BakerHostetler (JD Supra European Union)

This quarterly update highlights some of the international data protection issues that have caught our attention, and the attention of our clients, in the past three months.

In certain cases, the General Data Protection Regulation (GDPR) requires entities that experience a personal data breach to provide notice of the incident to relevant national supervisory authorities and the individuals whose personal data was compromised. The European Data Protection Board (EDPB) — a board of representative members from each of the European national supervisory authorities —...

Last week, both the European Data Protection Board (EDPB) and the European Commission released highly anticipated draft documents offering guidance to organizations that engage in cross-border data transfers involving EU personal data.

Quick Links - CJEU Press Release - CJEU Decision - Press Releases from the Parties - Irish Data Protection Commission - Max Schrems - U.S. Department of Commerce - Electronic Privacy Information Center (EPIC) - BSA The Software Alliance - DIGITALEUROPE - 1. Is the EU-U.S. Privacy Shield framework dead?

Following its investigation of a personal data breach, the Belgian Data Protection Authority (DPA) issued a ruling on April 28, 2020, imposing a €50,000 fine on an organization for negligence in having appointed the company’s head of compliance, risk and audit as its data protection officer (DPO). This decision should cause entities to reconsider appointing a DPO who holds another senior role in...

The United Kingdom withdraws from the European Union today. The implementation period runs for the next 11 months, through Dec. 31. During this time, European Union trademark filings (“EUTMs”) will continue in full force in the U.K.

In November 2019, the European Data Protection Board (EDPB) issued its final guidance on territorial scope of the General Data Protection Regulation (GDPR), following release of the draft guidelines in November 2018 and a lengthy public consultation period.

Have you heard of the theory of “trademark neutralization?” It was developed by the European Union (EU) General Court and the European Union Court of Justice (“CJEU”) in 2006 (Case No. C-361/04 (ECJ Jan. 12, 2005)) holding PICASSO/PICARO not confusingly similar and was followed in Case C-206/04 (ECJ Mar. 23 2006) holding SIR/ZIRH not confusingly similar.

Adoption of the ePrivacy Regulation - Introduced in 2017, and originally slated to go into effect with the GDPR (on May 25, 2018), it now appears the ePrivacy Regulation will not be implemented before late 2021.

In the absence of cookies-related guidance and enforcement by regulators against ordinary website publishers and operators, many e-commerce sites, online publishers and other website operators have taken a “wait and see” approach with respect to implementing GDPR-compliant cookies consent procedures.

Companies face substantial challenges in complying with breach notification requirements under Article 33 of the General Data Protection Regulation (GDPR). Article 33 requires a data controller to report a personal data breach to European Union (EU) supervisory authorities within 72 hours of becoming aware of the breach if it is likely to result in a risk to the rights and freedoms of individuals.

On January 10, Advocate General Maciej Szpunar released an opinion recommending that Google and other search engines should not be forced to apply the EU’s “right to be forgotten” beyond the EU.

As we previously reported, the Federal Trade Commission (FTC) announced several enforcement actions in late 2017, on the eve of the first annual joint EU-U.S. review of the Privacy Shield Framework.

As organizations continue to grapple with the requirements of the EU General Data Protection Regulation (GDPR) even months after its effective date, one thing is clear: The impact of the regulation extends far beyond an organization’s European operations.

California has a unique ballot initiative process that allows voters to directly pass legislation, and it appears that proponents of an initiative that could impact digital advertising and apply European Union (EU)-inspired consumer privacy protections – including opt-out consent to broad categories of data use and sharing – have obtained enough signatures to place the measure on the November...

On Feb. 6, 2018, the Article 29 Working Party (Working Party 29) published Working Paper 261 (WP 261), which provided guidance on the provisions of Article 49 of the European Union’s (EU) General Data Protection Regulation (GDPR).

With only four months remaining until the EU General Data Protection Regulation takes effect on May 25, 2018, the European Commission has launched a new website offering guidance on requirements and implementation targeted at an array of stakeholders including Member State governments, businesses, data subjects, and other entities whose operations or data processing activities will bring them...

