Commission, IP/24/2982, 29 May 2024
On 29 May 2024, the Commission unveiled the AI Office, established within the Commission. The AI Office aims at enabling the future development, deployment and use of AI in a way that fosters societal and economic benefits and innovation, while mitigating risks. The Office will play a key role in the implementation of the AI Act, especially in relation to general-purpose AI models. It will also work to foster research and innovation in trustworthy AI and position the EU as a leader in international discussions.
Council of the EU, PR 409/2024, 21 May 2024
On 21 May 2024, the Council approved a ground-breaking law aiming to harmonise rules on artificial intelligence, the so-called Artificial Intelligence Act (AI Act). The flagship legislation follows a ‘risk-based’ approach, which means the higher the risk to cause harm to society, the stricter the rules. It is the first of its kind in the world and can set a global standard for AI regulation. The new law aims to foster the development and uptake of safe and trustworthy AI systems across the EU’s single market by both private and public actors. At the same time, it aims to ensure respect of fundamental rights of EU citizens and stimulate investment and innovation on artificial intelligence in Europe. The AI Act applies only to areas within EU law and provides exemptions such as for systems used exclusively for military and defence as well as for research purposes.
On 17 May 2024, the Council of Europe adopted the first-ever international legally binding treaty aimed at ensuring the respect of human rights, the rule of law and democracy legal standards in the use of artificial intelligence (AI) systems. The "Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law", which is also open to non-European countries, sets out a legal framework that covers the entire lifecycle of AI systems and addresses the risks they may pose, while promoting responsible innovation.
Organisation for Economic Co-operation and Development (OECD)
On 3 May 2024, the OECD Ministerial Council Meeting (MCM) adopted revisions to the landmark OECD Principles on Artificial Intelligence (AI). In response to recent developments in AI technologies, notably the emergence of general-purpose and generative AI, the updated Principles more directly address AI-associated challenges involving privacy, intellectual property rights, safety, and information integrity.
European Data Protection Board (EDPB)
On 17 April 2024, the European Data Protection Board (EDPB) adopted an Opinion on the validity of consent to process personal data for the purposes of behavioural advertising in the context of ‘consent or pay’ models deployed by large online platforms. This Opinion followed an Art. 64(2) GDPR request by the Dutch, Norwegian & Hamburg Data Protection Authorities (DPA).
European Commission
The European Commission offers a comprehensive overview of the Data Act, including its objectives and how it works in practice. This overview clarifies the concept of data holder: the manufacturer can be the data holder, but there can also be more than one data holder.

The Data Act will become applicable on 12 September 2025.

The European Commission plans to issue and recommend by autumn 2025:

  • a set of model contractual terms to help businesses conclude data-sharing contracts that are fair, reasonable and non-discriminatory (Chapters II and III of the Data Act). These terms will also provide guidance on reasonable compensation and the protection of trade secrets.
  • a set of non-binding standard contractual clauses for cloud computing contracts between cloud service users and providers.

European Commission, "Data Act explained"

On Wednesday, the European Parliament approved the Artificial Intelligence Act that ensures safety and compliance with fundamental rights, while boosting innovation. It aims to protect fundamental rights, democracy, the rule of law and environmental sustainability from high-risk AI, while boosting innovation and establishing Europe as a leader in the field. The regulation establishes obligations for AI based on its potential risks and level of impact.
On 27 December 2023, the French Data Protection Authority (CNIL) fined AMAZON FRANCE LOGISTIQUE €32 million for setting up an excessively intrusive system for monitoring employee activity and performance. The company was also fined for video surveillance without information or sufficient security.
On 29 December 2023, the French Data Protection Authority (CNIL) fined YAHOO EMEA LIMITED €10 million for failing to respect the choice of Internet users who refused cookies on its "" website and for not allowing users of its "Yahoo! Mail" messaging service to freely withdraw their consent to cookies.
The Council presidency and the European Parliament’s negotiators have reached a provisional agreement on the proposed legislation regarding cybersecurity requirements for products with digital elements, which aims to ensure that products such as connected home cameras, fridges, TVs and toys are safe before they are placed on the market (cyber resilience act). 
The EU Environment and Civil Liberties committees adopted their position on creating a European Health Data Space (EHDS) to boost personal health data portability and more secure sharing. The EHDS is designed to make sharing of aggregated health data for research purposes possible, whereas strong privacy safeguards are planned to govern how and why sensitive data is shared. The intention is also to give citizens the right to access prescriptions, imagery and lab tests across borders.


