On October 7, 2024, the European Data Protection Board (“EDPB”) adopted an opinion on obligations following from the use of processors and sub-processors (the “Opinion”). The EDPB is the body that seeks to ensure harmonised...more
On 4 October 2024, the Court of Justice of the European Union (CJEU) published its long-awaited judgement in case C-621/22 (KNLTB), which clarifies that purely commercial interests may not be categorically excluded from...more
Effective information security is no longer just dependent on an organisation’s own internal cybersecurity controls. The UK Information Commissioner’s Office (ICO) highlights that third-party service providers are processing...more
Once again, a Dutch district court has recalled a decision of the Dutch Data Protection Authority (Dutch DPA) for its too strict interpretation that purely commercial interests cannot be legitimate interests under Article...more
The Italian Data Protection Authority (“Garante per la Protezione dei Dati Personali”) published a provision in which it established that some services for e-mail management are configured to collect and store metadata...more
On July 16, 2024, the National Data Protection Authority (ANPD) published Resolution No. 18/2024 (Resolution 18) outlining rules on the appointment, definition, duties and activities of a Data Protection Officer (DPO) in...more
In a recent case, Pacini & Anor v Dow Jones & Company Inc., the publisher of the Wall Street Journal unsuccessfully applied to strike out a data protection claim concerning two historic articles....more
On May 16, 2024, the CNIL announced a critical public consultation and three significant updates to adapt health research regulations in France. These updates, focusing on remote quality control, home monitoring, and...more
On 1 May 2024, the Dutch Data Protection Authority (DPA) issued guidelines on data scraping used by private organisations in relation to GDPR principles including ‘lawfulness’. The guidelines could affect the way GenAI...more
On 6 May 2024, the German data protection authorities (“DPAs”) issued an extensive guidance paper on the GDPR compliant deployment of artificial intelligence (“AI”) applications. This article summarizes the key findings of...more
Il n’y a pas de question plus difficile en matière contentieuse que celle de l’anticipation des risques de faire l’objet d’un contrôle ou d’une sanction. C’est la raison pour laquelle il est utile de se nourrir des évolutions...more
The opinion was issued in response to a request by the French Data Protection Authority and provides guidance on the conditions for determining a controller's main establishment where that controller has establishments in...more
On January 29, 2024, the Italian Data Protection Authority (Garante) notified OpenAI of breaches of data protection laws involving its ChatGPT platform....more
On October 3, the Brazilian National Data Protection Authority (“ANPD”) announced the commencement of a public consultation process regarding its pilot regulatory sandbox program ("Consultation"). All interested parties can...more
The French supervisory authority (CNIL) asked for public comments on its draft recommendation on data security in relation to processing that presents particularly high risks to individuals or to the public interest (the...more
The Spanish Data Protection Authority has opened a public consultation process to obtain comments for an incoming decision establishing the rules for commercial communications via telephone. This decision will be binding upon...more
Les derniers mois ont vu une activité bouillonnante de la CNIL avec l’adoption de nombreuses délibérations. Nous avons analysé ces décisions pour comprendre les principales orientations prises par l’autorité française....more
While the French Data Protection Authority (the "CNIL") has consistently emphasized the importance of protecting health data, there will be even more focus for 2023 with more investigations and sanctions in this sector. The...more
The German Data Protection Conference of supervisory authorities (DSK) issued a decision on how to evaluate the risk of personal data being accessed by non-EEA public authorities, or by a parent company, when processed by a...more
Ever since the White House issued its Executive Order to pave a path for the new EU-U.S. Data Privacy Framework, stakeholders have provided both praise and criticism about whether the Executive Order sufficiently addresses...more
In a joint letter this summer, the UK’s data protection regulator (the ICO) and the UK’s National Cyber Security Centre (the NCSC) sought to convey some key messages to the legal profession relevant to advising clients...more
On 26 July 2022, the Lower Saxony data protection authority ("Lower Saxony DPA") announced that it has imposed a fine of 1.1 million euros on Volkswagen ("VW") due to GDPR violations. It found that VW has violated data...more
Google Analytics remains a hot topic for businesses and apparently also for data protection authorities (DPAs). With the advent of these new decisions and the new CNIL guidance, businesses have an even harder time justifying...more
Recent reports from several European Data Protection Authorities (DPAs), the bodies empowered to regulate consumer privacy under the General Data Protection Regulation (GDPR), have ruled that Google Analytics violates the...more
The European Commission (EC) has proactively reached out to the Dutch Data Protection Authority (DPA) to criticize its interpretation of legitimate interest under the GDPR. The criticism is in response to enforcement actions...more