On February 11, 2025, the European Data Protection Board (“EDPB”) issued a statement outlining its expectations for aligning the proliferating use of age assurance checks with the GDPR (the “Statement”). Aiming to promote a harmonized approach across the EU, the Statement provides guidance and high-level principles for online service providers…
On 14 January 2025, the UK government launched a public consultation on proposed legislative measures to combat the ever-increasing threat of ransomware. With these proposals, the UK government is seeking to step up its efforts to understand, deter and prosecute ransomware attacks by gathering more information from victims and undermining…
Introduction In a judgment of January 8, 2025 (in Bindl v European Commission, Case T-354/22) (the “Judgment”) the EU General Court (the “Court”), the second highest court of the European Union (“EU”), ordered the European Commission (the “Commission”) to pay 400 EUR in damages to a German citizen (the “claimant”) for transferring…
On 22 May 2023, the Irish Data Protection Commission (“DPC”) fined Facebook parent Meta EUR 1.2 billion for transferring personal data to the U.S. in violation of GDPR. The DPC also ordered Meta to suspend further transfers unless it can bring such transfers into compliance within 5 months. Meta is…
On April 26, 2023, the General Court of the European Union issued a ruling in Case T-557/20, SRB v EDPS, finding that pseudonymized data shared by one party with another will not be considered personal data in the hands of the recipient, if the recipient does not have legal means…
On December 29, 2022, France’s privacy regulator (CNIL) imposed an €8 million fine on Apple. The CNIL found Apple in breach of France’s ePrivacy rules for not obtaining mobile users’ consent prior to reading and depositing Identifiers for Advertising (IDFAs) on those users’ devices. Apple has announced that it intends…
On December 13, 2022, the European Commission published a draft adequacy decision on the EU-US Data Privacy Framework (the “Framework”), the successor to the EU-US Privacy Shield Framework that was famously struck down by Europe’s top court two years ago. While the purpose of the draft adequacy decision, once adopted,…
Introduction On June 4, 2021, the European Commission (the “EC”) abolished the old Standard Contractual Clauses (the “Old SCCs”) and published a new more flexible set of clauses (the “New SCCs”) for companies that wish to export personal data from the EU to elsewhere to rely on (for more information,…
On August 5, 2022 news broke that the French Data Protection Authority (“CNIL”) proposes fining adtech company Criteo €60 million for undisclosed GDPR violations as part of an ongoing investigation opened by the CNIL in 2020. The investigation followed a 2018 complaint by the privacy NGO Privacy International against Criteo…
Introduction On 13 January 2022, the Austrian Data Protection Authority (“DSB“) ruled that the use of Google Analytics (“GA”) and the resulting export of personal data to the United States (“US”) violates the GDPR’s data export requirements. On 10 February 2022 the French data protection authority (“CNIL”) also confirmed that…