The September 5, 2017, decision of the Grand Chamber of the European Court of Human Rights (ECHR) in Barbulescu v Romania (Barbulescu) has interrupted a recent trend toward limiting privacy in the European workplace. The Barbulescu decision held that a Romanian employee’s legally protected right to privacy was violated when his employer monitored personal messages he sent from a company account.

On September 8, 2017, the Federal Trade Commission (FTC) announced enforcement actions against three companies alleged to have falsely claimed participation in the EU-U.S. Privacy Shield Framework. The move follows several months of uncertainty surrounding the Framework’s future as EU officials and privacy advocates have questioned its efficacy and validity in the run-up to the first annual joint

The DESI VII Workshop titled “Using Advanced Data Analysis in eDiscovery & Related Disciplines to Identify and Protect Sensitive Information in Large Collections” was held on the Strand Campus of King’s College in London on June 12, 2017. DESI VII was particularly focused on privacy, and presented numerous papers that examined emerging protocols and novel techniques for identifying and protecting

As noted in the 2017 BakerHostetler Data Security Incident Response Report, the enactment of the EU General Data Protection Regulation (GDPR) represents the most significant change in European data protection law in more than 20 years. Coming into effect on May 25, 2018, the GDPR focuses on a number of core data protection principles and includes provisions relating to fair, lawful, and...

While the dust was still settling on the United Kingdom’s June referendum to leave the European Union, the “Remain” campaign scored a major win in the English High Court of Justice on Thursday, Nov. 3, 2016. This decision casts even more uncertainty over an already uncertain time in global politics. Though the results of the June 23 referendum immediately sent the pound spiraling, withdrawal

Digital Rights Ireland, an Irish privacy advocacy group, has filed the first legal challenge to the EU-U.S. Privacy Shield, the Trans-Atlantic agreement reached earlier this year to permit the lawful transfer of personal data from the European Union to the United States. The Privacy Shield was formally adopted on July 12, 2016, by the European Commission, which released an Adequacy Decision...

New unified patent grant and patent court systems, which were to have taken effect in early 2017, will likely be stalled because of Britain’s June vote to leave the EU, commentators and member nations fear. BACKGROUND – THE CURRENT EUROPEAN PATENT AND COURT SYSTEMS - The current EU patent grant system requires separate filings in each member state. Under the current system, an...

With the UK’s Brexit referendum dominating the news out of Europe over the past week, it may have been easy to miss a key development in the continuing Privacy Shield negotiations. On Friday, June 24, news outlets reported that U.S. regulators and the European Commission had agreed on a finalized version from the Privacy Shield, a proposed “replacement” of the Safe Harbor framework that was...

As of March 23, 2016, the “Community Trade Mark” (CTM) is going by a new name: the “European Union Trade Mark” (EUTM), reflecting the evolution of the European Community into the European Union. By force of Regulation No. 2015/2424, the Office for Harmonization in the Internal Market (OHIM), the body responsible for administering the European trademark regime, will now be called the European...

On April 13, 2016, the Article 29 Working Party (WP29), an influential group of European data protection authorities, issued a non-binding opinion that criticized certain elements of the fledgling Privacy Shield framework. Although the Privacy Shield remains in limbo at this time, a flurry of speculation and Shield-adjacent legal maneuvers have colored the landscape and heightened concerns about...

Facebook is yet again being tagged in a breach of data protection laws, but this time it’s ‘checking-in’ to a European court in Brussels, Belgium. A recent slew of cases, in which Facebook is the leader, hints at stricter and broader privacy laws to protect users’ private data.

As U.S. and European regulators and businesses work toward solutions in the wake of last month’s decision by the Court of Justice of the European Union that invalidated the EU-U.S. Safe Harbor framework for cross-border data transfers, the Trans-Pacific Partnership (TPP) trade agreement seeks to facilitate cross-border data sharing and would restrict the ability of member countries to demand...

For the past 15 years, the EU-U.S. Safe Harbor Framework has been one of the most popular data transfer mechanisms for organizations that engage in cross-border transfers of EU personal data to the United States. In the aftermath of the recent invalidation of the Safe Harbor Framework by the Court of Justice of the European Union (CJEU), many companies are contemplating alternative data transfer...