Category Archives: EU

New Privacy Shield Framework in the Works, Favoring Continuity Over Change for Businesses

President Biden and EU leaders announced on March 25, 2022 an agreement in principle to craft a replacement for the Privacy Shield and expand options for trans-Atlantic data transfers in accordance with the General Data Protection Regulation (“GDPR”).

Background

The GDPR requires that transfers of personal data of EU residents to countries outside of the EU must take place pursuant to an approved transfer mechanism,… More

French Data Protection Authority Rules on Transfers of Health Data

The French Conseil d’Etat handed down an important decision October, 13th regarding privacy and personal data protection. This decision comes in the wake of the “Schrems II” ruling of the Court of Justice of the European Union (CJEU), which ruled that the protection of data transferred to the United States by the “Privacy Shield” was insufficient under European law.

A platform managing health data (named “Health Data Hub”) was created in 2019 to facilitate the share of these data in order to promote research.… More

Lessons Learned From The Greek Supervisory Authority’s PwC Decision on Employee Data Under GDPR

On 26 July 2019, the Greek Supervisory Authority (SA) found Pricewaterhouse Coopers (“PwC”) not compliant with General Data Protection Regulation (GDPR) in relation to the processing of its Greek employees’ personal data. The SA issued a €150,000 fine and an injunction requiring PwC to take measures to comply within three months (which is has apparently done). A summary of the decision in English is available on the Greek SA’s website.… More

Data Scraping, at Home and Abroad

Data scraping is a technique where information on one platform is exported onto another.  The practice is widespread and is used for all sort of reasons, like market analysis or advertising.  The kind of information located and extracted is as varied as the kind of information that exists on the internet–which is to say, anything and everything–but where it becomes particularly interesting is when personal information is being scraped.… More

The Paris District Court Invalidates 38 Clauses of Google+ Terms of Use and Privacy Policy

It has been rough weather for Google in France. Three weeks after the French ‎Data Protection Authority imposed a record fine against Google for non-compliance with the GDPR, the Paris District Court (“Tribunal de Grande Instance”) invalidated 38 clauses of Google’s Privacy Policy and Terms of Use for Google+, the Internet-based social media network owned and operated by Google.  This decision was rendered on February 12,… More

EDPB Issues Opinion on the Interplay between the Clinical Trials Regulation and the GDPR

‎On January 23, 2019, the European Data Protection Board (“EDPB”) issued an interesting opinion about personal data processed in relation to clinical trials.

The main role of the EDPB – which succeeded the Article 29 Working Party – is to contribute to the consistent application of the GDPR throughout the European Union. Its tasks include providing general guidance to clarify the law and advising the European Commission on data protection issues and new legislations.… More

GDPR Alert: Google Gets Biggest Fine Ever Issued by a European Data Protection Authority

On 21 January 2019, the French Data Protection Authority (the “French DPA”) fined Google LLC 50 million euros for breach of the GDPR.

As we reported on this blog, just after GDPR became applicable, noyb.eu (None of Your Business), the non-profit privacy organization set up by Max Schrems, the Austrian lawyer who initiated the action against Facebook that led to the invalidation of the Safe Harbor,… More

Is the Right to be Forgotten National, European or Worldwide? The Advocate General Issues an Opinion in the Google Case

On January 10, 2019, Advocate General Szpunar issued his much awaited opinion in the Google case that was referred to the European Court of Justice by the French “Conseil d’Etat”, the highest administrative court of the country.  The Conseil d’Etat basically asked the European Court of Justice to follow-up on its Google Spain decision: is the right to be forgotten –… More

Three Things Not to be Forgotten about the GDPR’s “Right to be Forgotten”

Our experience in advising clients about GDPR and assisting them in the compliance process is that there are often misconceptions about the so-called “right to be forgotten”. The purpose of this post is to address some of these misconceptions.

  • The “right to be forgotten” was not created by the GDPR

The GDPR replaced the EU’s 1995 Directive which provided in Article 12(b) that “Member States must guarantee every data subject the right to obtain from the controller: (…),… More

GDPR: Q&A for Investment Advisers and Private Fund Managers

As many of you may already be aware, the European GDPR goes into effect during May 2018. Below are some frequently asked questions and answers about GDPR as a short guide to assist investment advisers and private fund managers with initial GDPR analysis.