To make the EU a leader in our data-driven society, the Council of the EU on 27 November 2023 adopted a new Regulation on harmonised rules on fair access to and use of data (Data Act). The Data Act puts obligations on manufacturers and service providers to let their users, be they companies or individuals, access and reuse the data generated by the use of their products or services, from coffee machines to wind turbines. It also allows users to share that data with third parties – for example, car owners could choose in the future to share certain vehicle data with a mechanic or their insurance company.
UNESCO has published an interim draft of its “Global toolkit on AI and the rule of law for the judiciary”. The toolkit intends to provide judicial operators with the knowledge and tools necessary to understand the benefits and risks of Artificial Intelligence (“AI”) in their work. The Toolkit aims at supporting judicial operators in reducing potential human rights risks of AI by offering guidance on the relevant international human rights law instances, principles, regulations, and the emerging case law that underpin the use of AI responsibly.
The European Data Protection Board (EDPB) adopted Guidelines on the technical scope of Art. 5 (3) of the ePrivacy Directive. The Guidelines aim to clarify which technical operations, in particular new and emerging tracking techniques, are covered by the Directive, and to provide greater legal certainty to data controllers and individuals.
The "Data Act", already agreed between MEPs and member states, was adopted by the European Parliament. It will now need formal approval by Council to become law. Acknowledging that innovation increasingly relies on data, the new law aims to stimulate innovation by eliminating barriers to data access and to clarify who can access data under what conditions. Furthermore, more private and public entities shall be enabled to share data.
The Organisation for Economic Co-operation and Development (OECD) on 8 November 2023 adopted the new definition of Artificial Intelligence. It is expected that the new definition is going to be incorporated in the EU’s new AI regulations.
The European Data Protection Supervisor (EDPS) published on 24 October 2023 its own-initiative Opinion on the Artificial Intelligence Act (AI Act) as this proposed Regulation enters the final stages of negotiations between the EU’s co-legislators. The AI Act aims to regulate the development and use of Artificial Intelligence (AI) systems in the EU, including in the EU institutions, bodies, offices and agencies (EUIs). With this Opinion, the EDPS provides specific suggestions focusing on the EDPS’ future tasks as the authority in charge of overseeing AI systems in the EUIs.
On 4 July 2023, the European Commission published a Proposal for a Regulation of the European Parliament and of the Council laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679 (‘the Proposal’) and formally consulted the EDPB and EDPS in accordance with Article 42(2) of Regulation (EU) 2018/1725.
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a Joint Opinion on the proposed Regulation on the digital euro as a central bank digital currency. The digital euro aims to provide individuals with the possibility to make payments electronically, both online and offline, as an additional means of payment alongside cash.
During its latest plenary, the EDPB adopted Guidelines on Art. 37 of the Law Enforcement Directive (LED). These Guidelines aim to provide practical guidance on the application of Art. 37 LED concerning transfers of personal data by competent authorities of EU countries to third country authorities or international organisations, competent in the field of law enforcement. In particular, these Guidelines aim to provide clarity on the legal standard for appropriate safeguards that competent authorities need to apply pursuant to Art. 37(1)(a) and (b) LED and, accordingly, on the relevant factors for the assessment of whether such safeguards exist.
The first report on the State of the Digital Decade provides a comprehensive look at progress towards achieving the digital transformation to empower a more digitally sovereign, resilient, and competitive EU. It includes an assessment of the EU's performance towards Europe's 2030 objectives and targets focusing on four main pillars: digital skills, digital infrastructure, digitalisation of businesses, including the use of Artificial Intelligence (AI), and digitalisation of public services. It also includes the monitoring of the European Declaration on Digital Rights and Principles, which reflects the EU's commitment to a secure, safe and sustainable digital transformation, putting people at the centre.
The Irish Data Protection Commission (DPC) adopted its final decision regarding its inquiry into TikTok Technology Limited (TTL) on 1 September 2023. The announcement contains administrative fines totalling € 345 million.
ICO PR of 24 August 2023
The Information Commissioner’s Office (ICO) and eleven other data protection and privacy authorities from around the world have published a joint statement calling for the protection of people’s personal data from unlawful data scraping taking place on social media sites.
The European Data Protection Board (EDPB) has published a document which aims at providing some clarity on the implications of the Adequacy Decision for data subjects in the EU and for entities transferring personal data from the EU to the US.
With a view to ensuring that products with digital components, such as connected home cameras, smart fridges, TVs, and toys, are safe before entering the market, member states’ representatives (Coreper) reached a common position on the proposed legislation regarding horizontal cybersecurity requirements for products with digital elements (cyber resilience act).
In its Decision published on 13 July 2023, the EDPS finds that the use of Cisco Webex videoconferencing and related services by the Court of Justice of the European Union (the Court) meets the data protection standards under Regulation 2018/1725 applicable to EU institutions, bodies, offices and agencies.
The European Commission has adopted its adequacy decision for the EU-U.S. Data Privacy Framework. The decision concludes that the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework. On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards.
On 15 June 2023, the CNIL sanctioned CRITEO, which specialises in online advertising, with a fine of EUR 40 million, in particular for failing to verify that the persons from whom it processed data had given their consent.
The Council is ready to start negotiations with the European Parliament on a new law that will help millions of gig workers gain access to employment rights. On 12 June 2023, ministers for employment and social affairs agreed on the Council’s general approach for a proposed directive to improve working conditions for platform workers.
During its latest plenary, the European Data Protection Board (EDPB) adopted a final version of the Guidelines on the calculation of administrative fines following public consultation. These guidelines aim to harmonise the methodology data protection authorities (DPAs) use to calculate fines and include harmonised ‘starting points’. Hereby, three elements are considered: the categorisation of infringements by nature, the seriousness of the infringement and the turnover of a business.
Microsoft will pay $20 million to settle Federal Trade Commission charges that it violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children who signed up to its Xbox gaming system without notifying their parents or obtaining their parents’ consent, and by illegally retaining children’s personal information.
The Irish Data Protection Commission (“the DPC”) has announced the conclusion of its inquiry into Meta Platforms Ireland Limited (“Meta Ireland”), examining the basis upon which Meta Ireland transfers personal data from the EU/EEA to the US in connection with the delivery of its Facebook service. A fine of €1.2 billion is imposed on Meta Ireland as well as an order requiring Meta Ireland to suspend any future transfer of personal data to the US.
The UK Information Commissioner’s Office (ICO) has issued a £12,700,000 fine to TikTok Information Technologies UK Limited and TikTok Inc (TikTok) for a number of breaches of data protection law, including failing to use children’s personal data lawfully.
The Italian SA imposed an immediate temporary limitation on the processing of Italian users’ data by OpenAI, the US-based company developing and managing the platform. An inquiry into the facts of the case was initiated as well. According to the Italian SA, personal data is collected unlawfully and no age verification system is in place for children.
In response to the growing public attention given to ChatGPT, the Europol Innovation Lab organised a number of workshops with subject matter experts from across Europol to explore how criminals can abuse large language models (LLMs) such as ChatGPT, as well as how it may assist investigators in their daily work.
WASHINGTON – The US Department of Commerce’s National Telecommunications and Information Administration (NTIA) said in a new report that the current mobile app store model is harmful to consumers and developers, and recommended policy changes to fix it.
The Irish Data Protection Commission (“DPC”) has announced the conclusion of an inquiry into the processing carried out by WhatsApp Ireland Limited (“WhatsApp Ireland”) in connection with the delivery of its WhatsApp service, in which it has fined WhatsApp Ireland €5.5 million (for breaches of the GDPR relating to its service). WhatsApp Ireland has also been directed to bring its data processing operations into compliance within a period of six months.
The EDPB has adopted a report on the findings of its first coordinated enforcement action, which focused on the use of cloud-based services by the public sector. The EDPB underlines the need for public bodies to act in full compliance with the GDPR and includes recommendations for public sector organisations when using cloud-based products or services. In addition, a list of actions already taken by data protection authorities (DPAs) in the field of cloud computing is made available.
On Tuesday, 17 January 2023, MEPs gave their final approval to the ratification of the Additional Protocol to the Council of Europe’s Budapest Convention on Cybercrime.
On 29 December 2022, the CNIL in France sanctioned the social network TIKTOK for a total amount of 5 million euros for two reasons: users of "" could not refuse cookies as easily as they accept them. Also, they were not informed in a sufficiently precise manner of the purposes of the different cookies.
The European Parliament has given its backing to the ratification of the Additional Protocol to the Council of Europe’s Budapest Convention on Cybercrime. The new Protocol seeks to modernise the provisions of the Convention to make it fit for present-day cybercrime challenges. It introduces the possibility of emergency mutual assistance between signatories, creates a legal framework for joint investigations, and makes it possible to collect evidence via videoconference where necessary. To facilitate the sharing of electronic evidence, the Protocol would allow signatories to directly contact service providers in other countries and request domain name registration information, subscriber information and traffic data. It also includes expedited procedures for data-sharing in emergency situations.
The Irish Data Protection Commission (DPC) has announced the conclusion of two inquiries into the data processing operations of Meta Platforms Ireland Limited (“Meta Ireland”) in connection with the delivery of its Facebook and Instagram services. (Meta Ireland was previously known as Facebook Ireland Limited). Final decisions have now been made by the DPC in which it has fined Meta Ireland 210 million € (for breaches of the GDPR relating to its Facebook service), and 180 million € (for breaches in relation to its Instagram service). Meta Ireland has also been directed to bring its data processing operations into compliance within a period of 3 months.
European Commission PR of 13 December 2022
On 13 December 2022 the European Commission launched the process towards the adoption of an adequacy decision for the EU-U.S. Data Privacy Framework, which will foster safe trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union in its Schrems II decision of July 2020.
Council of the EU Press release 6 December 2022
The Council of the EU has adopted its common position (‘general approach’) on the Artificial Intelligence Act. Its aim is to ensure that artificial intelligence (AI) systems placed on the EU market and used in the Union are safe and respect existing law on fundamental rights and Union values.
White House PR of October 7, 2022
President Biden has signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (E.O.) directing the steps that the United States will take to implement the U.S. commitments under the European Union-U.S. Data Privacy Framework (EU-U.S. DPF) announced by President Biden and European Commission President von der Leyen in March of 2022.
U.S. Department of Justice PR Nr. 1051 of October 3, 2022
The Agreement between the Government of the United States of America and the Government of the United Kingdom of Great Britain and Northern Ireland on Access to Electronic Data for the Purpose of Countering Serious Crime (“Data Access Agreement” or “Agreement”) entered into force today. The Agreement is authorized by the Clarifying Lawful Overseas Use of Data (CLOUD) Act, a law enacted by Congress in 2018, and will be the first agreement of its kind, allowing each country’s investigators to gain better access to vital data to combat serious crime in a way that is consistent with privacy and civil liberties standards.
