Debevoise Data Blog

APRIL 8, 2021

million for vendor oversight failings, unlawful cross-border transfers What happened : The AEPD, the Spanish data protection authority (“DPA”), fined Vodafone Spain €8.15 4 million was for allegedly deficient oversight of Vodafone’s data processors. See our blog post here for further tips on managing the latest landscape.

Data protection 52

Data protection Court Compliance Law 52

Debevoise Data Blog

SEPTEMBER 23, 2024

Our top-five European data protection developments from August are: Uber fined for personal data transfer: The Dutch Data Protection Authority fined Uber €290 million for the unlawful transfer of European drivers’ personal data to the U.S., without sufficient safeguards.

Data protection 52

Data protection Court Software Compliance 52

Debevoise Data Blog

DECEMBER 10, 2020

The big news this November was the European Data Protection Board (the “EDPB”) issuing its highly anticipated post- Schrems II data transfer guidance, followed just a day later by the European Commission’s draft updated Standard Contractual Clauses (“SCCs”) (see our blog post here ). million fine by over 90%.

Data protection 52

Data protection Dispute resolution Court Compliance 52

Debevoise Data Blog

NOVEMBER 1, 2021

Subject access requests : The possibility that companies responding to data subject access requests from individuals will have to provide copies of entire documents containing their personal data, rather than only extracts. The court concluded that the legitimate interest could have been furthered through less intrusive means.

Data protection 52

Data protection Court Defendant Law 52

Debevoise Data Blog

OCTOBER 12, 2021

million fine against Austrian Post for channelling electronic data protection-related inquiries to a web form and not offering an additional email address, irrespective of the data subject option to also use non-electronic postal mail or customer service.

Data protection 52

Data protection Failure-to-appear Compliance e-records 52

Debevoise Data Blog

MARCH 11, 2021

There were a few European data protection developments in February that companies may want to have on their radar. We will continue to report on progress through the Blog. What to do: As we reported previously there is increasing convergence between European data protection and competition law enforcement.

Data protection 52

Data protection Compliance Analytics Court 52

Debevoise Data Blog

JULY 20, 2021

Here are our highlights: European Commission adopts new Standard Contractual Clauses What happened : As reported in our blog post , the European Commission adopted its new Standard Contractual Clauses (“SCCs”) for the cross-border transfer of personal data from the EEA to “third countries”.

Data protection 52

Data protection e-filing e-records Compliance 52

Debevoise Data Blog

MAY 28, 2024

EDPB “Consent or pay” models: Businesses operating large online platforms should consider the European Data Protection Board’s recent opinion indicating that “consent or pay” models are unlikely to be GDPR-compliant.

Data protection 52

Data protection Compliance Law Law 52

Debevoise Data Blog

SEPTEMBER 27, 2023

The AEPD held that a DPO cannot hold a position that leads them to determine the purposes and means of data processing. These developments, and more, covered below.

Data protection 52

Data protection Compliance e-filing Court 52

Eric Goldman

FEBRUARY 15, 2024

Marketa Trimble [Eric’s introductory note: I briefly addressed the DSA in this blog post , along with the attached meme. The DSA will require much agency and court interpretation to give legal certainty to intermediaries and the recipients of their services. by guest blogger Prof.

Due diligence 105

Due diligence Data protection Compliance Court 105

Debevoise Data Blog

MAY 7, 2021

The key development from April must be the European Data Protection Board (“EDPB”) approving the draft UK adequacy decisions from the European Commission (the “Commission”). Companies will be relieved that they are one step closer towards maintaining the seamless flow of data between the EU and the UK.

Data protection 52

Data protection Court Compliance Hearing 52

Debevoise Data Blog

MAY 12, 2023

Key takeaways this April include: UK children’s data protection focus continues: Businesses may wish to review policies and procedures for dealing with children’s data in light of recent UK ICO fines and guidance, especially to ensure that terms of use are adequately enforced. 22, as set out by the court.

Data protection 52

Data protection Software design Machine learning Software 52

Debevoise Data Blog

JULY 30, 2024

Our top five European data protection developments from June are: Non-material damage under GDPR: The CJEU clarified the scope of compensation for non-material damage in the context of identity theft and data subjects’ fear that their personal data had been exposed. To subscribe to the Data Blog, please click here.

