The European Data Protection Board issued draft guidelines last month that outline when processing can be considered done for “legitimate interest.” The public has until November 20 to provide comments to the draft.
EDPB Provides Insight for Use of Tracking Tools
The EDPB released guidance last month to help companies understand their obligations when using newer tracking tools. These include pixels, URL tracking, IP tracking, and the like. First, some background: an EU law that predates GDPR (Directive 2002/58/EC or the Cookie Directive) impacted how companies could interact with users on their computers. That directive was updated in 2009 (Directive 2009/136/EC or the ePrivacy Directive). Under the ePrivacy Directive, among other things, companies cannot “store” or “access” someone’s “terminal equipment” without consent. (There are some exceptions to the consent requirement.) In this recent guidance, the EDPB provided direction on when and whether passive tracking technologies are storing or accessing information on a user’s computer (or other device) such that the ePrivacy Directive requirements would apply.
EU Cybersecurity Regulation Adopted, Impacts Connected Products
The EU Regulation on horizontal cybersecurity requirements for products with digital elements, the so-called Cyber Resilience Act, was officially adopted on 10 October 2024 and will be published in the EU’s official journal in the coming weeks. This law will impose important obligations on manufacturers of connected products and those placing them onto the EU market. Implementation will begin in 2026 for certain portions of the law and continue until 2027/2028 for some provisions. There are several elements for a company to keep in mind, which we have outlined below.
AI Summer Roundup: EU and Colorado Celebrate Summer with AI Legislation
As we enter the end of the summer, the AI regulatory steam is not slowing down. Colorado is now the first US state to have a comprehensive AI law (going into effect February 1, 2026), and the EU published its sweeping AI law in July (with rolling applicability between February 2025 and August 2026).
DPA 101: Do You Know Where Your Data Is?
As more and more states enact laws that mirror aspects of GDPR, and as companies begin to get used to the EU’s new standard contractual clauses, now may be a good opportunity for a refresh on data sharing agreements. As most in the privacy space are well aware, the laws in many states (and countries) call for certain oversight in these situations, and many require specific content to be included in contracts. What might you want to include in your contract roadmap?
EDPB Provides Guidance on Determining Primary Supervisory Authority
This month the EDPB shed light on the question of lead supervisory authorities. The issue arose in response to a question late last month from the French supervisory authority. Some background. As most international organizations are aware, GDPR provides for a “lead” supervisory authority in the location where a company has its “main establishment.” If, for example, an investigation is opened into a company’s violation of a particular provision of GDPR, the lead supervisory authority would be the sole authority to pursue the matter. This question can also come up when companies are trying to determine which authority to notify of a data breach. Without a lead supervisory authority, all supervisory authorities where there are data subjects would be able to participate.
CJEU Decision Will Have Impact on Potential Fine Setting Under GDPR
The Court of Justice of the European Union (CJEU) clarified in two judgments in the last month of 2023 (Deutsche Wohnen, ECLI:EU:C:2023:950 [DW] and Nacionalinis visuomenės sveikatos centras, ECLI:EU:C:2023:949 [NVSC]) the conditions under which data protection authorities across the EU may impose fines on companies for violations of the GDPR, specifically when those violations were committed either by unidentifiable employees at a company (DW) or by third parties (NVSC).
Connected Devices: Eyes on EU Data Act
The European Council recently approved a final version of the EU Data Act. The Act applies to manufacturers of connected devices. Among other things, it gives consumers certain rights about the information those devices collect. The Act is viewed as part of an overall data strategy by the EU, and complements both GDPR and the Data Governance Act.
CNIL Fines Canal+ Over Marketing and Data Security Concerns
The French Data Protection Authority announced a €600,000 fine against Groupe Canal+ over concerns with the media company’s direct marketing activities. According to the CNIL, the company sent users email marketing without getting consent, in violation of both GDPR and French privacy law. In particular, the CNIL noted, the company sent marketing emails to individuals who had provided their personal information not to Canal+, but instead to one of its partners. When doing so, they were not told by the partner that the information would be shared with, and used by, Canal+ for Canal+’s marketing activities. Canal+ should have ensured that the partners had obtained appropriate consent, according to the CNIL.
Considerations for Participation in the EU-US Data Privacy Framework
Now that the EU has adopted its adequacy decision for the EU-US Data Privacy Framework (DPF), many companies are assessing whether participation makes sense. Participation by a US entity is a mechanism (but not the only mechanism) for two parties (one EU and one US) to transfer personal data from the EU to the US. Other transfer methods include Binding Corporate Rules (BCRs) or Standard Contractual Clauses (SCCs). As we wrote recently, when the EU determined that the program was “adequate,” it noted that the safeguards developed by the US for the DPF applied to all methods of transfer. In other words, they also apply to transfers made under BCRs or SCCs.
EU Adopts Adequacy Decision for EU-US Data Privacy Framework
The EU Commission adopted today an adequacy decision for the EU-US Data Privacy Framework. As we indicated last month, this has been an area closely watched by those transferring data from the EU to the US. The issue has been a contentious one. Concerns in particular have been raised on the EU side regarding US surveillance agencies’ ability to access non-US individuals’ personal information. These concerns led to the downfall of both of the Framework’s predecessors: Safe Harbor and Privacy Shield.