EDPB PR of 29 July 2022
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted a Joint Opinion on the Proposal for a Regulation to prevent and combat child sexual abuse. The Proposal aims to impose obligations related to detecting, reporting, removing and blocking known and new online child sexual abuse material (CSAM), as well as the solicitation of children, on providers of hosting services, interpersonal communication services, software application stores, internet access services and other relevant services. The EDPB and EDPS consider child sexual abuse as a particularly serious and heinous crime. Limitations to the rights to private life and data protection must, however, respect the essence of these fundamental rights and remain limited to what is strictly necessary and proportionate. The EDPB and EDPS consider that the Proposal, in its current form, may present more risks to individuals, and, by extension, to society at large, than to the criminals pursued for CSAM.
EDPB PR of 14 July 2022
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted their Joint Opinion on the European Commission’s Proposal for the European Health Data Space (EHDS). The Proposal aims to facilitate the creation of a European Health Union and to enable the EU to make full use of the potential offered by a safe and secure exchange, use and reuse of health data. The EDPB and the EDPS welcome the idea of strengthening the control of individuals over their personal health data. However, they draw the co-legislators’ attention to a number of overarching concerns and urge them to take decisive action. In particular, the EDPB and the EDPS acknowledge that Chapter IV of the Proposal, which aims to facilitate the secondary use of electronic health data, may generate benefits for the public good. At the same time, the EDPB and the EDPS consider that these further processing activities are not without risks for the rights and freedoms of individuals.
EDPB PR 7 of 16 May 2022
On 12 May 2022, the European Data Protection Board (EDPB) adopted guidelines on the use of facial recognition technology in the area of law enforcement. The guidelines provide guidance to EU and national law makers, as well as to law enforcement authorities, on implementing and using facial recognition technology systems.
EDPB PR 7 of 16 May 2022
The European Data Protection Board (EDPB) on 12 May 2022 adopted new Guidelines on the calculation of administrative fines, harmonising the methodology data protection authorities (DPAs) use. The guidelines also include harmonised ‘starting points’ for the calculation of a fine. Hereby, three elements are considered: the categorisation of infringements by nature, the seriousness of the infringement and the turnover of a business.
EU-Commission PR of 11 May 2022
The EU-Commission on 11 May 2022 adopted a new European strategy for a Better Internet for Kids (BIK+), to improve age-appropriate digital services and to ensure that every child is protected, empowered and respected online.
EDPB PR of 4 May 2022
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) on 4 May 2022 adopted a joint opinion on the Proposal of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act).
Court of Justice of the EU: Judgment of 26.4.2022 - Case C-401/19
The obligation, on online content-sharing service providers, to review, prior to its dissemination to the public, the content that users wish to upload to their platforms, is accompanied by the necessary safeguards to ensure that that obligation is compatible with freedom of expression and information. The Court of Justice dismisses the action brought by Poland against Article 17 of the directive on copyright and related rights in the Digital Single Market.
European Parliament PR of 23 April 2022 / European Commission PR of 23 April 2022
EU negotiators agree on landmark rules to effectively tackle the spread of illegal content online and protect people's fundamental rights in the digital sphere. Parliament and Council reached a provisional political agreement on the Digital Services Act (DSA). Together with the Digital Markets Act, the DSA will set the standards for a safer and more open digital space for users and a level playing field for companies for years to come.
European Parliament PR of 20 April 2022
The European Parliament on 20 April 2022 adopted its position on the proposal for a regulation of the European Parliament and of the Council on harmonised rules on Artificial Intelligence (Artificial Intelligence Act) and amending certain Union Legislative Acts. It now calls on the Commission to refer the matter to Parliament again if it replaces, substantially amends or intends to substantially amend its proposal. The European Parliament instructs its President to forward its position to the Council, the Commission and the national parliaments.
EDPB Press Release of 7 April 2022
The European Data Protection Board (EDPB) on 7 April adopted a statement on the announcement of a new Trans-Atlantic Data Privacy Framework. The EDPB welcomes the commitments made by the U.S. to take ‘unprecedented’ measures to protect the privacy and personal data of individuals in the European Economic Area (EEA) when their data are transferred to the U.S. as a positive first step in the right direction. The EDPB also adopted a letter concerning the independence of the Belgian SA.
European Commission PR of 25 March 2022
The European Commission and the United States announce that they have agreed in principle on a new Trans-Atlantic Data Privacy Framework, which will foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union in the Schrems II decision of July 2020.
NIST PR of 15 March 2022
The National Institute of Standards and Technology (NIST), a part of the U.S. Department of Commerce, in March 2022 updated its special publication “Towards a Standard for Identifying and Managing Bias in Artificial Intelligence”.
NIST PR of 17 March 2022
The National Institute of Standards and Technology (NIST), a part of the U.S. Department of Commerce, on 17 March 2022 released an initial draft of an AI Risk Management Framework.
EDPB PR of 14 March 2022
The European Data Protection Board (EDPB) on 14 March 2022 adopted the "Guidelines 3/2022 on Dark patterns in social media platform interfaces: How to recognise and avoid them". These Guidelines offer practical recommendations to designers and users of social media platforms on how to assess and avoid so-called “dark patterns” in social media interfaces that infringe on GDPR requirements.
EU Commission PR of 23 February 2022
Today, the Commission proposes new rules on who can use and access data generated in the EU across all economic sectors. The Data Act will ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all. It will lead to new, innovative services and more competitive prices for aftermarket services and repairs of connected objects. This last horizontal building block of the Commission's data strategy will play a key role in the digital transformation, in line with the 2030 digital objectives.
The European Commission has published today the findings of its competition sector inquiry into the consumer Internet of Things (IoT). The final report and its accompanying staff working document identify potential competition concerns in the rapidly growing markets for IoT related products and services in the European Union.
European Parliament, PR of 20 December 2021
On 20 December 2021, the European Parliament adopted its position on the Commission proposal for a regulation on a Single Market For Digital Services (Digital Services Act - DSA) and amending Directive 2000/31/EC. It has instructed its President to forward its position to the Council, the Commission and the national parliaments. The European Parliament now calls on the Commission to refer the matter to Parliament again if it replaces, substantially amends or intends to substantially amend its proposal.
On 30 November 2021 negotiators from the EU-Council and the European Parliament reached a provisional agreement on a new law to promote the availability of data and build a trustworthy environment to facilitate its use for research and the creation of innovative new services and products.
During its plenary session, the EDPB adopted Guidelines on the interplay between Art. 3 and Chapter V GDPR. By clarifying the interplay between the territorial scope of the GDPR (Art. 3) and the provisions on international transfers in Chapter V, the Guidelines aim to assist controllers and processors in the EU in identifying whether a processing operation constitutes an international transfer, and to provide a common understanding of the concept of international transfers.
IAB Europe PR of 5 November 2021
IAB Europe is informed by the Belgian data protection authority (the APD) that its Litigation Chamber is close to finalising a draft ruling that will conclude its investigation of IAB Europe and its role in the Transparency & Consent Framework (TCF). The draft ruling is expected to be shared with other Data Protection Authorities (DPAs) in the coming 2-3 weeks under the Cooperation Procedure laid down in the GDPR. Those DPAs will have 30 days to review it. Depending on the outcome of that review, the APD may adopt a final ruling or the matter may be referred to the European Data Protection Board for a binding decision.
New in CRi
Real-time bidding is the world’s most widespread fully automated sales system for online ad space and, at the same time, a prime example of data-driven online marketing. The first part of this article intends to explain how real-time bidding functions at the technical level (section B.). The second part presents the frequently expressed concerns about the substantive legality of real-time bidding (section C.) and explains hitherto fruitless attempts by authorities at law enforcement (section D.I.). The article concludes by highlighting the possibilities and limits of privacy litigation through civil action against real-time bidding (section D.II.).
Data Protection Commission (DPC) PR of 2 September 2021
The Irish Data Protection Commission (DPC) on 2nd September 2021 announced a conclusion to a GDPR investigation it conducted into WhatsApp Ireland Ltd. The DPC’s investigation commenced on 10 December 2018 and it examined whether WhatsApp has discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service. This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies.
New in CRi
In April 2021, the European Commission proposed a Regulation on Artificial Intelligence, known as the AI Act. We present an overview of the Act and analyse its implications, drawing on scholarship ranging from the study of contemporary AI practices to the structure of EU product safety regimes over the last four decades. Aspects of the AI Act, such as different rules for different risk-levels of AI, make sense. But we also find that some provisions of the Draft AI Act have surprising legal implications, whilst others may be largely ineffective at achieving their stated goals. Several overarching aspects, including the enforcement regime and the risks of maximum harmonisation pre-empting legitimate national AI policy, engender significant concern. These issues should be addressed as a priority in the legislative process.
European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs, July 2021
In July 2021, the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs published the study on the Exchanges of Personal Data After the Schrems II Judgment.
EU Commission PR of 28 June 2021
The Commission has adopted two adequacy decisions for the United Kingdom on 28 June 2021 - one under the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive. Personal data can now flow freely from the European Union to the United Kingdom where it benefits from an essentially equivalent level of protection to that guaranteed under EU law. The adequacy decisions also facilitate the correct implementation of the EU-UK Trade and Cooperation Agreement, which foresees the exchange of personal information, for example for cooperation on judicial matters. Both adequacy decisions include strong safeguards in case of future divergence such as a ‘sunset clause’, which limits the duration of adequacy to four years.
EDPB & EDPS PR of 21 June 2021
The EDPB and EDPS have adopted a joint opinion on the European Commission’s Proposal for a Regulation laying down harmonised rules on artificial intelligence (AI). The EDPB and EDPS call for a ban on the use of AI for automated recognition of human features in publicly accessible spaces and on some other uses of AI that can lead to unfair discrimination.
During its plenary session, the EDPB adopted a final version of the Recommendations on supplementary measures following public consultation. The Recommendations were first adopted in November 2020 following the CJEU Schrems II ruling. They aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where they are needed to ensure an essentially equivalent level of protection to the data they transfer to third countries. 
The European Commission has opened a formal antitrust investigation to assess whether Facebook violated EU competition rules by using advertising data gathered in particular from advertisers in order to compete with them in markets where Facebook is active such as classified ads. The formal investigation will also assess whether Facebook ties its online classified ads service “Facebook Marketplace” to its social network, in breach of EU competition rules.

