Europe

Europe Topic Page

Below, you can find the IAPP’s collection of coverage, analysis and resources related to the privacy industry in the European region.

The IAPP Resource Center includes additional European-focused topic pages for the EU General Data Protection Regulation, the EU ePrivacy Regulation and the United Kingdom.

Featured Resources

BOOK

European Data Protection, Third Edition

This textbook examines the territorial and material scope of the GDPR, legitimate processing criteria, information provision obligations, data subjects’ rights, security of processing, accountability requirements, and supervision and enforcement.

CHART

EU AI Act: 101

This chart provides an overview of the EU AI Act, which lays down a comprehensive legal framework for the development, marketing and use of AI in the EU in conformity with EU values.

RESOURCE ARTICLE

EU elections explainer: A transition year

The first article in this two-part series provides analysis on the 2024 transition year of EU leadership overhaul.

CHART

European Strategy for Data

This is a multipart series intended to provide privacy professionals with an overview of new EU legislation adopted since May 2022 under the European Union’s Strategy for Data.

INFOGRAPHIC

Navigating Government Access to Private Data in the EU

This infographic aims to highlight some important instruments related to law enforcement and government access to private data, particularly in the EU.

TOOL

Key dates for EU initiatives

The IAPP created this timeline of key dates for the primary EU regulations and initiatives affecting privacy.


Europe Data Protection Digest newsletter

Be in-the-know on EU privacy news by subscribing to the Europe Data Protection Digest newsletter.

Additional News and Resources

GDPR Genius

This interactive tool provides IAPP members ready access to critical GDPR resources — enforcement precedent, interpretive guidance, expert analysis and more — all in one location. Read More

GDPR at Five

As privacy pros look toward the future, the GDPR’s influence looms large. For privacy pros looking back over the past five years, it is clear that policymakers, companies, and regulators have zeroed in on the importance of privacy to businesses, citizens, and societies. These statistics point to the GDPR’s tangible impact. Read More

The EU AI Act: A major moment in the digital world

IAPP President and CEO J. Trevor Hughes, CIPP, moderated a discussion with IBM's Christina Montgomery and OpenAI's Emma Redmond on what this moment means for the deployment of artificial intelligence systems globally and the teams that will steer their development. Tune in to learn what it could mean for you and your organization. Read More

Breaking down the EU AI Act

On Monday, 22 Jan., the text of the EU Artificial Intelligence Act was leaked to the public. In this LinkedIn Live, IAPP AI Governance Center Managing Director Ashley Casovan moderates a discussion with Considerati Managing Director Cornelia Kutterer, IAPP Managing Director, Europe, Isabelle Roccia, CIPP/E, and MEP Axel Voss's Digital Policy Advisor Kai Zenner to discuss the text. What is in the act? What changes are there between this version and previous versions? What major requirements do you need to know about, and how should organizations prepare? Read More

EU Data Act: 101

This chart provides an overview of the EU Data Act. The Data Act creates new rules on who can access and use data generated in the EU across all economic sectors. Read More

The EU AI Act: 'We have a deal!' Now what?

Over the weekend, EU co-legislators reached a political agreement on the Artificial Intelligence Act more than two and a half years after it was initially proposed. During this #LinkedInLive, the IAPP's Caitlin Fennessy, CIPP/US, will moderate a conversation between Ashley Casovan (Managing Director, AI Governance Center, IAPP) and Isabelle Roccia, CIPP/E, (Managing Director, Europe, IAPP). They will discuss the significance of the announcement, how we got there, what was agreed upon and what the next steps are. Read More

Luca Bertuzzi on the EU AI Act's political deal and what's next

After a grueling trilogue process that featured two marathon negotiating sessions, the European Union finally came to a political agreement 8 Dec. on what will be the world's first comprehensive regulation of artificial intelligence. The EU AI Act will be a risk-based, horizontal regulation with far-reaching provisions for companies and organizations using, designing or deploying AI systems. Though the so-called trilogue process is a fairly opaque one, where the European Parliament, European Co... Read More

EU reaches deal on world's first comprehensive AI regulation

After three days of intense negotiations, the European Union reached a political agreement 8 Dec. on the Artificial Intelligence Act, which would be the world's first comprehensive regulation of AI.  The trilogue process between the European Commission, Council of the European Union and European Parliament stretched on for more than 32 hours over the course of a three-day period last week, with negotiators announcing the deal late Friday night.  European Commission President Ursula von der Ley... Read More

Empowering users: A universal interface for digital ad preferences

A study published earlier this year by the European Commission, and conducted on its behalf by AWO, found numerous negative impacts of the digital advertising market on advertisers, publishers, users and society. For example, disinformation websites are funded through digital ads, harming democracy and diverting revenues from legitimate publishers. Furthermore, the market's complexity and lack of transparency prevent advertisers from ensuring their ads aren't placed next to content that may hur... Read More

Reynders announces European Commission's latest international data transfer plans

Since taking on the role of European Commissioner for Justice in 2019, Didier Reynders said a top priority was developing a new trans-Atlantic framework for data transfers following the invalidation of the EU-U.S. Privacy Shield. With the EU-U.S. Data Privacy Framework now in place, Reynders is widening the scale of the EU's efforts on data flows. On the keynote stage at the IAPP Europe Data Protection Congress 2023 in Brussels, Reynders highlighted a conference being planned for next year that... Read More

CJEU rules individuals have right to free copy of their personal data

The Court of Justice of the European Union's judgment in FT v. DW (Case C‑307/22) has been released, illustrating some key provisions on data subject access requests. The case involved a patient, DW, who requested a free initial copy of their medical records from a dentist, FT. This request triggered a legal dispute that raised important questions about data access and the rights of individuals. The patient had received dental treatment from the dentist and suspected malpractice in the treatmen... Read More

Survey finds many EU companies not yet compliant with NIS2

A Sailpoint survey of 1,500 IT leaders found only one-third of organizations are prepared for when the EU's updated Network and Information Security Directive takes effect October 2024, Infosecurity Magazine reports. The law encompasses companies within the energy, transport, banking and health care sectors. The survey found 80% of respondents need to secure their supply chains under the law's requirements.

EDPB issues binding decision banning Meta's targeted advertising practices

An unprecedented shakeup in the advertising technology space has arrived in Europe. Changes are coming to adtech's approach to privacy and consent around personalized advertising after the European Data Protection Board issued an urgent binding decision to ban Meta's data processing for behavioral advertising. The EDPB decision applies to Meta's Facebook and Instagram users across EU member states and European Economic Area countries. It stems from a request from Norway's data protection author... Read More

Data without borders: EU e-Evidence package facilitates access to private data across jurisdictions

On 27 June 2023, the EU formally adopted a novel set of rules regarding cross-border access to data by law enforcement during criminal investigations. The electronic evidence package, Regulation (EU) 2023/1543, includes a regulation with internal EU rules on law enforcement data access and a directive with compliance requirements for service providers receiving production and preservation requests.   The package represents a notable advancement in criminal justice in cyberspace because it allow... Read More

Key points of the DPC's GDPR decision on TikTok and children's data

Following the European Data Protection Board's dispute resolution decision, Ireland's Data Protection Commission in September adopted its final decision against TikTok Technology Limited related to the company's processing of children's personal data.  The findings build on many positions established in the DPC's September 2022 decision concerning Instagram's processing of children's personal data. For example, regarding transparency information for child users, the DPC found that stating "peop... Read More

European Commission releases DMA compliance report template

The European Commission published the compliance report template for gatekeepers defined under the Digital Markets Act. The report must include required information in a "detailed and transparent manner" and be submitted within six months after designation with annual updates thereafter. The initial round of gatekeepers designated 6 Sept. have until 7 March 2024 to file.

Ireland's DPC publishes case study handbook

Ireland's Data Protection Commission released a case study handbook documenting notable actions from the first five years of EU General Data Protection Regulation enforcement. The booklet contains 126 case studies showing relevant examples of the DPC's focus and approach to various types of complaints.

Ireland's DPC issues 345M euro TikTok children's privacy fine

Ireland's Data Protection Commission continues to demonstrate the repercussions companies will face if they fail to meet the core principles of the EU General Data Protection Regulation. The latest example comes with the DPC's adoption of a 345 million euro fine and corrective measures against TikTok over alleged GDPR violations concerning children's data protection. The enforcement action concerns claims against TikTok's platform settings for kids that it had in place over a five-month span 31... Read More

Contentious areas in the EU AI Act trilogues

The European Union's Artificial Intelligence Act is on track to become the world's first comprehensive regulation of this emerging technology. As a first mover, and by virtue of the "Brussels Effect," the AI Act may be talked up as one of the global standards for the regulation of AI — much as the EU General Data Protection Regulation has been for the regulation of data protection. Following a series of amendments adopted by the European Parliament in June, the final legislative deliberations of... Read More

Switzerland DPA releases data protection impact assessment guide

Switzerland's Federal Data Protection and Information Commissioner published an information sheet for conducting data protection impact assessments. Following the passage of the revised Data Protection Act, the document instructs federal bodies and citizens to "prepare a data protection impact assessment if the planned data processing entails a high risk for the (personal data) or the fundamental rights of the persons concerned."

Ireland's DPC discusses back-to-school photo safety

Ireland's Data Protection Commission marked the beginning of the new school year with a blog directed at parents posting back-to-school photos on the web. The DPC pointed to potential unintended oversharing of children's personal data, recommending attention be paid to sharing school details and physical location of photos while informing kids of privacy risks.

The Atlantic Declaration: Data bridges, privacy and AI

On 8 June, U.K. Prime Minister Rishi Sunak and U.S. President Joe Biden announced the Atlantic Declaration: A Framework for a Twenty-First Century U.S.-UK Economic Partnership. It is the latest, most high level (it doesn’t get higher) and most conclusive development in the development of a comprehensive U.S.-U.K. partnership on data and artificial intelligence. Data Sharing data across borders is a fact of life for all organizations doing businesses or operating internationally. Yet, doing so ... Read More

Unpacking the DPC's data transfers decision

Ireland’s Data Protection Commission released its final and long-anticipated decision in the Meta data transfers case. What does the decision mean for Meta’s data transfers to the United States? What does it mean for other companies relying on standard contracts to transfer data? Read More

Ready for the new Swiss data protection law? Implications for organizations outside Switzerland

The revised Swiss Federal Act on Data Protection comes into force 1 Sept. Unsurprisingly, perhaps, this upgrade to the 1992 version brings Switzerland's data protection regime into greater alignment with the provisions of the EU General Data Protection Regulation. This includes the introduction of new, more stringent obligations on non-Swiss companies doing business in Switzerland, such as the requirement to appoint a Swiss representative. There is also an increased emphasis on the commitment to... Read More

Beyond GDPR: Unauthorized reidentification and the Mosaic Effect in the EU AI Act

A key concern in today's digital era is the amplified risk of unauthorized reidentification brought on by artificial intelligence, specifically by the large and diverse data sets used to train generative AI models, such as large language models. However, these risks can be effectively mitigated. By adopting technology solutions that uphold legal mandates, organizations can harness the power of AI to realize commercial and societal objectives without compromising data security and privacy. This ... Read More

Is this the end of consent-less tracking by online platforms in the EU?

Like most of the "free" internet, online social media is funded through online advertising tailored to individual users' behavior and interests. The Court of Justice in the European Union decision in Case C-252/21 relates to one such platform, Meta, regarding its online social network, Facebook. The case is noteworthy for the advertising industry because it involves a competition authority determining data protection issues and calls into question whether platforms can carry out personalized adv... Read More

European Commission adopts EU-US adequacy decision

The European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework, concluding it ensures U.S. protection of personal data transferred between the countries is comparable to that offered in the EU. But even as its finalization was announced Monday, the new framework, which enters into force 11 July, is poised to face a legal challenge. "Personal data can now flow freely and safely from the European Economic Area to the United States without any further conditions or a... Read More

The definition of 'anonymization' is changing in the EU: Here’s what that means

The concept of anonymization — a concept that is, despite its ambiguities, critical for data science programs around the world — can be confusing across jurisdictions. Data that meets the standards for "anonymization," for example, are generally not subject to privacy or data protection laws. With the rapid adoption of artificial intelligence, which is typically trained on vast amounts of data, the need for clarification has only become stronger, as has the push toward standardization. Nowhere ... Read More

In scope or not? An EU AI Act decision tree and obligations

As with a colorblindness hue test, if you stare at the new version of the EU Artificial Intelligence Act for long enough, some patterns form (or maybe you are just losing your vision or your mind). Below is a decision tree to help assess whether you fall in scope. Is it an AI system? Per the pending legislation, an AI system is "a machine-based system that is designed to operate with varying levels of autonomy and that can, for explicit or implicit objectives, generate outputs such as predicti... Read More

The EU Artificial Intelligence Act: A look into the EU negotiations

Original broadcast date: 31 May 2023. The IAPP presents an update on the EU Artificial Intelligence Act. Proposed by the European Commission in April 2021, the AI Act has been fiercely debated ever since. The European Parliament will formalize its version in June, opening the way for trilogue negotiations with member states and the European Commission to finalize the law. During this LinkedIn Live broadcast, the IAPP's Isabelle Roccia will moderate a discussion between Laura Caroli, Rocco Panetta...

