Introduction

The draft ePrivacy Regulation has been trundling through the EU legislative bodies for the past couple of years, and is making some progress. On 4 October 2019 the European Council issued a revised draft of the Regulation, which is still subject to change.

The Regulation was initially due to come into force at the same time as the GDPR, and is intended to complement the GDPR and relate to electronic communications specifically. However inconsistencies with the GDPR and unanswered questions around parts of the draft have created uncertainty.

We consider some of the key differences between the revised draft and the current legislation below.
Continue Reading

Europe’s highest court has decided that Internet intermediaries can be ordered to remove illegal content on a global basis.

What’s the background?

The Court of Justice of the European Union (CJEU) held in Glawischnig-Piesczek, C-18/18 that online platforms, such as Facebook, can be ordered to remove “identical and, in certain circumstances, equivalent” comments that have been previously declared by national courts to be illegal and that such orders can be effected on a worldwide basis.


Continue Reading

In a landmark ruling last week, the Court of Justice of the European Union (CJEU) has held that Google is not required to carry out a de-referencing (effectively, the “right to be forgotten”) on non-EU versions of its search engine.

The case was brought by Google on appeal, having received an initial fine of €100,000 from the French data protection regulator, CNIL, back in 2016 after it had ruled that Google’s self-imposed restriction to only de-reference on European versions of its search engine (as opposed to its global platforms) was unlawful.


Continue Reading

Thousands of European and US companies will have been relieved by the recent announcement that the EU-US Privacy Shield (the framework for regulating transatlantic exchanges of personal data) is secure for another year.

However, it may be premature to rejoice: the EU Commission’s review highlighted two key issues:

  1. the continued reluctance by the US to institute fundamental safeguards for individuals’ personal data; and
  2. the imminent need to appoint an independent ombudsman.

Coupled with the impending European court ruling in Schrems II – is the Privacy Shield’s demise only a matter of time?


Continue Reading

Data-driven technologies, particularly artificial intelligence and other complex algorithms, have the potential to enhance patient care and catalyse medical breakthroughs. However, these technologies are heavily reliant on data, which poses challenges in ensuring that patient information is handled in a safe, secure and legally compliant way.
Continue Reading

A recent judgment of the European Court makes it clear that in many circumstances more than one party may be a joint data controller. Whilst the judgment pre-dates the GDPR, its consideration of what constitutes ‘control’ and ‘joint control’ remains good law under the GDPR. The judgment means that parties who may have considered themselves ‘data processors’ in the past should review whether they are in fact ‘joint data controllers’ with others.
Continue Reading

On 13 September 2017, the Commission issued a proposal for a Regulation to strengthen the role of the EU Agency for Network and Information Security (ENISA) by:

  • granting it a permanent mandate;
  • clarifying its role as the information hub of the EU for cybersecurity; and
  • tasking it with the responsibility of proactively contributing to policy in the area of network information and security.

The proposal also introduces EU-wide cybersecurity certification schemes for ICT products and services, which will be prepared by ENISA. This aims to address current market fragmentation and provide a comprehensive set of cybersecurity rules, technical requirements, standards and procedures.
Continue Reading

The UK Government has released a “Future Partnership” paper setting out its vision for UK-EU data flows post-Brexit. In particular, the paper anticipates seeking an early UK-EU agreement that each area’s data protection laws provide equivalent protection, which would allow data to continue to flow between the EU, the UK and other third countries post-Brexit. 
Continue Reading

With holiday season upon us, earlier this week Matt Hancock, the UK Government’s Digital Minister, announced proposals for a new UK data protection law. Previously covered on this blog here and here, little new of substance was announced, but in a slow news week, the announcement garnered significant UK media coverage and attention. 
Continue Reading

Following the Government’s decision to include a revised data protection law in the Queen’s Speech last month, the House of Lords EU Home Affairs Sub-Committee reviewed the potential implications on national security, stability and public safety of the UK exiting the European Union without an agreement to ensure there is unhindered data flow between the two sides. The Committee issued a stark warning that it was “struck by the lack of detail” on how the Government would ensure that the UK data protection regime continues to allow data transfer with the European Union in a post-Brexit world.

Continue Reading