ticked checkbox obtaining consent to cookies, which users could opt out of at any time (“Cookie Checkbox”)

Cookie consent

Article 4(11) of the General Data Protection Regulation (“GDPR”) defines consent as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

The AG stated that there was no active consent in this instance because the Cookie Checkbox was pre-ticked. It is not sufficient to be considered active consent if the user must object (by un-ticking the checkbox) to the use of cookies.

Continue Reading Planet49: Advocate General’s opinion on cookies and consent bundling

The Bavarian Data Protection Authority (‘Bavarian DPA’) audited major Bavarian websites for their use of tracking tools on Safer Internet Day. It calls its findings “desolate”. None of the tracking tools were implemented in a compliant manner.

Audit by the Bavarian DPA

Tracking and the requirements for using cookies have been a highly debated topic by the EU data protection authorities since last spring. The Conference of German Data Protection Authorities released a position paper on 26 April 2018, stating that tracking and profiling cookies require opt-in consent (‘Position Paper’; read more on the Position Paper in our blog here and find more background on cookies under GDPR in the German-language videos here).

The Bavarian DPA audited 40 Bavarian websites. In a summary report (‘Summary Report’, available here), the Bavarian DPA stated that all websites that were reviewed used third-party tracking tools, but none was implemented in compliance with data protection law. The websites tested relate to the following industries: online shops, sports, insurance, banks, media, cars and houses.

The Bavarian DPA focused its audit on transparency and consent.

Continue Reading German supervisory authority audited 40 websites on the use of tracking tools – and none of them was compliant