Data protection 52

Data protection Time-tracking Mediator Analytics 52

Debevoise Data Blog

AUGUST 5, 2021

European Data Protection Roundup – July Key takeaways from developments this July include: a blockbuster €746 million fine against Amazon – the largest ever GDPR penalty – showing the Regulation’s teeth; the challenges of GDPR-compliant facial recognition, after a Spanish supermarket chain was fined €2.5

Data protection 52

Data protection Dispute resolution Court Case law 52

Debevoise Data Blog

JANUARY 21, 2021

In this post, we look back at the 2020 European data protection landscape and five trends that help companies understand not only where we are, but where data protection enforcement, litigation, and practice may be headed. million against Marriott for its 2018 data breach When you dig deeper though, two key points emerge.

Data protection 52

Data protection Litigation Litigator Failure-to-appear 52

Debevoise Data Blog

NOVEMBER 10, 2020

ICO targets the data broking industry : On 27 October, the ICO demanded that Experian make sweeping changes to data protection practices within its direct marketing business within three months or face further enforcement action. We will continue to report on developments as Experian’s appeal progresses.

Data protection 52

Data protection Intellectual Property e-records Machine learning 52

Debevoise Data Blog

FEBRUARY 10, 2021

As covered in our Annual Review , 2020 was a blockbuster year for European data protection. The guidelines will be a new “go to” resource for those preparing for, and responding to, data breaches. Deliveroo algorithm ruled discriminatory by Italian court. English court rules GDPR does not apply to U.S. website.

Data protection 52

Data protection Time-tracking Defendant Court 52

Debevoise Data Blog

NOVEMBER 21, 2023

Data protection & AI: In particular: (i) the French CNIL published its first set of guidance on GDPR compliance when developing AI tools; and (ii) the UK ICO issued a preliminary enforcement notice against Snap over its AI chatbot, alleging that Snap had not adequately assessed the privacy risks posed to child users of the tool.

Data protection 52

Data protection Compliance Failure-to-appear e-records 52

Debevoise Data Blog

JUNE 8, 2023

As we covered here , last October, the CNIL fined Clearview AI €20 million for various data protection violations, including “intrusive and massive” data processing without consent or a valid legitimate interest. 82 (see our May 2021 , August 2021 , and October 2022 blog posts for previous developments).

Data protection 52

Data protection Compliance e-records Dispute resolution 52

Debevoise Data Blog

FEBRUARY 27, 2024

GDPR one-stop-shop: Businesses wishing to take advantage of the GDPR one-stop-shop system should take note of a new digest, published by the European Data Protection Board, which analyses the decisions made by so-called Lead Supervisory Authorities in this context.

Data protection 52

Data protection Compliance e-records Court 52

Debevoise Data Blog

MARCH 26, 2023

As multi-jurisdiction data protection concerns expand and opportunities to rely on a lead supervisory authority may narrow , the EDPB is emphasising consistency of decisions between national supervisory authorities through, among other measures, the development of approval procedures that require a cooperation phase and the creation of task forces.

Data protection 52

Data protection Compliance Court Law 52

Debevoise Data Blog

DECEMBER 13, 2022

What to do : Read our blog post for detailed guidance on scope, applicability and penalties under NIS2, including how to prepare for the revised incident reporting, security and management oversight obligations. Despite this, there remain public interest exemptions for court proceedings and law enforcement purposes.

Data protection 52

Data protection Due diligence Compliance Hearing 52

Debevoise Data Blog

DECEMBER 22, 2023

Businesses may want to consider how the courts reasoning may apply to other circumstances when dealing with disclosure requests. For further discussion on the principle of “security by design”, see our previous blog post. The intersection between GDPR compliance and AI has been the subject of detailed analysis in a previous blog post.

Data protection 52

Data protection Time-tracking Compliance Machine learning 52

Eric Goldman

MARCH 17, 2025

I don’t normally start my blog posts with a meme, but this one tells you everything you need to know: * * * This blog post concerns the California Age-Appropriate Design Code (AADC), passed by the California legislature in 2022. Unsurprisingly, on remand, the district court declared the rest unconstitutional.

Court 52

Court Data protection Judge Law 52

Debevoise Data Blog

FEBRUARY 20, 2023

Relatedly, a Swedish Court upheld the Swedish IMY’s 2022 reprimand of Klarna Bank AB for failing to disclose information regarding the specific recipients of personal data to a requesting data subject; providing the categories of recipients only was insufficient.

