Data Protection

Subscribe to Data Protection

In May 2022, the European Commission published a proposal to establish a European Health Data Space (“EHDS”). The Commission’s EHDS proposal aims to improve access by individuals to their health data (primary use) and facilitate the re-use of health data for societal good across the European Union (secondary use). The European Commission’s aim is to adopt the EHDS by the end of its current mandate (October 31, 2024). The European Commission expressed its hope that the provisions of the regulation will enter into force across all EU member states in 2025. Businesses operating in the health and pharma sectors should therefore carefully consider how the EHDS might affect them.

Continue Reading Health Data: European Commission Proposes new Rules on Access and Use

On 13 April 2021, the European Data Protection Board (“EDPB“) adopted two opinions  (“Opinions“) concerning draft UK adequacy decisions published by the European Commission which would permit the free flow of personal data from the European Economic Area (“EEA“) to the UK in the post-Brexit world. The Opinions largely support the draft UK adequacy decisions and represent a positive step towards adoption of formal UK adequacy decisions. Nonetheless, organisations which transfer personal data from the EEA to the UK should continue to monitor the developments and keep planning for the possibility that the adequacy decisions, if adopted, could
Continue Reading European Data Protection Board Issues Opinions on European Commission’s Draft UK Adequacy Decisions

In an increasingly interconnected world, preserving the free flow of data across borders is crucial to the prosperity of businesses operating in every industry. But over the last year, there have been a number of important data protection developments in Europe that have a direct impact on the supply chain and distribution arrangements operated by organizations. These developments are restricting the ways in which businesses can share personal data within their organizations and with counterparties internationally. They include:
Continue Reading Data Protection Developments in Europe – Supply Chain and Distribution

A decision issued on 15 March 2021 by the Bavarian Data Protection Authority (“BayLDA”, publication pending) is the first German enforcement action in connection with last year’s decision of the Court of Justice of the European Union (“CJEU”, “CJEU’s Decision”) on the validity of the European Commission’s Standard Contractual Clauses (“SCCs”) and the EU-US Privacy Shield (C-311/18, more information available in our client alert). In the CJEU Decision, the court held that a transfer of personal data from the EU to third countries outside the European Economic Area (“EEA”) under the EU Standard Contractual Clauses will be permissible
Continue Reading German Data Protection Authority Decides on Supplementary Measures for International Data Transfers

The Spanish Data Protection Authority (“Agencia Espanola Proteccion Datos – AEPD”) has recently issued its highest fine to date, totaling €8.15 million for several breaches of GDPR and national legislation by a multinational telecommunication company and its service providers. Notably, €2 million of this fine was attributable to its service provider conducting an international transfer of personal data to a country that did not comply with the European data protection requirements.
Continue Reading Spanish Data Protection Authority Issues Highest GDPR Fine to Date

Since enacted in August 2018, the entry into force of the Brazilian Data Protection Law (No. 13,709 – “LGPD”) has been subject to several changes. First it was supposed to be effective as of February 2020; then August 2020; and more recently 3 May 2021 (Provisional Measure No. 959/2020 dated 29 April 2020). The future of the LGPD remains uncertain, since this Provisional Measure needs to be rejected, approved or changed by the National Congress, or else it will expire on 27 August 2020.
Continue Reading Sanction Provisions in Brazil’s Data Protection Law Will Take Effect on 1 August 2021

There is a lot of uncertainty as to when the Brazilian Data Protection Law (No. 13,709 – “LGPD”) will come into force. Such uncertainly has been significantly increased due to the current scenario of Covid-19. However, data protection compliance projects should not be postponed or implemented superficially, especially considering (i) their direct impact in a company’s reputation towards its employees, suppliers, partners and customers and (ii) their relevance in business relations outside of Brazil, since several countries
Continue Reading The Impact of Covid-19 on Data Protection in Brazil

Brexit is finally here. The United Kingdom leaves the European Union on 31 January 2020. The EU and the UK will now enter a transition period which is scheduled to last until 31 December 2020. During this time, the UK will continue to abide by the EU laws, be subject to the rulings of EU courts, and contribute to the EU budget. Hence, the status quo will essentially remain unchanged during the transition period. The aim of the transition period is to provide enough time for the final wave of negotiations between the UK and EU to
Continue Reading Brexit – What Does it Mean for Businesses from an IP, Tech and Privacy Perspective?

On 1 October 2019, the Court of Justice of the European Union (CJEU) ruled on a number of questions which, inter alia, relate to the validity of consent to cookies “by way of a pre-checked checkbox” (Case C 673/17). Although the questions referred to the CJEU primarily related to provisions of the Privacy and Electronic Communications Directive (2002/58/EG), the CJEU stated that the questions  must be answered also in regard to the EU General Data Protection Regulation (GDPR).
Continue Reading Court of Justice of the EU: A “Pre-Checked Checkbox” Is Not Valid Consent to Cookies under the GDPR

According to recent press reports, the German data protection authorities have agreed on a new way to calculate administrative fines under the General Data Protection Regulation (“GDPR”). The new scoring model, which has not yet been officially published, could make fines of tens of millions of euros a reality in Germany. In contrast to their French and UK counterparts, Germany’s data protection authorities have so far been more restrictive in imposing GDPR fines.
Continue Reading German Data Protection Authorities Agree on New GDPR Fining Model