Photo of Davinia Brennan

The Portuguese Data Protection Authority (known as the CNPD) has ordered the National Institute of Statistics (NIS) in Portugal to stop sending census data to the U.S. or other third countries, that do not provide an adequate level of data protection.

NIS used Cloudfare Inc. (a U.S. based company) to assist it with the collection of personal data from Portuguese citizens in 2021 Census Surveys. Following receipt of complaints about the collection of census data via the internet, the CNPD carried out an investigation into NIS. The CNPD found that NIS had a contract in place with Cloudfare Inc ., which provided for the transfer of the census data to the U.S., using the Standard Contractual Clauses (SCCs).  It noted that Cloudfare Inc., as a U.S. company, is directly subject to U.S. surveillance legislation for national security purposes, which provides U.S. public authorities with unrestricted access to personal data in its possession, without informing data subjects.

Continue Reading Portuguese Data Protection Authority suspends data transfers to the U.S.

Photo of Davinia Brennan

The European Parliament has adopted a new Regulation requiring online platforms to remove or disable access to flagged terrorist content in all Member States within one hour.  The Regulation will come into force 20 days after publication in the Official Journal, and will apply 12 months after its entry into force.

Continue Reading New EU Regulation adopted requiring fast removal of terrorist online content

Photo of Grace Moore

The European Data Protection Board (EDPB) recently published new Guidelines (09/2020) on the meaning of and interpretation of a “relevant and reasoned objection” under Article 60(3) of the GDPR.

The Guidelines relate to the cooperation and consistency provisions set out in Chapter VII of the GDPR, under which a lead supervisory authority (LSA) has a duty to cooperate with other concerned supervisory authorities (CSAs) in order to reach a consensus on cases with a cross-border component. The so-called one-stop-shop (OSS) mechanism.

Continue Reading EDPB adopts Guidelines on “Relevant and Reasoned” Objections

Photo of Davinia Brennan

The Conseil d’État, France’s highest administrative court, recently ruled that personal data collected via a platform managed by Doctolib, and hosted by an EU subsidiary of a US-based company (subject to US surveillance laws), was in line with the GDPR. The ruling is an important follow-up to Schrems II.

Continue Reading French court ruling considers lawfulness of using EU subsidiary of US cloud service provider post-Schrems II

Photo of Davinia Brennan

The Bavarian Data Protection Authority (DPA) recently ruled that a German publisher should cease using a US-based email marketing platform to send newsletters to its subscribers. The Bavarian DPA found that transfers of email addresses of EU subscribers by the German publisher to the US-based platform to be unlawful.  When using the platform, the German publisher relied on the Standard Contractual Clauses (SCCs) for its data transfers from Germany to the US.

Continue Reading Bavarian DPA finds data transfers to US-based email marketing platform unlawful

Photo of Sarah Dunne

The European Data Protection Board (EDPB) recently responded to questions submitted by the EU Commission seeking clarification on the consistent application of the GDPR to health research. The responses cover 21 questions and provide clarity on issues such as: the legal basis for processing health data; processing of special categories of data on a large scale; and further processing of previously collected health data. While it is clear that many questions remain unanswered, further responses are expected in forthcoming guidance currently being prepared by the EDPB.

Continue Reading EDPB responds to questions on processing health data

Photo of Davinia Brennan

The Data Protection Commission (DPC) has published its Annual Report for 2020. The Report looks back on the span of regulatory work completed by the DPC over the past year, and reveals some interesting trends and statistics. It discusses the complaints and breach notifications received; case-studies; the 83 domestic and cross-border inquiries it has open; and the fines, reprimands, and compliance orders it has issued for infringements of the GDPR and Law Enforcement Directive (LED). This briefing note considers some of the key highlights of the Report.

Continue Reading DPC publishes Annual Report for 2020

Photo of Alison Quinn

The UPC has faced continuous obstacles delaying its implementation. As matters stand, 15 contracting Member States have already ratified, including France and Italy. Once German ratification is complete it is anticipated that the final steps could be taken to set up the UPC in 2021 (with work likely starting in 2022), but more delays are now expected. In late December 2020, the German Parliament passed the ratification bill for the UPC Agreement but that was swiftly followed by the filing of two constitutional complaints with Federal Constitutional Court which delays the German process again.

Once up and running the UPC will replace all individual enforcement courts in different EU member states, enabling inventors and patent owners to enforce their patents across Europe. There will no longer be a requirement for multi-jurisdictional patent disputes, which has forced patent owners to litigate costly and complex issues throughout several European jurisdictions simultaneously.

Continue Reading Unified Patent Court- What is happening?

On 1 January 2021, the Trade and Co-operation Agreement (TCA) came into force and the general principles of EU law, existing EU treaties and EU free movement rights ceased to apply in the UK, after the transition period set out in the Withdrawal Agreement ended on 31 December 2020. Under the European Union (Withdrawal) Act 2018, EU regulations only continue to apply in the UK to the extent that they have not been modified or revoked by regulations under that Act.

The TCA itself had very little impact on IP rights – it provides minimum measures for IP protection with scope for implementing stricter measures. The minimum measures have already been implemented in the UK and EU. Under the TCA, intellectual property rights (IPRs) (both registered and unregistered) will continue to be protected to at least the standards required by the international agreements which the UK and EU are both parties to, and, in many cases, to a higher standard.

Read More

Photo of Davinia Brennan

The EU Commission looks set to adopt two adequacy decisions in favour of the UK, which will allow businesses to continue to freely transfer personal data from the EU/EEA to the UK.  On 19 February 2021, the EU Commission published two draft adequacy decisions permitting transfers of personal data to the UK under the GDPR, and under the Law Enforcement Directive (LED).

Once adopted, the decisions will replace the interim solution agreed under the EU-UK Trade and Cooperation Agreement (previously discussed here). That agreement allows businesses to transfer personal data from the EU/EEA to the UK, without putting in place additional safeguards, until 30 June 2021 or an adequacy decision comes into effect, whichever is sooner.

Next steps

The EU Commission will next obtain an opinion from the EDPB. It will then need to obtain the green light from a committee of representatives of the EU Member States.  Once this procedure is completed, the EU Commission may adopt the UK adequacy decisions. In line with Article 45(3) of the GDPR and Article 36 of the LED, the UK adequacy decisions will be reviewed every four years to ensure the UK continues to offer an adequate level of protection.

The UK Government’s Press Release welcoming the draft adequacy decisions is available here.