On January 15, the Court of Justice of the European Union’s (CJEU) Advocate General (AG) Manuel Campos Sánchez-Bordona delivered his Opinion on four references for preliminary rulings on the topic of retention of and access to communications data. Of the four references, two originated from France, one from Belgium, and one from the Investigatory Powers Tribunal (IPT) in the United Kingdom. The latter arose from a challenge by Privacy International to the UK Security and Intelligence Agencies’ (SIAs) powers under the Telecommunications Act 2014 and the Data Retention and Investigatory Powers Act 2014.
On 12 March 2019 at its Eighth Plenary Session, the European Data Protection Board adopted its Opinion 5/2019 on the interplay between the ePrivacy Directive and the General Data Protection Regulation. The Belgian Data Protection Authority had, on 3 December 2018, requested that the EDPB examine the overlap between the two laws and in particular the competence, tasks, and powers of data protection authorities. The EDPB adopted its Opinion in response to this request and in order to promote the consistent interpretation of the boundaries of the competences, tasks, and powers of DPAs.
Judging by the number of calls and the intensity of the discussions about how to comply with the cookie consent requirement in a post-GDPR world, this issue has become a top worry for organisations and data protection officers. Partly due to the visibility of the mechanisms used to collect this consent, and partly due to the potential implications of operating a website without cookies, the dilemma around what solution to deploy has become a serious business decision. Different business stakeholders are often at odds with each other and matters are getting escalated to decision makers who had never been involved in the technically complex and largely misunderstood world of cookies. The tension is rising and yet, no approach has emerged as the preferred one among all involved. So everyone is getting anxious to find a way to do what they have always done and comply with the law. Is this panic justified?
Please join us for our March 2017 Privacy and Cybersecurity Events.
On 12 April 2016, the European Commission launched a public consultation on the ePrivacy Directive. Interested parties who wish to participate have until 5 July 2016 to submit responses to the Commission’s 33 questions.
In a decision of 16 December, the French data protection authority (the “CNIL”) issued new recommendations with regards to the appropriate fashion in which businesses should implement the so-called “cookie consent law”.
On 14 October, the Article 29 Working Party of EU data protection commissioners published a Working Document providing guidance on obtaining consent for cookies, some eighteen months after the effective date of the so-called “cookie consent law” which required EU websites to obtain consent from Internet users before before placing cookies on their devices. The document analyses, to some extent, the practices more commonly used by website operators to obtain the required consent, and attempts to answer the question as to what measures would “be legally compliant for a website operating across all EU Member States.”
Under a new regulation on the notification of personal data breaches, providers of publicly available electronic communication services must provide notices to authorities of breaches within 24 hours. If the provider lacks full information about the data breach, a preliminary notice is required, with a subsequent notification within 3 days after the initial notification. The subscribers […]
The European Union’s Article 29 Data Protection Working Party (“WP29”), which consists of the 27 data protection authorities of the EU Member States, has published the “Opinion 03/2013 on purpose limitation” (Working Paper WP203), adopted on 2 April 2013 (the “Opinion”). The WP29 analyzes and interprets the elements of this principle, and gives numerous examples with […]
The European Union’s Article 29 Data Protection Working Party (“WP29“), which consists of the 27 data protection authorities of the European Union Member States, has published its “Opinion on Apps in Smart Devices“, adopted on 27 February 2013 (the “Opinion“). Applicability of EU laws According to WP29, the 1995 Data Protection Directive applies to all […]
Following the recent implementation of the EU e-Privacy Directive, the Italian Data Protection Authority (the “Garante”) has issued a set of guidelines based upon which telecom operators and access providers are required to notify the Garante and data subjects of data breaches.
On April 2, after almost a year of delay, Spain published Royal Decree-Law 13/2012 requiring opt-in consent to place cookies as required by the EU e-Privacy Directive (2009/136/EC, modifying Directive 2002/58/EC).
On August 26, 2011 France implemented new EU provisions on data breach notifications for electronic communications providers, as well as new provisions requiring prior consent for cookies. The French measure also gives the government power to order security audits for electronic communications providers.
The Article 29 Working Party in the EU has thrown cold water on proposals by the OBA industry to avoid the literal application of the so-called Cookie Directive for specific opt-in consent to the placement of tracking cookies, whether personal data is tracked or not. In a letter sent in advance of a September meeting between the parties, the Working Party rejects a range of proposals from the OBA industry.