Organisations should expect increased scrutiny and enforcement activity around the role of data protection officers in the coming year.

By Gail E. Crawford, Fiona M. Maclean, Ben Leigh, and Amy Smyth

The European Data Protection Board (EDPB) has announced that its coordinated enforcement action for 2023 will focus on the designation and position of data protection officers (DPOs). Each year, the EDPB’s Coordinated Enforcement Framework (CEF) designates a topic EU data protection authorities (DPAs) should focus on. Although participation for any given year is voluntary, the EDPB has stated that this CEF will involve 26 DPAs across the European Economic Area, including the European Data Protection Supervisor.

The EDPB sets out relevant steps and factors that EU supervisory authorities should consider when calculating administrative fines under the GDPR.

By Gail Crawford, Ian Felstead, James Lloyd, Tim Wybitul, Irina Vasile, Sami Qureshi, and Amy Smyth

On 16 May 2022, the European Data Protection Board (EDPB) adopted draft Guidelines 04/2022 on the calculation of administrative fines under the GDPR (Draft Guidelines).[1] The Draft Guidelines are currently subject to public consultation and comments may be submitted until 27 June 2022 (at the latest). The EDPB’s aim is to create a harmonised methodology for the calculation of GDPR fines. All EU supervisory authorities (SAs) must use the same starting points, on the basis of which administrative fines can be subsequently calculated and further tailored for individual cases. The EDPB clearly emphasizes that the Draft Guidelines are not drafted to enable controllers/processors to precisely calculate the expected fine; this determination will rather depend on all the individual circumstances of the case. SAs will need to ensure that fines are effective, proportionate, and dissuasive, taking into account the particularities of each case. While the EDPB acknowledges that SAs retain discretion to account for these particularities, they are clearly expected to follow the methodology set out in the Draft Guidelines.

The French Data Protection Authority’s white paper discusses how companies can comply with data privacy and security obligations.

By Christian F. McDermott, Myria Saarinen, Calum Docherty, Charlotte Guerin, Jiou (Alex) Park, and Amy Smyth

The use of card, contactless, and innovative digital payment solutions has significantly increased in recent years, fueled by the immediate impacts of the ongoing COVID-19 pandemic and the longer-term growth of e-commerce and open banking. In this context, the legal and regulatory environment around payment data is no longer limited to traditional actors in the banking sector or the long-established ambit of banking secrecy rules. As such, stakeholders from fintech startups to established technology giants face an increasing patchwork of compliance obligations.

Online retailers storing credit card data for the sole purpose of facilitating further purchases will likely need to obtain consumer consent.

By Christian F. McDermott, Calum Docherty, and Victoria Wan

Online shopping has boomed in recent years. In 2020, the European statistics agency Eurostat estimated that 7 out of 10 internet users made online purchases within a 12-month period. The European Central Bank found that the total number of non-cash payments in the euro area increased by 8.1% in 2019 (the last year statistics are available) year-on-year with a total value of €162 trillion, which included 45 billion transactions processed by retail payment systems worth €35 trillion. This growth has likely surged during the COVID-19 pandemic, when many consumers turned to e-commerce.

The opportunities for retailers also present data protection risks. On 19 May 2021, the European Data Protection Board (EDPB) adopted Recommendations 02/2021 on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions (the Recommendations) to address the vast data processing operations behind these transactions. The Recommendations focus on when and how online retailers can store a customer’s credit card data after a sale or transaction for the sole purpose of facilitating future purchases by that customer. The EDPB has expressly excluded from the scope of the Recommendations the storage of credit card data in relation to ongoing contracts, such as for subscription services, and the activities of payment institutions operating in online stores. The Recommendations only reference credit cards and not payment cards more generally (such as debit cards, prepaid cards, etc.). It is unclear whether the EDPB might have similar expectations of online retailers that store other payment card or direct debit data for the same purposes.

The Recommendations are not legally binding, but provide a brief exploration of the EDPB’s assessment of the legal bases available to the online retailer. The EDPB concludes that, in its view, the only appropriate legal basis for such processing is consent under Article 6(1)(a) of the General Data Protection Regulation 2016/679.

