On 12 January 2023, the European Court of Justice (“CJEU”) delivered its judgment regarding the right of access to personal data under Article 15 GDPR. The CJEU held that when exercising their right of access under the GDPR, data subjects must be provided with the individual data recipients of their personal data.

Background…
Continue Reading Europe: CJEU decision – Right of access to individual recipients of personal data

New decisions narrow ‘contractual necessity’ as a ground for processing data—and highlight divisions among EU privacy regulators

Authors: James Sullivan, John Magee & David Brazil

Ireland’s Data Protection Commission (DPC) announced on January 4, 2023, that it has fined Meta a total of €390 million after finding that the company’s Facebook and Instagram…
Continue Reading EU & Ireland: Meta’s legal basis for targeted ads found to breach GDPR

On 2 November 2022, the Portuguese Data Protection Authority (“CNPD”) issued a Decision imposing a fine of € 4,300,000 (four million three hundred euros) to the National Institute of Statistics (“INE”) for multiple violations in the processing of data subjects’ sensitive data during the Census 2021 operation.

Background

On the 27…
Continue Reading Portuguese Data Protection Authority fines the National Institute of Statistics € 4.3 million

1  New development and timing

On 13^th December, the European Commission published a draft adequacy decision to enhance and replace its 2016 adequacy decision for the EU-U.S. Privacy Shield framework (“Privacy Shield”), which was invalidated by the Schrems II decision of the Court of Justice of the European Union (“CJEU”). The Commission has submitted…
Continue Reading EU – US adequacy decision: State of play

Authors: James Clark and David Cook

The UK government has published its plans to amend the Network and Information Systems Regulations 2018.  The reforms will lead to many more IT companies falling within the scope of the Regulations as ‘Digital Service Providers’ and will expand incident reporting obligations.  A two-tiered regime for Digital Service Providers…
Continue Reading UK NIS – Get ready for expansion of the UK’s critical national infrastructure cyber security laws

Authors: Ewa Kurowska-Tober, Andrew Serwin,  John N Gevertz and Piotr Czulak

The CJEU recently ruled that a Luxembourg law adopted in 2019 in accordance with the amended anti-money-laundering directive[1] (“AML Directive”), which required the disclosure and publication of certain information on the beneficial owners of entities registered in the Register of Beneficial…
Continue Reading CJEU rules that Privacy Rights Outweigh AML Requirements

Authors: David Cook, Benjamin Fellows and Heba Khalid

On 6 October 2022, Advocate General Campos Sánchez-Bordona delivered his opinion in UI v Österreichische Post AG (Case C‑300/21) on the interpretation of Article 82 of the General Data Protection Regulation, holding that:

• A “mere breach” of the GDPR is not sufficient to warrant

…
Continue Reading Europe: Compensation for non-material damage does not automatically accompany every breach of the GDPR (AG’s opinion)

The Schrems II judgment has created significant legal uncertainty and challenges for data exporters across the European Economic Area (the EEA), requiring highly complex assessments of the laws and practices of third countries and risk assessments. Compounding this challenge, the legal standard to be applied to personal data transfers abroad from the EEA…
Continue Reading The GDPR International Data Transfer Regime: the case for Proportionality and a Risk-Based Approach