The JENTIS Legal Digest
Written by Tomislav Rachev LL.M.
Your latest update on data privacy issues around the world.
In this edition:
The never-ending saga of international data flows
New mechanism for EU-US data flows survives first legal challenge
Recently, French lawmaker Philippe Latombe filed the first challenges against the US adequacy decision of the European Commission at the EU General Court. He requested the annulment of the new transatlantic data flows agreement and interim relief to suspend it until the Court's final decision.
For interim measures to be granted, there must be an apparent valid claim and urgency to prevent serious and irreparable harm.
Latombe argued that the adequacy decision causes him serious and irreparable harm, especially as a user of IT platforms like Microsoft 365, Google, and Doctolib (used for medical appointments). In an order on 12.10, the judge concluded that while Latombe's arguments touch upon the decision's legality, they do not establish the existence of serious and irreparable harm necessary for interim measures. As a result, the Framework remains in effect despite the ongoing proceedings with regard to its legality.
A blast from the past: New Google Analytics decision in Estonia due to Schrems II
Meanwhile, in a stark reminder of the ongoing cases against website operators using Google Analytics, the Estonian DPA recently joined the ranks of multiple other European authorities by ruling that the use of Google Analytics has led to unlawful data transfers to the US. The DPA emphasized that Google receives identifiers of website visitors, which constitute personal data because they can be combined with other transmitted data such as IP address, browser and operating system metadata, time of website visit and previously visited website. As a provider of electronic communications services under US law, Google is subject to disclosure obligations in case of a request from the US intelligence services. Notably, the authority found Google's technical measures to be insufficient for the website operator to rely on Standard Contractual Clauses or any other legal bases in Chapter V of the GDPR for the transfer. In view of the ECJ 'Schrems II' judgment, the data transfer was, therefore, found to violate GDPR. The DPA ordered the controller to stop the processing and decided to take no further action after the controller removed Google Analytics from its website. It must be noted that this decision refers to data transfers to the US prior to the adoption of the EU-US Data Privacy Framework.
Key insights:
Cookie banners under fire by authorities across Europe
Spanish watchdog will start applying its new cookie guidelines in January 2024
The Spanish DPA (AEPD) explained in a recent decision that it will apply its 2020 guideline until January 2024 before beginning to apply its new rules implementing the EDPB Cookie Banner Taskforce guidelines, which impose stricter restrictions on dark patterns. Thus, website operators are granted a grace period to adjust their cookie banners.
Nevertheless, in a decision from last month, the AEPD fined the website operator Chatwith.IO 7000 Euro under the existing rules for multiple deficiencies:
Croatian DPA identifies three cookie-related violations in a website of a major gambling company
A Croatian gambling company was fined 20,000 Euros for not having a legal basis for the use of its cookies, for not providing the option to grant/revoke consent separately for each type of cookie, and for not providing an easy way to revoke consent once granted.
Romanian energy company slammed with a fine due to use of cookies without consent
Restart Energy One SA was fined 8.000 Euros after an investigation into its website operations and use of non-necessary cookies without obtaining valid consent.
Key insights:
Data privacy around the globe