The European Commission has published draft updated standard contractual clauses in light of the Schrems II decision.

By Gail Crawford, Ian Felstead, Fiona Maclean, Serrin Turner, Tim Wybitul, Victoria Wan, and Amy Smyth

On 12 November 2020, the European Commission (the Commission) published a draft implementing decision, annexing a draft set of updated standard contractual clauses (SCCs) for the transfer of personal data from the European Union to third countries (the New SCCs). The New SCCs were published two days after the European Data Protection Board (EDPB) released its draft recommendations on supplementary measures (the Recommendations). (For more information, see Latham’s blog post The EDPB’s Draft Data Transfer Guidance Following Schrems II — A Close Look.)

In the New SCCs, the Commission has substantially updated the SCC terms. The New SCCs provide for new types of data transfer (i.e., processor-to-processor and processor-to-controller transfers, in addition to the controller-to-controller and controller-to-processor transfers covered in the current SCCs) and, to a limited extent, address matters arising from the CJEU Schrems II decision.

Court’s decision struck down blanket prohibition on so-called “cookie walls” that prevent users from accessing a website or an application.

By Myria Saarinen and Charlotte Guérin

France’s Highest Administrative Court (the Conseil d’Etat) issued a decision on 19 June 2020 upholding most of the guidance on cookies and other tracking devices that the French Data Protection Authority (the CNIL) had published on 4 July 2019 (the Guidance). However, the Conseil d’Etat struck down the provision of the Guidance imposing a blanket prohibition on so-called “cookie walls” that prevent users who do not consent to the use of cookies from accessing a website or an application. On the same day, the CNIL published a communication acknowledging the decision and announcing that it would adjust its Guidance and future recommendation to strictly comply with the Conseil d’Etat’s decision.

A ruling by the EU’s top court invalidates the key mechanism for transferring personal data from the EU to the US and imposes additional conditions for use of the standard contractual clauses.

By Gail E. Crawford, Fiona M. Maclean, Michael H. RubinUlrich Wuermeling, Calum Docherty, and Amy Smyth

On 16 July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield, one of the key mechanisms for lawfully transferring personal data from the European Union to the United States. At the same time, the CJEU ruled that the standard contractual clauses (Model Clauses) remain valid but can only be used under strict conditions.

This post provides an initial analysis of the judgment and proposes some immediate next steps for businesses to ensure compliant data transfers from the EU.

After the recent two-year anniversary of the GDPR, one fundamental question remains — who does the GDPR apply to?

By Gail Crawford, Ulrich Wuermeling, and Calum Docherty

Last month marked the two-year anniversary of the General Data Protection Regulation (GDPR), but its territorial reach is still hotly debated. This blog post takes a detailed look at the final guidelines on the territorial scope of the GDPR, which the European Data Protection Board (the EDPB) published on 12 November 2019 following public consultation of its draft guidelines dated 23 November 2018 (the Guidelines).

The Guidelines contain several helpful clarifications around when the GDPR applies to controllers and processors of personal data. At the same time, however, the Guidelines still present latent ambiguity as to when and to what extent the GDPR applies, particularly for multinationals.

“Business as usual” for UK-EU data protection transition in 2020.  

By Gail E. Crawford and Susan Mann

On 29 January 2020, the EU Parliament approved the UK Withdrawal Agreement after the UK Parliament’s ratification via the EU Withdrawal Act 2020 on 23 January 2020 (Withdrawal Agreement). The Withdrawal Agreement maintains the UK pre-Brexit position and clarifies that the GDPR continues to apply in the UK during the transition period (between 1 February 2020 and 31 December 2020, or any extension agreed by UK and EU), allowing both sides to negotiate the future data protection relationship. The ICO confirmed that the GDPR will continue to apply, and that during the transition it will be “business as usual”.

The provisions of the UK GDPR will be incorporated directly into UK law from the end of the transition period, and will sit alongside the current UK Data Protection Act 2018. At the end of the transition period, there will be the current EU GDPR as well as a UK GDPR. The Withdrawal Agreement includes technical amendments to the current GDPR, so that it will work in a UK-only context.