Europe's rulebook for artificial intelligence takes shape

The European Union has been working on the world's first comprehensive law to regulate artificial intelligence. The file is approaching the finish line two years after the legislative proposal was presented. The EU AI Act has the potential to become the international benchmark for regulating the fast-paced AI field, much like the General Data Protection Regulation inspired data protection regimes in countries worldwide, from Brazil to Japan to India. "We are on the verge of building a real lan... Read More

Ireland DPC's data transfers decision: Pragmatic punch or knockout blow?

On May 22, Ireland's Data Protection Commission published its anxiously anticipated decision in the Meta data transfers case, which includes a record-breaking 1.2 billion euro fine, a stop-transfer order with a carefully delineated timeline and an order to cease unlawful processing of EU data in the U.S. within six months. Those who have watched the trans-Atlantic data transfer's title fight closely enough to require sweat towels themselves might be asking — should we mark today's decision as a... Read More

The EDPB Coordinated Enforcement Action on the role of DPOs

What does the European Data Protection Board’s coordinated enforcement action on the role of data protection officers (DPOs) entail, and how will it affect practitioners and their organizations? First, IAPP’s Isabelle Roccia will be joined by the Deputy Head of the EDPB Secretariat, Gwendal Le Grand. Le Grand will present an overview of the coordinated enforcement action from an EDPB perspective and discuss how DPAs will implement the action via questionnaires and investigations. Following this explanation, Isabelle Roccia will host a conversation with Natalija Bitiukova (IKEA) and Kate Colleary (Pembroke Privacy) on their experience as internal and external DPOs, respectively. This discussion will address the role and requirements of the DPO, both in theory and in practice, and how the EDPB’s coordinated enforcement action will play into it. Read More

UK data protection reform: An overview

On 8 March 2023, the U.K. government introduced the Data Protection and Digital Information (No. 2) Bill to Parliament. Its objective is to “update and simplify” the U.K.’s data protection laws and certain other legislation. This article sets out a comprehensive summary of the changes in comparison to the GDPR. Read More

Irish DPC publishes Article 30 guidance

Ireland's Data Protection Commission published a guidance note to assist data controllers in compliance with Article 30 of the EU General Data Protection Regulation, which requires a maintained record of processing activities. The DPC drafted the guidance following a "sweep" of processing activity records of 30 public and private sector organizations and said it includes "particular emphasis" on the "positive practices identified" through the process, as well as identified shortcomings "to assis... Read More

Irish DPC publishes guides for children's data protection, rights under EU GDPR

The Irish Data Protection Commission published three guides for children to explain data protection and their rights under the EU General Data Protection Regulation. The guides are intended for children ages 13 and older because that is the minimum age required to sign up for many social media platforms. The subject matter of the DPC’s guides are data protection, which would introduce children to the concept of what data is, a guide for educating children about their rights under the EU GDPR, an... Read More

NGO seeks more Ukrainian privacy awareness amid Russian invasion

When the Russian military invaded neighboring Ukraine 24 Feb. 2022, western defense analysts were in near-consensus that Ukraine would collapse in a matter of weeks, if not days. Though questions remain about how the conflict will ultimately conclude, a year into the invasion, the need to secure Ukrainian citizens' personal data has often taken on a life-and-death importance. Teaching the teachers in privacy  PrivatBank senior data privacy specialist Dmytro Korchynskyi, CIPP/E, CIPM, FIP, and ... Read More

EDPS to join EDPB's coordinated enforcement against DPOs

The Office of the European Data Protection Supervisor announced its intentions to join the European Data Protection Board in its coordinated enforcement of data protection officers. While data protection authorities will cover private and public DPOs at a national level, the EDPS will focus its attention on "the role, responsibilities and tasks of data protection officers in the (EU institutions)." Editor's note: The IAPP's Jennifer Bryant reported on the EDPB's coordinated enforcement launch.

CNIL’s Secretary General rolls out plans for 2023 at DPI France

Mobile apps, artificial intelligence and cybersecurity will be the main focus areas of France's data protection authority, the Commission nationale de l'informatique et des libertés, in coming years. During the IAPP Data Protection Intensive: France this week in Paris, CNIL Secretary General Louis Dutheillet de Lamothe laid out the regulator's focus areas, as well as the projects it has or will soon launch in those key areas. According to Dutheillet de Lamothe, the EU General Data Protection Regu...

ICO releases new UK GDPR certification scheme

The U.K. Information Commissioner’s Office approved the fourth set of U.K. General Data Protection Regulation certification scheme criteria for training and qualifying service providers. The scheme's intention will "enable … candidates to make informed choices when applying for training" programs so they can maintain confidence their personal data is being processed in accordance with the law. Other certification schemes released so far cover secure disposal and reuse of IT equipment, age assura... Read More

UK introduces draft data protection reform

The U.K. released draft data protection reform of its General Data Protection Regulation. On Wednesday, U.K. Secretary of State for Science, Innovation and Technology Michelle Donelan introduced the Data Protection and Digital Information (No. 2) Bill to Parliament.  The first version of the reform bill was originally proposed by the government in July 2022 but was put on pause last September in the wake of Liz Truss's then-appointment as prime minister.  "Co-designed with business from the st... Read More

Top ten takeaways from the draft UK GDPR reform

At the time of last year’s IAPP Data Protection Intensive: U.K., no legislative proposals to reform the U.K. General Data Protection Regulation had been made public. This year, on the first day of the conference in London, the U.K. government published the Data Protection and Digital Information (No.2) Bill. As the title suggests, this is the second iteration of a set of proposals to reform the U.K. GDPR. The first iteration — the Data Protection and Digital Information Bill — was published Jul... Read More

Irish DPC Annual Report 2022

The Irish DPC released its annual report for 2022, which highlights its workload and regulatory accomplishments over the last year, including the finalization of 17 large-scale investigations that yielded fines totaling more than 1 billion euros. Read More

A look at what's behind the EDPB’s coordinated enforcement framework

The first annual coordinated action under the European Data Protection Board's Coordinated Enforcement Framework, on the use of cloud-based services by the public sector, concluded in January. Starting mid-March, European data protection authorities will prioritize joint actions focusing on the position of data protection officers. IAPP Managing Director, Europe, Isabelle Roccia describes the process behind the CEF, the role of DPAs in coordinated enforcement actions and possible outcomes, sayin... Read More

EU policymakers have adtech in sight for future regulation

With the EU elections in May 2024 fast approaching, policymakers in Brussels are scrambling to close open files, plan their next move and set the groundwork for the upcoming mandate. At this stage of the legislative cycle, the European Commission assigns external studies that provide significant indicators of its future areas of interest. Online advertising seems to have caught the regulators’ attention in the digital domain. The appetite to regulate this sector became evident during negotiatio... Read More

MEPs urge European Commission to reject EU-US adequacy

The European Parliament Committee on Civil Liberties, Justice and Home Affairs does not want the European Commission to extend an adequacy decision to the U.S. based on the proposed EU-U.S. Data Privacy Framework. The committee made as much clear in its draft opinion on the EU-U.S. adequacy published Feb. 14. In their opinion, committee members concluded the proposed DPF "fails to create actual equivalence in the level of protection" offered under the EU General Data Protection Regulation and u... Read More

CJEU issues ruling on DPOs and conflict of interest

Data protection officers can maintain other tasks and duties within their role, if they do not result in a conflict of interest, the Court of Justice of the European Union has affirmed. In a Feb. 9 ruling centered around Article 38 of the EU General Data Protection Regulation, the CJEU stated DPOs should “be in a position to perform their duties and tasks in an independent manner” but “cannot be entrusted with tasks or duties which would result in him or her determining the objectives and metho... Read More

UK PM overhauls government departments, including focus on innovation and tech 

U.K. Prime Minister Rishi Sunak announced the creation of four new government departments, including a dedicated Department for Science, Innovation and Technology focused on technical innovations. The changes remove digital and data policy responsibility from the Department for Culture, Media and Sport and create the DSIT. The department will “drive the innovation that will deliver improved public services, create new and better-paid jobs and grow the economy,” a press release stated. “Having ... Read More

Privacy Around the Globe: United Kingdom

Original broadcast date: Feb. 2, 2023. This LinkedIn Live is part of the IAPP Privacy Around the Globe series which takes a close look at the changing privacy landscape in different countries around the world. In this session, IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP/US, connects with IAPP Research and Insights Director Joe Jones to take a close look at the changing privacy landscape in the United Kingdom. Watch the full recording on LinkedIn. Access the IAPP's L...

European Commission publishes guidelines for Digital Services Act user reporting

The European Commission released guidance to assist companies in complying with the Digital Services Act's user reporting requirements. The reporting will help determine whether increased DSA obligations for "very large" online platforms and search engines are to be applied. Under the law, additional obligations are triggered for companies that "show that they reach more than 10% of the EU's population." Companies are required to report initial user numbers by Feb. 17 and offer updates at least ... Read More

What the EU has in store for 2023

With the European elections in spring 2024 fast approaching, in the next 12 months, EU policymakers will focus on closing the most important legislative files. Artificial Intelligence Act The EU's Artificial Intelligence Act is the first attempt to establish a regulatory framework for artificial intelligence. As Brussels doesn't want to lose its first-mover advantage and set up the international standard in the field, there will be a rush to close the negotiations before the end of the year. ... Read More

A practical guide to anonymization standards across the EU and UK

Data anonymization is an important tool for organizations to protect the personal data of individuals, while averting the onerous requirements of the EU and U.K. General Data Protection Regulations. Unfortunately, guidance on this subject is often unclear, with standards for anonymization differing among jurisdictions. This article provides privacy practitioners with a concise guide to understanding these divergent approaches. It further discusses ways in which the European Data Protection Board... Read More

EDPB’s Meta decisions explained: Resolving the adtech dispute

Original broadcast date: Jan. 19, 2023. In this LinkedIn Live event, IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP/US, joins EDPB Head of the Secretariat Isabelle Vereecken and EDPB Head of Activity for Legal Coordination Carolina Foglia for a discussion on what the EDPB's Meta decisions mean from the regulators’ perspective and what is now expected of those engaged in behavioral advertising across the EU. Watch the full recording on LinkedIn. Access the IAPP's Linked...

10 takeaways from the Irish DPC decisions on Meta

Ireland's Data Protection Commission issued the much-anticipated decisions regarding the EU General Data Protection Regulation legal basis Meta can use in connection with processing personal data for targeted advertising. The decisions are a revised version of the draft opinion issued by DPC in October 2022, pursuant to objections filed by the supervisory authorities of Austria, France, Germany, Italy, the Netherlands, Norway, Poland, Portugal and Sweden and EDPB determination. Per the revised d... Read More

Irish DPC, EDPB Meta decisions raise complex, fundamental questions

As more details unfold within the Irish Data Protection Commission and European Data Protection Board’s published Meta decisions, the privacy community is grappling with complex and fundamental questions surrounding legal bases for data processing, transparency within privacy notices, uncertainty around EU General Data Protection Regulation compliance, and more. The DPC last week fined Meta Ireland a combined 390 million euros and in its decisions, officially released with the EDPB’s binding de... Read More

Irish DPC fines Meta 390M euros over legal basis for personalized ads

The Irish Data Protection Commission adopted final decisions on two inquiries into Meta’s Facebook and Instagram, fining the company a total of 390 million euros and potentially leading to an upheaval of its personalized advertising model in the EU. The DPC announced Meta’s basis for seeking user permission to collect data for personalized advertising, used by its Facebook and Instagram platforms, is invalid and gave the company three months to bring its data processing operations into complian... Read More

EU-US draft adequacy decision arrives, EU process begins in earnest

The next domino in the finalization of the proposed EU-U.S. Data Privacy Framework has fallen. The European Commission published its draft adequacy decision recognizing the essential equivalence of U.S. data protection standards, paving the way for finalization of the DPF and unimpeded data flows. The U.S. executive order committing to an overhaul of foreign intelligence agencies' access to personal data and creation of a new redress system for EU citizens spurred the preliminary adequacy ackno... Read More

