EU

EU: DLA Piper GDPR Fines and Data Breach Survey: January 2025

By Rachel de Souza on January 21, 2025

Posted in Data security and breaches, Enforcement, EU privacy, General Data Protection Regulation, Privacy Law

The seventh annual edition of DLA Piper’s GDPR Fines and Data Breach Survey has revealed another significant year in data privacy enforcement, with an aggregate total of EUR1.2 billion (USD1.26 billion/GBP996 million) in fines issued across Europe in 2024.

Ireland once again remains the preeminent enforcer issuing EUR3.5 billion (USD3.7 billion/GBP2.91 billion) in fines since…

EU: EDPB Opinion on AI Provides Important Guidance though Many Questions Remain

By James Clark, Heidi Waem, John Magee & Rachel de Souza on January 14, 2025

Posted in Artificial Intelligence, EDBP (European Data Protection Board), Privacy Law

A much-anticipated Opinion from the European Data Protection Board (EDPB) on AI models and data protection has not resulted in the clear or definitive guidance that businesses operating in the EU had hoped for. The Opinion emphasises the need for case-by-case assessments to determine GDPR applicability, highlighting the importance of accountability and record-keeping…

EU: Cyber Resilience Act published in EU Official Journal

By Rachel de Souza & Philipp Adelberg on November 21, 2024

Posted in Cyber security, Digital Decade, Digital transformation, EU data governance, EU privacy, New laws

On 20 November 2024, the EU Cyber Resilience Act (CRA) was published in the Official Journal of the EU, kicking off the phased implementation of the CRA obligations.

What is the CRA?

The CRA is a harmonising EU regulation, the first of its kind focusing on safeguarding consumers and businesses from cybersecurity threats. …

EU: EHDS – Access to health data for secondary use under the European Health Data Space

By Andreas Ruediger & James Clark on November 19, 2024

Posted in EU data governance, EU privacy, Health Data, New laws, Privacy Law

This is Part 3 in a series of articles on the European Health Data Space (“EHDS“). Part 1, which provides a general overview of the EHDS, is available here. Part 2, which deals with the requirements on the manufacturers of EHR-Systems under the EHDS, is available here.

This article provides an…

EU: Engaging vendors in the financial sector: EDPB clarifications mean more mapping and management

By Linzi Penman, Eilis McDonald & Megan Ho on November 8, 2024

Posted in EDBP (European Data Protection Board), EU data governance, EU privacy, General Data Protection Regulation

The European Data Protection Board (“EDPB“) adopted an opinion on 7 October 2024, providing guidance for data controllers relying on processors (and sub-processors) under the GDPR. The two key themes are:

supply chain mapping;
verifying compliance with flow-down obligations.

For many financial institutions, the emphasis on these obligations should not come as a…

EU: NIS2 Member State implementation deadline has arrived

By Rachel de Souza on October 17, 2024

Posted in Digital Decade, EU data governance, Network and Information Security Directive

Today marks the deadline for EU Member State implementation of the Network and Information Systems Directive II (“NIS2“) into national law.

NIS2 is part of the EU’s Cybersecurity Strategy and repeals and replaces the original NIS Directive which entered into force in 2016 (with Member State implementation by 9 May 2018). Much like…

EU: CJEU Insight

By Rachel de Souza, Philipp Schmechel, Radha Pull ter Gunne & Lorcan Moylan Burke on October 15, 2024

Posted in CJEU, EU privacy, General Data Protection Regulation

October has already been a busy month for the Court of Justice of the European Union (“CJEU”), which has published a number of judgments on the interpretation and application of the GDPR, including five important decisions, all issued by the CJEU on one day – 4 October 2024.

This article provides an overview…

EU: ECJ rules that competitors are entitled to bring an injunction claim based on an infringement of the GDPR.

By Verena Grentzenberg & Andreas Ruediger on October 7, 2024

Posted in CJEU, e-health, ECJ; Article 29 Working Party;, EU privacy, Health Data, Privacy Law

Introduction

In its judgement of 04 October 2024 (C-21/23), the European Court of Justice (“ECJ”, “Court”) ruled, that the provisions of Chapter VIII of the GDPR, do not preclude national rules which grant undertakings the right to rely, on the basis of the prohibition of acts of unfair competition…

EU: CJEU Confirms that Legitimate Interests can cover purely commercial interests

By Richard van Schaik, Francesca Pole & Demi Rietveld on October 7, 2024

Posted in CJEU, EU privacy, Lawful basis, Legitimate Interests, Privacy Law

Introduction

The subject of “legitimate interests” and in particular whether they can be “purely commercial” has been a topic of front and center stage debate in the Netherlands for some time. The Dutch data protection authority (AP) has historically interpreted the concept of legitimate interest narrowly, taking the position that organisations…

EU: Data Act Frequently Asked Questions answered by the EU Commission

By Heidi Waem, Simon Verschaeve, James Clark, Sebastian Georgescu & Florentien Maes on September 23, 2024

Posted in Digital Decade, EU Commission, EU data governance, EU privacy

The EU Data Act is one of the cornerstones of the EU’s Data Strategy and introduces a new and horizontal set of rules on data access and use to boost the EU’s data economy. Most of the provisions of the Data Act will become applicable as of 12 September 2025. To assist stakeholders in the…