News

As the UK adequacy renewal comes to an end, EDRi member Open Rights Group reflects on its outcome and the broader implications for the future of EU-UK relatiopnships. The post UK adequacy decision: a risk for the future and a lesson to be learnt appeared first on European Digital Rights (EDRi).

The EU and Brazil adopted, on 27 January, mutual adequacy decisions which confirm that their levels of data protection are comparable. This recognition allows for personal data to flow freely between the EU and Brazil

Brussels, December 3rd - During its plenary meeting in December, the European Data Protection Board (EDPB) held an online meeting yesterday with commissioners and representatives from national data protection authorities (DPAs) from the countries and organizations that have made a decision regarding adequate protection within the EU. This meeting was the second of its kind, following the first meeting in October 2024. A decision on adequate protection is an important instrument in EU data protection legislation, enabling the free flow of personal data from within the EU.

Brussels, 3 December - As part of its December’s plenary meeting, the European Data Protection Board (EDPB) held yesterday an online meeting with Commissioners and representatives of Data Protection Authorities (DPAs) from the countries and the organisation with an EU adequacy decision. This meeting marked the second of its kind, following the first gathering in October 2024. An adequacy decision is a key-mechanism in EU data protection legislation which allows free flow of personal data from Eu

Brussels, November 5th - During its latest plenary meeting, the EDPB (European Data Protection Board) issued an opinion on the draft decision by the European Commission regarding the adequate level of protection for personal data in Brazil.* Once this decision is adopted, it will ensure that personal data can be freely transferred from Europe to Brazil, and that individuals can maintain control over their data. In this opinion, which was prepared at the request of the Commission, the EDPB assesses whether the Brazilian data protection framework and the rules regarding government access to personal data...

Brussels, 5 November - During its latest plenary, the EDPB adopted an opinion on the European Commission’s draft decision on the adequate level of protection of personal data in Brazil.* Once adopted, the decision will ensure that personal data can flow freely from Europe to Brazil and that individuals can retain control over their data. In its opinion, requested by the Commission, the EDPB assesses whether the Brazilian data protection framework and the rules on government access to personal da

Brussels, October 20th - During its latest plenary meeting, the EDPB (European Data Protection Board) adopted two opinions on the draft decisions of the European Commission regarding the extension of the validity of the decisions on the adequacy of the United Kingdom, as stipulated in the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED), until December 2031. The EDPB opinions, requested by the Commission under Article 70(1)(s) of the GDPR and Article 51(1)(g) of the LED, address the proposed six-year extension of the two decisions on the adequacy of the United Kingdom, which are currently due to expire.

Brussels, 20 October - During its latest plenary, the EDPB adopted two opinions on the European Commission’s draft decisions on the extension of the validity of the UK adequacy decisions under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED) until December 2031.* The EDPB opinions, requested by the Commission as per Art. 70(1) (s) GDPR and Art. 51(1) (g) LED, address the proposed six-year extension of the two UK adequacy decisions which are set to expire in D

News from the European Union.

There is a growing movement for reforms in data protection. The European Commission is proposing specific changes to make compliance easier for small and medium-sized enterprises, and the United Kingdom is implementing significant reforms. The reforms in the United Kingdom are focused on...

Under Clause 14 of the Data Transfer SCCs, the data importer must carry out a transfer risk assessment to verify whether the laws and practices of the receiving third country could prevent the data importer from complying with the Data Transfer SCCs. If the risk assessment shows that the Data Transfer SCCs alone will not ensure an essentially equivalent level of protection for the personal data in the receiving third country, supplementary safeguards will need to be implemented, such as end-to-e

Volgens artikel 14 van de Standaard Contractuele Bepalingen (SCC's) voor gegevensuitwisseling, moet de partij die de gegevens importeert een risicoanalyse uitvoeren om te verifiëren of de wet- en regelgeving en praktijken van het ontvangende derde land de mogelijkheid van de gegevensimporteur om te voldoen aan de SCC's voor gegevensuitwisseling, kunnen belemmeren. Indien de risicoanalyse aantoont dat de SCC's voor gegevensuitwisseling op zichzelf niet voldoende zijn om een in wezen gelijkwaardig beschermingsniveau te garanderen voor de persoonsgegevens in het ontvangende derde land, moeten aanvullende waarborgen worden geïmplementeerd, zoals end-to-end-versleuteling.

The Commission has endorsed enthusiastically a recent US order to implement a new framework to protect the privacy of personal data shared between the US and Europe. Dick Roche begs to differ. https://iapp.org/news/a/the-redress-mechanism-in-the-privacy-shield-successor-on-the-independence-and-effective-powers-of-the-dprc/

De Commissie heeft met enthousiasme een recent Amerikaans besluit gesteund om een nieuw kader te implementeren ter bescherming van de privacy van persoonlijke gegevens die worden uitgewisseld tussen de VS en Europa. Dick Roche is het daar niet mee eens. https://iapp.org/news/a/the-redress-mechanism-in-the-privacy-shield-successor-on-the-independence-and-effective-powers-of-the-dprc/

De Advocaat-Generaal van het Gerechtshof van de Europese Unie (HvJEU) heeft een niet-bindend advies uitgebracht, waar privacyactivisten zich zorgen over maken, omdat dit de mogelijkheden van gebruikers om hun privacyrechten op te eisen onder de AVG (Algemene Verordening Gegevensbescherming) verder zou kunnen beperken. Volgens het [advies](https://curia.europa.eu/juris/document/document.jsf;jsessionid=79F0B703F7CD84C2DE01BF340FD03C29?text=&docid=266842&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=244110), dat vorige week is uitgebracht, zouden Europeanen nauwelijks enige compensatie ontvangen als...