The EU AI Act: A discussion with MEP and co-rapporteur Dragoș Tudorache

Nearly five years after the implementation of the EU General Data Protection Regulation, Europe is immersed in a digital market strategy that is giving rise to a host of new, interconnected regulation. Among this complexity resides the proposed Artificial Intelligence Act. Originally presented by the European Commission April 2021, the AI Act is now in the hands of the Council of the European Union and European Parliament. If passed, this would be the world’s first comprehensive, horizontal reg... Read More

A look at European Parliament’s AI Act negotiations

The proposed Artificial Intelligence Act would be the first horizontal regulation of AI in the world, but, as always, the devil is in the details. Though the Council of the European Union has nearly completed its version, the European Parliament is still negotiating its version. IAPP Editorial Director Jedidiah Bracy, CIPP, looks at how other EU lawmakers and stakeholders are crafting this massive, precedent-setting legislation. Full Story The Privacy Advisor Podcast: MEP Tudorache unpacks think... Read More

Europe seeks a way out of the data retention pickle

Data retention has long been a blind spot of Europe's otherwise strict data protection regime. But a possible practical solution might be in sight. The European Union has a long history of asking the same question several times until the answer is the desired one. For example, in the 2000s, Ireland rejected the treaties of Nice and Lisbon before a second referendum approved them. For some, the same is happening in the data protection sphere. In a recent interview, privacy activist and Austrian... Read More

The EU's temptation to break end-to-end encryption

Last May, the European Commission presented a proposal to fight Child Sexual Abuse Materials. The proposed legislation has spurred controversy as it touches upon the delicate issue of private interpersonal communications and might affect end-to-end encryption. The issue of child pornography has exploded recently, as abusive online content has increased by 60 times in the last 10 years. While content production mainly takes place in the "global south," groups of countries in Africa, Latin Americ... Read More

The EU-US Data Privacy Framework and next steps for data transfers

Original broadcast date: Oct. 7, 2022 In this LinkedIn Live event, IAPP's Caitlin Fennessy, CIPP/US, Alston & Bird's Peter Swire, CIPP/US, American University Washington College of Law's Alex Joel, CIPP/G, CIPP/US, and Future of Privacy Forum's Gabriela Zanfir-Fortuna discuss U.S. President Joe Biden's executive order implementing the EU-U.S. Data Privacy Framework. Watch the full recording on LinkedIn. Access the IAPP's LinkedIn profile ... Read More

IAPP country leaders weigh in: What’s next for data protection in Europe?

Original broadcast date: Oct. 6, 2022 In this LinkedIn Live event, IAPP Managing Director, Europe, Isabelle Roccia spoke with IAPP European country and regional leaders: Ulrich Baumgartner, CIPP/E, in the DACH region, Kate Colleary, CIPP/E, CIPM, in Ireland, Yann Padova in France, Rocco Panetta, CIPP/E, in Italy, and Jeroen Terstegge, CIPP/E, CIPP/US, in the Netherlands. Each panelist discussed what they foresee for data privacy in their respective region, as well as what privacy and data prote... Read More

A view from Brussels: The latest on the DSA, DMA and Privacy Shield

I leave the pen to my colleagues for a couple of weeks, and I come back with a whole shopping list of things I want to share with you all. DSA and DMA update The Digital Services Act was approved by the Council of Member States, marking the end of a legislative process that started with the commission's proposal in December 2020. The final text, as approved by the EU co-legislators, is expected to be published in the EU Official Journal in November for an entry into force 20 days following. It... Read More

The value of a UK representative: A response to the DPDI Bill

In July, the U.K. government introduced the Data Protection and Digital Information Bill, setting out its proposed amendments to U.K. data protection laws. The proposals stem from a consultation conducted by the Department for Digital, Culture, Media and Sport last year. The consultation received nearly 3,000 responses from domestic and overseas organizations representing a cross-section of the U.K. economy. However, not all changes proposed in the bill were included in the consultation process.... Read More

Is data localization coming to Europe?

Two years ago, the Court of Justice of the European Union invalidated Privacy Shield, the legal framework for EU-U.S. data flows. The consequences of that ruling reinforce the EU's digital sovereignty agenda, which increasingly sees data localization as one of its core elements. Since the "Schrems II" judgment by the CJEU, the U.S. presidential administration and European Commission have been working on replacing the trans-Atlantic agreement with a new one that could stand judicial review befor... Read More

EU Artificial Intelligence Act Proposal: What could it change?

Original broadcast date: July 12, 2022 In this LinkedIn Live, IAPP Europe Managing Director Isabelle Roccia, IAPP Senior Westin Research Fellow Jetty Tielemans, Criteo Vice President of Government Affairs and Public Policy Nathalie Laneret, CIPP/E, CIPM, and Kai Zenner, Head of Office and Digital Policy Adviser to Member of European Parliament Axel Voss, discuss proposed changes to the EU Artificial Intelligence Act, similarities with existing regulatory structures, what it could mean for the U... Read More

Proposed EU AI Act blurs lines between AI developers and data processors under GDPR

The proposed EU Artificial Intelligence Act and its intersections with the EU General Data Protection Regulation could present compliance issues for data compliance officers across the continent, according to IAPP Senior Westin Research Fellow Jetty Tielemans. The AI Act has some similarities with the Digital Services Act and the Digital Markets Act regarding how they clarify the GDPR, Tielemans said during a recent IAPP LinkedIn Live. However, she explained the AI Act differs in that "sensitiv... Read More

UK unveils data reform bill, proposes AI regulation

The U.K. government Monday introduced a pair of post-Brexit data reform initiatives aimed at guiding responsible use of data while promoting innovation in the economy, according to two government releases.  In the House of Commons, the government released the Data Protection and Digital Information Bill. In a separate statement, Minister for Media, Data and Digital Infrastructure Matt Warman said the data protection reform bill will help "transform the UK's independent data laws."  In parallel... Read More

Sanctions under EU GDPR and recent data regulations: A case of double jeopardy?

The European Union is on the verge of adopting a series of regulations that will affect how data is collected and shared in the EU. These include the Data Governance Act, the Digital Services Act, the Digital Markets Act, the Artificial Intelligence Act and the Data Act. These acts do not focus on personal data — in fact, European lawmakers continuously stress that the main aim of these acts is to regulate nonpersonal data. But these acts also do not exempt personal data from their scope of appl... Read More

A view from Brussels: GDPR & DGA, DSA, DMA: When the rubber meets the road

Original broadcast date: June 1, 2022 In this LinkedIn Live event, IAPP Managing Director, Europe Isabelle Roccia and European Commission Deputy Head of Unit for Data Protection, Directorate-General for Justice Karolina Mojzesowicz discuss the state-of-play of the EU General Data Protection Regulation implementation, and the interplay between the GDPR and new data legislation. Four years in, how is the GDPR implementation going? Where do the Data Governance Act, the Data Services Act and the Di... Read More

EU plans to improve health data access

The European Commission plans to improve access to health data for patients, medical professionals, regulators and researchers to reduce unnecessary medical tests and prescriptions, Reuters reports. Under the proposal, data from patients’ health records and wellness applications would be combined and made accessible through free online databases under strict privacy rules. Patients cannot always access their health data electronically and hospitals often do not share data in its entirety with ot... Read More

Consent as legal basis for EU and UK employment

Consent is one of the EU General Data Protection Regulation legal bases that can be used to justify the collection, handling or storage of personal data. For consent to be valid, it must be clearly distinguishable from other matters, intelligible and in clear and plain language, freely given, as easy to withdraw as it was to provide, specific, informed and unambiguous (GDPR Article 6, 7 and Recitals 32, 33 and 43). In the employment context, consent is deemed to be problematic. An actual or per... Read More

CJEU ruling on GDPR litigation builds 'jurisprudence on data protection'

A ruling by the Court of Justice of the European Union confirming consumer groups have a right to file representative actions over alleged EU General Data Protection Regulation violations, when permitted under national law, unblocks dozens of cases and puts an end to a lingering enforcement question. The court’s April 28 judgment allows consumer protection organizations to autonomously bring forward lawsuits on behalf of consumers against an individual or entity claimed to be responsible for “a... Read More

The UK data policy and possible divergences with the European Union

In December 2020, the British government presented its national data strategy, outlining its ambition to unlock data value and promote responsible growth by reducing the administrative burden on technology innovators and digital entrepreneurs. The strategy prompted concerns in Brussels that the new U.K. data policy might stray away from the EU General Data Protection Regulation. In early 2020, Prime Minister Boris Johnson announced that the U.K. would establish its own "sovereign" rules in the... Read More

European Parliament issues report on AI Act

European Parliament's Committee on the Internal Market and Consumer Protection, and Committee on Civil Liberties, Justice and Home Affairs released a joint report with their recommendations for the proposed Artificial Intelligence Act. Proposed amendments from the committee include a ban on predictive policing, a public AI technology registration requirement and further alignment with the EU General Data Protection Regulation. Advocacy group Access Now was among the first on-lookers to examine a... Read More

EDPS, EDPB chair talk privacy policy in the EU, beyond

There’s a lot happening in privacy in the EU — from a new trans-Atlantic data flow agreement reached in principle with the U.S. to a suite of proposed data laws as part of the EU digital strategy, enforcement activity and more. European Data Protection Supervisor Wojciech Wiewiórowski and European Data Protection Board Chair and Head of the Austrian Data Protection Authority Andrea Jelinek shared their insights on the latest in a session moderated by Microsoft Corporate Vice President and CPO J... Read More

EU, US agree 'in principle' to new trans-Atlantic data agreement

U.S. President Joe Biden and European Commission President Ursula von der Leyen announced Friday that the U.S. and EU have reached a new trans-Atlantic data flow agreement. Importantly, the agreement is in principle only at this point, and details about the deal are not yet known.  In a press conference from Brussels, Biden said, "Today we have agreed to unprecedented protections for data privacy and security for our citizens. This new arrangement will enhance the Privacy Shield framework, prom... Read More

EU Parliament, Council reach deal on Digital Markets Act

The European Parliament and Council reached a provisional agreement on the Digital Markets Act, regulation targeting online advertising, messaging services and other practices of large technology platforms. “I think we have created something with an original architecture that’s effective, with more challenging obligations,” European Commissioner for Competition Margrethe Vestager said. IAPP Staff Writer Jennifer Bryant has the details. Following the provisional agreement, journalist Luca Bert... Read More

The data provisions in the EU's upcoming Big Tech law

The EU's Digital Markets Act is a legislative proposal meant to define a list of do's and don'ts for online platforms so large that they are deemed to play a "gatekeeper" role. The rationale is that these platforms enjoy such an entrenched and durable position that they prevent competition in the European single market. A gatekeeper has a dominant position in a critical digital market and acts as a gateway for businesses that want to reach their customers. These digital markets include cloud se... Read More

Data portability in the EU: An obscure data subject right

The EU General Data Protection Regulation aims to empower individuals and give them "control" over their personal data. To do this, data subjects have been granted various rights, including the right to data portability, which did not exist under the Data Protection Directive. Contrary to the well-known access right, data portability allows data subjects to obtain and reuse their personal data, at least in theory. In January 2022, we asked data protection expert lawyers in our Lex Mundi Network... Read More

Commission proposal for a regulation on the European health data space

Earlier this month a draft of the proposal for the European Health Data Space Regulation was released. The EHDS is one of nine European data spaces identified in the European Commission's 2020 European Strategy for Data, and very much a priority for the commission. It builds on the Data Governance Act and the recently released proposal for the Data Act. Those acts are horizontal in nature; the EHDS Regulation would provide more specific sectoral measures in the area of health. The draft proposa... Read More

A conversation with Ukrainian Dmytro Korchynskyi

In the past month, PrivatBank Senior Data Protection Specialist Dmytro Korchynskyi, CIPP/E, CIPM, FIP, has seen his entire world thrown into chaos by the Russian invasion of his country. Korchynskyi, co-founder of the non-governmental organization Privacy Hub, spoke with IAPP Staff Writer Alex LaCasse about his experiences. Korchynskyi said he was forced to flee to Lviv, Ukraine, in the western part of the country, due to military strikes on civilian infrastructure in Irpin. He has also been inv... Read More

The EU’s anti-money laundering regulation and data protection: Part II

Editor's note: This is the second article in a two-part series on the European Union's anti-money laundering regulation. Part One of this article explained how the European Union’s 2015 fourth anti-money laundering directive (2015/849 or 4AMLD) required financial institutions to apply data protection safeguards to their anti-money laundering/countering the financial terrorism compliance programs, but the guidance never materialized. In 2021, the Commission introduced 2021/0240 (COD) to establis... Read More

