GDPR/ePrivacy – French Supervisory Authority Publishes Updated Guidance on Cookies and Other Tracing Technologies

October 1st, 2020 | Posted by Claude-Etienne Armingaud in Privacy - (0 Comments)

Following the French Administrative Supreme Court (Conseil d’État) dated 19 June 2020 (see our Alert here), the French Supervisory (CNIL) published on 01 October 2020 its updated guidelines (the Guidelines), replacing its former guidelines published on 04 July 2019 (July Guidelines), along with practical recommendations (the Recommendation) on cookies and other tracking technologies (together, Cookies).

(more…)

GPDR – European Data Protection Board Publishes Guidelines on the Concepts of Controller and Processor, Brings New Light on the Notion of “Joint-Controllers”

September 29th, 2020 | Posted by Claude-Etienne Armingaud in Europe | Privacy - (0 Comments)

The European Data Protection Board (EDPB) published two sets of new guidelines on 2 September 2020, on the concepts of controller and processor (Guidelines 07/2020, the Guidelines) and on the targeting of social media users (Guidelines 08/2020 – see our Alert here). The earlier aims to replace the previous opinion by EDPB’s predecessor, the WP29, on these concepts by clarifying the main concepts of “controller”, “joint-controllers” and “processor” and by specifying the consequences attached to these notions.

(more…)

, , , , , ,

EU Privacy Alert: European Data Protection Board Publishes Guidelines on Targeting of Social Media Users, Emphasizes Joint-Controllership Arrangements

September 29th, 2020 | Posted by Claude-Etienne Armingaud in Europe | Guidelines | Privacy | Social Networks - (0 Comments)

With close to one billion active users on social media, platforms and businesses are constantly rolling out new features, upgrading their ad tools and creating new ways to engage with users, moving away from traditional marketing strategies. Those emerging practices are also extensively relying on data analyses to gain insights and enhance more targeted opportunities, therefore shifting platforms and businesses’ focus on revenue.

The evolution towards increasingly personalized marketing practices occurs in parallel with end-users’ awareness of data protection frameworks, which may lead to a rift between transparency expectations towards complex advertising solutions based not only on personal data provided by the users themselves, but also in conjunction with other data collected by social media providers or third parties. Recent headlines about the roles played by social media targeting on democratic decision-making and electoral processes reinforce such perceptions.

(more…)

, , ,

Guidelines 08/2020 on the targeting of social media users

September 10th, 2020 | Posted by Claude-Etienne Armingaud in Europe | Guidelines | Privacy - (0 Comments)

Version 1.0 dated 02 September 2020 adopted for public consultation. Go to the finalized version.
Go to official PDF version.

The European Data Protection Board

Having regard to Article 70(1)(e) of Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

HAS ADOPTED THE FOLLOWING GUIDELINES

(more…)

, , , , , ,

Guidelines 07/2020 on the concepts of controller and processor in the GDPR v 1.0

September 10th, 2020 | Posted by Claude-Etienne Armingaud in Europe | Guidelines | Privacy - (0 Comments)

Version 1.0 dated 06 September 2020 adopted for public consultation. Go to the finalized version.
Go to official PDF version.

EXECUTIVE SUMMARY

The concepts of controller, joint controller and processor play a crucial role in the application of the General Data Protection Regulation 2016/679 (GDPR), since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice. The precise meaning of these concepts and the criteria for their correct interpretation must be sufficiently clear and consistent throughout the European Economic Area (EEA).

The concepts of controller, joint controller and processor are functional concepts in that they aim to allocate responsibilities according to the actual roles of the parties and autonomous concepts in the sense that they should be interpreted mainly according to EU data protection law.

