Schrems II heard in Europe: potential huge impact on global data transfers

  • The Court of Justice of the European Union (“CJEU“) has heard oral submissions in the latest case questioning the legal validity of international data transfer mechanisms under the GDPR, such as Standard Contractual Clauses and the EU-US Privacy Shield;
  • The Irish Data Protection Commissioner (“DPC“) is seeking a ruling that would find the so-called Standard Contractual Clauses, which are used to legitimise the transfer of personal data from Europe all around the world, as invalid because they do not provide adequate protection for individuals’ data;
  • The CJEU heard yesterday from the DPC, Facebook, the Electronic Privacy Information Center, DigitalEurope, the Business Software Alliance, the European Commission, the European Data Protection Board, the US government, several EU Member States and representatives of the original complainant Mr Schrems;
  • The Advocate General will give his non-binding opinion on the case on 12 December this year, with a full decision expected from the CJEU by early 2020;
  • If the Standard Contractual Clauses are declared invalid, this will have a huge impact on global trade, effectively putting the brakes on the international transfer of data.

Continue reading

Cookie consent walls crumble: ICO publishes guidance on cookie consent

Following its recent admission that its own cookie consent mechanism was non-compliant (see previous blog post here), the UK privacy regulator (the ICO) updated its cookie notice last week (see our previous blog post here) and has now published guidance on cookies and similar technologies. Key messages are:

  • No implied consent for non-essential cookies allowed, including consent obtained via sliders/toggles which are defaulted to ‘on’
  • Analytics cookies are not ‘strictly necessary’ and so require consent
  • The position regarding the use of ‘cookie walls’ to restrict website access remains unclear, although is likely to be inappropriate in many circumstances

Continue reading

Cookie Compliance: How can companies get it right when the regulator does not?

  • The UK privacy regulator has admitted that its own cookie consent process does not comply with the current GDPR and ePrivacy rules.
  • According to the regulator, a new process will be implemented during the week beginning 24th June 2019, which could give organisations a valuable insight into how to navigate the complex interaction between the GDPR and ePrivacy rules in a compliant manner.
  • The regulator has also promised detailed guidance on cookies “soon“.

Continue reading

EU Council publishes Progress Report on draft EU ePrivacy Regulation

On 15 May 2017, the Council of the European Union published its progress report (the “Report“) on the first draft of the ePrivacy Regulation (the “Draft Regulation“).

The Draft Regulation focuses on the processing of personal data and protection of privacy in electronic communications. Among other areas, it covers direct marketing, cookies and other forms of online tracking; principally seeking to bring e-privacy law up to date with the “evolution of technological and market reality” and align the law with the incoming EU General Data Protection Regulation (“GDPR“). It was published by the European Commission in January of this year and is expected to replace the existing Privacy and Electronic Communications Directive (the “ePrivacy Directive“).

Continue reading