EU Data Governance Act: What privacy professionals need to know

On Dec. 10, 2021, political agreement was reached on the Data Governance Act. The remaining (largely) procedural steps are likely to be completed by March 2022 and the Act will become applicable 15 months after the date of its entry into force — i.e., summer 2023. The Data Governance Act applies to “data” — “any digital representation of acts, facts or information …” — in general, not just to personal data. It is the first of the European Union’s new initiatives on “data” to get to the legislati... Read More

Inside the EU's rocky path to regulate artificial intelligence

In April last year, the European Commission published its ambitious proposal to regulate Artificial Intelligence. The regulation was meant to be the first of its kind, but the progress has been slow so far due to the file's technical, political and juridical complexity. Meanwhile, the EU lost its first-mover advantage as other jurisdictions like China and Brazil have managed to pass their legislation first. As the proposal is entering a crucial year, it is high time to take stock of the state o... Read More

Austrian DPA’s Google Analytics decision could have 'far-reaching implications'

The recent decision by the Austrian Data Protection Authority that the use of Google Analytics violates the EU General Data Protection Regulation could have “far-reaching implications." The decision, published Jan. 13, is the first of 101 complaints filed across EU countries by advocacy group NOYB alleging companies using Google Analytics were not complying with the July 2020 Court of Justice of the European Union’s “Schrems II” decision on data transfers. The "Schrems II" decision invalidated ... Read More

EU Standard Contractual Clauses (Word documents)

On June 4, 2021, the European Commission released new standard contractual clauses for international data transfers. The IAPP’s Research Team created four separate Word documents, one for each transfer scenario accommodated by the new SCCs, incorporating only the modules relevant to that scenario into each document. Read More

CNIL sets parameters for processors' reuse of data for product improvement

On January 12, 2022, the French data protection authority, Commission nationale de l'informatique et des libertés, issued guidance on the reuse of personal data by processors for their own purposes under the EU General Data Protection Regulation. The guidance addresses one of the most common — and hotly contested — aspects of privacy negotiations between commercial parties: Namely, when can a processor use personal data it obtains from a controller for purposes broader than just strictly providi... Read More

The EU’s digital strategy and what it means for privacy

Organizations have been “struggling” with the EU General Data Protection Regulation since its implementation in 2018, while awaiting the ePrivacy Regulation, originally intended to take effect alongside the regulation three years ago. “And we thought that’s the only thing we would need to be struggling with,” IAPP Senior Westin Research Fellow Jetty Tielemans said. But this past year, the European Commission announced its digital strategy, including the proposed Data Governance Act, Digital Se... Read More

From the AI Act to the DSA: Catching up on the EU's digital agenda

Though many privacy pros are still grappling with the EU General Data Protection Regulation, the EU is now busy leading a new generation of data regulations. As part of its Digital Single Market strategy, the EU is looking to not only protect data but also to create frameworks that allow for data flows, while aiming to mitigate hate speech and misinformation. Through an ambitious line of proposed laws — including the Data Act, Data Governance Act, Digital Markets Act, Digital Services Act and th... Read More

New EU data blockage as German court would ban many cookie management providers

On Dec. 1, the Wiesbaden Administrative Court issued a first-of-its-kind decision holding that companies cannot use a cookie management provider that relies on a U.S.-based service to collect data, irrespective of whether the data actually ever leaves the EU. Because cookie management requirements apply for EU websites generally, EU-wide adoption of this case’s theories would affect a broad range of companies that do business both within and outside the EU. Although the decision was made at the ... Read More

The way the third-party cookie crumbles: Part 1 – EU and UK developments

Third-party cookies have long been “the glue that holds together the independent ad tech world.” Far surpassing their original purpose of giving “memory” to websites, these cookies are heavily relied upon by marketers to analyze and track online users. Indeed, cookie-based targeted advertisements are the reason why websites can sustain their “free” business models. But what’s good for industry has not been good for user privacy—and the tide is starting to turn. Part one of this two-part series ... Read More

The EU's DMA and DSA: Why this should be of interest to privacy pros

At the recent IAPP Data Protection Congress 2021 in Brussels, Editorial Director Jedidiah Bracy, CIPP, reported on pending data-related legislation. He noted the EU General Data Protection Regulation is not the only statute privacy professionals dealing with the EU need to be familiar with. Many of us are aware of the ePrivacy Directive, currently updated to become the ePrivacy Regulation, the draft Data Governance Act, the draft Act on Artificial Intelligence and the (postponed) Data Act, but f... Read More

Germany's telecom privacy law takes effect

Hamburg's Commissioner for Data Protection and Freedom of Information announced Germany's Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia took force Dec. 1. The HmbBfDI said the law pairs with the EU General Data Protection Regulation and covers "undesired access to information stored on computers, tablets or mobile phones." Additionally, the regulator highlighted user consent provisions for cookies, browser fingerprinting and other tracking. Lowe... Read More

EDPB discusses data transfer guidance considerations, key points

With the recent adoption of guidelines on the interplay between Article 3 and Chapter V of the EU General Data Protection Regulation relating to international data transfers, the European Data Protection Board sought to answer a question that has been debated going back five years to the GDPR's original drafting. But as is usually the case when addressing the complex topic of transfers, answering one question has spawned so many others. EDPB Secretariat Head Isabelle Vereecken said during a Lin... Read More

New EDPB Guidelines: What is a data transfer under the GDPR?

Original Broadcast Date: November 2021 On Nov. 19, the EDPB answered the long-standing question — what is an international data transfer under the GDPR? — by issuing new guidelines on the interplay between Article 3 and Chapter V. Was this truly an open question? If so, why? Is this a wonky theoretical debate or will the new guidelines have real-world impacts? What are the practical implications for organizations collecting data directly from EU individuals, already subject to the GDPR from abr... Read More

Irish DPC WhatsApp decision: What do you need to know?

On Sept. 2, the Irish Data Protection Commission announced a decision to fine WhatsApp 225 million euros. The DPC concluded WhatsApp failed to: provide required privacy information to WhatsApp users, as required by EU General Data Protection Regulation Article 13; provide privacy information relevant to contacts of WhatsApp users — "non-users" — whose personal data was processed in order to show users which of their contacts were also WhatsApp users, as required by GDPR Article 14; make privacy ... Read More

The state of Serbia's Personal Data Protection Law after two years

On Nov. 9, 2018, Serbia adopted the Personal Data Protection Law. The law went into effect the following summer, Aug. 21, 2019. In general, the LPDP is harmonized with the EU General Data Protection Regulation, as this was the obligation of Serbia as an EU member candidate in the process of EU integration. Provisions of the LPDP mirror the normative provisions of the GDPR in almost all aspects, including provisions regulating the territorial application of the LPDP, legal basis for data process... Read More

What can we learn from the Garante’s recent 2.5M euro fine?

Italy’s data protection authority, the Garante, issued a 2.5 million euro fine against food delivery company Deliveroo for inappropriately processing driver's personal data. The company held personal and contract data, payment data, data relating to the driver's rides and data relating to vehicles used for deliveries for insurance coverage. The detailed opinion raises points that delivery companies, ride sharing companies and even vehicle original equipment manufacturers with proprietary applic... Read More

European Health Data Space: Repairing the trans-Atlantic data relationship through biotech R & D

That the trans-Atlantic data relationship needs some healing and repair is well-understood. The highly innovative biotechnology sector delivers breakthrough innovations that transform health care, promote public health and cure once incurable diseases. Perhaps a remedy to the trans-Atlantic data relationship is not beyond the sector's reach as well. Data flows between the United States and the European Union are critical for advancing biomedical research. Collaborations between researchers on b... Read More

Exploring the Dutch DPA’s fine for not appointing an EU representative

The fine for not appointing an EU General Data Protection Regulation representative imposed by the Netherlands' data protection authority, Autoriteit Persoonsgegevens, and a recent high court decision in the U.K. put the spotlight on the obligation of the GDPR's Article 27 and brought some clarity to the role of representative. Prighter Founder Andreas Mätzler, CIPP/E, and Associate Clara Sator take a look at the Dutch case, saying it “shows supervisory authorities are willing to fine instances ... Read More

Talks for DPOs by Dutch DPOs

Original broadcast date: 28 June 2021  In this fast-paced, 45-minute session, delegates will hear animated and informative discussions from Dutch DPOs about their experiences navigating an ever-changing regulatory landscape during a year of pandemic-induced global uncertainty. What were their greatest challenges and successes? How do they prepare for an environment consistently in flux? How has the pandemic affected getting work done at their organization? Read More

EDPB’s data transfer recommendations adopt a risk-based approach with teeth

On June 21, the European Data Protection Board issued its highly anticipated final recommendations on supplementary measures for data transfers. The recommendations outline a process organizations can follow to transfer personal data outside the European Economic Area to ensure compliance with the "Schrems II" judgment. The initial draft of the recommendations, released in November 2020, took the data protection world by surprise by preventing organizations from considering the “subjective” lik... Read More

Top-10 do’s and don’ts for service providers implementing the new SCCs with EU customers

The European Commission recently issued its decision approving revised standard contractual clauses for data transfers to third countries in the Official Journal. The new SCCs are a mechanism companies can use to address the restriction under Article 44 in the EU General Data Protection Regulation on the cross-border transfer of personal data to third countries. Given the timing requirements in the commission's decision, the U.S. and other service providers located in third countries should expe... Read More

EDPS Factsheet — Data protection audits explained

The Office of the European Data Protection Supervisor published a factsheet outlining its auditing procedures for EU institutions' data protection practices. The document breaks down the three stages involved in audits while also explaining which institutions are audited, why they are audited and when the audits take place.  Click To View (PDF) ... Read More

What’s behind the EU’s new Cloud Code of Conduct?

It has been nearly a decade since former European Commission Vice President Neelie Kroes pitched plans for an EU Code of Conduct for cloud services. In 2012, data protection was very much a nascent field on European soil: There was no EU General Data Protection Regulation and privacy had hardly reached the priority files of European regulators and was far from an issue at the forefront of public minds. Nevertheless, public and private stakeholders recently gathered to announce the finalization ... Read More

New urgency about data localization with Portuguese decision

On April 27, 2021, Portugal's data protection authority, the National Data Protection Commission, ordered Statistics Portugal, in carrying out the national census, to suspend processing of personal data in any third country that lacks adequate privacy protections, including the United States. According to the order, Statistics Portugal had not conducted a sufficient data protection impact assessment or provided for adequate additional safeguards in use of standard contractual clauses. Statistics... Read More

How to know you are a 'data intermediary' under the Data Governance Act

The free flow of data could make or break a business. This needs no explanation, especially to privacy pros and data specialists with a clear view of both sides of the spectrum. On the one hand, data is the fuel needed to run the business engine, thereby driving the total value and growth of modern businesses; on the other hand are the commercial and reputational risks attached to hefty fines prescribed by data protection and other laws for noncompliance. This makes access to data by creating tr... Read More

EDPB adopts data transfer statement, publishes GDPR guidance

The European Data Protection Board adopted a statement on data transfer agreements between EU member states and third countries. The EDPB tells member states all data transfer agreements made before May 2016 should remain intact as stated within the provisions of the EU General Data Protection Regulation and the Law Enforcement Directive, but the EDPB invites member states to assess and, where necessary, review those agreements. The EDPB also published its guidelines on the application of Art... Read More

Why the EDPB should avoid torpedoing BCRs for processors

Many global service providers and their customers rely on binding corporate rules for processors to transfer European Economic Area customer data to processors outside the EEA. There are strong indicators that the European Data Protection Board is about to restrict the application of BCRs for processors to internal transfers within the processor group of companies. This would mean that BCRs for processors can no longer be used as a mechanism for transfers from an EEA customer directly to a proce... Read More

GDPR representatives in EU and UK after Brexit

With the Brexit transitional period ending, the beginning of the year finally brought some clarity about the future of data flows between the EU and U.K. A legally dubious, as not explicitly permitted by the EU General Data Protection Regulation, interim agreement on transborder data flows has been part of the EU-U.K. Trade and Cooperation Agreement and grants a temporary respite for privacy professionals, as well as lawmakers to prepare an adequacy decision. However, the obligations to appoint ... Read More

Comparing EU regulatory norms with incident reporting obligations

As data breaches and other security incidents are the dominating cause of regulatory fines in areas like security and data protection, prevention and proper management are becoming a priority for many organizations. Proper technical and security measures are essential in preventing security incidents. Nevertheless, when managing incidents, it can be challenging to identify and properly follow all the applicable rules and mandatory notifications of different regulators. To flesh this out, let's ... Read More