(more…)

, , , ,

37th EDPB Meeting

September 2nd, 2020 | Posted by Claude-Etienne Armingaud in Privacy - (0 Comments)
  1. Adoption of the minutes and of the agenda, Information given by the Chair
    1. Minutes of the 36th EDPB meeting
    2. Draft agenda of the 37th EDPB meeting
    3. Appointment of Mr. Pasquale Stanzione, new president of the Italian DPA
    4. Exchange of views with the LIBE Committee on the recent CJEU Schrems II judgment
  2. Current Focus of the EDPB Members
    1. 101 lodged complaints in the context of the CJEU Schrems II judgement
    2. Schrems II: next steps and follow-up on guidance on supplementary measures
    3. e-Privacy Regulation and the role of the EDPB
    4. Update by the European Commission
  3. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    1. Key Provision ESG
      Guidelines on the concept of controller and processor in the GDPR
    2. Social Media ESG
      Guidelines on the targeting of social media users
    3. RoP Drafting Team
      Transparency of EDPB minutes
    4. Strategic Advisory ESG
      1. EDPB strategic plan: draft paper and possible seminar
    1. Secretariat
      1. Art. 65 procedure
      2. Legal studies
  4. Any other business

Frequently Asked Questions on the CJEU judgment “Schrems II” – C-311/18

July 28th, 2020 | Posted by Claude-Etienne Armingaud in Data Transfer | Privacy - (0 Comments)

This document aims at presenting answers to some frequently asked questions received by supervisory authorities (“SAs”) and will be developed and complemented along with further analysis, as the EDPB continues to examine and assess the judgment of the Court of Justice of the European Union (the “Court”).

The judgment C-311/18 can be found here, and the press release of the Court may be found here.

(more…)

French Administrative Supreme Court Endorses Data Protection Authority’s Position on Cookies, Prohibits Prohibition on Cookie Walls

July 25th, 2020 | Posted by Claude-Etienne Armingaud in Case Law | cookies | eCommerce | Press | Privacy - (0 Comments)

On 4 July 2019, the French Data Protection (CNIL) published its Guidelines on Cookies and Other Tracking Technologies (the Guidelines, available in French here). The Guidelines further detailed the nature of the interplay between the General Data Protection Regulation (GDPR) which reinforced expectations towards obtaining consent to data processing operations when such consent is required), and the ePrivacy Directive which more specifically addresses the privacy requirements on cookies and other tracking technologies. Indeed, while the ePrivacy Directive was expected to be updated through an ePrivacy Regulation (latest draft proposal available here), on or before GDPR entered into force, it remains under discussion at the European level to this day, and subject to intense lobbying by all stakeholders.

Further to the publication of the Guidelines, several French professional associations in the online marketing, distance selling and online media activities initiated legal action against the CNIL, before the French Administrative Supreme Court (the Conseil d’État), on the grounds that the CNIL acted above and beyond its authority in adopting the Guidelines, notably by (i) generally prohibiting “cookie walls”, (ii) recognizing a right of data subjects to refuse cookies, (iii) requiring the identification of the data controller for the cookies, (iv) mandating an exhaustive and up-to-date information of the data subjects on the cookies, regardless of their involvement in data processing operations, (v) requiring that the users’ agreement must be expressed by a separate action for each of the distinct purposes brought to their knowledge with a view to the storage of information or access to information already stored in their terminal equipment, and (vi) imposing maximum data retention periods for cookies.

(more…)

, , ,

36th EDPB Meeting

July 23rd, 2020 | Posted by Claude-Etienne Armingaud in Data Transfer | Privacy - (0 Comments)
  1. Adoption of the minutes and of the agenda
    1. Minutes of the 35th EDPB meeting
    2. Draft agenda of the 36th EDPB meeting
  2. Current Focus of the EDPB Members
    1. FAQ regarding clarifications of the consequences of the Schrems II judgement
    2. Decision making under art. 65 – Role of the Secretariat 2.3. Update by SA
  3. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    1. Secretariat
      1. September plenary meeting
      2. Legal studies
    2. Coordinators ESG
      1. Focus of the ESG until spring 2021
  4. Any other business

, , , ,

35th EDPB Meeting

July 22nd, 2020 | Posted by Claude-Etienne Armingaud in Data Transfer | Privacy - (0 Comments)
  1. Adoption of the minutes and of the agenda
    1. Minutes of the 34th EDPB meeting
    2. Draft agenda of the 35th EDPB meeting
  2. Current Focus of the EDPB Members
    1. Decision-making under Art. 65 GDPR
  3. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    1. International Transfers ESG
      1. Impact of Brexit on BCRs and management of ICO-led BCRs
    2. RoP drafting team
      1. Transparency of EDPB minutes
    3. Secretariat
      1. Legal studies
  4. Any other business

, , ,