Sheppard Mullin Richter & Hampton LLP (JD Supra European Union)

In May 2018 the United States announced the reinstitution of sanctions against Iran that had previously been lifted pursuant to the Joint Comprehensive Plan Action (“JCPOA”). The U.S. sanctions on Iran that were revived by the U.S. action in 2018 include many that apply extraterritorially. Moreover, U.S. law allows the government to impose sanctions on non-U.S. persons (such as European...

On May 10, 2021, the EU adopted its new, revised version of Regulation (EC) No 428/2009 (the “Regulation”). It is widely acknowledged to be the first major reform to the structure of the EU’s export control regime since 2009...

In August 2020, we wrote a blog post about the adoption by the European Commission (“Commission”) of a White Paper on Foreign Subsidies. On 5 May 2021, the Commission adopted a proposal for a Regulation on foreign subsidies distorting the internal market after an extensive consultation process with stakeholders. This post updates our previous entry and considers the implications of the newly...

The Portuguese data protection authority issued a recent resolution ordering the Portuguese National Institute of Statistics (or INE) to stop sending personal census information to any countries outside of the EU that do not provide “adequate” levels of data protection. Among those countries are the United States...

The Dutch Data Protection Authority recently imposed a €475,000 fine ($558,000) against the hotel website Booking.com for waiting longer than 72 hours to report a data breach. According to the Dutch DPA press release, Booking.com learned of the breach on January 13, 2019 and reported it to the DPA on February 7, 2019. The DPA did not make it clear in that release whether Booking.com had, in fact,

This 1970 hit by Simon & Garfunkel is a beautiful song about giving a helping hand to someone caught in a situation of distress. And there is also broad consensus around the world that the digital platform markets are caught in troubled waters. A few mighty rivers run so high and so fast that they are drowning smaller creeks around them and carrying away anyone riding them. Different attempts to

Almost a year ago now, the pandemic outbreak disrupted the worldwide entertainment industry – and in particular, film and television production. Similar to the US, European audio-visual productions were halted, movie theaters were closed, events, premieres and entire marketing and distribution campaigns were postponed or cancelled...

Many supervisory authorities across Europe have reported increasing numbers of data breach notifications since the introduction of GDPR. While most companies are now familiar with the 72-hour reporting obligation for controllers to supervisory authorities, whether such obligation has been triggered continues to present unique and complex questions in each specific security event. To help aid...

Many in the world have been watching the Brexit deal closely, including privacy lawyers and others who deal with global data transfers. Under the recently-announced deal, a temporary solution will allow companies to continue to transfer data between the UK and European Economic Area (EEA) as normal during a short post-Brexit transition period. As many know, transfers of personal data are...

As 2020 comes to a close, we take this opportunity to look back at some of the more significant developments that we discussed in the blog this year. The first is the EU Court of Justice’s Schrems II decision, finding that the EU-U.S. Privacy Shield was not a valid mechanism for transferring personal data from the EU to the U.S. Related decisions came out of Switzerland and Israel.

The ever increasing market power and often criticised conduct of data driven platforms is not new, but lately the efforts to tackle these appear to have taken a decisive turn. We are now on the verge of new rules and tools to tackle the competition issues arising with the tech giants...

One of the methods US and EU companies rely on most frequently for the transfer of personal data from the EU to the US are standard contractual clauses. For the method to be acceptable as a valid basis for transfer of personal information, one critical step is for companies to use the version of the clauses as approved by the EU Commission. This has causes some confusion and concern, as the...

The EDPB recently published recommendations on additional security steps to take when transferring personal data out of the EU. As outlined in our previous series of posts, the EU found this summer that the EU-US Privacy Shield was an invalid mechanism for transferring personal information from the EU to the US. ...

The National Institute of Standards and Technology has issue a set of draft principles for “explainable” artificial intelligence and is accepting comments until October 15, 2020. The authors of the draft principles outline four ways that those who develop AI systems can ensure that consumers understand the decisions reached by AI systems...

As State aid measures granted by EU Member States continue to surge in the aftermath of the COVID-19 outbreak and ongoing pandemic, the European Commission (“Commission”) has turned to subsidies coming from non-EU countries.