How does GDPR apply to clinical trial sponsors outside EEA? Views of EEA DPAs

While many organizations across the world have acclimatized to life under the EU General Data Protection Regulation, certain industries are still reconciling how it applies to them. In the life sciences sector — particularly in the context of clinical trials — there is a stark variance in the way different stakeholders interpret how the GDPR applies to their data-processing activities. Surprisingly, this variance of interpretation also appears to exist among the relevant data protection authori... Read More

CJEU's advocate general: One-stop shop means one-stop shop

On Jan. 13, 2021, Court of Justice of the European Union Advocate General Michal Bobek issued his Opinion in case 645/19 opposing Facebook to Belgium's Data Protection Authority. The opinion has been widely covered in the media, with reports that the advocate general will allow “any EU country to take legal action against Facebook or any other tech firm,” therefore undermining the one-stop-shop enforcement mechanism of the EU General Data Protection Regulation. Contrary to media reports, the ad... Read More

CJEU opinion clarifies cross-border enforcement scenarios

The EU General Data Protection Regulation's one-stop-shop mechanism received a boost amid ongoing questions about the best way to approach cross-border enforcement. Court of Justice of the European Union Advocate General Michal Bobek issued a non-binding opinion supporting the future application of OSS while bringing clarity to the limited exceptions that would allow data protection authorities besides a lead supervisory authority to act on a cross-border action. "It is clear that one-stop shop... Read More

Proposal for an EU Data Governance Act — a first analysis

On Nov. 25, 2020, the European Commission published its draft Data Governance Act. The act is one of the deliverables included in the commission’s 2020 European Strategy for Data, which sets out policy measures and investments designed to give the EU a competitive advantage by enabling it to capitalize on its vast quantity of data. Other deliverables that will follow before the end of the year are the Digital Services Act and the Digital Markets Act. The act aims to create a framework that enco... Read More

White Paper – DPAs on the Ground

This piece focuses on the resources available to each DPA and its progress so far in addressing complaints, both individually and in coordination with other member states. Additionally, it highlights the GDPR's impact on budget and staffing levels in relation to a country's GDP. Results from the questionnaire provide an illustrative snapshot into DPAs’ work “on the ground.” Read More

Regional Resources

CNIL publishes FAQ for French entities EU-US DPF implementation

France's data protection authority, the Commission nationale de l'informatique et des libertés, published an FAQ document on the European Commission's adequacy decision regarding the EU-U.S. Data Privacy Framework. The FAQ features key provisions of the DPF and details the process by which French entities can transfer data to U.S. organizations if the given organization has not adopted the DPF agreement. Read More

Italy's DPA releases guide for privacy in schools

Italy's data protection authority, the Garante, released recommendations on how schools can protect the privacy of students, staff and families. The guidelines cover topics including how photos taken on school trips should be managed, regulatory updates and how to protect privacy while using education technology. Read More

Ready for the new Swiss data protection law? Implications for organizations outside Switzerland

The revised Swiss Federal Act on Data Protection comes into force 1 Sept. Unsurprisingly, perhaps, this upgrade to the 1992 version brings Switzerland's data protection regime into greater alignment with the provisions of the EU General Data Protection Regulation. This includes the introduction of new, more stringent obligations on non-Swiss companies doing business in Switzerland, such as the requirement to appoint a Swiss representative. There is also an increased emphasis on the commitment to... Read More

Unpacking the DPC's data transfers decision

Ireland’s Data Protection Commission released its final and long-anticipated decision in the Meta data transfers case. What does the decision mean for Meta’s data transfers to the United States? What does it mean for other companies relying on standard contracts to transfer data? Read More

Ireland DPC's data transfers decision: Pragmatic punch or knockout blow?

On May 22, Ireland's Data Protection Commission published its anxiously anticipated decision in the Meta data transfers case, which includes a record-breaking 1.2 billion euro fine, a stop-transfer order with a carefully delineated timeline and an order to cease unlawful processing of EU data in the U.S. within six months. Those who have watched the trans-Atlantic data transfer's title fight closely enough to require sweat towels themselves might be asking — should we mark today's decision as a... Read More

Ireland's DPC issues employee data protection guidance

Ireland's Data Protection Commission announced fresh employer guidance on handling the data of current, former and prospective employees. The DPC said the guidance is aimed at standard data collection, including employees' names and contact information, but added employers need to also consider nontraditional data like "information on occupational health, sick leave, performance reviews or disciplinary actions." The guidance also includes guidelines for employee monitoring and tracking. Read More

AEPD Annual Reports

The Spanish data protection agency, the Agencia Española de Protección de Datos, published its "2022 Report." According to the report, the agency received 15,128 claims in 2022, the largest number of claims in its existence. Read More

AEPD publishes guidance on public-sector legislation DPIAs

Spain's data protection authority, the Agencia Española de Protección de Datos, issued guidelines to aid public administrations' data protection impact assessments on proposed legislation. The AEPD stated DPIAs in the public sector need to occur "from the design of the standards," while outlining the criteria for execution of assessments and analysis of results. Read More

AEPD publishes guidance to help public administrations manage data risks

Spain’s data protection authority, the Agencia Española de Protección de Datos, published guidance to help public administrations manage risks around data exchanges. "The document addresses the need to effectively manage risks that, due to the high volume of personal data and the interconnection of infrastructures, can give rise to massive, high-impact breaches," the AEPD said, noting the guidance includes a list of preventive measures. Read More

NGO seeks more Ukrainian privacy awareness amid Russian invasion

When the Russian military invaded neighboring Ukraine 24 Feb. 2022, western defense analysts were in near-consensus that Ukraine would collapse in a matter of weeks, if not days. Though questions remain about how the conflict will ultimately conclude, a year into the invasion, the need to secure Ukrainian citizens' personal data has often taken on a life-and-death importance. Teaching the teachers in privacy  PrivatBank senior data privacy specialist Dmytro Korchynskyi, CIPP/E, CIPM, FIP, and ... Read More

CNIL’s Secretary General rolls out plans for 2023 at DPI France

Mobile apps, artificial intelligence and cybersecurity will be the main focus areas of France's data protection authority, the Commission nationale de l'informatique et des libertés, in coming years. During the IAPP Data Protection Intensive: France this week in Paris, CNIL Secretary General Louis Dutheillet de Lamothe laid out the regulator's focus areas, as well as the projects it has or will soon launch in those key areas. According to Dutheillet de Lamothe, the EU General Data Protection Regu... Read More

Irish DPC Annual Report 2022

The Irish DPC released its annual report for 2022, which highlights its workload and regulatory accomplishments over the last year, including the finalization of 17 large-scale investigations that yielded fines totaling more than 1 billion euros. Read More

Denmark's Datatilsynet outlines 2023 priorities

Denmark’s data protection authority, Datatilsynet, published an overview of its primary topics of focus for 2023. Major priorities include protecting children online, upholding personal data protections for website visitors, supervising television surveillance and processing of personal data in “pan-European information systems.” Read More

CNIL releases report on sanctions, corrective measures

France's data protection authority, the Commission nationale de l'informatique et des libertés, released a report on sanctions and corrective measures taken in 2022. The CNIL said a record 147 formal notices and 21 sanctions were adopted and fines exceeded 100 million euros. Penalty decisions and formal notices concerned various sectors and issues, including 22 decisions against municipalities that failed to appoint data protection officers. The CNIL said it is "continuing the substantial increa... Read More

Sweden's DPA publishes DPO survey

Sweden's data protection authority, the Integritetsskyddsmyndigheten, released "Data Protection in Practice," a privacy operations management survey of more than 800 Swedish data protection officers. Four in 10 respondents said their companies work "continually and systematically with data protection" and half of all respondents said company management is receptive and understanding of data protection matters. IMY Analyst Andrea Amft said the survey results are "concerning" while noting DPOs req... Read More

10 takeaways from the Irish DPC decisions on Meta

Ireland's Data Protection Commission issued the much-anticipated decisions regarding the EU General Data Protection Regulation legal basis Meta can use in connection with processing personal data for targeted advertising. The decisions are a revised version of the draft opinion issued by DPC in October 2022, pursuant to objections filed by the supervisory authorities of Austria, France, Germany, Italy, the Netherlands, Norway, Poland, Portugal and Sweden and EDPB determination. Per the revised d... Read More

Irish DPC, EDPB Meta decisions raise complex, fundamental questions

As more details unfold within the Irish Data Protection Commission and European Data Protection Board’s published Meta decisions, the privacy community is grappling with complex and fundamental questions surrounding legal bases for data processing, transparency within privacy notices, uncertainty around EU General Data Protection Regulation compliance, and more. The DPC last week fined Meta Ireland a combined 390 million euros and in its decisions, officially released with the EDPB’s binding de... Read More

Irish DPC fines Meta 390M euros over legal basis for personalized ads

The Irish Data Protection Commission adopted final decisions on two inquiries into Meta’s Facebook and Instagram, fining the company a total of 390 million euros and potentially leading to an upheaval of its personalized advertising model in the EU. The DPC announced Meta’s basis for seeking user permission to collect data for personalized advertising, used by its Facebook and Instagram platforms, is invalid and gave the company three months to bring its data processing operations into complian... Read More

Belarus implements cross-border transfer rules

The director of Belarus' National Center for Personal Data Protection signed an order implementing rules for the cross-border transfer of personal data. The order includes member states of the Eurasian Economic Union and defines allowable cases of cross-border data transfers, including transfers by state bodies and other organizations. The DPA said this will solve "issues related to the cross-border transfer by employers of personal data of their employees in cases necessary for the implementati... Read More

German state DPA releases processor code of conduct

The Baden-Württemberg State Commissioner for Data Protection and Freedom of Information released a code of conduct for processors, offering standardized rules to support companies in applying the EU General Data Protection Regulation. Processors following the code submit to regular monitoring by a body accredited by the LfDI, Commissioner Stefan Brink said. "Self-regulation is an excellent opportunity to tailor data processing to the needs of industries — the GDPR provides this opportunity, whic... Read More

Greek DPA imposes 20M euro fine on Clearview AI for unlawful processing of personal data

On July 13, Greece’s data protection authority, the Hellenic Data Protection Authority, imposed a fine of 20 million euros on U.S.-based company Clearview AI for violating multiple provisions of the EU General Data Protection Regulation. This number doubled from the previous largest fine issued by the HDPA, which was 9.25 million euros against the largest telecommunications conglomerate in Greece. The decision of the HDPA was issued following a complaint filed by civil nonprofit organization Ho... Read More

A view from Brussels: EU Council's Czech presidency eyes ambitious fall lineup

“Europe as a task.” In 1996, then-Czech Republic President Václav Havel fathered this expression to call on Europeans to take responsibility for global environmental and social and economic challenges and to lead by example. Setting this motto in EU-policy-speak relevant to privacy pros, it means that the Czech Republic — already a third into its Presidency of the EU Council — will seek to accomplish the following by end of December: Continue discussions on the Artificial Intelligence Act and... Read More

Slovenia DPA creates guide for conducting data impact assessments

Slovenia's data protection authority, Informacijski Pooblaščenec, created an infographic to help data controllers conduct impact assessments. The infographic features the common shortcomings missing from impact assessments and offers recommendations to controllers. It also provides a checklist to help determine if an impact assessment is comprehensive enough. The country’s information commissioner said some mistakes are often repeated, such as missing risk assessment methodology. Read More

Garante Annual Reports (Italian DPA)

Italy's data protection authority, the Garante, published its 2020 Activity Report. The report covers how the agency handled the COVID-19 pandemic as well as its case involving TikTok, where it asked the application to implement age verification measures for young users. Read More

A view from Brussels: Reflections on the incoming Czech Republic presidency

Today, 1 July, the Czech Republic takes over the presidency of the EU Council of Member States for the next six months. It will have the challenging task of bringing major EU initiatives such as the Data Act and the Artificial Intelligence Act closer to the finish line, meaning at least reaching a common approach among Member States. You can visit its official website to keep up with the Czech Republic presidency program and events. The Czech Republic inherits a presidency that has, in the last... Read More

Ukraine's human rights commissioner releases martial law data protection guidance

The Ukraine Parliamentary Commissioner for Human Rights issued guidance for the protection of personal data under martial law, amid the Russian invasion. The guidance included potential restrictions on the human right to privacy and legal grounds for the processing of personal data by government agencies, updated responsibilities to protect personal data for owners and managers, legal grounds for organizations involved in charitable aid to citizens, how to protect data from cybercriminals and ho... Read More

CNIL publishes cookie wall evaluation scheme

France's data protection authority, the Commission nationale de l'informatique et des libertés, released its criteria for evaluating the legal use of third-party cookie walls. The criteria feature four considerations based on informed consent, including alternative access to content, the price of that access, paid access without cookie placement and potential embedded consent overrides. The CNIL said the criteria hone in on "the most commonly observed practices" and the criteria are to be appli... Read More

