With close to one billion active users on social media, platforms and businesses are constantly rolling out new features, upgrading their ad tools and creating new ways to engage with users, moving away from traditional marketing strategies. Those emerging practices are also extensively relying on data analyses to gain insights and enhance more targeted opportunities, therefore shifting platforms and businesses’ focus on revenue.

The evolution towards increasingly personalized marketing practices occurs in parallel with end-users’ awareness of data protection frameworks, which may lead to a rift between transparency expectations towards complex advertising solutions based not only on personal data provided by the users themselves, but also in conjunction with other data collected by social media providers or third parties. Recent headlines about the roles played by social media targeting on democratic decision-making and electoral processes reinforce such perceptions.

(more…)

Version 1.0 dated 02 September 2020 adopted for public consultation. Go to the finalized version.
Go to official PDF version.

The European Data Protection Board

Having regard to Article 70(1)(e) of Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

HAS ADOPTED THE FOLLOWING GUIDELINES

(more…)

Version 1.0 dated 06 September 2020 adopted for public consultation. Go to the finalized version.
Go to official PDF version.

EXECUTIVE SUMMARY

The concepts of controller, joint controller and processor play a crucial role in the application of the General Data Protection Regulation 2016/679 (GDPR), since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice. The precise meaning of these concepts and the criteria for their correct interpretation must be sufficiently clear and consistent throughout the European Economic Area (EEA).

The concepts of controller, joint controller and processor are functional concepts in that they aim to allocate responsibilities according to the actual roles of the parties and autonomous concepts in the sense that they should be interpreted mainly according to EU data protection law.

(more…)

The long awaited Schrems II decision was published by the Court of Justice of the European Union (CJEU) on 16 July 2020 (Court of Justice of the European Union – Grand Chamber – 16 July 2020 – C-311/18 – Schrems II) and while it has already been summarized as the death blow to the Privacy Shield framework and the confirmation of the validity of the Standard Contractual Clauses (SCCs) by many, it may only be a Pyrrhic victory for the latter, as far as transfers to the US are concerned.

(more…)

With the recent decision from the Court of Justice of the European Union (CJEU) invalidating the Privacy Shield framework (Court of Justice of the European Union – Grand Chamber – 16 July 2020 – C-311/18 – Schrems II – see our alert here) and subjecting the Standard Contractual Clauses (SCCs) to higher standard of enforcement, global companies with the need to transfer data across the world, and especially across the Atlantic, are now required to re-assess their data transfer mechanisms.

While both Privacy Shield and the SCCs predates the General Data Protection Regulation 2016/79 dated 27 April 2016, which enter into force on 25 May 2018 (GDPR) , the new regulation aimed at providing stakeholders with additional tools to self-regulate and safeguard the privacy of individuals in the European Union

Among them, and while still confidential, the implementation of codes of conduct is encouraged under Art. 40 GDPR and by the dedicated Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/79 dated 04 June 2019 of the European Data Protection Board (EDPB). As a matter of fact, the advantages of such codes of conducts go beyond the mere facilitation of data transfers, and provide data controllers and data processors alike with a complete sectorial framework for GDPR compliance.

(more…)

In a highly anticipated Schrems II decision, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield, the legal framework allowing transatlantic exchanges of personal data for commercial purposes between the European Union and the United States, mainly citing US surveillance practices and inadequate recourse to EU individuals. On the other hand, the CJEU upheld the Commission Decision 2010/87 on Standard Contractual Clauses (SCCs) for the transfer of personal data to processors established in third countries (see out alert here). 

(more…)

On the morning of 16 July 2020, in a significant decision of the Court of Justice of the European Union (CJEU), the Privacy Shield was held to be invalid.

What is the Privacy Shield

The Privacy Shield was an agreement negotiated in 2016 between the United States Department of Commerce, the European Commission and the Swiss Administration to provide a mechanism for companies to transfer personal data from the European Union and Switzerland to the United States. The Privacy Shield was designed to enable companies to transfer personal data across the Atlantic in accordance with EU data protection law that pre-dated the GDPR.

(more…)

Interview in the Washington Internet Daily Vol. 21, no. 100 dated 22 May 2020 available here.

(more…)

As the COVID-19 pandemic continues to spread around the world and cause unprecedented health and economic challenges, technological measures, once thought extreme, are now being deployed for the purposes of contact tracing, infection tracking, and quarantine compliance. While the search for the right tracking app and software development kits continues, the European Union (EU) is still far from finding a consensus on harmonized model and functionalities. Nevertheless, it is already clear that while app design may be the end result, a complex process of regulatory compliance, risk management and ethics checks, and balances lie ahead.

(more…)

Approaching its second anniversary this month, the European General Data Protection Regulation (GDPR) has never been as relevant as in these unprecedented COVID-19 times. While several countries are considering the implementation of contact tracing apps, a consensus has seemed to surface on subjecting their use to a voluntary basis. The notion of “consent” remains therefore the cornerstone (albeit not the only one) of the European data protection framework.

In that regard, the European Data Protection Board (EDPB) issued a revised take on one of the first guidelines published by its predecessor, the WP29, in April 2018 (available here, which itself built upon the WP29 pre-GDPR interpretation of consent under Opinion 15/2011, dated 13 July 2011), taking into consideration the difficulties encountered by the stakeholders in the operational implementation of GDPR compliance. These clarifications come at a time where discrepancies in interpreting what constitutes valid “consent” emerge between various Member States’ Supervisory Authorities, especially as applicable to the use of cookies and other tracking technologies (together, “cookies”).

(more…)