The opinion addresses whether consent is ‘freely given’ pursuant to the ePrivacy Directive and the GDPR, and offers insight on what constitutes ‘informed consent.’
Sven Jacobs (DE)
EDPB issues new opinion on interplay between Clinical Trials Regulation and the GDPR
On January 23, 2019, the European Data Protection Board (“EDPB”) issued an opinion on the interplay between the Clinical Trials Regulation (“CTR”) and the General Data Protection Regulation (“GDPR”).…
Germany’s Parliament Approves Local Data Protection Law to Operate Alongside GDPR
On April 27, 2017, the German Federal Parliament voted to approve the new proposed German Federal Data Protection Act (“new FDPA”). The law would adapt the current German data protection law to the EU General Data Protection Regulation (GDPR). The federal chamber of the states, the German Federal Council, is expected to approve the new FDPA in the next month, without major changes. Once approved by the Federal Council, the new FDPA will become effective on May 25, 2018, the same date as the GDPR.
The new FDPA seeks to enhance privacy protections in areas where the GDPR allows EU Member States to deviate from the Regulation.
German DPAs: 500 Companies to be Audited on Data Exports
Ten German data protection authorities (DPAs), led by the Berlin DPA, announced today that they will send formal questionnaires to about 500 companies in Germany to assess the scope of the companies’ cross-border data transfers. In a press release, the DPAs pointed out that the export of personal data to non-EU countries has become a common practice for major international, as well as small and medium-sized, companies, without, as the authorities say, adequate attention being paid to the unique data privacy issues raised by cloud computing and software as a service (SaaS).
CJEU Advocate General Opinion: Dynamic IP Addresses are Personal Data; Member States cannot limit processing permitted by the Data Protection Directive
On May 12, 2016, the Court of Justice of the European Union’s (CJEU) Advocate General, Campos Sánchez-Bordona, published his opinion on a question referred to the CJEU for a preliminary ruling. The opinion argues that dynamic IP addresses should be considered to be personal data under European law. Moreover, the opinion asserts that Member States’ laws that limit the ability to store such personal data beyond the restrictions permitted in Directive 95/46/EC (the Data Protection Directive) are non-compliant with European law. Although the CJEU’s final decision does not have to follow this opinion, the advocate general’s arguments are followed more often than not.
German DPAs: Healthcare Apps and Wearables Create High Risks for Users
During their last Data Protection Conference, the German data protection authorities (DPAs) agreed on a resolution on data protection principles that providers of healthcare apps and wearables should consider. According to the resolution, almost a third of the German population…
Details of Privacy Shield published
On February 29, 2016, the European Commission published the documents comprising the new EU-U.S. Privacy Shield, the adoption of which we previously covered on our blog. In the Commission’s opinion, the new framework reflects the requirements set forth by the European Court of Justice in the Schrems ruling, which invalidated the U.S.-EU Safe Harbor framework. The Commission’s proposed adequacy decision holds that “the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in the United States under the EU-US Privacy Shield”.
German law authorizing privacy “class actions” goes into force
A new German law, which grants authority to the country’s consumer and business associations to enforce compliance with data protection laws, goes into force on February 24, 2016. A representative of the German Ministry of Justice pointed out that the new enforcement powers are specifically aimed at foreign companies having their headquarters or operating from outside Germany, including the U.S.