EU & Ireland: Meta’s legal basis for targeted ads found to breach GDPR

New decisions narrow ‘contractual necessity’ as a ground for processing data—and highlight divisions among EU privacy regulators

Authors: James Sullivan, John Magee & David Brazil

Ireland’s Data Protection Commission (DPC) announced on January 4, 2023, that it has fined Meta a total of €390 million after finding that the company’s Facebook and Instagram platforms lacked …

UK: Data adequacy post-Brexit – the UK’s first ‘data bridge’

Author: James Clark

On 19 December 2022 the UK government’s first data adequacy decision of the post-Brexit era came into effect. Under the Data Protection (Adequacy) (Republic of Korea) Regulations 2022, the UK formally determined that the Republic of Korea provides an adequate level of data protection for the purposes of the UK GDPR. Consequently, …

Portuguese Data Protection Authority fines the National Institute of Statistics € 4.3 million

On 2 November 2022, the Portuguese Data Protection Authority (“CNPD”) issued a Decision imposing a fine of € 4,300,000 (four million three hundred euros) to the National Institute of Statistics (“INE”) for multiple violations in the processing of data subjects’ sensitive data during the Census 2021 operation.

Background

On the 27th of April 2021, after …

EU – US adequacy decision: State of play

1 New development and timing

On 13th December, the European Commission published a draft adequacy decision to enhance and replace its 2016 adequacy decision for the EU-U.S. Privacy Shield framework (“Privacy Shield”), which was invalidated by the Schrems II decision of the Court of Justice of the European Union (“CJEU”). The Commission has submitted the …

UK NIS – Get ready for expansion of the UK’s critical national infrastructure cyber security laws

Authors: James Clark and David Cook

The UK government has published its plans to amend the Network and Information Systems Regulations 2018. The reforms will lead to many more IT companies falling within the scope of the Regulations as ‘Digital Service Providers’ and will expand incident reporting obligations. A two-tiered regime for Digital Service Providers …

CJEU rules that Privacy Rights Outweigh AML Requirements

Authors: Ewa Kurowska-Tober, Andrew Serwin, John N Gevertz and Piotr Czulak

The CJEU recently ruled that a Luxembourg law adopted in 2019 in accordance with the amended anti-money-laundering directive[1] (“AML Directive”), which required the disclosure and publication of certain information on the beneficial owners of entities registered in the Register of Beneficial Ownership, was invalid …

Europe: Compensation for non-material damage does not automatically accompany every breach of the GDPR (AG’s opinion)

Authors: David Cook, Benjamin Fellows and Heba Khalid

On 6 October 2022, Advocate General Campos Sánchez-Bordona delivered his opinion in UI v Österreichische Post AG (Case C‑300/21) on the interpretation of Article 82 of the General Data Protection Regulation, holding that: A “mere breach” of the GDPR is not sufficient to warrant an award of compensation if the infringement in …

HONG KONG: Increased Enforcement Action?

Author: Carolyn Bigg

Are we seeing a return of proactive enforcement of Hong Kong’s data protection laws, after a lull in recent years? On 14 November 2022, the Office of the Privacy Commissioner for Personal Data (“PCPD”) published two investigation reports for non-compliance with the Personal Data (Privacy) Ordinance (“PDPO”): EC Healthcare’s failure to obtain …

The GDPR International Data Transfer Regime: the case for Proportionality and a Risk-Based Approach

The Schrems II judgment has created significant legal uncertainty and challenges for data exporters across the European Economic Area (the EEA), requiring highly complex assessments of the laws and practices of third countries and risk assessments. Compounding this challenge, the legal standard to be applied to personal data transfers abroad from the EEA has been …

Belgium: First Settlement Decisions by Belgian Data Protection Authority

Authors: Heidi Waem, Nicolas Becker

On 21 October 2022, the Belgian Data Protection Authority issued its first settlement decisions (Cases 150/2022 and 151/2022 of 21 October 2022) whereby the cases against a controller for alleged cookie infringements were settled by means of payment of 10.000 EUR per case. It is also the first decision of …

Keeping an ‘AI’ on your data: UK data regulator recommends lawful methods of using personal information and artificial intelligence

Authors: Jules Toynton, Coran Darling

Data is often the fuel that powers AI used by organisations. It tailors search parameters, spots behavioural trends, and predicts future possible outcomes (to highlight just a few uses). In response, many of these organisations seek to accumulate and use as much data as possible, in order to make …

AUSTRALIA: Likely increase in maximum penalties for privacy breaches

Author: Sarah Birkett

Anyone with a passing interest in Australian privacy laws will no doubt have heard about the Optus data breach. The incident, which was made public in late September 2022, is thought to have affected around 9 million individuals (almost 40% of the Australian population), with identity documents relating to approximately 2.22 million …

UK: ICO issue fine of £4.4m to Interserve for security failings

Authors: Ross McKean, Henry Pelling

On 24 October 2022, the ICO issued a penalty notice (MPN) to Interserve Group Limited (Interserve), imposing a fine of £4.4m for violations of the GDPR (the violations were pre-Brexit). The ICO found that Interserve had failed to put appropriate technical and organisational measures in place to secure personal data …

INDONESIA: Personal Data Protection Law PDPL Now in Force

Author: Carolyn Bigg, Yue Lin Lee

Indonesia’s long-awaited Personal Data Protection Law (“PDPL”) finally came into force on 17 October 2022, helpfully consolidating and clarifying the personal data protection framework in Indonesia. Whilst there is a two-year transition period, businesses with Indonesian operations or which process the personal data of Indonesian citizens should now make compliance …

Ireland / Europe: DPC’s Record Fine Raises Expectations on Standards Applicable for Processing Children’s Data

A recent decision by the Irish Data Protection Commission (“DPC”) imposing a record €405 million fine provides clarification on the lawfulness of processing children’s personal data in accordance with the legal bases of ‘performance of contract’ and ‘legitimate interest’. On 2 September 2022, the DPC imposed a record €405 million GDPR fine on Instagram (Meta …

President Biden orders surveillance reforms two years after Schrems II

Long-awaited executive order strives to enhance and revive the invalidated Privacy Shield Framework

Author: Jim Sullivan

On 7 October 2022, President Biden issued an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the EO), aimed at addressing the widespread legal uncertainty that has prevailed with respect to transatlantic data transfers since the Schrems II decision by …

EUROPE: Data protection regulators publish myth-busting guidance on machine learning

Authors: Coran Darling, James Clark

In its proposed AI Regulation (“AI Act”), the EU recognises AI as one of the most important technologies of the 21st century. It is often forgotten, however, that AI is not one specific type of technology. Instead, it is an umbrella term for a range of technologies capable of imitating certain aspects of …

SINGAPORE: Increased financial penalties under the PDPA now in effect

Authors: Carolyn Bigg, Yue Lin Lee

The provision setting out significantly higher financial penalties for Singapore’s Personal Data Protection Act 2012 (“PDPA”) is now in force. There is now an increased risk for organisations contravening the PDPA in Singapore. This means that in relation to any intentional or negligent contravention of: the data protection provisions, …

CHINA: Clarifications of data classification and grading requirements

Under the Data Security Law, organisations are required to classify the data they process according to their level of significance. Albeit a draft, the recent Draft Standard on Information Security Technology Network Data Classification and Grading Requirements (“Draft”) highlights the principles and methods for different industries, fields, localities, departments, and data processors to classify and …
