Consent is only one of the six legal grounds for processing personal data under the GDPR, but it is certainly the most well-known. While it might look safe and solid at first sight, it is becoming the weakest link of the GDPR compliance chain.

First, consent can be withdrawn at any time, and the process

On October 1, 2019, the Court of Justice of the European Union (CJEU) issued a final ruling in the Planet49 case (case C-673/17 – available here).

Following a request for preliminary ruling from the German Federal Court of Justice, the Bundesgerichtshof, the CJEU interpreted the consent requirement of Directive 2002/58/EC, as amended by Directive 2009/136/EC (hereafter the “e-Privacy Directive”) in light of former Directive 95/46/EU (hereafter the “Data Protection Directive”) as well as in light of its successor – the General Data Protection Regulation (GDPR).

The Court made it clear that the placing and reading of tracking cookies on a user’s terminal equipment requires an active and unambiguous consent of the user. A pre-ticked checkbox does not meet these requirements and therefore does not constitute a valid consent. Also, the Court underlined that consent must be specific. In the case at hand, the act of selecting a button to participate in a promotional online lottery cannot be construed as consent of the user to the storage of cookies.

Moreover, the Court clarified that these requirements regarding the consent of the user for usage of cookies are applicable regardless of whether the information stored or consulted on the user’s device constitutes “personal data.”

Finally, the Court held that cookie consent must be “informed” as per the GDPR, which means that service providers must also provide information on the duration of the operation of cookies, as well as in relation to any third party access to those cookies.

The facts


Continue Reading

Executive summary

On September 17, 2019, the Belgian Data Protection Authority (DPA) issued a fine of EUR 10,000 for a breach of the General Data Protection Regulation’s (GDPR). The case related to a merchant who required the use of an electronic identity card as the sole means for the issuance of loyalty cards.

The DPA found that this practice did not comply with GDPR’s standards on (a) data minimization, as the electronic identity card contains much more information about the holder than is necessary for the purposes of creating a loyalty card; and (b) consent, because customers were not offered a real choice on whether they should provide access to the data on their electronic identity card in exchange for a loyalty card. As a result, the customers’ consent was not considered as freely given and therefore invalid.

The DPA also found that the merchant had not done enough to inform customer about its data processing activities, and thereby violated its information duties under the GDPR.

The facts


Continue Reading

On 29 July 2019, the Court of Justice of the European Union (CJEU) issued a decision in the Fashion ID case, a case referred to it by a German court. In this blog post we will focus on what this case means with regard to joint controllership when you have social media plug-ins on your

The European Union’s (“EU”) General Data Protection Regulation (“GDPR”) turned one year old on May 25th. European data protection regulators celebrated by continuing to work through a rising number of complaints and infractions, and by stepping up their monitoring for violations. US companies are directly in the crosshairs. Whether based in the EU or not, a company is potentially subject to the GDPR (and its stiff fines up to 4% of annual global revenue) if it offers goods or services to data subjects located in the EU, or monitors individuals’ online behavior or personal information in the EU. This means that a US company engaged in the common business practice of collecting data from its EU customers must assess and implement business practices to ensure GDPR compliance.

The US and EU engaged in approximately $1.3 trillion dollars in trade last year. With that level of economic activity, and accompanying data flows, many US companies should already have in place the basic structures for GDPR compliance. However, recent surveys suggest that a significant number of companies impacted by the GDPR are still grappling with compliance. In a recent Forrester Research study, “Security Through Simplicity,” over half of the responding IT decision-makers revealed that their companies had not yet carried out even basic GDPR compliance steps such as vetting third-party vendors, hiring data protection officers, training employees, setting up mechanisms for the “72-hour data breach notification” requirement, and collecting evidence and documenting efforts to address GDPR compliance risks. Further, only about 4,650 US companies are currently registered and self-certified with the EU-US Privacy Shield framework (compared to the over 100,000 mid- to large-sized companies in the US, according to business census data). Such certification goes a long way toward permitting a US company to receive certain EU data in a GDPR compliant manner.


Continue Reading

When the European Commission re-approved the Privacy Shield agreement during its first annual review in the fall of 2017, permitting the transatlantic transfer of personal information to compliant U.S. companies to continue, it did so with a number of reservations. As the Privacy Shield agreement fast approaches its second annual review at the end of this week, it remains to be seen if the steps taken by the U.S. government at the close of the summer will be enough to satisfy skeptical European lawmakers.

Continue Reading

The European Commission has recently released a new website providing guidance on the General Data Protection Regulation (“GDPR”) implementation requirements.  The website provides a plethora of resources both to industry looking to become compliant with GDPR standards as well as to citizens looking to understand their data protection rights.  Highlights of the website include a