European Data Protection Board

2023 was the year of artificial intelligence — and 2024 is already shaping up to be more (much more) of the same. The European Union’s legislative bodies passed the AI Act earlier this month, and although the text has yet to be finalised on the world’s first comprehensive AI law, the hype around it already feels unstoppable. That hype will turn into hard work over the next 12 months, as organisations grapple with understanding their obligations under the Act and putting in a governance framework that meets those obligations. Needless to say, it will not be an easy task.
Continue Reading The Three European Union Laws That Need Your Attention in 2024

Security may not be the first word that comes to mind when thinking about GDPR and UK GDPR compliance, but recent matters indicate it should certainly be near the top of any compliance checklist.

Security of personal data is fundamental to every organization, and its significance scales depending on the type of data processing that takes place. Of the penalties issued for data protection infractions across the EU and UK in 2022 so far, over 70 include security, which is almost 20% of the total fines issued. Specifically, these fines were issued due to a breach of Article 32 of the GDPR/UK GDPR: failing to have appropriate technical and organizational measures in place to protect personal data. A breach of Article 32 of the GDPR or UK GDPR technically only attracts the “standard maximum” fine of €10/£8.7 million or 2% of global annual turnover; however, the offence is often coupled with other transgressions, which has led to fines over €20 million.
Continue Reading Data Protection: The Increasing GDPR/ UK GDPR Focus on Security

Since the joint announcement by US President Joe Biden and European Commission President Ursula von der Leyen, on 25 March 2022, of an agreement in principle on the long-awaited replacement to the EU-US Privacy Shield, transatlantic data flows have again become the focus of GDPR discussions. The lack of details provided to date has, however, resulted in many organisations (and legal commentators alike) wondering where this leaves them.

Should US organisations prepare for certification to yet another incarnation of the Safe Harbor (which will almost certainly be subject to prompt legal challenge in the form of Schrems III)? Should organisations subject to the GDPR continue with their transfer impact assessments and the uncertainty of the standard contractual clauses (“SCCs”) when transferring personal data to the US? Will the new safeguards have any impact on the SCCs at all? And how will this affect transfers to the US from the UK or other non-EU jurisdictions?

Representatives of the US Government and the European Commission recently provided some much-needed context, including further details around the timing of the replacement framework and of the potential shape of the new redress mechanism. Their comments offer some hints about the UK’s approach to transatlantic and other international data flows.
Continue Reading Transatlantic Data Flows – Where Are We Now?

A recent decision by the Austrian Supervisory Authority (“SA”) casts a spotlight on the complexities of data transfers and cookie use, and highlights a shift in regulatory focus onto these topics in the year ahead. Regulators around Europe are increasingly beginning to weigh in on such transfers, and the outcomes of their deliberations will shape the data transfer compliance landscape in the months to come. These decisions present complex questions about the future of data transfers in the EU and UK.
Continue Reading Increased EU Scrutiny of US Data Transfers Through Cookie Use

In encouraging news for UK-based organizations involved in the processing of personal data, the European Data Protection Board (EDPB) has adopted two Opinions on the draft UK adequacy decisions which, if approved, would allow the transfer of personal data from the European Economic Area (EEA) to the UK to continue freely.

The first Opinion (Opinion 14/2021) relates to the GDPR and considers general data protection issues and also government access to personal data transferred from the EEA for national security and law enforcement purposes set out in the draft adequacy decision. The second Opinion (Opinion 15/2021) relates to the Law Enforcement Directive (LED) and considers various issues.
Continue Reading European Data Protection Board Adopts Two Opinions on Draft UK Adequacy Decisions

In addition to the adoption by the European Data Protection Board (“EDPB”) of Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak, various other European guidance regarding the use of data and technology in connection with COVID-19 has also been published.
Continue Reading COVID-19 Contact Tracing Apps Essential Requirements and Best Practices

On April 21, the European Data Protection Board (“EDPB”) released guidelines on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak (“Guidelines”).

The Guidelines note that the GDPR includes various provisions which permit health data to be collected and processed for scientific research purposes connected with COVID-19 and also envisages specific derogations to the prohibition on processing certain special categories of personal data, such as health data, where necessary for scientific research purposes.
Continue Reading European Guidelines Adopted on Health Data Processed in the Context of the Covid-19 Outbreak

Recognizing the increasing prevalence of data-driven solutions in combatting COVID-19 and the numerous related privacy concerns, on April 21, the EDPB adopted guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (“Guidelines”).

The Guidelines clarify the conditions and principles for proportionate use of location data and contact tracing tools for two particular purposes: (i) the use of location data to support the response to the pandemic by modelling COVID-19’s spread to calculate the overall effectiveness of confinement measures; and (ii) contact tracing, which aims to notify individuals that they have been in close proximity to an infected individual, to break the contamination links quickly and combat the virus’ spread.
Continue Reading European Guidelines Adopted on Contact Tracing Tools and the Use of Location Data in the Context of the COVID-19 Outbreak

The European Data Protection Board (EDPB) has updated its Guidelines on GDPR consent to clarify that making access to a website conditional on accepting cookies – so-called “cookie walls” – does not constitute valid consent and that scrolling or swiping through a webpage cannot constitute consent either, under any circumstances.

Updated Guidelines

“Guidelines on consent under Regulation 2016/679” were first published in November 2017 by the EDPB’s predecessor, the Article 29 Working Party, and formally adopted in April 2018. The EDPB has now produced a slightly updated version of those Guidelines which, apart from two important clarifications, essentially remain the same. The clarifications appear in the sections of the Guidelines on “Conditionality” and “Unambiguous indication of wishes” and concern, respectively, the validity of consent provided by individuals when interacting with “cookie walls” and the question of scrolling or swiping through a webpage or similar user activity to indicate consent.
Continue Reading European Data Protection Board Updates Guidelines on GDPR Consent