> The Advocate General of the Court of Justice of the European Union (CJEU) issued a non-binding opinion, which privacy advocates fear could further limit users’ possibilities to enforce their privacy rights under the GDPR. > According to [the opinion](https://curia.europa.eu/juris/document/document.jsf;jsessionid=79F0B703F7CD84C2DE01BF340FD03C29?text=&docid=266842&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=244110) delivered last week, Europeans would hardly get compensated if t

> Legally, until an adequacy determination is granted, companies should continue to follow the European Data Protection Board’s recommendations on measures that supplement transfer tools. But, once the EU is named as a “qualifying state” (assuming it will be) and complaints can be summited, this should become less daunting. The EDPB recommendations state that companies must “assess if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appro

De AVG (Algemene Verordening Gegevensbescherming) omvat de verantwoordingsplicht (RBA) voor alle verplichtingen van de verantwoordelijke partij zoals die in de AVG zijn vastgelegd. Waar de overdrachtsregels worden beschreven als verplichtingen van de verantwoordelijke partij (in plaats van als absolute principes), is de verantwoordingsplicht van artikel 24 dus van toepassing. Volgens Lokke Moerel, professor in het internationaal ICT-recht aan de Universiteit van Tilburg en expert op het gebied van cyberbeveiliging, wordt dit niet tegengesproken door het vonnis van het Europees Hof van Justitie in de zaak Schrems II, noch door de aanbevelingen van het EDPB (European Data Protection Board) over aanvullende maatregelen na het vonnis Schrems II.

The GDPR incorporates the RBA for all obligations of the controller in the GDPR. Where the transfer rules are stated as obligations of the controller (rather than as absolute principles), the RBA of Article 24 therefore applies. Other than the DPAs assume, this is not contradicted by the ECJ in Schrems II nor by the EDPB recommendations on additional measures following the Schrems II judgment, according to Lokke Moerel, Professor of Global ICT Law at Tilburg University and a Dutch Cyber Security

De Deense Autoriteit voor Persoonsgegevens heeft onderzoek gedaan naar het instrument Google Analytics en de bijbehorende instellingen, evenals de voorwaarden waaronder het instrument wordt aangeboden. Op basis van dit onderzoek concludeert de Deense Autoriteit voor Persoonsgegevens dat het instrument, zonder aanvullende maatregelen, niet op een wettelijke manier kan worden gebruikt. Wettelijk gebruik vereist de implementatie van aanvullende maatregelen, naast de instellingen die door Google worden aangeboden.

The Danish Data Protection Agency has looked into the tool Google Analytics and its settings, and the terms under which the tool is provided. On the basis of this review, the Danish Data Protection Agency concludes that the tool cannot, without more, be used lawfully. Lawful use requires the implementation of supplementary measures in addition to the settings provided by Google.

De boete is het resultaat van een onderzoek dat in 2020 is begonnen en zich richtte op de manier waarop het bedrijf persoonlijke gegevens van kinderen verwerkte. Op basis van berichten in de media richtte het onderzoek zich op kinderen tussen de 13 en 17 jaar oud die toestemming hadden om zakelijke of creatieve Instagram-accounts te gebruiken. Hierdoor waren telefoonnummers en e-mailadressen van kinderen openbaar toegankelijk.

> The fine is the result of an investigation that began in 2020 and focused on the company’s processing of children’s personal data. Based on press reports, the investigation focused on children between the ages of 13 and 17 who were allowed to operate business or creator Instagram accounts. As a result, children’s phone numbers and email addresses were publicly accessible.

"Op basis van de feiten van de zaak, zien wij niet hoe [Meta] haar overdracht van persoonsgegevens na de uitspraak in de zaak Schrems II had kunnen voortzetten als ze zich had gehouden aan de AVG," staat er in het bezwaar van de Noorse autoriteit.

> “Based on the facts of the case, we do not see how [Meta] could have continued its personal data transfers following the Schrems II judgment had it acted in accordance with the GDPR,” the Norwegian objection reads.

De voorgestelde boete volgt op klachten die de privacyorganisatie "Privacy International" heeft ingediend tegen Criteo. [...] In het kader van de sanctieprocedure van de CNIL heeft Criteo het recht om te reageren op het rapport, zowel met betrekking tot de vermeende overtredingen als de voorgestelde sanctie.

> The proposed fine follows complaints filed by privacy NGO ‘Privacy International’ against Criteo. […] Under the CNIL’s sanction procedure, Criteo has the right to respond to the report, both with respect to the alleged infringements and the proposed sanction.

The European Commission faces a lawsuit over allegations it is violating its own data protection rules by transferring citizens’ personal data on one of its websites to Amazon Web Services in the United States.

The European Commission is to face a lawsuit over allegations it is violating its own data protection rules when transferring citizens' personal data from one of its websites to the United States.