Berlin DPA offers cross-border data transfer guidance

The Berlin Commissioner for Data Protection and Freedom of Information published guidance for international data transfers according to the Court of Justice of the European Union's "Schrems II" ruling. The state regulator outlined transfer requirements under the EU General Data Protection Regulation while explaining the current legal landscape around global transfers, with particular focus on transfers to the U.S. and the lack of legal bases for transfers. Additionally, the guidance detailed the... Read More

CNIL Activity Report (2021)

The French data protection authority, Commission nationale de l'informatique et des libertés, published its "2021 Activity Report." The report highlighted the creation of a personal data “sandbox” for health. Read More

HDPA releases guidelines on website-tracking compliance

The Hellenic Data Protection Authority in Greece released compliance guidelines for informational websites using trackers. The authority observed several websites whose methods for obtaining consent to use trackers — specifically, cookie banner pop-ups — did not comply with several points of the EU General Data Protection Regulation. The HDPA said it conducted an audit of 30 informative websites, giving them 15 days to achieve compliance. All websites, with one exception, did so by the deadline.... Read More

AEPD launches health data guidance hub

Spain's data protection authority, the Agencia Española de Protección de Datos, announced the creation of a new section on its website dedicated to health data processing. The new page offers "a compendium of legislation, criteria, doctrine and precedents" that will help professionals and various stakeholders address data protection in the health space. The seven sub-sections within the page aim to provide "general information on the treatment of health data and how to exercise the right of acce... Read More

Norwegian DPA issues guidance on minors’ consent

Norway’s data protection authority, Datatilsynet, issued guidance around the sharing and processing of children’s personal data and consent, noting the rules “are slightly different than for adults.” The authority discusses the potential for informed and voluntary consent by a minor under age 18 — such as in cases related to social media, health care and education — and areas where parental consent is necessary. “The greater the privacy consequences the processing of information may have, the hi... Read More

UK, German DPAs talk regulatory priorities, privacy complexities

Addressing a room full of privacy professionals at the IAPP Global Privacy Summit 2022, U.K. Information Commissioner John Edwards envisioned many would be looking to regulators to “just tell us what we need to do” to minimize risks, reach compliance and reduce associated costs. “That’s fine,” Edwards said. But he was quick to point out, the most “important thing” about privacy and data protection is “the human story.” “You’re going to see your drug counselor later today. You made that insuran... Read More

Ukraine uses Clearview AI to identify Russian soldiers killed in invasion

Ukraine Vice Prime Minister Mykhailo Fedorov said the military has been using Clearview AI software to identify Russian soldiers killed in combat so officials can track down and inform their families, Reuters reports. Fedorov, who is also the head of the ministry of digital transformation, said Ukraine has used Clearview AI facial recognition to find the social media accounts of killed Russian soldiers. Civil rights groups have criticized the use of the technology by Ukraine due to possible misi... Read More

Norwegian DPA issues employee monitoring guidance

Norway's data protection authority, Datatilsynet, published guidance for employers using video surveillance on employees in the workplace. The regulator stressed that requirements for employee monitoring under the EU General Data Protection Regulation and the Working Environment Act need to be met before cameras are installed and run. The guidance outlines purpose limitation as well as standards for disclosing, storing and securing recordings. Read More

Key takeaways from CNIL's draft recommendation on smart cameras

Smart cameras are not a simple extension of existing video surveillance techniques, but they raise new ethical and legal questions. Simply put, the main difference between smart cameras and a traditional video surveillance system is that smart cameras are coupled with software, allowing a real-time and continuous analysis of the captured images. Algorithms analyze those images and extract information such as pattern recognition, movement analysis and object detection, all without human analysis ... Read More

A conversation with Ukrainian Dmytro Korchynskyi

Last month, PrivatBank Senior Data Protection Specialist Dmytro Korchynskyi, CIPP/E, CIPM, FIP, was focused on protecting the personal data of their Ukrainian customers. On Feb. 24, the Russian military launched a full-scale invasion of his homeland and upended all aspects of daily life as he and his fellow citizens have been bombarded on a scale that hasn’t been seen on the European Continent since World War II. A co-founder of Privacy Hub, a non-governmental organization that connects privacy... Read More

Disclosing information on behavioral profiles: the Polish cookie case

In October 2021, Poland’s data protection authority, the Urząd Ochrony Danych Osobowych, issued its first-ever view related to cookies in a decision (reference number ZSPR.440.331.2019. PR PAM) following a complaint from a data subject. Before this, neither rulings nor guidelines were published on the matter. Thus, every decision concerning this issue is eagerly anticipated in Poland. The UODO stated the use of cookies involves the processing of personal data and ordered online media company In... Read More

Irish DPC fines Meta 17M euros over 2018 data breaches

The Irish Data Protection Commission fined Meta Platforms 17 million euros over a series of 12 data breaches from June to December 2018. A DPC investigation determined Meta violated Articles 5 and 24 of the EU General Data Protection Regulation related to processing of data tied to the breach notifications. While two European supervisory authorities raised objections, the DPC said, “consensus was achieved through further engagement.” The DPC published a report with statistics on its handling ... Read More

CNIL publishes its 2022 to 2024 strategic plan

France's data protection authority, the Commission nationale de l'informatique et des libertés, published its 2022 to 2024 strategic plan. Despite the CNIL’s efforts, digitization of daily life has increased the deployment of regulators’ technological expertise. In the strategic plan, the CNIL would focus on controlling and respecting the rights of citizens online, promoting the EU General Data Protection Regulation as a tool organizations can use to build trust with consumers, and prioritizing ... Read More

CNIL is latest authority to rule Google Analytics violates GDPR

Just weeks after the Austrian Data Protection Authority’s ruling that Google Analytics use violates the EU General Data Protection Regulation, France’s data protection authority, the Commission nationale de l'informatique et des libertés, has reached a similar decision. The rulings are the first stemming from 101 complaints filed by advocacy group NOYB throughout EU Member States following the “Schrems II” decision that invalidated the EU-U.S. Privacy Shield in July 2020 and are anticipated to ... Read More

Why US-based companies should care about the Norway DPA's interpretation of GDPR consent

U.S.-based companies and regulators should fully understand the impact of a decision from Norway’s data protection authority, Datatilsynet, regarding how consent is “done,” what constitutes special category data and what “manifestly made public” means. With the new U.S. privacy laws in California, Virginia and Colorado borrowing the definitions of “consent” and “sensitive data” verbatim from EU General Data Protection Regulation, as well as adopting a consumer intent-based standard for determinin... Read More

Belgian DPA fines IAB Europe 250K euros over consent framework GDPR violations

The Belgian Data Protection Authority fined IAB Europe 250,000 euros Wednesday, ruling its Transparency and Consent Framework, used by much of the advertising industry in the European Union, does not comply with several EU General Data Protection Regulation provisions. Through data processing under the TCF, which “facilitates the management of users’ preferences for online personalised advertising,” the DPA found IAB Europe acts as a data controller and can be held responsible for potential GDP... Read More

Austrian DPA’s Google Analytics decision could have 'far-reaching implications'

The recent decision by the Austrian Data Protection Authority that the use of Google Analytics violates the EU General Data Protection Regulation could have “far-reaching implications." The decision, published Jan. 13, is the first of 101 complaints filed across EU countries by advocacy group NOYB alleging companies using Google Analytics were not complying with the July 2020 Court of Justice of the European Union’s “Schrems II” decision on data transfers. The "Schrems II" decision invalidated ... Read More

CNIL sets parameters for processors' reuse of data for product improvement

On January 12, 2022, the French data protection authority, Commission nationale de l'informatique et des libertés, issued guidance on the reuse of personal data by processors for their own purposes under the EU General Data Protection Regulation. The guidance addresses one of the most common — and hotly contested — aspects of privacy negotiations between commercial parties: Namely, when can a processor use personal data it obtains from a controller for purposes broader than just strictly providi... Read More

CNIL's ePrivacy fines reveal potential enforcement trend

The new year for EU data protection enforcement has rung in with an early bang courtesy of France's data protection authority, the Commission nationale de l'informatique et des libertés. The CNIL fined Google and Facebook up to a combined 210 million euros for alleged cookie violations under the ePrivacy Directive. Allegations against the companies focus on French users' inability to easily decline tracking via cookies. Google's U.S. and Irish operations received penalties of up to 90 and 6... Read More

Irish DPC releases 2022-2027 regulatory strategy

Ireland's Data Protection Commission published its 2022-2027 regulatory strategy with an "ambitious vision" for "five crucial years in the evolution of data protection law, regulation and culture." The DPC notes its plan reflects "the wider context in which it regulates," realizing the ongoing change with the sectors and technologies it oversees. The regulator also mentions its regulatory ambitions will require "new partnerships and new ways of engaging" as it seeks to ultimately reach "one over... Read More

Irish DPC finalizes children's privacy guidelines

Ireland's Data Protection Commission published its Fundamentals for a Child-Oriented Approach to Data Processing. The guidance introduces principles and recommended best practices for children's data protection during processing activities. The DPC said children "cannot be expected to manage this process themselves" and expects the guidelines to "create safer, more appropriate and more privacy-respecting online environments." Axios reports the smart toy market is expected to grow to $70 bi... Read More

New EU data blockage as German court would ban many cookie management providers

On Dec. 1, the Wiesbaden Administrative Court issued a first-of-its-kind decision holding that companies cannot use a cookie management provider that relies on a U.S.-based service to collect data, irrespective of whether the data actually ever leaves the EU. Because cookie management requirements apply for EU websites generally, EU-wide adoption of this case’s theories would affect a broad range of companies that do business both within and outside the EU. Although the decision was made at the ... Read More

CNIL releases its own privacy maturity self-assessment model

France’s data protection authority, the Commission nationale de l'informatique et des libertés, released its “first reflections” on a privacy maturity self-assessment model Sept. 9, thus becoming the first European DPA to propose a privacy maturity model. This offers an occasion to introduce the concept of a maturity model to those who are not already familiar with it while taking a closer look at the CNIL’s release. What is a maturity model? Maturity models are assessment systems that allow or... Read More

CNIL publishes DPO guidance

France's data protection authority, the Commission nationale de l’informatique et des libertés, published a guide to support data protection officers. The guidance discusses the process and factors to be considered when hiring a DPO as well as what resources should be provided to allow a DPO to do their job effectively. The CNIL noted the guidance was crafted with a focus on ensuring DPOs "can carry out (their) missions in complete independence." Editor's note: The IAPP offers a French DPO certi... Read More

CNIL publishes guide to support organizations in GDPR compliance

France’s data protection authority, the Commission nationale de l’informatique et des libertés, published a guide to support charitable, political and other organizations with EU General Data Protection Regulation compliance. The guide outlines the legal framework for data protection, provides benchmarks for organization and professional practices, and an action plan presenting the main stages of compliance. “In order to comply with the GDPR, these structures may need to review and change their ... Read More

Venice uses cellphone data, surveillance cameras to track tourists

City officials in Venice are collecting tourists' cellphone data and using surveillance cameras to monitor visitors, The New York Times reports. Software can track individuals' speed and path of travel, as well as age, sex and country of origin. Officials say the data is being gathered to prevent crowding and cellphone data is gathered anonymously. A data manager in Venice, Luca Corsato, said the city's "massive and constant" use of data is "dangerous." Read More

Irish DPC WhatsApp decision: What do you need to know?

On Sept. 2, the Irish Data Protection Commission announced a decision to fine WhatsApp 225 million euros. The DPC concluded WhatsApp failed to: provide required privacy information to WhatsApp users, as required by EU General Data Protection Regulation Article 13; provide privacy information relevant to contacts of WhatsApp users — "non-users" — whose personal data was processed in order to show users which of their contacts were also WhatsApp users, as required by GDPR Article 14; make privacy ... Read More

Digital welfare fraud detection and the Dutch SyRI judgment

States worldwide are turning to technology to make the welfare state more efficient and mitigate welfare fraud. In the Netherlands, the state used a digital welfare fraud detection system called Systeem Risico Indicatie. The SyRI was a system that used personal data from different sources and uncovered fraud. In 2020, a Dutch court decided the SyRI legislation was unlawful because it did not comply with the right to privacy under the European Convention of Human Rights. This is among the first t... Read More

CNIL publishes ‘data protection management maturity model’

France’s data protection authority, the Commission nationale de l’informatique et des libertés, published a “data protection management maturity model.” The CNIL said the model “transposes the maturity levels defined in international standards to data protection management” and “allows organizations to assess their own level of maturity and determine how to improve their management of data protection.” Organizations can develop an action plan using the model to evaluate their current practices a... Read More

Norwegian DPA updates data transfer guidance

Norway's data protection authority, Datatilsynet, published revised guidance on international data transfers in the wake of the Court of Justice of the European Union's "Schrems II" decision. The guidance calls on companies to assess the basis for a transfer in advance of execution and apply additional technical, legal or organizational measures to protect data when necessary. Datatilsynet also noted it will not grant companies pre-approval for transfer impact assessments before they are complet... Read More

Malta DPA publishes cookie consent guidance

The Office of the Information and Data Protection Commissioner of Malta published guidance on cookie consent requirements. The guidance lays out how cookies are handled in the ePrivacy Directive and the EU General Data Protection Regulation, and lists practices not compliant with data protection rules, such as cookie walls and pre-ticked boxes. Full Story... Read More

The state of Serbia's Personal Data Protection Law after two years

On Nov. 9, 2018, Serbia adopted the Personal Data Protection Law. The law went into effect the following summer, Aug. 21, 2019. In general, the LPDP is harmonized with the EU General Data Protection Regulation, as this was the obligation of Serbia as an EU member candidate in the process of EU integration. Provisions of the LPDP mirror the normative provisions of the GDPR in almost all aspects, including provisions regulating the territorial application of the LPDP, legal basis for data process... Read More

What can we learn from the Garante’s recent 2.5M euro fine?