What is GDPR?

It is the new General Data Protection Regulation (GDPR) adopted by the European Union that is intended to protect the “personal data” of natural persons in the European Union.… More

Quiz: Are You a GDPR Expert?

A lot of information has been circulating about GDPR in the last months from all kinds of sources, some more reliable than others, and you may have the feeling that you are quite knowledgeable about it. We have designed this quiz to enable you to check how knowledgeable you really are.

If you get all the answers right except for one or two, you are a true expert!… More

What IP Practitioners Should Know About GDPR And Personal Data Protection In Europe

In the European Union (“EU”), “everyone has the right to the protection of personal data concerning him or her” under the Charter of Fundamental Rights. Intellectual property is also protected as a fundamental right under the Charter, as is freedom of speech. These rights can sometimes conflict. In two previous posts on cases about linking to Playboy pictures and the inspiration for Jeff Koons’ sculptures,… More

Partners Colin Zick and Catherine Muyl to Participate in MassTLC Event Focused on GDPR

Partners Colin Zick and Catherine Muyl will join MassTLC’s CISO and CTO Peer Group Meeting on Tuesday, February 6 to discuss the General Data Protection Regulation.

The fast approaching deadline to comply with GDPR is only months away. There are checklists and guidelines to help companies meet these new regulations, but realistically what must companies prioritize, how do you create these new protocols in your company,… More

Watch: Privacy and Data Security for the Generalist In-House Counsel

Privacy and data security have rocketed to the top of the list of concerns for all corporate boards. Whether you are a technology company, a biotech, or a traditional widget maker, your company has confidential information about its products, customers and employees. And that information has to be protected as a matter of law, both by statute and under contracts with your customers and suppliers.

As in-house counsel,… More

General Data Protection Regulation: What It Means For US Healthcare/Life Science Companies (Part Two)

This is the second post in a three-part series designed to provide a summary of some of the GDPR features that are likely to have the most substantial impact on healthcare/life science related businesses. (Links for Part One and Part Three

New General Features of the GDPR

Some of the GDPR general features may be of particular interest for companies in the healthcare/life science sectors.… More

General Data Protection Regulation: What It Means For US Healthcare/Life Science Companies (Part One)

This is the first post in a three-part series designed to provide a summary of some of the GDPR features that are likely to have the most substantial impact on healthcare/life science related businesses. (Links for Part Two and Part Three)

The clock is ticking: on May 25, 2018, in less than a year from now, the General Data Protection Regulation (“the GDPR”) will apply in all Member States of the European Union (“EU”) and will replace the Directive 95/46/CE (“the Directive”).… More

How the French Fought the Election Hackers

Emmanuel Macron won France’s presidential election in a landslide. He defeated his opponent, Marine Le Pen, by more than thirty percentage points. Such a high margin might lead one to think that his victory was inevitable. But on the eve of the election, it did not seem that way.

On the Friday before the Sunday election, hackers released a trove of documents they had stolen from the Macron campaign.… More

A Privacy Shield Replaces a Safe Harbor for the Swiss, Too

US companies with employees or clients in Switzerland will be interested to hear that the new Swiss-US Privacy Shield was approved on 11 January.

Although Switzerland is not a member of the European Union, its data protection law (Federal law of ‎19 June 1992) is very similar to the European 1995 Data Protection Directive. According to the Federal law, the transfer of personal data outside of the country is not allowed if that would pose a serious threat,… More

How Can Yahoo E-Mail Scanning Impact the EU-U.S. Privacy Shield?

Reuters reported earlier this month that, according to three former employees, Yahoo Inc. had “complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo mail accounts at the behest of the NSA or FBI.” Yahoo responded that the article was misleading, but did not deny the scanning had occurred.