On July 16, 2020, in the case colloquially known as “Schrems II,” the Court of Justice of the European Union (CJEU) struck down the EU-US Privacy Shield, finding it an invalid mechanism for transferring data from the EU to the US. The CJEU concluded that the Standard Contractual Clauses (SCCs) are valid for the transfer of personal data outside the EU (which would include transfers to the US),...

Since our last update, a little over a month ago, many major arbitral institutions have updated their guidance regarding COVID-19 in light of the continuing impact of the pandemic on ongoing proceedings. Below we have included updated guidance from major arbitral institutions and expanded the chart to include a number of new institutions. Thirteen major arbitral institutions also issued a joint...

A number of private and government entities have released apps and software development kits (SDKs) relying on location tracking data to help tackle the COVID-19 pandemic. While the use of such technologies are being hotly debated, commentary continues to emerge from the EU about developing such applications in compliance with EU data protection laws...

Following its 20th plenary session on April 7, the European Data Protection Board (EDPB) selected geolocation and health data to focus on in its upcoming COVID-19 guidance. This follows in response to the EDPB’s earlier broad statement on the processing of personal data in the context of COVID-19...

The COVID-19 pandemic has triggered worldwide pandemonium and is disrupting business throughout all sectors. It is undeniably a major shock for the global economy. While the need for a coordinated response has been recognised at the highest levels in the EU, this does not mean that the application of competition law is suspended during the crisis...

The unique EU State aid control law requires, in principle, prior notification by Member States and approval by the Commission of all State aid. During a time of crisis, like the COVID-19 pandemic, EU law allows for a flexible approach for approving urgent State aid. In this post, we discuss the current state of play in the EU and offer some general items to consider for undertakings receiving...

The European Parliament recently issued a resolution directed at the European Commission on its concerns with automated decision-making processes and artificial intelligence. While the EU Parliament addresses several areas of automated decision-making, the underlying theme of this resolution is that the Commission should ensure that there is transparency and human oversight of these processes...

Public awareness regarding air pollution in the European Union is at an all-time high and citizens expect authorities to act. In this vein, the European Commission has recently taken a number of direct and indirect actions, including engagement of the Court of Justice of the EU, enforcement measures against car manufacturers and a Europe-specific “Green Deal,” to stem the tide of rising air...

The European Data Protection Board recently requested comments on its data protection “by design and default” guidelines. Comments are due by mid-January of next year. The Guidelines provide clarity about how to address GDPR’s requirement that companies take “appropriate” technical and organizational steps to protect personal information and individuals. Part of the law’s requirements, according...

The EU Commission concluded its third annual review of the EU-U.S. Privacy Shield and found that it continues to provide an adequate level of protection for EU personal data. The program was created as a mechanism to facilitate transfers of personal data from the EU to the US. It is reviewed annually by the EU Commission, as we have discussed in prior posts. That body did express concern with...

Europe has come up with a nifty plan to help Iran buy and sell stuff outside the reach of U.S. sanctions. The problem is that the plan is a fraud magnet. How do we know? It’s been tried before, and the fraud was epic. The plan is known as the “Instrument in Support of Trade Exchanges,” or “INSTEX.” Lots of smart people have been involved in creating the program. Let’s hope they’re not too young...

The European Data Protection Board and the European Data Protection Supervisor recently issued a joint opinion on the processing of personal data and the role of the European Commission within the eHealth Digital Health Service Infrastructure. As background, the eHealth Network is a network of eHealth authorities designated by the EU member states. Its main purpose is ensure the continuity of...

In a long-awaited ruling of June 18, 2019, the General Court of the EU (GCEU) annulled the European Commission’s State aid 2015 decision in the Micula case (joined cases T-624/15, T-694/15 and T-704/15). The factual background - Romania was in a very difficult economic, financial and social situation following the collapse of the communist regime in 1989. In its efforts to boost regional...

The European Data Protection Board is seeking comment about proposed guidelines that impact websites that provide online services. This might include services a user pays for, or where the fee is indirect (the services being funded through advertising dollars, for example)...

The European Commission has informed various game companies (platforms and publishers) of its preliminary view that the companies prevented consumers from purchasing video games cross-border from other Member States, in breach of EU competition rules. According to the Commissioner in charge of competition policy...