English High Court Examines Extent of GDPR’s Extraterritorial Jurisdiction

March 5th, 2021 | Posted by Claude-Etienne Armingaud in Brexit | Case Law | Europe | Privacy - (0 Comments)

When the General Data Protection Regulation1)Regulation (EU) 2016/679 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, … Continue reading came into force throughout the European Union nearly three years ago, one of its most eye-catching features was its extraterritorial jurisdiction provisions. These extend the reach of the GDPR to businesses located outside the European Union who offer goods or services to EU residents or who monitor the behavior of EU residents2)Art. 3(2)(a) and (b) GDPR..

Under the threat of becoming liable for a breach of the GDPR and potential fines of up to €20m or four percent of global turnover (whichever the higher), many businesses based in the United States and other locations outside the European Union have simply taken a stance of refusing to deal with EU residents, including taking measures such as geo-blocking websites to EU-based visitors. Other businesses, in the United States and elsewhere, have found themselves contemplating whether they might be subject to the GDPR and how to react merely because they have made a new EU-based business connection, acquired the contact details of a potential customer in the European Union, or even become aware that an employee at a customer organization had moved to the European Union.

A court in the United Kingdom has now considered the limits of extraterritorial jurisdiction of the GDPR, which may provide some reassurance to overseas businesses that limited contact with EU residents via a website may not necessarily lead to them being subject to the GDPR.

(more…)

References

,

43rd EDPB Meeting

December 17th, 2020 | Posted by Claude-Etienne Armingaud in Europe | Privacy - (0 Comments)
  1. Adoption of the minutes and of the agenda, Information given by the Chair
    1. Minutes of the 42nd EDPB meeting
    2. Draft agenda of the 43rd EDPB meeting
  2. Consistency mechanism, Guidelines and EDPB
    1. Key Provision ESG
      1. Guidelines on restrictions under Article 23 GDPR
    2. Financial Matters ESG
      1. Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR (after public consultation)
    3. International Transfer ESG
      1. Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies (after public consultation)
  3. Current Focus of the EDPB Members
    1. Data Governance Act COM (2020) 767 proposal – presentation by European Commission
    2. Information about the European Commission request for a joint EDPS-EDPB opinion regarding the Data Governance Act
    3. EDPB Strategy
    4. Support Pool of Experts
    5. Request for information from the European Commission regarding Brexit state of play (end of transitional period as well as the impact on EU-UK data flows and further information on possible adequacy decisions)
    6. Information note on data transfers under the GDPR to the United Kingdom after the Brexit transition period
  4. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    1. Cooperation ESG
      1. [BREXIT] Involvement of the UK SA in cooperation and consistency mechanisms
      2. Review of the internal documents on local cases
      3. Handling cross border complaints against public bodies or authorities – request for mandate
      4. Guidelines on handling complaints: revision of the mandate – request for mandate
    2. Compliance, e-Government and Health ESG
      1. Guidelines on certification criteria assessment – request for mandate
    3. Financial Matters ESG
      1. Statement on the protection of personal data processed in relation with the prevention of money laundering and terrorist financing
    4. International Transfers ESG
      1. Art. 64 GDPR Opinion on the draft decision of the Dutch Supervisory Authority regarding the Controller Binding Corporate Rules of Equinix
    5. Compliance, e-Government and Health ESG
      1. Stakeholder event on processing of data for medical and scientific research purposes – request for mandate
    6. Technology ESG
      1. Guidelines on anonymisation / pseudonymisation – request for mandate
    7. EDPB Secretariat
      1. 2021 February plenary
      2. Survey future meetings post COVID
  5. Any other business
20201215plen1.2agenda_publicTélécharger

, ,

42nd EDPB Meeting

November 19th, 2020 | Posted by Claude-Etienne Armingaud in Europe | Privacy - (0 Comments)
  1. Adoption of the minutes and of the agenda, Information given by the Chair
    1. Minutes of the 41st EDPB meeting
    2. Draft agenda of the 42nd EDPB meeting
    3. Publication of minutes of 40th Plenary meeting
    4. Request to extend the deadline for public consultation re recommendation 01/2020 on sup. measures
  2. Current Focus of the EDPB Members
    1. Presentation by the European Commission of the new (updated) two sets of SCCs
  3. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    1. Technology ESG
      1. Statement on eprivacy regulation
      2. Letter to News Media Europe and others regarding cookie walls
    2. International Transfer ESG
      1. Template for BCR approval decision by a supervisory authority
  4. Any other business

, ,

41st EDPB Meeting

November 17th, 2020 | Posted by Claude-Etienne Armingaud in Data Transfer | Europe | Privacy - (0 Comments)
  1. Adoption of the minutes and of the agenda, Information given by the Chair
    1. Minutes of the 40th EDPB meeting
    2. Draft agenda of the 41st EDPB meeting
  2. Current Focus of the EDPB Members
    1. Art. 65 ongoing procedure
    2. Draft Art. 65 Decision
  3. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    1. Recommendation on measures that supplement transfer instruments to ensure compliance with the EU level of protection of personal data
    2. Update of the European Essential Guarantees recommendations
20201109-10plen1.2_agenda_publicTélécharger

, ,

What Future For UK-EU Data Flows

October 29th, 2020 | Posted by Claude-Etienne Armingaud in Data Transfer | Europe | Privacy - (0 Comments)

With the Brexit transition period ending on 31 December 2020, and no deal in sight, the future of cross-border data transfers between the European Economic Area (the EEA) and the United Kingdom remains unclear. On 1 January 2021, the United Kingdom will be considered as a “third country” and, unless a Brexit deal is proposed dealing with data protection and how data transfers between the EEA and the United Kingdom are to be treated, it could be significantly more difficult for European Union (EU)-based entities to transfer personal data to the United Kingdom.

