EU privacy

EU: CJEU Confirms that Legitimate Interests can cover purely commercial interests

By Richard van Schaik, Francesca Pole & Demi Rietveld on October 7, 2024

Posted in CJEU, EU privacy, Lawful basis, Legitimate Interests, Privacy Law

Introduction

The subject of “legitimate interests” and in particular whether they can be “purely commercial” has been a topic of front and center stage debate in the Netherlands for some time. The Dutch data protection authority (AP) has historically interpreted the concept of legitimate interest narrowly, taking the position that organisations…

UK: The UK Cybersecurity and Resilience Bill – a different approach to NIS2 or a British sister act?

By Nicholas De Lacy-Brown, Henry Kilding, James McGachie & Rachel de Souza on October 1, 2024

Posted in Cyber security, Digital Decade, EU data governance, EU privacy, New laws, Privacy Law, UK

In the much anticipated first King’s Speech of the new Labour Government on 17 July 2024, the monarch announced that the long anticipated Cybersecurity and Resilience Bill (CS&R Bill) would be amongst those new laws making their way onto Parliament’s schedule for the next year. Six years on from the implementation of the …

EU: Data Act Frequently Asked Questions answered by the EU Commission

By Heidi Waem, Simon Verschaeve, James Clark, Sebastian Georgescu & Florentien Maes on September 23, 2024

Posted in Digital Decade, EU Commission, EU data governance, EU privacy

The EU Data Act is one of the cornerstones of the EU’s Data Strategy and introduces a new and horizontal set of rules on data access and use to boost the EU’s data economy. Most of the provisions of the Data Act will become applicable as of 12 September 2025. To assist stakeholders in the…

Europe/Germany: Right to bring collective action for violations of information obligations under GDPR

By Andreas Ruediger on August 29, 2024

Posted in Class actions, ECJ; Article 29 Working Party;, EU privacy, General Data Protection Regulation, Privacy Law, Transparency

Summary

In its judgement of 11 July 2024 (C-757/22), the European Court of Justice (‘ECJ’) ruled that the violation of a controller’s information obligations under Art. 12 and 13 GDPR, can be subject to a representative action under Article 80(2) GDPR.

Facts of the case

Meta Platforms Ireland Limited (“…

Requirements of EHR systems under the European Health Data Space

By Andreas Ruediger on July 16, 2024

Posted in EU privacy, Health Data

This is Part 2 in a series of articles on the European Health Data Space (“EHDS“). Part 1, which provides a general overview of the EHDS, is available here.

Alongside the better-known provisions of the EHDS dealing with secondary use of health data, the draft Regulation also sets out specific technical requirements…

The European Health Data Space – What lies ahead?

By Andreas Ruediger on June 10, 2024

Posted in EU privacy, Health Data

In March 2024, the Council of the European Union and the European Parliament reached a deal on a provisional agreement for the European Health Data Space (“EHDS”) regulation as part of the broader EU data strategy. The Council of the European Union published the compromise text of this agreement as a work-in-progress, providing…

Ireland: DPC Issues Record 87% of EU GDPR Fines in 2023; Breach Reports Increase by 20%

By John Magee, Eilis McDonald, Lorcan Moylan Burke, Sarah Dunne, David Brazil & Emer McEntaggart on June 6, 2024

Posted in Data security and breaches, Enforcement, EU privacy, General Data Protection Regulation

The Data Protection Commission (DPC) has published its 2023 Annual Report, highlighting a record year with DPC fines accounting for 87% of all GDPR fines issued across the EU. A busy year for the DPC also saw a 20% increase in reported personal data breaches as Helen Dixon steps down after 10 years in…

EU/UK: Data-Sharing Frameworks – A State of Play in the EU and the UK

By Heidi Waem, Simon Verschaeve, Muhammed Demircan, James Clark & Laura Dobson on June 6, 2024

Posted in Data Sharing, Digital transformation, EU Commission, EU data governance, EU privacy, New laws, UK

Disclaimer: This article first appeared in the June 2024 issue of PLC Magazine, and is available at http://uk.practicallaw.com/resources/uk-publications/plc-magazine.

In order to capture the benefits of data-driven innovation, the EU and the UK are taking action to facilitate data sharing across various industries.

In the EU, the European Commission is investing €2…

Europe: EDPS finds that the European Commission has infringed data protection rules

By Rachel de Souza & Anna Rivera on March 21, 2024

Posted in EU Commission, EU privacy

On 11 March 2024, following an investigation, the European Data Protection Supervisor (EDPS) announced that the European Commission’s (Commission) use of a major software company infringes the data protection law for EU institutions, bodies, offices and agencies (Regulation (EU) 2018/1725). In particular, the EDPS found that the Commission had…

CJEU ruling clarifies data protection and e-privacy issues in the ad-tech space

By Verena Grentzenberg, Heidi Waem, David Sanchio Schele, Lorcan Moylan Burke & Caroline Mazza on March 13, 2024

Posted in Enforcement, ePrivacy, EU privacy

Introduction

Identifiability; what can amount to personal data; and joint controllership are some of the issues addressed by the Court of Justice of the European Union (CJEU) in its recent judgment in the IAB Europe case (C-604/22). This case concerned the use of personal data for online advertising purposes and the use…