According to a press release issued by the European Commission today, the European Parliament and the Member States have agreed to adopt new rules that set the standard for protecting individuals who blow the whistle on breaches of EU law from dismissal, demotion, and other forms of retaliation. This reform,

TalkTalk, a major UK telecoms company, has been fined £400,000 for a data breach after they were hacked. This is a record fine given by the ICO (the UK’s data protection authority).  Significantly the fine was imposed after a change of leadership this summer when Elizabeth Denham (previously the Information

After nearly four years of negotiation and wrangling, European Officials announced yesterday that they had finally reached agreement on the language for the EU’s new General Data Protection Regulation (“Regulation), which will replace the aging 1995 Data Protection Directive (“Directive”).

In many ways, the announcement is welcome news as it

Today, one month after the European Court of Justice decision that invalidated the Safe Harbor framework, the European Commission (the “Commission”) issued a Communication setting forth its position on alternative tools for the lawful transfer of personal data from the EU to the United States.  The Commission also stated its objective to conclude negotiations with the U.S. government regarding the so-called Safe Harbor 2.0 within three months.  This timeline dovetails with the Article 29 Working Party’s grace period, which continues until the end of January 2016.

Over the course of the coming weeks, we will examine the various options available to companies in light of the European Court of Justice’s (CJEU) decision invalidating the US-EU Safe Harbor framework, including model contracts, binding corporate rules (BCRs), consent and reliance on derogations.

News out of Germany, however, indicates that a one-size-fits all approach to data transfers from the EU to the U.S. may be difficult to achieve.

The US-EU Safe Harbor has been back in the news recently as Germany’s data protection commissioners met at the end of January and expressed impatience at the delay in implementing what many view as necessary reforms to the program. The European Court of Justice also recently heard a challenge to Facebook’s reliance on the Safe Harbor for the transfer of user data in what many see as an important test case; this lawsuit will be the topic of a future blog post.

On February 3, 2015, European data protection regulators released the Cookie Sweep Combined Analysis Report analyzing how websites use cookies to collect data from European citizens and highlighting noncompliance with Article 5(3) of the EU’s ePrivacy Directive. Among other requirements, this directive mandates that website operators obtain users’ consent for the use of cookies or similar tracking technologies. Notably, the directive purports to reach beyond the borders of European Union to apply to any website directed to or collecting data from European citizens.

To compile data for the report, the EU’s Article 29 Data Protection Working Party conducted a sweep of 478 of the most frequently visited websites in the e-commerce, media, and public sectors in eight EU Member States. The sweep targeted websites in these sectors because they likely pose the greatest risk to data protection and privacy for European citizens. The cookie sweep consisted of two stages: (1) a statistical review of cookies used by the websites and their technical properties; and (2) an in-depth manual review of cookie information and consent mechanisms. The study recorded each website’s cookie notification method, the visibility and quality of cookie information provided, and the mechanism offered for users to express consent.