Wilson Sonsini Goodrich & Rosati (JD Supra European Union)

New Set of SCCs for Data Transfers to Third Countries On June 4, 2021, the European Commission (EC) published its long awaited new set of Standard Contractual Clauses (New SCCs). This new data transfer mechanism allows for the transfers of personal data outside of the European Economic Area (EEA) and replaces the current Standard Contractual Clauses (current SCCs). The New SCCs take into account...

The European Commission (EC) has published new guidance on the application of Article 22 of the European Merger Regulation (EUMR) which will allow for the EC and Member States to refer transactions that do not meet existing EC or national jurisdictional thresholds for EC review.

On December 15, 2020, the European Commission (EC) unveiled a set of proposals to regulate digital platforms. The draft laws include antitrust-related requirements, addressed by the Digital Markets Act (DMA) and more general regulatory requirements, addressed in the Digital Services Act (DSA). The DMA/DSA package will apply to all digital services, including social media, online marketplaces, and

On November 12, 2020, the European Commission (EC) issued a draft version of a new set of Standard Contractual Clauses (New SCCs). The long-awaited New SCCs include several modules that companies can use depending on the transfer scenarios, such as controller-to-controller, controller-to-processor, and processor-to-processor data exports. The New SCCs have also been updated to reflect the high...

On November 11, 2020, the European Data Protection Board (EDPB), comprised of the European data protection regulators (DPAs), issued two long-awaited sets of recommendations. These recommendations are critical for any companies exporting or importing EU personal data.

On September 7, 2020, the European Data Protection Board (EDPB) published draft guidelines (Guidelines) intended to clarify the roles of the parties processing personal data and when they are operating as controllers, joint controllers, or processors under the EU General Data Protection Regulation (GDPR).

The Vertical Block Exemption Regulation (VBER)—the antitrust legislation governing most vertical arrangements in Europe—entered into force on June 1, 2010. Among other things, it creates a safe harbor for vertical agreements which meet certain conditions, shielding them practically from the application of Article 101 of the Treaty on the Functioning of the European Union (TFEU). Guided by the...

On Monday September 7, 2020, the European Data Protection Board (EDPB) issued draft Guidelines 8/2020 on the targeting of social media users (the "Draft Guidelines"). The Draft Guidelines have far-reaching implications for social media platforms, advertisers, and adtech companies, as they will result in a clarification of the roles and responsibilities of the key stakeholders, and establish rules

Over the last few days, the European Data Protection Board (EDPB), the European Data Protection Supervisor (EDPS) and various Supervisory Authorities (SAs) across Europe issued statements addressing the decision of the European Court of Justice (ECJ) to invalidate the EU-U.S. Privacy Shield framework (Schrems 2.0). Below we summarize some of the main reactions.

On April 21, 2020, the European Data Protection Board (EDPB) published two sets of guidelines addressing data processing in the context of the COVID-19 pandemic. These guidelines address the use of location data and contact tracing tools to combat the spread of COVID-19 and the use of health data for the purposes of scientific research into COVID-19 (together, the guidelines).

On April 14, 2020, the European Data Protection Board (the EDPB) published a letter in response to the European Commission's call for consultation (the letter) regarding its recommendation on the use of mobile applications and location data to fight the COVID-19 outbreak.

This slide deck lists the advice and statements of the Supervisory Authorities (“SAs”) in the European Economic Area on the collection and processing of personal information for purposes of fighting the COVID-19 outbreak. Since the matter is in flux, Wilson Sonsini monitors any changes to SAs’ advice and updates the overview at regular times. Please see full Table below for more information.

This is the third part of our three-part series on the impact of the COVID-19 on patent offices around the world (Part 1 was on the USPTO and Part 2 was on the Chinese Patent Office). We focus today on the European Patent Office (EPO), which is the regional patent organization for filing and prosecuting European patent applications. While the COVID-19 pandemic continues to affect Europe, the EPO...

The COVID-19 virus outbreak poses serious challenges to businesses operating globally, including in Europe. In response to the outbreak, governments worldwide are taking increasingly severe measures to fight the pandemic, and companies are implementing measures to ensure business continuity and protect their workforce. As a consequence, companies are contemplating steps which may impact privacy,...

On March 16, 2020, the European retail and wholesale lobby, EuroCommerce, announced that in the wake of the COVID-19 crisis certain retailers have been cooperating to share information, and that governments and competition authorities had indicated that they might waive normal competition rules to allow such exchanges while the crisis continues.1 Within 48 hours, newswires were reporting that the

On February 7, 2020, the European Data Protection Board (EDPB) published draft guidelines on the processing of personal data in the context of connected vehicles and mobility related applications. If adopted in their current form, the draft guidelines will have far-reaching consequences for connected vehicles and mobility applications that operate in Europe. They contain detailed interpretations...

