Data protection authorities from around the world are stepping in to provide their input and guidance on the matter of data processing activities and the fight against the coronavirus. Hogan Lovells’ global Privacy and Cybersecurity team has compiled the guidance from various European authorities, which we are making available with this post.
On 19 March 2019, the Dutch Senate approved legislation introducing collective damages actions in the Netherlands (the “Legislation”) which will broaden the regime even further. The Legislation introduces an option to claim monetary damages in a “US style” class action, including for violations of the GDPR. This Legislation together with the mechanisms already available under […]
The European Data Protection Board has adopted the narrowest possible interpretation of ‘contractual necessity’ as a ground for processing of personal data. The Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects (adopted on April 9, 2019 and open for consultation until May 24, 2019) provide a detailed assessment of the regulator’s interpretation of the law.
On January 10, 2017, the European Commission released a Communication, a fact sheet, a working document and a public consultation relating to Europe’s “data economy”. The fact sheet states that “data is a new type of economic asset”, which is essential for innovation and growth. The Commission’s objective is to remove “unjustified restrictions” and “legal uncertainties” in order to facilitate data sharing and innovation.
To what extent are the personal communications sent by an employee from their employer’s computer private? In Europe it has been accepted for some years that employees do not lose their right to privacy in the workplace. However, a recent decision from the European Court of Human Rights confirms the rights of the employer to restrict employees from any personal use of the employer’s computer equipment and, consequently, rely on a contravention of the restriction (which is revealed through monitoring) as grounds for dismissal.
The legislative process for the European Commission’s (EC’s) proposed Data Protection Regulation is heating up. The European Parliament’s lead committee on the EU’s draft Data Protection Regulation has received more than 3,000 proposed amendments to the reform measure. As a result, the committee has moved its vote on the Regulation from April to the end of May. Some of the 3,000 amendments were submitted last week by Parliament’s Legal Affairs Committee (JURI), which has adopted an opinion generally supporting the proposed Regulation. Viviane Reding, Vice-President of the EC and EU Justice Commissioner, said that JURI’s adoption of the proposed Regulation brings the EU “another step towards the swift adoption of modern data protection reform in Europe.” In an unrelated announcement, the French Minister of Justice stated that France “actively supports” the proposed Regulation, including its provision on the right to be forgotten. The Minister said that France will be vigilant that the Regulation will “not introduce a step backwards” from current French law.
Nicolas Colin, one of the authors of the report proposing a “privacy tax” in France that we blogged about on January 22nd, just explained his report in more detail in this Forbes blog entry. Readers interested in this issue may find the Forbes blog post of interest.
Prominent European government officials provided up-to-the-minute perspectives on the proposed European data privacy regulation at this week’s IAPP Europe Data Protection Congress in Brussels. The officials’ comments, summarized below, indicate how the proposal might evolve for the next steps in the policy process, which include the issuance of the European Parliament’s formal report on […]
The European Court of Justice held on October 16, 2012 that Austria’s data protection authority is not sufficiently independent, and therefore fails to comply with the requirements of the European data protection directive. The Court found that Austria’s DPA has too many links to the Austrian Federal Chancellery and that the EU Data Protection Directive’s requirement of “complete independence” is violated.
The French CNIL’s new guidelines on cloud computing revisit the tricky question of whether a cloud provider is a data processor or a data controller under French data protection law. The CNIL’s guidelines contain seven recommendations for cloud customers, and a list of recommended contractual clauses. The CNIL points out that when the cloud provider is located in a non-European country “local government authorities can send requests to the provider to have access to the data.”
Commissioner Reding says right to be forgotten must be balanced with other rights. European Parliament Committee says regulation should be a minimum, calling for class actions and expanded extra-territoriality.
Europe’s Article 29 Working Party writes to Hogan Lovells partner Quentin Archer to comment on the Sedona Conference International Principles on Discovery, Disclosure and Data Protection. Working Party supportive of initiative, citing areas for further progress.
Hogan Lovells privacy attorneys examine the challenges of deploying geolocation services in five jurisdictions, including France, Spain, Germany, the United States and Hong Kong.
On August 26, 2011 France implemented new EU provisions on data breach notifications for electronic communications providers, as well as new provisions requiring prior consent for cookies. The French measure also gives the government power to order security audits for electronic communications providers.
The advocate general of the European Court of Justice issued his long awaited opinion in the SABAM case, a case that discusses the ability of ISPs to filter Internet content in order to detect illegal copyright infringements. The advocate general highlights the tension between privacy rights and copyright, and the criteria that must be satisfied in order for a filtering measure to be constitutionally valid in Europe. In the SABAM case, the advocate general found that one of the constitutional criteria was lacking, because Belgium had not enacted a specific law that would permit the kind of filtering that had been ordered by the court in the SABAM case.
In a recent article Christopher Wolf looks back at the e-G8 conference and pleads for better transatlantic cooperation on privacy matters, explaining the tension between U.S. First Amendment traditions, and certain European proposals including the right to be forgotten.
Hogan Lovells privacy lawyers from five European jurisdictions have published an overview of privacy rules applicable to Internet cookies in Europe. The new rules, which flow from a recent amendment to the European E-Privacy Directive, are not yet settled in all European Member States. This overview provides practical guidance on how to comply with the new prior consent rules that will apply in the United Kingdom, France, Germany, Italy and Spain.
Europe’s group of data protection authorities, the Article 29 Working Party, issued an opinion on smart meters, which goes into surprising detail on points such as the size of the display for the user interface, the need for a ‘push button’ consent module for consumers, and the need to keep load graph data stored locally whenever possible. The Art 29 WP stresses the need for energy suppliers and third party energy service companies to develop detailed data retention policies to ensure smart meter data are deleted as soon as no longer needed.
On December 13, 2010 a Federal District Court in Montana dismissed many of the claims brought against an ISP in connection with the ISP’s use of NebuAd monitoring technology. The court held that users had validly consented to the monitoring technology. The NebuAd case usefully focuses on the issue of user consent, rather than on technological distinctions between ISPs and service providers at the edge.