Today, the European Commission adopted two sets of standard contractual clauses, one for use between controllers and processors and one for the transfer of personal data to third countries. They reflect new requirements under the General Data Protection Regulation (GDPR) and take into account the Schrems II judgement of the Court of Justice, ensuring a high level of data protection for citizens. These new tools will offer more legal predictability to European businesses and help, in particular, SMEs to ensure compliance with requirements for safe data transfers, while allowing data to move freely across borders, without legal barriers.

The Commission on 3 June 2021 proposed a framework for a European Digital Identity which will be available to all EU citizens, residents, and businesses in the EU. Citizens will be able to prove their identity and share electronic documents from their European Digital Identity wallets with the click of a button on their phone. They will be able to access online services with their national digital identification, which will be recognised throughout Europe. Very large platforms will be required to accept the use of European Digital Identity wallets upon request of the user, for example to prove their age. Use of the European Digital Identity wallet will always be at the choice of the user.

ECtHR, Big Brother Watch and Others v. the United Kingdom, judgment of 25 May 2021
The European Court of Human Rights decided in its judgment of 25 May 2021 that the UK surveillance regime had violated several articles of the European Convention.
New in CRi
The debate on how to regulate digital intermediaries and safeguard a safe digital environment for their users is rapidly evolving. While jurisdictions around the world are grappling with questions on how to ensure a level-playing field for tech players of all sorts and sizes, Europe has recently taken a significant step forward in the regulation of digital platforms, with its long-term objective of serving as a global point of reference and blueprint for others to follow. The present article focuses on one of the EU’s new initiatives – the Digital Services Act – and offers a practical analysis of the key takeaways and expected interactions with several Member States’ parallel national initiatives which aim to impose new obligations for digital intermediaries.
New in CRi
This article discusses some issues relevant to the practical application of the DMA. Following a brief introduction, we recall the rationale for the proposed legislation and provide an overview of the scope of application of the DMA. We also take a critical look at the criteria for the gatekeeper designation and the possibility to rebut the presumption if the designation criteria are fulfilled. Finally, we address the legal basis for the proposal.
The Commission proposes today new rules and actions aiming to turn Europe into the global hub for trustworthy Artificial Intelligence (AI). The combination of the first-ever legal framework on AI and a new Coordinated Plan with Member States will guarantee the safety and fundamental rights of people and businesses, while strengthening AI uptake, investment and innovation across the EU. New rules on Machinery will complement this approach by adapting safety rules to increase users' trust in the new, versatile generation of products.
US Congressional Research Service, March 2021
The U.S. Congressional Research Service ('CRS') released, on 17 March 2021, its report on EU Data Transfer Requirements and US Intelligence Laws: Understanding Schrems II and Its Impact on the EU-U.S. Privacy Shield.
Commission, IP/21/661, 19 February 2021
The Commission has launched the process towards the adoption of two adequacy decisions for transfers of personal data to the United Kingdom, one under the General Data Protection Regulation and the other for the Law Enforcement Directive. The publication of the draft decisions is the beginning of a process towards their adoption. This involves obtaining an opinion from the European Data Protection Board (EDPB) and the green light from a committee composed of representatives of the EU Member States. Once this procedure has been completed, the Commission could proceed to adopt the two adequacy decisions.
Commission, COM/2020/825 final + COM/2020/842 final, 15 December 2020
On 15 December 2020, the European Commission proposed two legislative initiatives: the Digital Services Act (DSA) and the Digital Markets Act (DMA). As part of the European Digital Strategy "Shaping Europe’s Digital Future", the DSA and DMA have two main goals: (i) to create a safer digital space in which the fundamental rights of all users of digital services are protected, and (ii) to establish a level playing field to foster innovation, growth, and competitiveness, both in the European Single Market and globally.
Commission, IP/20/2102, 25 November 2020
On 25 November 2020, the European Commission presented a Proposal for a Regulation on European data governance (Data Governance Act). The Data Governance Act is part of the European strategy for data and aims to foster the availability of data for use by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU.
EU Parliament, PE 654.180, October 2020
On 1 October 2020, the European Parliamentary Research Service (EPRS) published a Study by Niombo Lomba and Tatjana Evas on "Digital Services Act - European added value assessment". This Study analyses the potential added value that could be achieved by enhancing the current EU regulatory framework on digital services. For that purpose, the Study examines the e-Commerce Directive and more broadly the commercial and civil law rules applicable to commercial entities operating online.
US Department of Commerce, September 2020
In September, the US Department of Commerce published a White Paper on "Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II". In view of the issues of concern to the CJEU in Schrems II (decision of 16 July 2020 in case C-311, CRi 2020, p. 109-121), this White Paper provides not only a concise discussion of the complex area of U.S. law and practice relating to government access to data for national security purposes, but also some initial observations concerning its relevance for a company's analysis.
On 24 July 2020, the European Data Protection Board (EDPB) adopted a ‘Frequently Asked Questions’ (FAQ) document to provide initial clarification and give preliminary guidance to stakeholders on the use of legal instruments for the transfer of personal data to third countries, including the U.S. This FAQ document supplements the Statement on the CJEU's judgment in "Schrems II" (CJEU, decision of 16 July 2020 - C-311/18, CRi 4/2020) which the EDPB adopted on 17 July 2020.
EDPB Guidelines 05/2020, 4 May 2020
On 4 May 2020, the European Data Protection Board (EDPB) has adopted its Guidelines 05/2020 on consent. These Guidelines provide a thorough analysis of the notion of consent in the GDPR.
EUROPOL, 3 April 2020
On 3 April 2020, Europol published an updated threat assessment of the COVID-19 pandemic's impact on the cybercrime landscape.
European Center for Digital Rights, Ad hoc Paper V0.2, 29 March 2020
On 29 March 2020, the noyb – European Center for Digital Rights has published its "Ad hoc Paper (V0.2) SARS-CoV-2 Tracking under GDPR" presenting the legal requirements for virus tracking systems. This Ad hoc Paper provides a general overview of the minimal GDPR requirements and possible compliance strategies.
Expert Group on Liability + New Techn., Dec 2019
In December 2019, the European Commission's Expert Group on Liability and New Technologies published its report on "Liability for Artificial Intelligence". The Report of over 60 pages offers a thorough assessment of existing liability regimes in the wake of emerging digital technologies: the specific characteristics of new technologies and their applications not only can make it more difficult for victims to claim compensation, but also reveal that certain allocations of liability are unfair or inefficient. Therefore, the Report suggests suitable adjustments to the EU and the national liability regimes.
EDPB, Guidelines 4/2019 on Art. 25 GDPR, 13 November 2019
On 13 November 2019, the European Data Protection Board (EDPB) has adopted Guidelines on Data Protection by Design & Default. The Guidelines focus on the obligation of Data Protection by Design and by Default (DPbDD) as set forth in Art. 25 GDPR and are submitted for public consultation until 16 January 2020.
EDPB, Guidelines 2/2019, Version 2, 8 October 2019
On 8 October 2019, the EEA Data Protection Authorities and the European Data Protection Supervisor, assembled in the European Data Protection Board (EDPB) have adopted their "Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects" (Guidelines 2/2019, Version 2). These Guidelines concern the scope and application of Article 6(1)(b) GDPR in the context of information society services.
On 26 August 2019, the Düsseldorf Court of Appeals granted suspensive effect to Facebook's appeal against the order by the German Bundeskartellamt (Federal Antitrust Authority) prohibiting Facebook from combining user data from various sources because: "there are serious doubts as to the legality of these orders." and: "Contrary to the view held by the Federal Cartel Office, the data processing by Facebook, which the Federal Cartel Office has objected to, does not give rise to any relevant damage to competition, nor does it give cause for concern about any undesirable development in competition." (Section B. page 6 of the Court decision).