(more…)

, , , ,

40th EDPB Meeting

October 20th, 2020 | Posted by Claude-Etienne Armingaud in Privacy - (0 Comments)
  1. Adoption of the minutes and of the agenda, Information given by the Chair
    1.1. Minutes of the 39 th EDPB meeting
    1.2. Draft agenda of the 40th EDPB meeting
  2. Current Focus of the EDPB Members
    2.1. Recommendation on measures that supplement transfer instruments to ensure compliance with the EU level of protection of personal data – state of play
    2.2. Review of the Adequacy Decision of Japan
  3. Consistency mechanism and Guidelines
    3.1. Guidelines 04/2019 on Article 25 Data Protection by Design and by Default (after public consultation)
  4. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    4.1. Cooperation ESG Brexit-related matters
    4.2. Enforcement ESG
    Coordinated Enforcement Framework
    4.3. Technology ESG
    Response letter to Mr A. Dix on the copyright directive1
    4.4. Financial Matters ESG
    Statement and possible letter regarding data protection and current framework on anti-money laundering and countering terrorist financing – request for mandate
    4.5. Secretariat
    Implementation of SEC DPO rules
    Consistency procedure for Art. 46.3(b) GDPR administrative     arrangements
  5. Any other business
20201020plen1.2_agenda_public-1Télécharger

, ,

Guidelines 08/2020 on the targeting of social media users

September 10th, 2020 | Posted by Claude-Etienne Armingaud in Europe | Guidelines | Privacy - (0 Comments)

Link to official PDF version.

The European Data Protection Board

Having regard to Article 70(1)(e) of Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

HAS ADOPTED THE FOLLOWING GUIDELINES

(more…)

, , , , , ,

French Administrative Supreme Court Endorses Data Protection Authority’s Position on Cookies, Prohibits Prohibition on Cookie Walls

July 25th, 2020 | Posted by Claude-Etienne Armingaud in Case Law | cookies | eCommerce | Press | Privacy - (0 Comments)

On 4 July 2019, the French Data Protection (CNIL) published its Guidelines on Cookies and Other Tracking Technologies (the Guidelines, available in French here). The Guidelines further detailed the nature of the interplay between the General Data Protection Regulation (GDPR) which reinforced expectations towards obtaining consent to data processing operations when such consent is required), and the ePrivacy Directive which more specifically addresses the privacy requirements on cookies and other tracking technologies. Indeed, while the ePrivacy Directive was expected to be updated through an ePrivacy Regulation (latest draft proposal available here), on or before GDPR entered into force, it remains under discussion at the European level to this day, and subject to intense lobbying by all stakeholders.

Further to the publication of the Guidelines, several French professional associations in the online marketing, distance selling and online media activities initiated legal action against the CNIL, before the French Administrative Supreme Court (the Conseil d’État), on the grounds that the CNIL acted above and beyond its authority in adopting the Guidelines, notably by (i) generally prohibiting “cookie walls”, (ii) recognizing a right of data subjects to refuse cookies, (iii) requiring the identification of the data controller for the cookies, (iv) mandating an exhaustive and up-to-date information of the data subjects on the cookies, regardless of their involvement in data processing operations, (v) requiring that the users’ agreement must be expressed by a separate action for each of the distinct purposes brought to their knowledge with a view to the storage of information or access to information already stored in their terminal equipment, and (vi) imposing maximum data retention periods for cookies.

(more…)

, , ,

36th EDPB Meeting

July 23rd, 2020 | Posted by Claude-Etienne Armingaud in Data Transfer | Privacy - (0 Comments)
  1. Adoption of the minutes and of the agenda
    1. Minutes of the 35th EDPB meeting
    2. Draft agenda of the 36th EDPB meeting
  2. Current Focus of the EDPB Members
    1. FAQ regarding clarifications of the consequences of the Schrems II judgement
    2. Decision making under art. 65 – Role of the Secretariat 2.3. Update by SA
  3. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    1. Secretariat
      1. September plenary meeting
      2. Legal studies
    2. Coordinators ESG
      1. Focus of the ESG until spring 2021
  4. Any other business

, , , ,

35th EDPB Meeting

July 22nd, 2020 | Posted by Claude-Etienne Armingaud in Data Transfer | Privacy - (0 Comments)
  1. Adoption of the minutes and of the agenda
    1. Minutes of the 34th EDPB meeting
    2. Draft agenda of the 35th EDPB meeting
  2. Current Focus of the EDPB Members
    1. Decision-making under Art. 65 GDPR
  3. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    1. International Transfers ESG
      1. Impact of Brexit on BCRs and management of ICO-led BCRs
    2. RoP drafting team
      1. Transparency of EDPB minutes
    3. Secretariat
      1. Legal studies
  4. Any other business

, , ,