The New York Times reported further details about this scanning:  Yahoo had modified a system intended to scan emails for child pornography and spam in order to satisfy a secret court order requiring it to search for messages containing a computer “signature” tied to the communications of a state-sponsored terrorist organization.… More

What to Expect from the EU’s New Network and Information Security Directive

On July 6, 2016, the European Union adopted Directive (EU) 2016/1148, “concerning measures for a high common level of security of network and information systems across the Union,” otherwise known as the Network and Information Security Directive. (A directive, in EU parlance, is an instruction to member states to achieve a particular objective and a general framework for how to do so.  This differs from a regulation, which is immediately binding on all member states.)  Pursuant to this Directive,… More

Which U.S. Businesses Must Comply with EU Data Protection laws?

What the recent Amazon decision tells us

On 28 July 2016, the European Court of Justice rendered a decision in a dispute between an Austrian Consumer Protection organization known as VKI (Verein für Konsumenteninformation) and Amazon EU Sàrl, a subsidiary of Amazon registered in Luxembourg. The main issue in this case is whether Amazon General Conditions were enforceable under Consumer Law; however; one of the questions referred to the European Court was about the territorial scope (Article 4) of the 95/46/EC Directive on Data Protection.… More

Article 29 Working Party on the EU-US Privacy Shield: A Number of Concerns Remain But Let’s See How It Works

Article 29 Working Party on the EU-US Privacy Shield:

The EU’s Article 29 Working Party analyzed the final version of the Privacy Shield and issued a statement on July 26, 2016.  What does this mean?

  • Recap: Where are we and how did we get here?

On February 29, 2016, the European Commission issued a draft adequacy decision reflecting the outcome of its negotiations with US authorities in relation to the Privacy Shield,… More

Guest Podcast: Europe’s New General Data Protection Regulation–What Is It and Are You Ready for It?

Are you looking for an introduction to the European Union’s General Data Protection Regulation (GDPR)?  To find out when and how it’s going to impact you and your organization, listen to this quick 10 minute podcast with, Deborah Hurley. Deborah is an adjunct professor of the practice of computer science at Brown University, fellow at the Institute for Quantitative Social Science at Harvard University, and principal at Hurley Consulting.… More

At Long Last, US-EU Privacy Shield Adopted By EU Member States

Key takeaways:

  • The Privacy Shield will now go into effect.
  • The preliminary start date for companies to be certified under the Privacy Shield is August 1, 2016.
  • Expect more challenges to the Privacy Shield before all is said and done.

The Details:

Following the invalidation of the US-EU Safe Harbor by the European Court of Justice in the Schrems case,… More

New Data Protection Obligations In Europe: Data Protection Officers and Impact Assessment under the New General Data Protection Regulation (GDPR)

The full text of the General Data Protection Regulation (GDPR) was published on 4 May 2016. Although the GDPR will not be effective until 25 May 2018, it is worth looking into it right now given the major changes it makes to the rules in the 1995 Directive.

Application of the GDPR

The GDPR applies to the processing of personal data by companies having an “establishment” in the European Union,… More

Join Us on May 25: The End of the “Safe Harbor” for E.U./U.S. Data Transfer

How Can Companies Transfer Personal Data and Remain Compliant?

The French-American Chamber of Commerce, Foley Hoag LLP and The Consulate General of France in New York are pleased to invite you to a timely panel discussion and networking event.

Date: Wednesday, May 25
Time: 6:00 pm – 8:00 pm
Location: Consulate General of France
934 Fifth Avenue
New York,… More

EU General Data Protection Regulation Adopted

After years of intense discussions, the EU General Data Protection Regulation (GDPR) was finally adopted on 14 April 2016.

The GDRP sets out uniform new rules in the field of data protection across the EU, rules that will standardize the law in the 28 EU Member States and have an impact on both European and non-European companies.  For example:

  • data controllers (companies collecting and using personal information) will have a wide range of new obligations,…
  • More

EU-US Privacy Shield: Working Party Urges European Commission to Improve Current Scheme

After the invalidation of the Safe Harbor by the European Court of Justice (“ECJ”) last October in the Schrems case, negotiations between the European Commission and US authorities led to a new agreement called the EU-US Privacy Shield.  However, the EU’s 1995 Data Protection Directive provides that the Article 29 Working Party (“WP29”) has to issue an opinion on this kind of agreements and it did so on April 13.… More