Gibson Dunn | Europe | Data Protection – Q1 2022

April 7, 2022


Personal Data | Cybersecurity | Technology | Digital

Europe

03/22/2022 – European Commission | EU-US Data Transfers | Trans-Atlantic Data Privacy Framework | Agreement in Principle

The Commission announced that it has reached an agreement in principle with the US on a new Trans-Atlantic Data Privacy Framework to replace the invalidated Privacy Shield and allow personal data to flow freely between the EU and the US.

The Framework is intended to provide binding safeguards limiting access to data by US intelligence authorities to what is necessary and proportionate to protect national security. It would also establish a new redress system, including a Data Protection Review Court, to investigate and resolve complaints from Europeans about access to their data by US intelligence authorities.

For further information: European Commission Website


03/14/2022 – European Data Protection Board | Guidelines | Dark Patterns

The EDPB adopted Guidelines on dark patterns in social media platform interfaces which are subject to a public consultation until 2 May 2022.

Dark patterns are interface designs and user-experience choices on social media platforms that lead users to make unintended, unwilling and potentially harmful decisions about the processing of their personal data. The Guidelines offer practical recommendations to designers and users of social media platforms on how to recognise and avoid dark patterns that infringe GDPR requirements.

For further information: EDPB Website


03/14/2022 – European Data Protection Board | Guidelines | One-Stop-Shop

The EDPB adopted Guidelines on Article 60 GDPR to support cooperation between national supervisory authorities.

The Guidelines help supervisory authorities to interpret and apply their own national procedures in such a way that it conforms to and fits in the cooperation under the one-stop-shop mechanism.

For further information: EDPB Website


02/23/2022 – European Commission | Proposed Regulation | Data Act

The European Commission published a Proposal for a Regulation on Harmonized Rules on Fair Access to and Use of Data (Data Act).

The Regulation aims to enable the sharing of industrial data. The Proposal notably includes provisions to (i) allow users of connected devices to access the data generated through their use of those devices, (ii) prevent abuse of contractual imbalances in data-sharing contracts, (iii) enable public sector bodies to access and use privately held data where necessary in exceptional circumstances, and (iv) facilitate the portability of users' data between service providers.

For further information: Commission Website


02/22/2022 – European Data Protection Board | Guidelines | Codes of Conduct

The European Data Protection Board updated its Guidance on Codes of Conduct as tools for transfers.

These Guidelines clarify the role of the various actors involved in drawing up a Code of Conduct that can be used as a tool for transfers.

For further information: EDPB Website


02/03/2022 – CISPE Cloud | Code of Conduct | GDPR Compliance

The association Cloud Infrastructure Services Providers in Europe (CISPE) announced that, following the approval of the CISPE Code of Conduct for Data Protection in Cloud Infrastructure by the European Data Protection Board, companies have begun declaring their services compliant with the Code.

These companies (including Aruba, Amazon Web Services, Elogic, Leaseweb, Outscale and OVHCloud) are the first to declare compliance with the Code, which is designed to provide assurance that their cloud infrastructure services can be used in compliance with the GDPR. As a reminder, the CISPE Code of Conduct for Data Protection in Cloud Infrastructure is the first European Code of Conduct specifically designed for cloud infrastructure service providers.

For further information: CISPE Website


01/18/2022 – European Data Protection Board | Letter | Cookie Consent Requirements

The European Data Protection Board published a letter highlighting that it aims to ensure the consistent interpretation of cookie consent requirements throughout the European Union.

As a reminder, the EDPB established a taskforce to coordinate the response to complaints concerning cookie banners.

For further information: EDPB Website


01/18/2022 – European Data Protection Board | Guidance | Right of Access

The European Data Protection Board issued its Guidelines 01/2022 on the Right of Access, which were subject to a public consultation until 11 March 2022.

The Guidelines aim to provide practical guidance on how the right of access must be implemented.

For further information: EDPB Website


01/05/2022 – European Data Protection Supervisor | Decision | International Data Transfers

The European Data Protection Supervisor issued a decision finding that the European Parliament unlawfully transferred personal data to the US, in breach of the requirements set out in the CJEU's Schrems II judgment.

Among other violations, it was found that the European Parliament did not provide any documentation or measures ensuring an equivalent level of protection to personal data transferred to the US. The Supervisor issued a reprimand and ordered the Parliament to address the non-compliances within one month of this decision.

For further information: EDPS Decision


Austria

01/13/2022 – Austrian Supervisory Authority | Decision | International Data Transfers

The Austrian Authority published a decision issued on 12 December 2021, that held that a website provider using Google Analytics was transferring data to the US in violation of the GDPR and the Schrems II decision.

Among other elements, the Authority held that the SCCs concluded between the website provider and the analytics provider did not ensure an adequate level of protection because (i) the analytics provider, as an electronic communications service provider, is subject to US surveillance laws, and (ii) the additional safeguards put in place were insufficient to prevent US intelligence services from accessing the data subjects' personal data.

For further information: DSB Decision (German)


Belgium

03/17/2022 – Belgian Supervisory Authority | Warning | Right to be Forgotten

The Belgian Authority issued a decision against an American search engine company for its delayed handling of a removal request and provided guidance on which entity within a corporate group should bear responsibility for GDPR violations.

The company received only a warning, relating to the transparency of the information provided, and no fine.

For further information: APD Decision (French)


02/02/2022 – Belgian Supervisory Authority | Sanction | Transparency & Consent Framework

The Belgian Authority fined an advertising industry organization €250,000, finding that the Transparency & Consent Framework it created, which is used by many companies, infringes the GDPR.

The advertisement organization filed an appeal against this decision.

For further information: APD Website (French)


Denmark

03/09/2022 – Danish Supervisory Authority | Guidance | Cloud Service Usage

The Danish Authority released Guidance on Cloud service usage.

The Guidance includes specific recommendations for transferring data to third countries like the US and examples of how data transfers should be implemented.

For further information: Datatilsynet Website (Danish)


France

03/15/2022 – French Supervisory Authority | Guide | Data Protection Officers

The French Authority published a Guide on Data Protection Officers (DPOs) to help organizations in appointing and supporting DPOs.

The Guide is organized in four parts: (i) the DPO’s role, (ii) the designation of a DPO, (iii) the DPO function, and (iv) the support provided by the CNIL to DPOs.

For further information: CNIL Website


03/03/2022 – French Parliament | Legislation | Cybersecurity Certification

The French Parliament passed a law introducing cybersecurity certification for digital platforms aimed at the general public.

The legislation requires the providers concerned to carry out cybersecurity audits and to present the results of these evaluations to consumers in a clear manner. Auditors must be approved by ANSSI, the French national information systems security agency. The obligation will take effect on 1 October 2022.

For further information: Legislation (French)


02/23/2022 – French Supervisory Authority | White Paper | Payment Data and Means of Payment

The French Authority issued a White Paper on Payment Data and Means of Payment.

This White Paper aims to raise public awareness, support professionals and anticipate future developments in payment methods.

For further information: CNIL Website


02/17/2022 – French Supervisory Authority | Standard | Child Protection

The French Authority adopted a standard on the processing of personal data in relation to child protection.

This standard is meant to help public and private organizations involved in the accommodation and support, from a social, medico-social, educational and/or legal perspective, of children and of young adults under 21.

For further information: CNIL Website (French)


02/10/2022 – French Supervisory Authority | Formal notice | Data Transfers to the US

The French Authority issued a formal notice to a website provider using Google Analytics.

The Authority found that the transfer of data to the US through Google Analytics does not comply with Chapter V of the GDPR. It therefore ordered the website provider to bring its processing into compliance with the GDPR within one month, including by ceasing to use Google Analytics if necessary.

For further information: CNIL Website (French)


02/03/2022 – French Supervisory Authority | Standard | Business Relationship Management

The French Authority issued a standard on data processing for business relationship management purposes.

This standard replaces the "Norme simplifiée 48" (which ceased to apply when the GDPR entered into force) and deals in particular with contract management, loyalty programs, satisfaction surveys, marketing activities and customer relationship monitoring.

For further information: CNIL Website (French)


01/28/2022 – French Conseil d’Etat | Sanction Confirmation | Cookies

The Conseil d'Etat, France's highest administrative court, upheld the €100 million fine imposed by the French Supervisory Authority on 7 December 2020 on two entities of an American search engine company.

The Conseil d'Etat confirmed the administrative fine and held that the one-stop-shop mechanism introduced by the GDPR did not apply because cookie practices are governed by the ePrivacy rules as transposed into national data protection law (the French "Loi informatique et libertés").

For further information: CNIL Website and Conseil d’Etat Website (French)


01/26/2022 – French Legislator | Simplified Procedure | Supervisory Authority Powers

The French legislator introduced a simplified sanction procedure to be implemented by the French Supervisory Authority.

Subject to certain conditions, the president of the Authority may now decide alone to issue (i) a warning, (ii) an injunction to comply with the GDPR with a daily penalty of up to €100, and (iii) an administrative fine up to €20,000.

For further information: Legislation (French)


01/12/2022 – French Supervisory Authority | Guidance | Processor Data Reuse

The French Authority issued Guidance on the conditions under which a processor can reuse personal data processed on behalf of the controller for its own purposes.

According to the Authority, a processor may reuse personal data for its own purposes if such reuse is compatible with the purposes for which the data was first collected and the controller has given its written permission.

For further information: CNIL Website (French)


01/06/2022 – French Supervisory Authority | Sanction | Cookies

The French Authority published a decision issued on 31 December 2021 to fine an American search engine company €150 million (€90 million for one entity and €60 million for another) for not enabling its users to refuse cookies as easily as to accept them.

The Authority also ordered the company to enable users located in France to reject cookies as easily as they can accept them within three months, subject to a daily penalty of €100,000 for any delay.

For further information: CNIL Website


01/06/2022 – French Supervisory Authority | Sanction | Cookies

The French Authority published a decision issued on 31 December 2021 fining an American social media company €60 million for not enabling its users located in France to refuse cookies as easily as to accept them.

The Authority also ordered the company to enable users located in France to reject cookies as easily as they can accept them within three months. After that period, a daily penalty of €100,000 applies until full compliance.

For further information: CNIL Website


01/05/2022 – French Supervisory Authority | Guidance | Right of Access

The French Authority published Guidance regarding employees’ right to access their data and professional emails.

The Authority notably clarifies the process that the employer should follow in response to an access request and outlines the specific rules applicable to private emails.

For further information: CNIL Website (French)


01/04/2022 – French Supervisory Authority | Sanction | Data Subjects’ Rights

The French Authority published a decision issued on 28 December 2021, to fine a French telecommunication operator €300,000 for failure to comply with data subjects’ rights and data security requirements.

According to the Authority’s decision, the company also failed to comply with the right to object to processing for direct marketing purposes and with the privacy by design principle, since the company continued to send invoices to complainants for telephone lines whose subscription had been terminated.

For further information: CNIL Website (French)


Germany

03/16/2022 – Dresden Higher Regional Court | Decision | Statutory Data Retention Requirements

The Higher Regional Court of Dresden published a ruling dated 14 December 2021 holding that statutory data retention requirements do not automatically provide a legal basis under Art. 6(1)(c) GDPR (compliance with a legal obligation), nor a ground for refusing a data subject's request for erasure.

Personal data may only be processed and retained insofar as required. If necessary, documents needed to comply with statutory data retention requirements have to be redacted.

For further information see: Oberlandesgericht Dresden Decision (German)


03/07/2022 – Bavaria High Administrative Court | Decision | Review of Controllers’ Supply Chain

The High Administrative Court of Bavaria issued a decision stating that data controllers (here, water suppliers) have to verify whether their suppliers have implemented sufficient technical and organizational measures to ensure that personal data is protected from unauthorized access by third parties prior to using their devices (here, electronic radio water meters).

The Court, however, does not provide further guidance on the depth and scope of the required review.

For further information: Bayerische Staatskanzlei Website (German)


03/03/2022 – Bremen Supervisory Authority | Sanction | Legal Basis and Transparency

The Bremen Supervisory Authority issued a decision to fine a company €1.9 million for unlawful processing.

The Authority considered that the company's processing of the personal data of more than 9,500 prospective tenants, including special categories of personal data, was not necessary for the conclusion of lease agreements. The company also obstructed the exercise of data subjects' rights.

For further information: LfDI Website (German)


02/22/2022 – Schleswig-Holstein and Baden-Württemberg Supervisory Authorities | Annual Reports

The Supervisory Authorities of Schleswig-Holstein and Baden-Württemberg published their Annual Reports for the year 2021.

Both note that data breaches and related notifications have significantly increased.

For further information: ULD Website and LfDI Website (German)


02/19/2022 – Federal Labor Court | Decision | Data Subjects’ Rights

The Federal Labor Court published a decision dated 16 December 2021 holding that a data subject's access request must be sufficiently specific.

According to the ruling, data subjects must clarify which data they seek access to unless this is impossible or unreasonable.

For further information: Bundesarbeitsgericht Website (German)

01/25/2022 – German Data Protection Conference | Expert Opinion | US Surveillance Law and Authorities

The German Data Protection Conference published a report dated 15 November 2021 on the state of US surveillance law and authorities.

For further information: DSK Website


01/20/2022 – Munich Regional Court | Decision | Unlawful Use of a Fonts Tool

The Regional Court of Munich ruled that the transmission of a visitor's IP address to Google caused by embedding Google Fonts cannot be based on legitimate interest, because the fonts can be self-hosted and used without any IP address being sent to Google. The visitor's consent is therefore required.

For further information: Bayerische Staatskanzlei Website (German)


Greece

01/31/2022 – Hellenic Supervisory Authority | Sanction | Data Breach

The Hellenic Authority issued a decision dated 27 January 2022 to fine two telecommunication companies €6 million and €3.25 million for various non-compliances discovered in the context of a data breach.

The Authority's investigation notably revealed infringements relating to transparency, inadequate anonymization and the failure to allocate the roles of the two companies in respect of the processing in question. In addition to the fines, the Authority ordered the companies to stop the processing and destroy the personal data.

For further information: HDPA Website


Ireland

03/15/2022 – Irish Council for Civil Liberties | Lawsuit | Authority’s Failure to Act

The High Court allowed a non-profit organization, the Irish Council for Civil Liberties, to file a lawsuit against the Irish Supervisory Authority for failure to act against the real-time bidding practices of an American search engine company.

The organization points out that it filed a complaint against real-time bidding in 2018 but that the Irish Authority failed to investigate the claim.

For further information: ICCL Website


Italy

03/09/2022 – Italian Supervisory Authority | Sanction | Facial Recognition

The Italian Authority issued a decision dated 10 February 2022 to fine an American facial recognition company €20 million for unlawful biometric profiling of data subjects.

The Authority found that the company, which maintains a database of more than 10 billion facial images scraped from public internet sources (including public social media), had no legal basis for doing so and failed to comply with a number of GDPR requirements, such as transparency and storage limitation.

For further information: Garante Website (Italian)


01/19/2022 – Italian Supervisory Authority | Sanction | Unsolicited Marketing Calls

The Italian Authority issued a decision dated 16 December 2021 to impose a €26.5 million fine against a national energy provider company for processing data subjects’ data without their consent.

The Authority also found that the company failed to address data subjects' requests to access their personal data or to object to processing for marketing purposes.

For further information: Garante Website (Italian)


Liechtenstein

03/03/2022 – Liechtenstein Supervisory Authority | Recommendation | Data Transfers

The Liechtenstein Authority issued a press release recommending that website operators deactivate Google Analytics and switch to alternative tools, given the concerns regarding international transfers of personal data.

As a reminder, the Austrian and French Supervisory Authorities issued similar statements.

For further information: DSS Website (German)
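The Google Analytics decisions above (Austria, France and Liechtenstein) and the Munich Google Fonts ruling all turn on the same mechanical fact: a page that references a resource on a Google host makes every visitor's browser connect to that host and hand over its IP address, whereas a self-hosted copy of the same resource does not. The following Python script is an added example, not part of the newsletter and not guidance from any authority: it parses a page's HTML and lists each stylesheet, script or CSS-referenced resource that would be fetched from such a host, treating relative URLs as self-hosted. The list of hosts and the sample page are constructed assumptions for illustration.

```python
"""Added example: find the resources on a page that cause a visitor's browser
to contact Google (Google Fonts, Google Analytics / gtag.js), which is the
transfer at issue in the Google Analytics and Google Fonts decisions above.
The host list and the sample page below are constructed assumptions."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts whose resources send the visitor's IP address to Google when loaded.
# Assumption: an illustrative list, not an official list from any authority.
FLAGGED_HOSTS = {
    "fonts.googleapis.com": "Google Fonts (stylesheet)",
    "fonts.gstatic.com": "Google Fonts (font files)",
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
}

# url("...") inside <style> (covers @font-face src and @import url(...)),
# plus the bare @import "..." form.
CSS_URL_RE = re.compile(
    r"""url\(\s*['"]?([^'")]+)['"]?\s*\)|@import\s+['"]([^'"]+)['"]"""
)


def classify(url):
    """Return the flagged-host label for a URL, or None for relative/first-party URLs."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return None  # relative URL: served from the site's own origin (self-hosted)
    return FLAGGED_HOSTS.get(host)


class _ResourceCollector(HTMLParser):
    """Collect every URL the page loads via <link href>, <script src> or inline CSS."""

    def __init__(self):
        super().__init__()
        self.resources = []   # (kind, url) pairs in document order
        self._style_buf = None  # text of the <style> element being read, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):
            self.resources.append(("link", a["href"]))
        elif tag == "script" and a.get("src"):
            self.resources.append(("script", a["src"]))
        elif tag == "style":
            self._style_buf = []

    def handle_data(self, data):
        if self._style_buf is not None:
            self._style_buf.append(data)

    def handle_endtag(self, tag):
        # Parse the CSS only once the whole <style> body has been buffered.
        if tag == "style" and self._style_buf is not None:
            css = "".join(self._style_buf)
            self._style_buf = None
            for m in CSS_URL_RE.finditer(css):
                self.resources.append(("css", m.group(1) or m.group(2)))


def scan(html):
    """Return [(kind, url, label)] for every resource loaded from a flagged host."""
    parser = _ResourceCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for kind, url in parser.resources:
        label = classify(url)
        if label:
            findings.append((kind, url, label))
    return findings


# Constructed sample page: one self-hosted font (not flagged), one Google Fonts
# <link>, one Google Fonts @import and a gtag.js loader (all three flagged).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/static/site.css">
<style>
@font-face { font-family: Inter; src: url("/fonts/inter.woff2") format("woff2"); }
@import url("//fonts.googleapis.com/css?family=Lato");
</style>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABC123"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for kind, url, label in scan(SAMPLE_PAGE):
        print(f"{label}: <{kind}> {url}")
```

Run against the sample page, the script reports the Roboto stylesheet, the Lato @import and the gtag.js loader, and stays silent on the self-hosted Inter font and the first-party assets, which is the distinction the Munich court drew. A static scan of this kind only sees what is in the served HTML; resources injected later by scripts, or fonts pulled in by a third-party stylesheet, would need a browser-level check of the actual network requests.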


Malta

01/17/2022 – Maltese Supervisory Authority | Sanction | Data Breach

The Maltese Authority fined a company €65,000 in the context of a data breach that led to the exposure of Maltese voters’ data, including their political preferences.

The Authority highlights that sensitive data was collected and processed without a legal basis, and that the company failed to notify the data breach to the Authority within the required deadline and to communicate the same to the affected data subjects. In addition to the fine, the Authority ordered the company to erase the personal data which had been processed in an unlawful manner.

For further information: IDPC Website


Norway

03/04/2022 – Norwegian Supervisory Authority | Statement | Data Transfers

The Norwegian Authority issued a press release encouraging companies which export personal data to Ukraine and Russia to reassess the impact of such transfers.

In particular, the Authority advises to reconsider the legal basis of the transfers and recalls that security measures should be reviewed and updated if necessary.

For further information: Datatilsynet Website (Norwegian)


Poland

01/19/2022 – Polish Supervisory Authority | Sanction | Data Breach

The Polish Authority fined a company €1 million in the context of a data breach, for failing to implement appropriate security measures and to verify the effectiveness of the safeguards implemented by its processor.

For further information: UODO Website (Polish)


Spain

03/18/2022 – Spanish Supervisory Authority | Annual Report

The Spanish Authority published its Annual Report for the year 2021.

The Authority highlights that complaints increased by 35%, and mainly concerned internet services, video surveillance and marketing.

For further information: AEPD Website (Spanish)


02/11/2022 – Spanish Supervisory Authority | Sanction | HR Data

The Spanish Authority issued a €2 million fine against a company for requesting job candidates to communicate their criminal records.

For further information: AEPD Decision (Spanish)


02/01/2022 – Spanish Supervisory Authority | Sanction | Security Measures

The Spanish Authority fined a telecommunication company approx. €4 million for failing to implement appropriate security measures to prevent fraudulent duplication of SIM cards.

The duplicated SIM cards were then used to satisfy the second authentication factor and make bank transfers from the data subjects' accounts.

For further information: AEPD Decision (Spanish)


United Kingdom

03/21/2022 – UK Supervisory Authority | International Data Transfer Agreement | Entry into force

The UK International Data Transfer Agreement (IDTA) and Addendum entered into force, replacing the EU Standard Contractual Clauses previously relied on for international transfers of personal data from the UK.

For further information: ICO Website


03/07/2022 – UK Supervisory Authority | Guidance | Accountability and Governance

The UK Authority issued a new chapter of its draft Guidance on anonymization, which focuses on accountability and governance.

For further information: ICO Website


02/02/2022 – UK Supervisory Authority | Sanction | Unsolicited Marketing Calls

The UK Authority fined a company £200,000 (approx. €235,000) for making more than half a million unsolicited marketing calls.

The calls notably targeted individuals registered with the Telephone Preference Service (TPS), the UK's official do-not-call register, and were made under different trading names, both of which are unlawful practices.

For further information: ICO Website


This newsletter has been prepared by the EU Privacy team of Gibson Dunn. For further information, you may contact us by email:

© 2022 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.