On 3 July 2019 the ICO published its new Guidance on the use of cookies and similar technologies which complements the ICO's guidance on cookies in its Guide to PECR.
On 22 May 2019, OECD and partner countries formally adopted the first set of intergovernmental policy guidelines on Artificial Intelligence (AI), agreeing to uphold international standards that aim to ensure AI systems are designed to be robust, safe, fair and trustworthy. The OECD’s 36 member countries, along with Argentina, Brazil, Colombia, Costa Rica, Peru and Romania, signed up to the OECD Principles on Artificial Intelligence at the Organisation’s annual Ministerial Council Meeting in Paris.
On 15 April 2019, the Council of the European Union gave its green light to the new Copyright Directive which will bring concrete benefits to citizens, the creative sectors, the press, researchers, educators, and cultural heritage institutions.
INtroduction of the data protection reFORM to the judicial system (INFORM)
Within the framework of the EU project "INFORM", a free e-learning programme has been developed aimed specifically at persons providing legal advice or working in the judiciary. The programme is particularly suitable for those interested in data protection law at international level.
Bundeskartellamt, Press Release of 7 February 2019
On 7 February 2019, the German Bundeskartellamt (Federal Antitrust Authority) published in English “background information” on its Facebook decision imposing on Facebook far-reaching restrictions in the processing of user data. In the authority's assessment, Facebook's terms and conditions on processing user data are neither justified under data protection principles nor appropriate under competition law standards. Surprisingly, the Bundeskartellamt offers its own interpretation of GDPR's concept of "free consent", despite not being responsible for data protection as a federal authority. For an accurate critique see Härting, "The German Antitrust Authority’s Interpretation of GDPR Consent – Facebook Decision", CRonline Blog, 8 February 2019.
EDPB, Guidelines 3/2018, 16 November 2018
On 16 November 2018, the European Data Protection Board (EDPB) adopted its Guidelines 3/2018 on the territorial scope of the GDPR (Article 3). The Guidelines seek to provide a common interpretation of the territorial scope of the GDPR and further clarification on the application of the GDPR in various standard situations, in particular where the data controller or processor is established outside of the EU, including on the designation of a representative.
New in CRi
Part One of this overview presented the 13 EU Member States which had adjusted their domestic data privacy law to the GDPR by July 2018 (Pohle, CRi 2018, 97-116).
Part Two completes this overview for 2018 and presents the national data privacy laws of the EU Member States which have introduced specific domestic laws supplementing GDPR during the third quarter of 2018.
Digital Single Market, News, 20 September 2018
On 20 September 2018, the EU-Commission issued updated guidance for ending unjustified geo-blocking to help Member States and businesses active in the area of e-commerce to adapt to the new rules which start applying across the EU as of 3 December 2018.
New in CRi
The article provides an overview of how the EU Member States have modified their domestic data privacy law in the following core areas: (1) domestic legislation; (2) definitions; (3) relevant authority; (4) registration requirements; (5) data protection officers (DPO); (6) collection and processing; (7) data subject rights; (8) data transfer to third countries; (9) security of personal data; (10) data breach notification; (11) enforcement; (12) data processing in employment context; (13) provisions relating to specific processing situations (chapter 9 GDPR); (14) electronic marketing; (15) online privacy; (16) other notable domestic regulations. EU Member States without finally adjusted domestic data privacy law are listed indicating the current status of the domestic legislative process.
On 17 July 2018, the EU and Japan successfully concluded their talks on reciprocal adequacy. They agreed to recognise each other's data protection systems as 'equivalent', which will allow data to flow safely between the EU and Japan creating the world's largest area of safe data flows.
University College London, July 2018
Smart home devices are increasingly being used in domestic abuse to control and manipulate victims. Researchers from the Department of Science, Technology, Engineering and Public Policy at University College London (UCL) have published guidance for organisations working with those at risk.
EU Parliament, PR, Ref.: 20180611IPR05527, 12 June 2018
On 12 June 2018, the Civil Liberties (LIBE) Committee of the European Parliament called on the Commission to suspend the EU-US Privacy Shield since it fails to provide enough data protection for EU citizens. The resolution of the LIBE Committee was passed by 29 votes to 25, with 3 abstentions, and the full European Parliament is expected to vote on the text in July. The LIBE Committee suggests that the data exchange deal should be suspended unless the US complies with it by 1 September 2018, adding that the deal should remain suspended until the US authorities comply with its terms in full.
EU-Commission, IP/18/4070, 6 June 2018
On 6 June 2018, the European Parliament and the Council have reached a political agreement to update the EU's telecoms rules. The new European Electronic Communications Code, proposed by the Commission, will boost investments in very high capacity networks across the EU, including in remote and rural areas.
European Data Protection Board, 25 May 2018
On 25 May 2018 the European Data Protection Board (EDPB) held its first plenary meeting. This new, independent EU decision-making-body with legal personality is created and regulated by Art. 68 - 76 GDPR and succeeds the Article 29 Working Party. During its first plenary meeting, the EDPB adopted a statement on the revision of the ePrivacy Regulation.
On 4 April 2018, the French Data Protection Authority CNIL published a new guide to "Security of Personal Data" under the GDPR. This new guide presents the basic precautions to be implemented systematically.
EU-Commission, IP/18/3041, 11 April 2018
On 11 April 2018, the European Commission proposed a "New Deal for Consumers" to strengthen EU consumer rights and enforcement. The New Deal for Consumers is composed of two different proposals for Directives:
(1) A proposal to amend 4 Council Directives to ensure better enforcement and to modernise EU consumer protection rules, in particular in light of digital developments:
(a) Directive on unfair terms in consumer contracts,
(b) Directive on consumer protection in the indication of the prices of products offered to consumers,
(c) Directive concerning unfair business-to-consumer commercial practices and
(d) Directive on consumer rights;
(2) A proposal on representative actions for the protection of the collective interests of consumers and repealing the Injunctions Directive 2009/22/EC. This proposal aims to improve tools for stopping illegal practices and facilitating redress for consumers where many of them are victims of the same infringement of their rights, in a mass harm situation.
Datatilsynet, January 2018
On 2 February 2018, the Norwegian Data Protection Authority (DPA) published its Report "Artificial Intelligence and Privacy". This Report aims to describe and help us understand how our privacy is affected by the development and application of artificial intelligence (AI).
On 28 November 2017, the European Court of Human Rights (ECtHR) held that the video surveillance installed at the University of Montenegro’s School of Mathematics in areas where two professors taught, had amounted to an interference with their right to privacy. The ECtHR awarded significant non-pecuniary damages to each professor.
This ECtHR decision will be of significance for compensation under the new data protection regime in the EU because, regarding the protection of the right to privacy, the case law of the Court of the European Union (CJEU) has been intertwined and aligned with the case law of the ECtHR (see Boehm/Andrees, CR 2016, 146-154). As of May 2018, data subjects will have a right to compensation for "non-material damage" suffered as a result of a GDPR infringement, Art. 82 (1) GDPR (see also Recitals 85 and 146 GDPR).
On 28 September 2017, the US National Institute of Standards and Technology (NIST) released a discussion draft of new Guidelines on applying the Risk Management Framework to information systems and organizations. The Risk Management Framework integrates security and privacy controls into the system development life cycle and establishes responsibility and accountability for the security and privacy controls.
Federal Trade Commission, 15.8.2017
On August 15th, 2017, the Federal Trade Commission (FTC) announced an agreement with Uber Technologies Inc. concerning its data protection policy. In particular, Uber will implement a comprehensive privacy program. In a preceding complaint, the FTC alleged that the company did not fulfill its own privacy and data security requirements. Another allegation against Uber concerns the development and usage of an IPhone-App-tracker (read more at Kennedy, Uber's IPhone Tagging Caper, CRi 4/2017, 111-113).
In July 2017, the Press Unit of the European Court of Human Rights (ECtHR) released a "Factsheet - Hate Speech" outlining the ECtHR's two distinct approaches in its case law involving incitement to hatred and freedom of expression (Art. 10 ECHR).
In May 2017, the European Parliament's Policy Department for Citizens' Rights and Constitutional Affairs has released the in-depth study of the proposed ePrivacy Regulation "An Assessment of the Commission's Proposal on Privacy and Electronic Communications" (for comparisons see Bender/Jones/Young/Wulfert-Markert, "Recent Developments and Future Changes to Internet Privacy Rules in the EU, the UK and the U.S.", CRi 2017, pp. 68-74).

