Privacy Law Blog

Category Archives: European Union

Subscribe to European Union RSS Feed

Article 29 Working Party has “Strong Concerns” About Privacy Shield

On Wednesday, the EU’s Article 29 Working Party issued its much-anticipated statement on the viability of the proposed EU-US Privacy Shield. As we’ve detailed previously, EU and US officials reached agreement on the Privacy Shield arrangement, which was meant to serve as a replacement for the invalidated Safe Harbor program, back in February, and released … Continue Reading

Safe Harbor 2.0 Agreement Reached; New Program to be Named “Privacy Shield”

Yesterday, the European Commission announced that EU and US officials had reached an agreement to implement a program known as the EU-US Privacy Shield.  Privacy Shield is designed to be the successor to the Safe Harbor program, which the European Court of Justice (CJEU) invalidated last October.  The announcement brings some relief to the many … Continue Reading

New Safe Harbor Deal Possible by February 1

Companies anxiously watching their calendars to see if a new Safe Harbor program will be introduced before the end of January may get their wish: yesterday, a European Commission official announced that the Commission will inform the European Parliament of the outcome of negotiations for a new Safe Harbor program by Monday, February 1.  This … Continue Reading

A Primer on the GDPR: What You Need to Know

Now that it’s been approved by the EU Parliament’s Civil Liberties Committee, Europe’s General Data Protection Regulation (the “GDPR” or the “Regulation”) is well on its way to replacing the 20-year-old Data Protection Directive (the “Directive”) as the EU’s omnibus data protection law.  Although it won’t officially become law until it receives the approval of … Continue Reading

GDPR Text Approved

Following yesterday’s announcement that European officials had agreed on the language of the EU’s new General Data Protection Regulation (“GDPR” or “Regulation”), today the EU Parliament’s Civil Liberties Committee approved the text of the GDPR.  The GDPR isn’t law yet, as it still needs to be approved by the EU Parliament next month.  However, the … Continue Reading

EU Officials (Finally) Agree on New Data Protection Regulation

After nearly four years of negotiation and wrangling, European Officials announced yesterday that they had finally reached agreement on the language for the EU’s new General Data Protection Regulation (“Regulation), which will replace the aging 1995 Data Protection Directive (“Directive”). In many ways, the announcement is welcome news as it will harmonize what had become … Continue Reading

The European Commission Issues Guidance on Alternative Cross-Border Data Transfer Tools

Today, one month after the European Court of Justice decision that invalidated the Safe Harbor framework, the European Commission (the “Commission”) issued a Communication setting forth its position on alternative tools for the lawful transfer of personal data from the EU to the United States.  The Commission also stated its objective to conclude negotiations with … Continue Reading

German DPAs Announce Policy Severely Limiting Mechanisms for Lawful Germany-to-U.S. Data Transfers

Over the course of the coming weeks, we will examine the various options available to companies in light of the European Court of Justice’s (CJEU) decision invalidating the US-EU Safe Harbor framework, including model contracts, binding corporate rules (BCRs), consent and reliance on derogations. News out of Germany, however, indicates that a one-size-fits all approach … Continue Reading

A German DPA Questions the Validity of the Use of Consent and Model Contractual Clauses to Transfer Personal Data to the U.S.

Just one week after the milestone decision rendered by the CJEU (http://curia.europa.eu/juris/celex.jsf?celex=62014CJ0362&lang1=fr&type=TXT&ancre) to invalidate the Safe Harbor program established 15 years ago between the U.S. and the EU to facilitate the transfer of personal data from the EU to the U.S., a German data protection authority (DPA) issued a position paper where it states that, … Continue Reading

Uncertainty for the U.S.-EU Safe Harbor Intensified by Non-Binding Recommendation for EU High Court

In a non-binding opinion issued on September 23, 2015, an Advocate General for the European Court of Justice (“ECJ”) recommended that the ECJ suspend the U.S.-EU Safe Harbor program (“Safe Harbor”) and reexamine whether the Safe Harbor provides adequate protection for personal data of EU citizens.  In light of its non-binding nature, the opinion did … Continue Reading

Google Declares “Non!” to French Privacy Regulator’s Demands that Google Apply the “Right to be Forgotten” Worldwide

In an expected but controversial move, Google has rejected a demand by the French Data Privacy authority CNIL to apply the European “Right to be Forgotten” worldwide. We have covered the E.U.’s Right to be Forgotten before, but here is a quick recap: under the E.U. rule, individuals have the right to require organizations that … Continue Reading

In the E.U., Where to Bring Suit When the Subject is Data and the Defendant is a U.S. Company? Hint: It’s About More Than Just Location

When are U.S. social media companies subject to European data privacy laws? As we reported in 2013, the answer is often contingent on geographic location – where the relevant data is processed. In 2013, for example, a German court ruled that Facebook was not subject to German data protection laws because the relevant data was … Continue Reading

European Union Cookie Sweep Highlights Need for Improved Compliance

On February 3, 2015, European data protection regulators released the Cookie Sweep Combined Analysis Report analyzing how websites use cookies to collect data from European citizens and highlighting noncompliance with Article 5(3) of the EU’s ePrivacy Directive. Among other requirements, this directive mandates that website operators obtain users’ consent for the use of cookies or … Continue Reading

e-IDs: the Future of Secure Digital Identification?

Over the past decade, the EU has made significant technological and legal strides toward the widespread adoption of electronic identification cards.  An electronic ID card, or e-ID, serves as a form of secure identification for online transactions – in other words, it provides sufficient verification of an individual’s identity to allow that person to electronically … Continue Reading

The French Data Protection Authority Fines Google for Breach of French Privacy Laws

After two years of investigation and proceedings regarding Google’s privacy policy, European Data Protection Authorities (DPAs) are now reaching their final decisions against Google. The French DPA (“CNIL”) issued ,on January 3rd 2014, a decision ruling that Google’s privacy policy did not comply with the French Data Protection laws and imposed a fine of € … Continue Reading

Where do we stand on the territorial scope of EU data protection law following the recent European Parliament vote?

The determination of the territorial scope of the current EU Directive n° 95/46 is still under dispute both before national Courts and the European Court of Justice (ECJ). This issue may soon become moot with the adoption of future data protection regulation, which may modify and expand the territorial scope of EU data privacy law, … Continue Reading

Article 29 Working Party Provides Guidance on Obtaining Valid Cookie Consent in the EU

This past month, the European Union’s Article 29 Data Protection Working Party (the “Working Party”) issued the Working Document 02/2013 providing new guidance on obtaining consent for cookies (“Working Document”). The Working Document sets forth various mechanisms which can be utilized by websites to obtain consent for the use of cookies in compliance with all … Continue Reading

European Union Parliament Makes Progress on Adopting Proposed EU Data Protection Regulation

On October 21, a key European parliamentary committee (the Committee on Civil Liberties, Justice and Home Affairs (“Committee”) approved an amended version of the draft EU Data Protection Regulation, paving the way for further negotiations with EU governmental bodies.  The goal, according to a press release by the Committee, is to reach compromise on the … Continue Reading
LexBlog