Now that it’s been approved by the EU Parliament’s Civil Liberties Committee, Europe’s General Data Protection Regulation (the “GDPR” or the “Regulation”) is well on its way to replacing the 20-year-old Data Protection Directive (the “Directive”) as the EU’s omnibus data protection law. Although it won’t officially become law until it receives the approval of … Continue Reading
Following yesterday’s announcement that European officials had agreed on the language of the EU’s new General Data Protection Regulation (“GDPR” or “Regulation”), today the EU Parliament’s Civil Liberties Committee approved the text of the GDPR. The GDPR isn’t law yet, as it still needs to be approved by the EU Parliament next month. However, the … Continue Reading
After nearly four years of negotiation and wrangling, European Officials announced yesterday that they had finally reached agreement on the language for the EU’s new General Data Protection Regulation (“Regulation), which will replace the aging 1995 Data Protection Directive (“Directive”). In many ways, the announcement is welcome news as it will harmonize what had become … Continue Reading
Poland’s data protection authority, the Generalny Inspektor Ochrony Danych Osobowych (GIODO), recently issued its opinion on the continued validity of personal data transfers to the US. The opinion comes at a time when nearly every means of legitimizing data transfers from the EU to the US has come under fire: on October 6, the European … Continue Reading
Today, one month after the European Court of Justice decision that invalidated the Safe Harbor framework, the European Commission (the “Commission”) issued a Communication setting forth its position on alternative tools for the lawful transfer of personal data from the EU to the United States. The Commission also stated its objective to conclude negotiations with … Continue Reading
Over the course of the coming weeks, we will examine the various options available to companies in light of the European Court of Justice’s (CJEU) decision invalidating the US-EU Safe Harbor framework, including model contracts, binding corporate rules (BCRs), consent and reliance on derogations. News out of Germany, however, indicates that a one-size-fits all approach … Continue Reading
Just one week after the milestone decision rendered by the CJEU (http://curia.europa.eu/juris/celex.jsf?celex=62014CJ0362&lang1=fr&type=TXT&ancre) to invalidate the Safe Harbor program established 15 years ago between the U.S. and the EU to facilitate the transfer of personal data from the EU to the U.S., a German data protection authority (DPA) issued a position paper where it states that, … Continue Reading
Today, the European Court of Justice (CJEU) invalidated the US-EU Safe Harbor framework, effective immediately. This momentous decision jeopardizes the continued flow of data from Europe to the US. As the Safe Harbor framework has been in place for 15 years and counts more than 4500 companies among its participants, today’s ruling is poised to … Continue Reading
In a non-binding opinion issued on September 23, 2015, an Advocate General for the European Court of Justice (“ECJ”) recommended that the ECJ suspend the U.S.-EU Safe Harbor program (“Safe Harbor”) and reexamine whether the Safe Harbor provides adequate protection for personal data of EU citizens. In light of its non-binding nature, the opinion did … Continue Reading
In what may prove to be a major step forward in US-EU privacy relations, the House Judicial Committee approved H.R. 1428, the Judicial Redress Act of 2015, on September 16. If enacted, the bill would allow citizens of “covered countries” to bring civil actions in the US under the Privacy Act of 1974. In effect, … Continue Reading
In an expected but controversial move, Google has rejected a demand by the French Data Privacy authority CNIL to apply the European “Right to be Forgotten” worldwide. We have covered the E.U.’s Right to be Forgotten before, but here is a quick recap: under the E.U. rule, individuals have the right to require organizations that … Continue Reading
When are U.S. social media companies subject to European data privacy laws? As we reported in 2013, the answer is often contingent on geographic location – where the relevant data is processed. In 2013, for example, a German court ruled that Facebook was not subject to German data protection laws because the relevant data was … Continue Reading
A brief rundown of developments in recent weeks in the area of EU data protection law: EU Data Protection Regulation On Monday, June 15, the EU Council (comprised, for purposes of data protection reform, of the justice ministers from each of the EU member states) reached an agreement on a draft data protection regulation, marking … Continue Reading
The US-EU Safe Harbor has been back in the news recently as Germany’s data protection commissioners met at the end of January and expressed impatience at the delay in implementing what many view as necessary reforms to the program. The European Court of Justice also recently heard a challenge to Facebook’s reliance on the Safe … Continue Reading
On February 3, 2015, European data protection regulators released the Cookie Sweep Combined Analysis Report analyzing how websites use cookies to collect data from European citizens and highlighting noncompliance with Article 5(3) of the EU’s ePrivacy Directive. Among other requirements, this directive mandates that website operators obtain users’ consent for the use of cookies or … Continue Reading
The European Court of Justice, in a decision rendered on May 13, 2014, held that search engines are considered data controllers under the Directive of October 24, 1995 on data protection, and as such they must provide data subjects with a “right to be forgotten.”… Continue Reading
Over the past decade, the EU has made significant technological and legal strides toward the widespread adoption of electronic identification cards. An electronic ID card, or e-ID, serves as a form of secure identification for online transactions – in other words, it provides sufficient verification of an individual’s identity to allow that person to electronically … Continue Reading
After two years of investigation and proceedings regarding Google’s privacy policy, European Data Protection Authorities (DPAs) are now reaching their final decisions against Google. The French DPA (“CNIL”) issued ,on January 3rd 2014, a decision ruling that Google’s privacy policy did not comply with the French Data Protection laws and imposed a fine of € … Continue Reading
The determination of the territorial scope of the current EU Directive n° 95/46 is still under dispute both before national Courts and the European Court of Justice (ECJ). This issue may soon become moot with the adoption of future data protection regulation, which may modify and expand the territorial scope of EU data privacy law, … Continue Reading
This past month, the European Union’s Article 29 Data Protection Working Party (the “Working Party”) issued the Working Document 02/2013 providing new guidance on obtaining consent for cookies (“Working Document”). The Working Document sets forth various mechanisms which can be utilized by websites to obtain consent for the use of cookies in compliance with all … Continue Reading
On October 21, a key European parliamentary committee (the Committee on Civil Liberties, Justice and Home Affairs (“Committee”) approved an amended version of the draft EU Data Protection Regulation, paving the way for further negotiations with EU governmental bodies. The goal, according to a press release by the Committee, is to reach compromise on the … Continue Reading
In a recent decision (deliberation CNIL May 30, 2013 n°2013-139), the French Data Protection Agency (CNIL) sanctioned a company for implementing a CCTV system without informing employees and because the CCTV enabled the constant monitoring of one employee making the recording disproportionate to the goal pursued. The CNIL also sanctioned the company because it failed … Continue Reading
Are social media companies based in the United States subject to European data privacy laws? Two recent judicial decisions – one in France and the other in Germany – arrived at different answers. The Civil Court of Paris held that Twitter, based in California, was obligated under the French Code of Civil Procedure to reveal … Continue Reading
The French, Italian, British, German, Spanish and Dutch Data Protection Authorities announced on April 2, 2013 that each will launch investigations and enforcement actions against Google on the grounds that its privacy policy is not compliant with the European Directive on Data Protection, available at http://eur-lex.europa.eu/en/index.htm, (the “Directive”).… Continue Reading