On February 10, 2020, the European Patent Office Opposition Division announced the results of an opposition filed against patent EP2800811, owned by the Regents of University of California, University of Vienna, and Emanuelle Charpentier (collectively, UC/UV/Charpentier), with claims directed to methods and compositions of Cas9 and a single-guide RNA. The decision, which comes after three days of

On July 9, 2019, the European Court of Justice (ECJ)—the highest court of the European Union—will hear oral arguments in the Schrems 2.0 case relating to the validity of two key data transfer mechanisms: the Standard Contractual Clauses (SCCs) and the EU-US Privacy Shield. Both of these mechanisms are widely used by companies in the European Economic Area (EEA), which comprises the 28 EU member...

On June 27, 2019, the EU Regulation on Information and Communication Technology (Cybersecurity Act or Act) became effective introducing, for the first time, EU-wide rules for the cybersecurity certification of products and services (Certification). The Certification may create a competitive advantage for companies that sell their products and services in the EU. Further, the Certification may act

On July 8, 2019, the UK Information Commissioner’s Office (ICO) announced its intention to fine British Airways GBP 183.39 million over a data breach in which the personal data of approximately 500,000 customers was compromised. If made final, the fine—equivalent to approximately U.S. $230 million—would be the biggest fine ever issued by the ICO as well as any Supervisory Authority (SA) in the...

As application of the European Union’s (EU’s) General Data Protection Regulation (GDPR) quickly approaches, the enforcement authority of the European data protection authorities (DPAs) is rightfully on everyone’s mind. The power to issue monetary fines against non-compliant entities of up to four percent of the entity’s past year worldwide turnover is one of the GDPR’s most striking provisions....

In yet another round of Schrems versus Facebook, on January 25, 2018, the Court of Justice of the European Union (CJEU) ruled that privacy activist Max Schrems is a consumer with regard to his Facebook profile despite his advocacy activities. Schrems may therefore benefit from the EU consumer forum rule, which allows him to bring a privacy action as an individual against Facebook Ireland (Facebook

As merger reviews become more thorough and document-intensive, companies planning to engage in global M&A deals in 2018 should factor potentially lengthier merger reviews by the European Commission (EC) into their deal timelines. The increasing use of the EC’s stop-the-clock powers when requesting additional information from the notifying parties can significantly delay merger investigations,...

On October 3, 2017, the High Court of Ireland issued its decision in Data Protection Commissioner vs Facebook and Schrems1 concerning the validity of the EU Standard Contractual Clauses (SCCs)—a mechanism used by a very large number of companies to transfer personal data outside of the European Union.

On January 10, 2017, the European Commission published a Proposal for a Regulation (Proposal) relating to privacy rules for the electronic communications sector. The Proposal will impose new, more rigorous privacy regulatory obligations on nearly all companies doing business in the EU over the Internet. It will address a host of important issues including the processing of communications content...

The EU Parliament Committee in charge of reviewing the EU Commission's Proposal for an e-Privacy Regulation (Proposal) released a Draft Report proposing amendments this week.

On July 26, 2016, the body of European Data Protection Authorities (DPAs)—the "Article 29 Working Party" (WP29)—issued a statement commending the improvements made to the EU-U.S. Privacy Shield (Privacy Shield). Although the WP29 continues to have some of the concerns raised in its April 2016 opinion, and the Privacy Shield will most likely face legal challenge, the Privacy Shield is a valid tool

On July 6, 2016, the European Parliament adopted the first-ever pan-European law on cyber security. The law, entitled the "Directive on the Security of Network and Information Systems" (NIS Directive), imposes security requirements and security incident notification obligations on digital service providers and operators of essential services.

The decision by the United Kingdom (UK) to leave the European Union (EU) will have far-reaching consequences for companies doing business in the UK and elsewhere in Europe. Specific details of the UK's withdrawal agreement with the EU will be the subject of intense negotiation over the next two years or longer, but the current key takeaways for businesses as they relate to antitrust concerns are..

On April 14, 2016, the European Parliament formally adopted the General Data Protection Regulation (GDPR). With this vote, the new EU data protection legal framework will become legally effective in two years and 20 days from its publication in the EU Official Journal (expected in May 2016). By May 2018, companies will have to comply with its new stringent requirements.