On April 21, 2021, a draft proposed European regulation on artificial intelligence (AI) (Regulation) was released following the European Commission’s white paper “On Artificial Intelligence – A European approach to excellence and trust”, published in February 2020. The regulation shows that the European Union is seeking to establish a legal framework for AI by laying … Continue Reading
In its 2020 session, the Swiss Parliament passed the revised Federal Data Protection Act (FADP), which should come into force in the second half of 2022. The Swiss supervisory authority, the Federal Data Protection and Information Commissioner (FDPIC), has published a document outlining the important amendments, which is available here. The revised FADP (revFADP) covers … Continue Reading
On March 12, 2021, the French Council of State (Conseil d’Etat), the highest French administrative court, handed down a ruling (ordonnance des référés) allowing Doctolib, a company in charge of booking COVID-19 vaccination appointments, to rely on a U.S.-based health data host. In the present case, the servers of Doctolib – whose platform had been … Continue Reading
The German Federal Cabinet adopted the Telecommunications and Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutzgesetz – TTDSG, available here) on February 10, 2021. The TTDSG, among other things, provides new rules on cookies and similar technologies (Cookies), introducing only two categories of Cookies: (1) strictly necessary Cookies and (2) consent-based Cookies. The legal basis of legitimate interests … Continue Reading
The Winter 2021 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released: English version German version In this edition we cover the following topics: Strengthening fair competition – changes to the law against unfair competition Cologne Regional Court on the broad concept of the right to access … Continue Reading
On 19 January 2021, the Information Commissioner’s Office (ICO), published a letter dated 11 September 2020, available here, explaining that personal data transfers from UK based companies to the Securities and Exchange Commission (SEC) for the purposes of regulatory compliance may be permitted under the General Data Protection Regulation (GDPR). Background Firms regulated by the … Continue Reading
The French data protection authority (CNIL) rendered three major decisions impacting worldwide online service providers following online controls and investigations performed on the companies’ websites. These decisions highlight the obligations of data controllers when using cookies and other trackers, notably regarding the way the user’s consent shall be collected, and the level of information that … Continue Reading
With the end of the Brexit transition period quickly approaching on 31 December 2020, the future of international data transfers between the UK and the European Union (EU) and European Economic Area (EEA) remains somewhat unclear. As background, Article 44 of the General Data Protection Regulation (GDPR) prohibits the transfer of personal data from the … Continue Reading
On 12 November 2020, the European Commission released draft updated standard contractual clauses (SCCs) for consultation (available here). The current SCCs were adopted by the Commission before the GDPR came into force. The CJEU’s decision in the Schrems II case has given greater urgency to updating the current SCCs. Once approved, the new SCCs will … Continue Reading
On 12 November 2020, the European Commission released its first draft set of clauses covering the Article 28 GDPR requirements, for consultation (available here). Article 28 of the GDPR governs the relationship between controllers and processors. In particular, Articles 28(3) and (4) outline the details that must be included in a data processing agreement between … Continue Reading
On 11 November 2020, the Court of Justice of the European Union (CJEU) in Orange România SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) (Case C-61/19) delivered its preliminary ruling on the issue of valid consent under the General Data Protection Regulation 2016/679/EU (GDPR) and Directive 95/46/EC. You can read … Continue Reading
On 11 November 2020, the European Data Protection Board (EDPB) released recommendations on supplementary measures for international transfers (here) and recommendations on the European Essential Guarantees for surveillance measures (here), following the Schrems II decision (see our previous blog here). As a result of the Schrems II decision, data exporters who use certain transfer mechanisms as an appropriate … Continue Reading
On 21 October 2020, almost a year after the UK’s Information Commissioner Office (ICO) provided draft guidance on the right of access, the ICO published its updated guidance on data subject access requests (DSARs), available here (Guidance). In a previous post available here, we covered what DSARs are and the principles areas of focus of … Continue Reading
On 20 October 2020, the European Data Protection Board (EDPB) met for its 40th plenary session. During the session, the EDPB adopted final guidelines on Data Protection by Design and by Default (DPbDD) (available here) (the guidelines). See our blog post on the draft DPbDD guidelines, available here. As a quick reminder, the obligation to … Continue Reading
On 8 October 2020, the European Data Protection Board (EDPB) published new guidelines on relevant and reasoned objection under the General Data Protection Regulation (GDPR). The guidelines cover the cooperation and consistency provisions set out in Chapter VII of the GDPR, under which supervisory authorities have a duty to exchange all relevant information with each … Continue Reading
In September 2020, the European Data Protection Board (EDPB) released new guidelines on the targeting of social media users (Guidelines) for consultation. Background The Guidelines address the privacy risks and legal issues that arise when social media services are used to direct specific messages to users based on particular criteria, such as the users’ perceived … Continue Reading
The German data protection authority of the federal state of Baden-Württemberg (LfDI BW) has issued detailed guidance (Guidance) on international data transfers this August and September. This is the first official guidance by a data protection authority following the decision of the Court of Justice of the European Union (CJEU) in the Schrems II case … Continue Reading
Class actions are widely known for their popularity in the United States. These types of actions are now developing in the UK because of recent data breach litigations. In the UK, group litigation can arise in two different scenarios: Group Litigation Order (“GLO”) or representative actions. GLOs are orders given by the Courts to manage … Continue Reading
On 2 September 2020, the European Data Protection Board (‘EDPB’) published new guidelines on the concepts of controller and processor in the General Data Protection Regulation (‘GDPR’). These guidelines are open for public consultation until 19 October 2020. The new guidelines will replace the previous guidelines on the same concepts, which were issued by the … Continue Reading
The UK’s Information Commissioner’s Office (“ICO”) published earlier this month its Accountability Framework, available here. The Accountability Framework is designed to assist companies demonstrate compliance with their accountability obligation under the General Data Protection Regulation (“GDPR”) and assess whether their current measures meet the ICO’s expectations. The Accountability Framework consists of ten categories where the … Continue Reading
On 11 August 2020, the Court of Appeal published its decision challenging the High Court’s approval of South Wales Police’s (‘SWP’) use of CCTV facial recognition. We wrote about the High Court’s judgment in September last year, which can be viewed here. As a quick recap of the case, SWP used CCTV automated facial recognition … Continue Reading
Recent cases have highlighted the continued tensions between the GDPR and U.S. demands for discovery in the context of U.S. litigation and investigations. This issue can present a real concern for companies operating on both sides of the pond seeking to comply with obligations on either side. Whilst the GDPR provides EU citizens with valuable … Continue Reading
On 26 May 2020, the German Data Protection Authorities (German DPAs) issued guidelines on measures to protect personal data transferred via email (Guidelines; available in Germen here). The Guidelines outline requirements for procedures to send and receive emails that must be met by data controllers, data processors and public email service providers (Email Service Providers) … Continue Reading
On 25 May 2020, the European Data Protection Board (EDPB) issued its opinions on draft decisions of certain national supervisory authorities on certification and code of conduct monitoring bodies’ accreditation requirements. This includes opinions on the draft decisions from supervisory authorities in: Finland, Germany, Ireland, and Italy, on the approval of the requirements for accreditation … Continue Reading