On 26 April 2017, the European Data Protection Supervisor (EDPS) published his Opinion on the ePrivacy Regulation proposed by the European Commission.

EDPS, Opinion 4/2017, 14 March 2017
On 14 March 2017, the European Data Protection Supervisor (EDPS) Giovanni Buttarelli published his Opinion on the Commission’s Proposal for a Directive on certain aspects concerning contracts for the supply of digital content. This Opinion was issued at the specific request of the Council.  While the EDPS supports the aim of the Commission’s initiative to enhance consumer rights, the EDPS suggests that the proposed Directive should avoid unintentional interference with the data protection rights and obligations set down in the General Data Protection Regulation. In particular, the EDPS warns against requiring individuals to disclose personal data in ‘payment’ for an online service.
Council of Europe, T-PD(2017)01, 23 January 2017
On 23 January 2017, the Consultative Committee of the Council of Europe's data protection convention (Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, also known as Convention 108) adopted "Guidelines on the protection of individuals with regard to the processing of personal data in a world of Big Data". These Guidelines were prepared by Prof. Alessandro Mantelero (Politecnico di Torino, Italy); out of the 50 voting members, Denmark, Liechtenstein and Luxembourg abstained whereas Germany and Ireland objected. These Guidelines provide a general framework to policy makers and to organisations processing personal data to apply appropriate policies and measures to make effective the principles and provisions of Convention 108 in the context of Big Data.
EU Council, PR 692/16 of 28 November 2016
On 28 November 2016, the Council agreed with a qualified majority on its Common Position regarding the Draft Regulation to ban unjustified geo-blocking between Member States. Geo-blocking is a discriminatory practice that prevents online customers from accessing and purchasing products or services from a website based in another Member State. The Draft Regulation is intended to remove discrimination based on customers' nationality, place of residence or place of establishment and to boost e-commerce.
Aslam and Farrar vs. Uber, Case Nos. 2202550/2015 & Others
On 28 October 2016, the UK Employment Tribunal held in Aslam and Farrar vs. Uber that drivers for Uber are not self-employed but qualify as workers whose work in the UK entitles them to benefit from UK employment laws. Further, the UK Employment Tribunal found that Uber’s conduct raised serious health and safety issues as Uber neither ensures that drivers take rest breaks nor prevents drivers from exceeding a maximum number of hours per week. The case hinged on 2 aspects:
On 14 September 2016, the EU Commission set out proposals on the modernisation of copyright to increase cultural diversity in Europe and content available online, while bringing clearer rules for all online players. The proposals will also bring tools for innovation to education, research and cultural heritage institutions. Altogether and as a key part of its Digital Single Market strategy, the EU Commission's copyright proposals have three main priorities:
EU Commission, IP/16/2461, 12 July 2016
On 12 July 2016, the EU Commission adopted the EU-U.S. Privacy Shield. This new framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States as well as bringing legal clarity for businesses relying on transatlantic data transfers. The EU-U.S. Privacy Shield is based on the following four principles:
EU-Commission, E-Commerce Package, IP/16/1887, 25 May 2016
On 25 May 2016, the EU-Commission presented an e-commerce package proposing measures which will affect consumers and companies buying and selling products and services. The EU-Commission advocates "A comprehensive approach to stimulating cross-border e-commerce for Europe's citizens and businesses" in a Communication and proposes three new Regulations:
  • A Regulation on addressing geo-blocking and other forms of discrimination based on customers' nationality, place of residence or place of establishment within the internal market (1.);
  • A Regulation on cross-border parcel delivery services (2.);
  • A Regulation on cooperation between national authorities responsible for the enforcement of consumer protection laws (3.).
EBF/GFMA/ISDA, Common Principles, 9 May 2016
On 9 May 2016, the European Banking Federation (EBF), the Global Financial Markets Association (GFMA, comprised of ASIFMA, AFME and SIFMA) and the International Swaps and Derivatives Association (ISDA) agreed on common principles to promote effective global policy on cybersecurity, data and Technology. The "International Cybersecurity, Data and Technology Principles" offer key elements which are vital for new legal standards and technological affecting the technology infrastructure of globally acting financial services firms.
Council, 5419/16, 6 April 2016
On 6 April 2016, the Council of the European Union made available its Position at first reading with a view to the adoption of a General Data Protection Regulation.
EDPS, 15 March 2016
On 15 March 2016, the European Data Protection Supervisor (EDPS) made available the internal working document prepared by the EDPS 'Policy and Consultation' and 'Supervision and Enforcement' Units intended to provide factual summaries of data protection case law.
On 2 February 2016, the EU-Commission and the United States agreed on a new framework for transatlantic data flows: the "EU-US Privacy Shield". This new framework will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses.

On 3 February 2016, the WP29 welcomed the "EU-U.S. Privacy Shield" and looks forward to receiving the relevant documents in order to know precisely the content and the legal bindingness of the arrangement and to assess whether it can answer the wider concerns raised by the Schrems judgment as regards international transfers of personal data.

