General Data Protection Regulation

With the festive season now firmly upon us, there are indications that European Union institutions could soon be delivering an early Christmas present to businesses: the conclusion of trilogue negotiations on the General Data Protection Regulation (‘GDPR’).

The GDPR, according to the latest document to come out of Brussels, aims to “reinforce data protection rights of individuals, facilitate the free flow of personal data in the digital single market and reduce administrative burden.” The EU Commission, Parliament and Council are currently locked in closed-door negotiations to agree to the final text of the GDPR, and while some uncertainty remains over the exact provisions that will be included, the latest available text from the European Presidency indicates that the key changes will be that:
Continue Reading Countdown to the General Data Protection Regulation…

Plans for a single market have been delivered yet another blow, this time as a result of an ECJ preliminary ruling against a relatively unknown Slovakian company. The court ruled in Weltimmo SRO v. Nemzeti Adatvedelmi es Informacioszabadsag Hatosag, that national data protection authorities (DPAs) may take action against businesses that target residents in their Member State, even if the businesses are not registered in that state.

The ruling is significant for the ‘one stop-shop’ provisions currently being negotiated as part of the General Data Protection Regulation (‘GDPR’). In an earlier blog, we explained that the European Council endorsed the ‘one-stop-shop’ approach, so that in the future, organisations will only need to deal with the DPA having jurisdiction over the location of its EU headquarters, or EU location with delegated data protection responsibility.  The decision in Weltimmo says otherwise: an organisation will be subject to the authority of the DPA if it has an ‘establishment’ within the jurisdiction of the DPA. With the GDPR expected to be finalised later this year, it will be interesting to see how this ruling will be reconciled with the GDPR.
Continue Reading Another day…another set-back for Europe’s plans for a single market

Following adoption by the EU Council of the draft General Data Protection Regulation (the ‘draft Regulation’) in June, the Article 29 Working Party has published an opinion based on draft proposals set out by the various EU institutions, and which is likely to be referred to during the trilogue negotiations currently underway.

The opinion follows publication of the Council’s general approach and sets out a common position taken by the Working Party on the various key topics within the draft Regulation, including the definitions, scope of application, main principles, data subjects’ rights, power of authorities and governance model.

The Working Party are keen to ensure that this new regulatory framework does not lower the existing levels of data protection currently, nor undermine the existing data protection principles provided for within the Data Protection Directive.Continue Reading Article 29 Working Party publishes opinion on draft Data Protection Regulation

The EU data protection watchdog, Article 29 Working Party (Art. 29 WP), has issued the Advice paper on essential elements of a definition and a provision on profiling within the EU General Data Protection Regulation. The document underlines the significance of creating profiles based on interlinked personal data, especially given the latest developments in

This post was written by Cynthia O’Donoghue.

The landslide of proposed amendments and the recent debates over the PRISM scandal have pushed back the Civil Liberties, Justice and Home Affairs Committee (LIBE) vote on the proposed General Data Protection Regulation (Regulation). The vote, initially planned for May 2013, has already been postponed twice (see

In April, the U.S. Department of Commerce’s International Trade Administration (ITA) issued a document clarifying the application of the U.S.-EU Safe Harbor Framework to cloud computing (the clarification). The ITA believes the Safe Harbor framework is “comprehensive and flexible enough” to cover cloud computing in the same way as other data transfers.

ITA reminded those

This post was written by Cynthia O’Donoghue.

The date of the first binding vote by the Civil Liberties, Justice and Home Affairs Committee (LIBE) on the proposed General Data Protection Regulation (Regulation), which was initially planned for April-May 2013, has been postponed a second time. During the meeting on May 6, LIBE decided