Italy’s data protection authority, the Garante, issued a 2.5 million euro fine against food delivery company Deliveroo for inappropriately processing driver's personal data. The company held personal and contract data, payment data, data relating to the driver's rides and data relating to vehicles used for deliveries for insurance coverage. The detailed opinion raises points that delivery companies, ride sharing companies and even vehicle original equipment manufacturers with proprietary applic... Read More

Exploring the Dutch DPA’s fine for not appointing an EU representative

The fine for not appointing an EU General Data Protection Regulation representative imposed by the Netherlands' data protection authority, Autoriteit Persoonsgegevens, and a recent high court decision in the U.K. put the spotlight on the obligation of the GDPR's Article 27 and brought some clarity to the role of representative. Prighter Founder Andreas Mätzler, CIPP/E, and Associate Clara Sator take a look at the Dutch case, saying it “shows supervisory authorities are willing to fine instances ... Read More

German DPA tells government organizations to shut down Facebook pages

Germany’s Federal Data Protection Commissioner Ulrich Kelber asked government organizations to close their Facebook pages by the end of the year, Reuters reports. Kelber said the pages are not able to operate in a way that does not transmit followers’ data to the U.S., in violation of privacy laws. He also recommended organizations discontinue using Clubhouse, TikTok and Instagram due to similar concerns. "Given the continuing violation of personal data protection, there is no time to waste," Ke... Read More

Talks for DPOs by Dutch DPOs

Original broadcast date: 28 June 2021. In this fast-paced, 45-minute session, delegates will hear animated and informative discussions from Dutch DPOs about their experiences navigating an ever-changing regulatory landscape during a year of pandemic-induced global uncertainty. What were their greatest challenges and successes? How do they prepare for an environment consistently in flux? How has the pandemic affected getting work done at their organization? Read More

Belgian DPA Annual Report

Belgium's Data Protection Authority published its 2020 annual report. In addition to its focus on COVID-19 related matters, the DPA highlighted its continued progress on 2020-2025 priorities, such as a comprehensive recommendation on data processed for direct marketing purposes, and its overall enforcement work. Read More

European Commission to take legal action against Belgium over DPA independence

The European Commission plans to take legal action against Belgium after complaints were filed alleging Belgium's Data Protection Authority has not been meeting the independence requirements under the EU General Data Protection Regulation, Politico reports. The infringement procedure will be launched in response to complaints filed last year claiming the DPA has not adhered to the independence requirement, as several of its members are affiliated with the government. The process will start once ... Read More

Garante issues DPO guidance

Italy's data protection authority, the Garante, issued guidelines on the role of the data protection officer. The DPA created the guidelines to help clarify longstanding uncertainties around the position since the EU General Data Protection Regulation went into effect. The guidelines detail the duties the DPO must perform in their role and will be sent to national and territorial administrators to promote "wider dissemination." Full Story... Read More

Germany passes data protection, privacy law for telecommunications

Germany's Parliament passed a data protection and privacy law for regulating telecommunications and telemedia, Euractiv reports. The Data Protection Act brings the country's rules in line with the EU General Data Protection Regulation. Social Democrat MP Falko Mohrs said the new bill helps make the legal situation in Germany "clearer and more consistent" as requirements were previously split between the Telemedia Act and the Telecommunications Act. Full Story... Read More

The Irish High Court judgment on EU-US data flows

The Irish High Court's May 14 judgment concerning Facebook's EU-U.S. data transfers sheds light on the Irish Data Protection Commission's and the court's initial views on issues with significant global implications. In the judgment, Justice David Barniville dismissed Facebook Ireland's arguments that the process followed by Ireland's Data Protection Commissioner in its own-volition inquiry into Facebook Ireland's EU-U.S. data transfers was flawed. This allows the inquiry to proceed.  As a proc... Read More

Exploring Belarus' data protection law

Pravo.by breaks down Belarus' data protection law. The law regulates personal data processing regardless of whether it was done by automation tools. It defines personal data, addresses transborder data flows and gives citizens new data subject rights. The main provisions of the legislation will go into effect six months after publication. Full Story... Read More

New urgency about data localization with Portuguese decision

On April 27, 2021, Portugal's data protection authority, the National Data Protection Commission, ordered Statistics Portugal, in carrying out the national census, to suspend processing of personal data in any third country that lacks adequate privacy protections, including the United States. According to the order, Statistics Portugal had not conducted a sufficient data protection impact assessment or provided for adequate additional safeguards in use of standard contractual clauses. Statistics... Read More

Belarus adopts draft personal data protection law

Belarus' House of Representatives adopted a draft personal data protection law, Pravo.by reports. The draft law defines categories of personal data, determines the process for cross-border transfers, establishes the creation of an authorized oversight body and sets responsibilities for violations. “The adoption of this law will ensure an appropriate level of protection of personal data and will contribute to the development of business, trade and economic relations of the Republic of Belarus wit... Read More

Estonia approves bill enabling creation of biometric ID system

A bill enabling the creation of a database for an automated biometric identification system has been approved by the Estonian government, Estonian Public Broadcasting reports. The system would create a central database of several currently under various ministries that contain biometric personal data. “The creation of the database and the resulting capability to compare biometric data will have a positive impact (on) the state's internal security as it will help law enforcement bodies resolve cr... Read More

Privacy self-assessment toolkit for SMEs in Ukraine

On Feb. 23, 2021, Ukraine's Ministry of Digital Transformation, in cooperation with the United Nations Development Program, NGO "Privacy Hub," and other partners, launched a data protection self-assessment tool. Aimed at aligning personal data protection with international and European standards, Ukraine developed a framework to help Ukrainian small- to medium-sized enterprises understand Ukrainian privacy laws and the EU General Data Protection Regulation. Background Currently, Ukrainian priv... Read More

Why this French court decision has far-reaching consequences for many businesses

On March 12, 2021, the Conseil d’Etat — France's highest administrative court — ruled that personal data on a platform used to book COVID-19 vaccinations, managed by Doctolib and hosted by Amazon Web Services, was sufficiently protected under the EU General Data Protection Regulation because sufficient safeguards, both legal and technical, were put in place in case of an access request from U.S. authorities. The judge thus rejected a claim filed by professional associations and unions that asked... Read More

Ukraine human rights commissioner unveils recommendations for access to information

The Commissioner for Human Rights of the Verkhovna Rada of Ukraine announced it created recommendations for citizens' right to access information. The recommendations seek to address the best ways to respond toward individuals seeking public information, how to properly obtain information that must be provided within 48 hours and the proper way to follow information request requirements under the Law of Ukraine. Full Story... Read More

Croatian DPA shutters website: Protection of personal data or violation of freedom of speech?

Recently, Croatia’s data protection authority, Personal Data Protection Agency, shut down the website called “rate me” (in Cro: “ocijeni me”), intended for citizens to evaluate public servants employed in 21 city administrations throughout the country. The website, established in 2018 by one association from the city of Dubrovnik, was represented by an attorney who obtained the data about city administration servants based on the constitutional right to access information. Namely, the Croatian ... Read More

Dutch data scandal highlights structural problems around privacy compliance

Perhaps surprisingly, the Dutch are among the worst-performing European countries during the current COVID-19 pandemic. With its vaccination program struggling to gather speed, Minister of Health Hugo de Jonge is increasingly under fire. With public trust being key for any successful governmental policy in battling a pandemic, a recent scandal on the online sale of personal data is most unwelcome. On Jan. 25, RTL News discovered widespread trade in the personal data of COVID-19 test subjects. W... Read More

German data strategy addresses aligning DPAs

Euractiv reports the German government's proposed data strategy will seek to draw a common approach for its 16 state data protection authorities and the Federal Commissioner for Data Protection and Freedom of Information to share. The government acknowledged the authorities work together; however, their "legal interpretations may diverge." A spokesperson for Germany's Association of the Internet Industry said the alignment plan is "a fundamentally welcome goal." The strategy also discusses algor... Read More

Authorities release educational kit for digital citizens

France's data protection authority, the Commission nationale de l'informatique et des libertés, Superior Audiovisual Council, Defender of Rights, and Hadopi have partnered to release an educational kit for digital citizens. The kit brings together resources for parents, adults and young adults on topics like internet rights, online privacy protection and the protection of personal data. "The educational kit makes it possible to consult, online and free of charge, all the videos, tutorials, pract... Read More

Irish DPC finalizes 450K euro GDPR fine against Twitter

One way or the other, Ireland's Data Protection Commission was going to set a precedent with its much-anticipated ruling on Twitter's EU General Data Protection Regulation violations related to a 2019 data breach. The decision was finalized Dec. 15, 2020, and amounted to a fine of just 450,000 euros against the social media company, marking the DPC's first GDPR enforcement against a multinational. "This inquiry was opened following the receipt of a breach notification from Twitter in January 20... Read More

Nonprofit group approved for new collective action ability in Belgium

The enhanced private right of action under the EU General Data Protection Regulation has seen a recent uptick, and that trend might continue.  A development in Belgium this week could catalyze increased efforts for civil litigation in that member state. Belgium's Ministry of Employment, Economy and Consumer Affairs granted NOYB, a nonprofit group created by Max Schrems, status as a "qualified entity," allowing it to bring collective-action suits under the Belgian Code of Economic Law. Belgium r... Read More

Political and legal framework of German DPAs: The question of centralization

Germany has a data protection landscape that is far more complex than its sister EU member states. Owing to its constitution and federal construct, several political and policy areas, such as education and culture, are decentralized to the 16 state ("Landes") levels. One such remit is the regulatory oversight and enforcement of data protection and privacy policy. In Bonn, there is also the federal data protection authority that oversees and supervises the federal public sector, as well as priva... Read More

France's Council of State calls on CNIL to assist with Health Data Hub

Despite concerns over data transfers to the U.S., France's Council of State will not call for a suspension of the country's Health Data Hub, which is under contract with Microsoft. Even though there is still a risk of U.S. intelligence services requesting health data, the council's judge determined it does not justify the temporary suspension of the platform. The judge called on France's data protection authority, the Commission nationale de l'informatique et des libertés, to ensure any use of t... Read More

Ukrainian GDPR: The reality and future of privacy legislation in Ukraine

In 2017, the European Union funded a “Twinning Ombudsman” project with a budget of 1.5 million euros to help Ukraine bring its data protection system in line with international and, in particular, European standards. In November 2018, the initiative completed its work. The project’s team prepared more than a dozen recommendations and methodologies for the effective implementation of the reform, but the draft legislative act was never brought to the Ukrainian Parliament. Contrary to the developm... Read More

German state DPA guidance on protected usable data post-'Schrems II'

Recent guidance by Germany’s Baden-Württemberg Commissioner for Data Protection and Freedom of Information instructs EU entities they cannot lawfully transfer data to cloud, software-as-a-service or other technology providers not organized under the laws of the EU, European Economic Area or an equivalent protection country, rendering off-limits providers from the U.S. and U.K. This applies unless the “exporting” EU data controller and technology data “importer” implement safeguards that overcome... Read More

2 years, 2 fines, 2 banks: Croatia DPA advocating for right of access to credit documentation

More than two years have passed since the EU General Data Protection Regulation entered into force, and Croatia's Personal Data Protection Agency, AZOP, has for a long time been (reasonably) criticized as being inactive, not having imposed a single fine up to mid-2020. Now that AZOP is finally active, it seems that it either has a specific agenda — protecting the right of access to credit documentation against banks — or is searching for a breach where it might be easy to find, purporting the am... Read More