Data protection 52

Data protection Compliance e-records Court 52

Debevoise Data Blog

APRIL 26, 2024

Key takeaways from March include: CNIL data security practice guide: The French DPA published an update of its data security practice guide for data protection officers, chief information security officers, computer scientists and legal experts. To subscribe to the Data Blog, please click here.

Data protection 52

Data protection e-records Compliance Court 52

Debevoise Data Blog

JANUARY 25, 2024

Nevertheless, when considering the appropriateness of protective measures, the obligation rests on the data controller to prove that they met the required standard. The rulings arose at the request of both the German and Lithuanian courts, following local administrative fines. The Court ruled that: “Scoring” (i.e.,

Data protection 40

Data protection Court e-records Compliance 40

Debevoise Data Blog

AUGUST 16, 2023

. : Business may want to revisit their cross-border data transfer arrangements following the new adequacy decision for the EU-U.S. Data Privacy Framework, assess whether they are eligible to self-certify and, if they are, whether it makes sense to. Data Privacy Framework (the “DPF”).

Data protection 40

Data protection Analytics Compliance Time-tracking 40

Debevoise Data Blog

JUNE 16, 2021

We also saw developments in the courts on when companies will be liable to pay individuals damages for GDPR violations and the German anti-trust regulator using its new enforcement powers. These decisions follow the CNIL’s October 2020 updated cookies guidelines (see our blog post ).

Data protection 40

Data protection Compliance Court Time-tracking 40

Inside Privacy

JANUARY 17, 2024

In its review, the Commission considered the development of data protection frameworks in the concerned countries and territories, as well as the evolving interpretation of the adequacy standard under EU law, particularly in light of the EU Court of Justice’s Schrems II judgment. Our team is happy to assist with any inquiries.

Data protection 72

Data protection Court Law Law 72

Inside Privacy

MAY 5, 2023

On March 4, 2023, the European Court of Justice (”CJEU”) issued its judgment on case C-300/21, UI v Österreichische Post AG. In the Court’s view, Article 82 requires establishing: (i) “damage”, either material or non-material; (ii) an actual infringement of the GDPR; and (iii) a causal link between the two.

Data protection 79

Data protection Court Law Law 79

Inside Privacy

MAY 4, 2023

On May 4, 2023, the Court of Justice of the European Union (‘CJEU’) decided, in case C-487/21 , that the right to obtain a ‘copy’ of personal data means that the data subject must provide with a faithful and intelligible reproduction of all personal data. Fulfilling the right of access.

Intellectual Property 74

Intellectual Property Data protection Court Law 74

Technology Law Dispatch

JULY 31, 2023

Please click here to access the source post from our Global Regulatory Enforcement Law Blog. In this blog, the authors delve into a significant decision by the German Federal Cartel Office (FCO) four years ago, accusing a major technology company of abusive behavior due to alleged violations of the General Data Protection Regulation (GDPR).

Data protection 52

Data protection Court Law Law 52

Eric Goldman

OCTOBER 16, 2023

[Sorry it’s take me this long to get this blog post off my desk. The AADC would require many businesses to sort their online visitors into adults and children–necessarily requiring age authentication–so that children can receive heightened statutory protections. I hope it was worth the wait.] It’s not a close call.

Court 109

Court Failure-to-appear Data protection Judge 109

Inside Privacy

NOVEMBER 13, 2023

On October 26, 2023, the European Court of Justice (“CJEU”) decided that the GDPR grants a patient the right to obtain a copy of his or her medical record free of charge ( case C-307/22, FT v DW ). The scope of GDPR’s right of access (see our blog posts here and here ) has been heavily litigated both at EU and national level.

Data protection 69

Data protection Law Law Court 69

Inside Privacy

FEBRUARY 27, 2023

As reported in our previous blog post , the RAD aims to harmonize member state frameworks on collective actions ( i.e. , whereby multiple claimants may lodge a claim or claims as a group) across the EU. National courts dismissal of certain claims. The main takeaways of the RAD are as follows: The role of qualified entities.

Data protection 52

Data protection Court Litigator Litigation 52

Debevoise Data Blog

SEPTEMBER 25, 2024

However, data controllers and processers should be aware that the UK’s Information Commissioner’s Office (“ICO”) can also carry out dawn raids as part of investigations into compliance with data protection laws. The ICO must obtain a court warrant to conduct a dawn raid. unlawfully obtaining personal data).

Data protection 52

Data protection Failure-to-appear Court Judge 52