Last week, the High Court of Ireland submitted eleven questions to the Court of Justice for the European Union (CJEU) to consider about the personal data transfer regime between the European Union (EU) and the United States. This referral stems from a new claim by Max Schrems, an Austrian lawyer and privacy activist. Schrems previously

As we approach calendar year end, traditionally the busiest period of the year for mergers and acquisitions, it is worth revisiting whether our existing competition law framework can and does properly assess the market power of big data.

This spring, The Economist magazine joined the ranks of some antitrust regulators, particularly from the EU, in

The General Data Protection Regulation (GDPR) (EU) 2016/679 of 27 April 2016 which comes into force in May 2018, will introduce major changes to the law on the processing of personal data in the European Union. Over the next several months, several European Union law firms we work very closely with will join us in providing you with more information on the GDPR. Different themes will be tackled month by month to help you prepare for the GDPR deadline.

Part 3 of this GDPR Series is brought to you by the German law firm of Graf von Westphalen. Other blog entries in this series will be brought to you by the law firms of Mills & Reeve (UK), FIDAL (France) and VanBenthem & Keulen (Netherlands) as well as Robinson+Cole (United States).

 Consent as a lawful basis for data-processing

Every data processing activity requires a lawful basis. Such lawful basis may be provided directly by law, or by consent granted by the data subject, both according to the statutory requirements set out in the Directive 95/46/EC and, importantly, national data protection laws. This general principle remains unchanged under the GDPR, however, the new Regulation provides for new or additional requirements for such consent to be a lawful basis for processing and transfer of personal data.
Continue Reading General Data Protection Regulation (GDPR) Series, Part #3: GDPR Consent and Fair Processing

In less than 300 days, the European General Data Protection Regulation (GDPR) will go into effect and forever change the privacy landscape. Leading industry organization, Gartner, Inc., predicts that more than 50 percent of companies affected by the GDPR will not be fully compliant. Of course, the affected companies will include both European and non-European companies. Bart Willemsen, research director at Gartner, says “Threats of hefty fines, as well as the increasingly empowered position of individual data subjects tilt business case for compliance and should cause decision makers to re-evaluate measures to safely process personal data.”

How can organizations prepare for the GDPR? Gartner recommends organizations focus on five high-priority areas:
Continue Reading 5 Focus Areas in Preparation for GDPR Compliance

Japan and the European Union announced an agreement in principle on major components of a substantial free trade deal on the eve of the recent G20 summit in Hamburg. This free trade deal rivals NAFTA in scope and impact, as it will impact 40 percent of the world’s trade. Once finalized, this free trade pact

The General Data Protection Regulation (GDPR) (EU) 2016/679 of 27 April 2016 which comes into force in May 2018, will introduce major changes to the law on the processing of personal data in the European Union. Over the next twelve (12) months, several European Union law firms we work very closely with will join us in providing you with more information on the GDPR. Different themes will be tackled month by month to help you prepare for the GDPR deadline.

Part #2 of this GDPR Series is brought to you by Mills & Reeve, a United Kingdom law firm. Other blog entries in this series will be brought to you by the law firms of Graf von Westphalen (Germany), FIDAL, (France) and VanBenthem & Keulen (Netherlands) as well as Robinson+Cole (United States).

In any major project there is an analysis phase – involving a careful examination of your organization’s current set-up and what needs to be done to deliver the project successfully. Preparing for the GDPR is no exception. Depending on the structures and practices of your organization, compliance could require a significant allocation of resources to ensure that you are ready by the implementation date: 25 May 2018.

So what can be done to get started?

Perhaps the best first step is to conduct a self-assessment audit. This will help organizations map the likely impacts of the changes in data protection law on their activities.

A few key points are worth looking at in detail:
Continue Reading General Data Protection Regulation (GDPR) Series Part #2: The Importance of Self-Assessment

The GDPR will apply as of May 25, 2018. It provides a single set of very innovative rules directly applicable in the entire European Union (EU), without the need for national implementing measures—which means that any personal data processing ongoing at this date shall be in compliance with the GDPR. This leaves one year for companies to ensure compliance with the GDPR.

The GDPR provides for a scope of application wider than processing undertaken in EU countries. Indeed, it will also apply to data controllers or subcontractors not established within the EU which are in charge of data processing with the aim to provide goods and services to EU residents or to monitor EU residents’ behavior.

A business can take several steps in order to organize compliance with provisions of the GDPR:
Continue Reading GDPR Effective Date and Geographical Scope of Application

In 2016, new privacy, cybersecurity and/or data security legislation passed or became effective in a number of countries, some adopting data security measures for the first time. Several countries adopted cybersecurity focused measures with criminal penalties, hoping to more effectively combat cyber-attacks. Other countries implemented or strengthened regulations on the collection and handling of their

Last July, the United States and the European Union agreed on a new framework to allow for the transfer of Europeans’ personal data to the United States. This new framework, known as Privacy Shield, replaced the Safe Harbor Principles which the European Court of Justice struck down over concerns about the U.S.’s government’s online data