Datatilsynet (Norway) – Annual Privacy Survey

According to a 2019-2020 survey conducted by Norway's data protection authority, Datatilsynet, data subjects are uneasy regarding their privacy and protection of their personal data. The survey found two-thirds of respondents feel a lack of control over their data while more than half said they opt against using a service based on data processing concerns. Read More

Switzerland launches contact-tracing app

Switzerland has launched the SwissCovid contact-tracing app, the first app in Europe to use the Apple and Google application programming interface, SWI reports. In the U.S., the House Committee on Oversight and Reform is investigating data broker Venntel's sale of mobile phone location data to law enforcement agencies and mobile analytics company Mobilewalla gathered demographic data from more than 16,000 cellphones belonging to Black Lives Matter protesters in Atlanta, Los Angeles, Minneapolis ... Read More

EDPB concerned over Hungary's GDPR ban

Hungary's decision to pause EU General Data Protection Regulation obligations during COVID-19 is worrying the European Data Protection Board, Euractiv reports. According to EDPB Chair Andrea Jelinek, the board "considers further explanation necessary" as it relates to why Hungary opted for suspension, asking for details on the orders' "necessity and proportionality." Jelinek added that a suspension like Hungary's is "not recommended" by the EDPB. Full Story... Read More

Country of Georgia’s voting records published online

Voting records of more than 4.9 million people in the country of Georgia were published in a hacking forum, ZDNet reports. The data included names, addresses, birthdates, ID numbers and mobile phone numbers from an unknown source. Meanwhile, Virgin Media could be liable to pay 4.5 billion GBP in compensation following a data breach that exposed 900,000 customers’ personal details, and Hawaii Pacific Health discovered an employee viewed 3,772 patients’ medical records over a five-year period. Full... Read More

Cookie Guidance from Greece

On 25 February 2020, the Hellenic Data Protection Authority published guidance on the use of cookies (and similar technologies). The guidance reiterates the rules around consent and provides examples of cookies which fall into the consent exemptions. Read More

Pope, tech companies call for 'ethical' regulation on facial recognition

Pope Francis is joining Microsoft and IBM in calling for ethical development of artificial intelligence and regulation on facial-recognition technology, Reuters reports. Francis said regulation should “promote transparency and compliance with ethical principles, especially for advanced technologies that have a higher risk of impacting human rights.” Meanwhile, Vice Features Senior Staff Writer Anna Merlan used the California Consumer Privacy Act to access the information facial-recognition compa... Read More

Critics on Croatia's ePrivacy proposal: Legitimate interest provisions not legitimate

On Feb. 21, the Croatian presidency published its proposals to break the ePrivacy Regulation deadlock. Seven previous EU presidencies (the holder rotates every six months) have tried and failed to find a compromise between member states. In a radical departure from previous drafts, the presidency has suggested changes to Articles 6 and 8 that would see “legitimate interest” as a legal basis to process metadata and collect information from the terminal equipment — potentially replacing user con... Read More

Proposal would make medical data available online in the Netherlands

Under a proposed bill announced by Dutch Minister for Medical Care Bruno Bruins, hospitals and health clinics would receive 75 million euros to enable medical data to be available to patients online, Healthcare IT News reports. The institutions would also digitally share data with each other. “Making patient data available online will save time, prevent medical errors and mean that patients do not have to repeat their stories multiple times when seeing different medical professionals,” the repor... Read More

North Macedonia adopts data protection law

The Directorate for Personal Data Protection announced the Parliament of the Republic of North Macedonia has adopted the Law on Personal Data Protection. The law applies to any form of automated data processing done in North Macedonia, regardless of whether the data originated from North Macedonia or another country. Standards and principles for data processing, lawful bases and data subject rights are also included in the legislation. (Original article is in Macedonian.) Full Story... Read More

Serbian commissioner issues country's SCCs

The Serbian Commissioner for Information of Public Importance and Personal Data Protection has issued the country's own standard contractual clauses, BDK Advokati reports. The Serbian SCCs are modeled after the data-processing agreement found under Article 28 of the EU General Data Protection Regulation. "Serbian SCCs are not designed as a cross-border transfer instrument first and foremost," the report states. "Rather, the clauses apply to a controller-processor relationship irrespective of whe... Read More

Switzerland joins EU's 'Convention 223' treaty

The Swiss data protection authority, the Federal Data Protection and Information Commission, has announced it entered into the Council of Europe's "Convention 223," which focuses on the protection of individuals with regard to automatic processing of personal data. Convention 223 is an amending treaty that seeks to modernize the provisions of the previous treaty for data processing, "Convention 108." According to the DPA, "The amending protocol strengthens the rights of data subjects, especially... Read More

Dispatch from Albania: ICDPPC calls for increased global cooperation

The opening session of the 41st annual International Conference for Data Protection and Privacy Commissioners kicked off here in Tirana, Albania, Wednesday. Threads woven throughout the event have included the need for convergence and cooperation, not only among global regulatory authorities, but also among industry, government and civil society as dramatic advances in digital technology continue to challenge laws and regulations, business models, and democracies around the world. ICDPPC Presid... Read More

GDPR incorporated into Greek law

On Aug. 27, the Greek Parliament passed national legislation supplementing the EU General Data Protection Regulation. The long-awaited bill was enacted nearly 15 months after the GDPR went into force and after the European Commission's referral of Greece to the Court of Justice of the European Union for failing to transpose the Law Enforcement Directive before May 6, 2018. Under Law 4624/2019, the Greek Supervisory Authority has been reestablished, provisions of the GDPR are supplemented by addi... Read More

Spain's DPA releases guidance on data processing for wellness, education apps

The Spanish Agency for Data Protection published guidance for education and wellness applications that process personal data. The guidance is not only intended for the organizations that are responsible for processing the data, but also for the developers of the apps. The DPA’s document identifies practices that may negatively impact user privacy and solutions and alternatives to avoid such behavior. The AEPD and Polytechnic University of Madrid analyzed the 10 most-popular wellness and educatio... Read More

Portugal’s data protection law went into effect

On Aug. 8, the long-awaited data protection law for Portugal was published. The Execution Law of the General Data Protection Regulation was first approved in June but did not go into force until it was sanctioned and published in early August. Portugal has followed the guidance offered to member states by the EU General Data Protection Regulation regarding the age of consent, criminal sanctions and limits to penalties, data protection officers, accreditation and certification, data subjects’ rig... Read More

How to interpret Sweden's first GDPR fine on facial recognition in school

The Swedish data protection authority, Datainspektionen, initiated an audit of the public school board of Skellefteå municipality earlier this year after having received media reports that the school board, in a trial project at Anderstorps upper secondary school, had used facial-recognition technology to register student presence during a few weeks. The school board used facial-recognition software via camera to capture and register 22 students’ participation in class. The board was contemplat... Read More

GDPR implementation in Lithuania: Almost a year in review

In July 2018, Lithuania adopted the new Law on Legal Protection of Personal Data. Two supervisory authorities — the State Data Protection Inspectorate and the Office of the Inspector of Journalist Ethics — were tasked with monitoring and application of the regulation. In 2018, their efforts focused mostly on exercising their advisory and investigatory powers, as well as the promotion of public awareness around the EU General Data Protection Regulation. During the last year, Lithuania's data pro... Read More

Czech Parliament approves bills implementing GDPR

On March 12, the Czech Chamber of Deputies approved two bills adapting Czech law to the EU General Data Protection Regulation — the Data Protection Act and the Accompanying Act. This comes more than nine months after the GDPR came into effect. The bills will now be presented to President Miloš Zeman for his signature. The Data Protection Act fully replaces the current Czech Data Protection Act and includes several local derogations and exceptions (primarily for the public authorities). The act ... Read More

Spain’s constitutional right to data protection and application of the GDPR

In November, Spain approved a controversial data protection law to facilitate compliance with Spanish law to the EU General Data Protection Regulation. Although the Spanish law aimed to provide clarity to the implementation of GDPR principles, its text and potential real-world application have caused concern that it is deviating from the GDPR’s intended effect. Citizens of Spain have a right to data protection both under the Constitution of Spain in Article 18(4) and under Article 8 of the Char... Read More

Finland's revamped Data Protection Act now in effect

The new amendments for Finland’s Data Protection Act went into effect 1 Jan., the Helsinki Times reports. The revamped law states companies cannot use the information of children under the age of 13 and gives regulators more powers to penalize companies for noncompliance. Public authorities have been granted increased abilities to obtain citizens’ data for matters of “public interest,” while certain agencies have been granted immunity from fines under the EU General Data Protection Regulation. Fu... Read More

First GDPR fine in Portugal issued against hospital for three violations

Centro Hospitalar Barreiro Montijo has been fined 400,000 euros for violating the General Data Protection Regulation. The country's supervisory authority, Comissão Nacional de Protecção de Dados, found that there were three violations of the GDPR. First was a violation of Article 5(1)(c), a minimization principle, by allowing indiscriminate access to an excessive number of users, and a violation of Article 83(5)(a) a violation of the processing basic principles. For those, the fine was 150,000 ... Read More

Serbia enacts new data protection law

Hunton Andrews Kurth's Privacy & Information Security Law Blog reports on Serbia’s new data protection law, which was enacted Nov. 9 and takes effect Aug. 21, 2019. Modeled after the EU General Data Protection Regulation, the Personal Data Protection Law addresses scope, database registration, data subject rights, consent, data security, privacy by design, data transfers and data breaches, according to Karanovic & Partners. The law also sets penalties for noncompliance, with a maximum se... Read More

Report focuses on Belarus violating human rights via surveillance

Amnesty International has submitted a report to the United Nations Human Rights Committee detailing the ways authorities in Belarus have violated several fundamental human rights, Belsat.eu reports. The group highlights the surveillance practices conducted by the Belarusian government, focusing on the System of Operative Investigative Measures, which allows authorities to access communication data. “The possible surveillance restricted human rights defenders, other civil society and political ac... Read More

Belgium finalizes GDPR implementation: A practitioner’s view

Sept. 5, 2018, Belgium published the law implementing the EU General Data Protection Regulation’s substantive aspects in Belgium. In particular, the law addresses the various areas of national divergence allowed by the GDPR. As a result, the Belgian legal framework for data protection is now complete and is essentially composed of the following: The “Institutional Law” (Law of 3 December 2017 establishing the Data Protection Authority); The “Substantive Law” (Law of 30 July 2018 on the prote... Read More

Privacy’s role in the Article 7 proceedings against Hungary

In the lengthy list of the Hungarian government's sins that led the European Parliament to launch disciplinary proceedings earlier this month — an unprecedented step — lurked multiple offenses on the privacy and data protection fronts. On Sept. 12, the European Parliament for the first time invoked Article 7 — intended to deal with member states that seriously and persistently breach EU values of the Treaty on European Union. What does that mean for data protection? It's technically possible, fo... Read More

Lithuania adopts new Law on Legal Protection of Personal Data

The Lithuanian Parliament finally passed the new Law on Legal Protection of Personal Data June 30. Lithuania was named among the EU outliers that failed to sort the national laws prior to the May 25 deadline. The adopted law came into effect July 16. The State Data Protection Inspectorate and the Office of the Inspector for Journalist Ethics — both tasked with supervision and enforcement of the Law and the GDPR in Lithuania — are obliged to adopt implementing orders until July 15. The law, whi... Read More

In these three countries, employee consent may be the only way to transfer their data

This is the second part of a two-article series, “When the GDPR is not quite enough: Employee privacy considerations in Russia, Belarus, and Ukraine." Find the first part of this article here. Before a deep dive into the issues of employee data processing and transfer, it is worth examining the requirements for employment documentation in Russia, Belarus, and Ukraine. Generally, paper files remain the prevailing form of such documentation, and they are extensively used by local companies to demon... Read More

Blockchain: Practical use cases for the privacy pro — Learning from Estonia

Many Americans would not be able to point out Estonia on a map, yet the tiny country has become a technological powerhouse and is the headquarters for NATO’s Cyber Defense Centre. Estonia was also the first country to vote online (in 2005), and almost all Estonians can now file taxes online within minutes. Now the Estonian government is heavily turning to blockchain technology to further advance its digital government services and provide citizens with greater control over their personal data. ... Read More

When the GDPR is not quite enough: Employee privacy considerations in Russia, Belarus, and Ukraine 

Software developers from Russia, Belarus, and Ukraine have become well known outside their countries for delivering high-quality IT products and services. The strong education system, wide pool of tech graduates, and moderate pay rates in these countries produced attractive destinations for the technology industry. Despite the proximity to Western Europe, the business and legal environment in Russia, Belarus, and Ukraine is very different from the one established in the EU and is often perceive... Read More