Council, press release 951/15, 18 December 2015
Today, the Permanent Representatives Committee (Coreper) confirmed the final text for a Data Protection Regulation resulting from the trilogue between Council, Parliament and Commission on data protection reform. The agreement on the final text was a compromise reached on 15 December 2015. This agreement is in line with the request from the European Council for negotiations on data protection reform to be concluded by the end of 2015.
CJEU, C-362/14, 6 October 2015
On 6 October 2015, the CJEU declared that the EU-Commission’s US Safe Harbour Decision is invalid. The CJEU alone has jurisdiction to declare an EU act invalid and this decision in the case of Maximillian Schrems v Data Protection Commissioner (C-362/14) affects all transfer of personal data into the USA under the umbrella of the "Safe Harbor" principles. Furthermore, the CJEU strengthened the powers of national supervisory bodies: Where a claim is lodged with the national supervisory authorities they may, even where the EU-Commission has adopted a decision finding that a third country affords an adequate level of protection of personal data, examine whether the transfer of a person’s data to the third country complies with the requirements of the EU legislation on the protection of that data and, in the same way as the person concerned, bring the matter before the national courts, in order that the national courts make a reference for a preliminary ruling for the purpose of examination of that decision’s validity.
CJEU, Opinion of Advocate General Bot in case C-362/14, 23 September 2015
On 23 September 2015, Advocate General Bot issued his Opinion in the case of Maximillian Schrems v Data Protection Commissioner (C-362/14) affecting all transfer of personal data into the USA under the umbrella of the "Safe Harbor" principles. According to his Opinion, the EU-Commission decision finding that the protection of personal data in the United States is adequate does not prevent national authorities from suspending the transfer of the data of European Facebook subscribers to servers located in the United States. Furthermore, the Opinion considers that the EU-Commission decision on "Safe Harbor" is invalid.
EASA, A-NPA 2015-10, 31 July 2015
On 31 July 2015, the European Aviation Safety Agency (EASA) published its Consultation Document for the "Introduction of a regulatory framework for the operation of drones" which had been eagerly anticipated in the comparative overview of regulatory developments on the "Commercial Use of Drones" by Hilf/Umbach, CRi 2015, pp. 65-71. The EASA Consultation Document outlines a possible regulatory framework for drone operations as well as concrete proposals for the regulation of low-risk drone operations and is open to comments by any person or organisation suggesting the development of a new rule or an amendment thereto until 25 September 2015.
Online Trust Alliance, IoT Trust Framework - Discussion Draft, 11 August 2015
On 11 August 2015, the Online Trust Alliance (OTA), a non-profit organization with the mission to enhance online trust, released its "Internet of Things Trust Framework - Discussion Draft", the first global, multi-stakeholder effort to address IoT risks comprehensively. The suggested IoT Trust Framework presents guidelines for IoT manufacturers, developers and retailers to follow when designing, creating, adapting and marketing connected devices in two key categories: home automation and consumer health and fitness wearables. In the spirit of collaboration, OTA openly invites industry leaders to review the document and provide feedback.
IANA Stewardship Transition Proposal, 31 July 2015
On 31 July 2015, the IANA Stewardship Transition Coordination Group (ICG) released the Draft Proposal for the transition of the stewardship of the Internet Assigned Numbers Authority (IANA) functions from the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) to the global multistakeholder community and, on 3 August 2015, the Cross Community Working Group on Enhancing ICANN Accountability made its "CCWG-Accountability 2nd Draft Proposal on Work Stream 1 Recommendations" available for public comment. Both the "IANA Stewardship Transition Proposal" and the "CCWG-Accountability 2nd Draft Proposal" are open to public comment for a period of 40 days. This presents a seminal opportunity for the public to evaluate the Draft Proposal as a whole and how it meets the criteria established by NTIA.
Google Europe Blog, 30 July 2015
On 30 July 2015, Google's Global Privacy Counsel, Peter Fleischer, has posted that Google respectfully disagrees with the assertion that the "Right to be Forgotten" would have to be implemented globally. Following the Practical Guidelines issued by the Article 29 Data Protection Working Party in November 2014, the French Data Protection Authority (i.e. “Commission Nationale de l’Informatique et des Libertés”, CNIL) had issued in May 2015 a formal notice requesting Google Inc. to apply delisting globally on all domain names of the search engine because the various geographical top-level domains used by Google Inc. merely represented different technical access paths to its central data processing (see Cullaffroz-Jover, CRi 2015, 126).
European Council, 564/15, 8 July 2015
On 8 July 2015, the Member States gathered at the Permanent Representatives Committee approved the deal with the EU Parliament on ending mobile roaming charges and introducing the first EU-wide rules to safeguard open internet access (= net neutrality).
EU Commission, MEMO/15/5275 of 30 June 2015
On 30 June 2015, the EU Commission has made available a fact sheet concerning roaming charges and open Internet, explaining in Q&A form what the agreement reached on 15 June 2015 between EU Parliament, EU Council and EU Commission on key elements for a single market in telecoms is about. Two things seem certain:
  • First: The end of roaming charges when travelling in the EU in June 2017, and
  • Second: The introduction of rules safeguarding the open Internet in the EU.

The Regulation also increases related consumer protection. It notably ensures that users are informed about their roaming rights and consumption and that they are empowered to detect possible breaches of open Internet rules.

EU Council, 9565/15, 15 June 2015
On 15 June 2015, the EU-Council reached a general approach on the general data protection regulation that establishes rules adapted to the digital era. The twin aims of this regulation are to enhance the level of personal data protection for individuals and to increase business opportunities in the Digital Single Market. This general approach means that the EU-Council has a political agreement on the basis of which it can now begin negotiations with the EU-Parliament with a view to reaching overall agreement on new EU data protection rules. A first trilogue with the EU-Parliament is planned for 24 June 2015.
UN Human Rights Council, A/HRC/29/32, 22 May 2015
On 22 May 2015, the United Nations' "Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression", David Kaye, made available his first annual Report addressing the use of encryption and anonymity in digital communications. Drawing from research on international and national norms and jurisprudence, and the input of States and civil society, the Report concludes that encryption and anonymity enable individuals to exercise their rights to freedom of opinion and expression in the digital age and, as such, deserve strong protection. The Report will be presented at the 29th session of the Human Rights Council on 15 June - 3 July 2015.
EU Commission, Communication COM(2015) 192, 6 May 2015
On 6 May 2015, the EU Commission has adopted the Communication "A Digital Single Market Strategy for Europe" in which its detailed plans to create a Digital Single Market are unveiled.
EU-Council, Press Release 114/15 of 13 March 2015
On 13 March 2015, the EU Council of Ministers reached a partial general approach on specific issues of the draft regulation setting out a general EU framework for data protection, on the understanding that nothing is agreed until everything is agreed. The partial general approach includes the chapters and the recitals concerning the "one-stop-shop" mechanism (chapters VI and VII) as well as the chapter and the recitals relating to the principles for protecting the personal data (chapter II).
US Supreme Court: Petition by Google (6 October 2014) and Opposition by Oracle (8 December 2014)
On 8 December 2014, Oracle has filed with the Supreme Court of the United States its Brief in Opposition against Google in a copyright dispute concerning 37 packages of computer source code written by the predecessor of Oracle America (Java programming language).
Art. 29 Data Protection Working Party, WP 225, adopted on 26 November 2014
On 26 November 2014, the European data protection authorities assembled in the Article 29 Working Party (WP29) have adopted guidelines on the implementation of the judgment of the Court of Justice of the European Union (CJEU) of 13 May 2014 in Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (C-131/12), CRi 2014, p. 77 with remarks from a US perspective by Spelman/Towle, p. 85, and remarks from an Irish perspective by Tobin, p. 87. These Guidelines contain the common interpretation of the ruling as well as the common criteria to be used by the data protection authorities when addressing complaints. The Guidelines request effective implementation of the CJEU's judgment on a global scale including all relevant ".com" domains, which makes it all the more interesting to realise how such a "right to be forgotten" constitutes a challenge to free speech rights recognized by the Constitution of the United States (see Brown, "The Right to be Forgotten: U.S. Rulings on Free Speech Won’t Let Google Forget", CRi 6/2014, pp. 161).
European Parliamentary Research Service, Study "III Digital Single Market", 3 October 2014
On 3 October 2014, the EU-Parliament has published part III of its study "The Cost of Non-Europe" (CoNE) analysing the "Digital Single Market" (DSM). The study focuses on the gaps in EU legislation which may constrain the functioning of the DSM and, to a certain extent, on informational gaps and shortcomings in the implementation of existing EU-level legislation that can significantly hamper the functioning of the DSM.
EUROPOL, iOCTA 2014, 29 September 2014
On 29 September 2014, the European Cybercrime Centre (EC3) of the European Police Office (EUROPOL) has published its 2014 Internet Organised Crime Threat Assessment (iOCTA). The 2014 iOCTA describes an increased commercialisation of cybercrime.
Recommending a review article by Peter Hustinx, 15 September 2014
On 15 September 2014, the European Data Protection Supervisor (EDPS) has made available the thorough data protection review article entitled "EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed General Data Protection Regulation" by Peter Hustinx which is based on a course given at the European University Institute's Academy of European Law in July 2013.
Council of Europe, DGI(2014)12, 22 - 26 June 2014
During the ICANN50 meeting in London that took place from 22 - 26 June 2014, Dr Monika Zalnieriute and Thomas Schneider presented their Report on "ICANN’s procedures and policies in the light of human rights, fundamental freedoms and democratic values" the preparation of which had been facilitated by the Council of Europe. The opinions expressed in this Report are the opinions of the experts and do not engage the responsibility of the Council of Europe. The Report aims at catalysing community discussion on human rights and internet governance.
Council of the EU, 2013/0027 (COD), 16 May 2014
On 16 May 2014, the Council of the EU has published its Draft Progress Report about a "Proposal for a Directive concerning measures to ensure a high common level of network and information security across the Union" (NIS Directive). The Draft Progress Report sets out the work done so far in the Council's preparatory bodies, gives an account of the state of play in the examination of the above mentioned proposal and sets out orientations with a view to the preparation of negotiations with the EP in due course.
Human Rights Committee, Concluding observations, Adopted on 10–28 March 2014
On 26 March 2014, the Human Rights Committee adopted its "Concluding observations on the fourth report of the United States of America". On page 9 at 22., the Human Rights Committee expresses its concerns about the surveillance of communications in the interests of protecting national security, conducted by the National Security Agency (NSA).
ECHR, Bucur and Toma v. Romania, Judgement of 8 January 2013 - 40238/02
On 8 January 2013, the European Court of Human Rights (ECHR) handed down judgement in the case of Bucur and Toma v. Romania (40238/02) finding a violation of Article 10 ECHR in the criminal conviction of an ex-member of the Romanian Intelligence Service who had made public irregular telephone tapping procedures. The ECHR held that the interference with the whistleblower's freedom of expression, and in particular with his right to impart information, had not been necessary in a democratic society.
Brick Court Chambers, 22 January 2014
On 22 January 2014, Jemima Stratford QC and Tim Johnston delivered to Tom Watson, chair of the All Party Parliamentary Group on Drones, their wide-ranging legal opinion (32 pages long) concerning the lawfulness of the UK government’s interception, use and transfer of intelligence data. The opinion not only raises serious questions about whether or not the security services are acting within the scope of the law, but also questions whether the law itself (the Regulation of Investigatory Powers Act 2000) is in line with the European Convention on Human Rights.
Report and Recommendations of 12 December 2013
On 12 December 2013, the President's Review Group revealed its Report and Recommendations entitled "Liberty and Security in a Changing World". Looking at past and current practices of national security against threats of international terrorism, the proliferation of weapons of mass destruction, and cyber espionage and warfare, the Report acknowledges a robust foreign intelligence collection capability and aims to harmonize it with the commitment to the protection of privacy and civil liberties ("fundamental values that can be and at times have been eroded by excessive intelligence collection"). Against this background, 46 recommendations are developed to change US intelligence collection activities.
Report by EU-Co-Chairs of 27 November 2013
On 27 November, the EU-Commission and the EU-Presidency Council have published as Co-Chairs their "Report on the Findings of the EU Co-Chairs of the Ad Hoc EU-US Working Group on Data Protection". The purpose of this Working Group was to establish the facts about US surveillance programmes and their impact on fundamental rights in the EU and personal data of EU citizens. The summary of the main findings is provided here:
On 23 September 2013, the US state of California amended its California Online Privacy Protection Act ("CalOPPA") to include a section titled “Privacy Rights for California Minors in the Digital World.”
On 9 September 2013, the Organization for Economic Cooperation and Development (OECD) published its revised Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (2013 Guidelines).
On 9 August 2013, the U.S. National Security Agency (NSA) has published a Paper called "The National Security Agency: Missions, Authorities, Oversight and Partnerships" aimed at providing a succinct description of the NSA's mission, authorities, oversight and partnerships.
On 24 July 2013, the European Commission has published a Document by DG Home dating from March this year and called "Evidence for necessity of data retention in the EU" collating evidence provided to the Commission on the necessity of data retention including case studies from across the EU.
European Court of Human Rights
On 16 July 2013, the European Court of Human Rights (ECHR) has issued a Chamber judgment (not final) in the case of Wegrzynowski and Smolczewski v. Poland (application no. 33846/07) and found, unanimously, that a newspaper was not obliged to completely remove from its Internet archive an article found by a court to be inaccurate because there had been no violation of Article 8 (right to respect for private and family life) of the European Convention on Human Rights.
On 10 July 2013, the EU-Parliament's Civil Liberties Committee has agreed on the next steps to be taken in its surveillance inquiry into alleged spying by the US and EU countries. On 4 July 2013, the EU-Parliament had adopted a Resolution on the US National Security Agency surveillance programme, surveillance bodies in various Member States and their impact on EU citizens' privacy (2013/2682(RSP)) which instructed the Committee on Civil Liberties, Justice and Home Affairs to conduct an in-depth inquiry into the matter in collaboration with national parliaments and the EU-US expert group set up by the Commission and to report back by the end of 2013 (see Nr. 16 of the Resolution). The Civil Liberties Committee will hold hearings with their authorities, legal and IT experts, NGOs, data protection authorities, national parliaments following this issue and private firms involved in data transfers. The first hearing takes place on 5 September 2013.
On 9 July 2013, the EU-Parliament's Legal Affairs Committee has unanimously adopted a Report on a proposal for a Directive "on collective management of copyright and related rights and multi-territorial licensing of rights in musical works for online uses in the internal market". Under the rules approved by the Legal Affairs Committee, online music service providers will get licenses more easily and musicians will receive royalties more quickly, enabling consumers to enjoy a wider range of music online.
On 17 April 2013, the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue, has submitted his Report analysing the implications of States’ surveillance of communications on the exercise of the human rights to privacy and to freedom of opinion and expression, in accordance with Human Rights Council resolution 16/4. While considering the impact of significant technological advances in communications, the Report underlines the urgent need to further study new modalities of surveillance and to revise national laws regulating these practices in line with human rights standards.
On 31 May 2013, the Council of the European Union sitting in configuration of Justice and Home Affairs has released a draft Compromise Text responding to the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”). The compromise text narrows the scope of the Proposed Regulation and seeks to move from a detailed, prescriptive approach toward a risk-based framework.
CJEU, 30 May 2013, C-270/11
On 30 May 2013, the Court of Justice of the European Union (CJEU) has ordered Sweden to make a lump sum payment of €3 000 000 for its delay in transposing the Data Retention Directive into national law. Given that the Directive is intended to ensure that electronic communications data are available for the purpose of the investigation, detection and prosecution of serious crime, any delay in its transposition is liable to have consequences for public and private interests.
On 13 May 2013, the European Data Protection Authorities, assembled in the Article 29 Data Protection Working Party, have adopted an "Advice Paper on Essential Elements of a Definition and a Provision on Profiling within the EU General Data Protection Regulation" arguing for clear limits to profiling.
On 10 May 2013, the US Court of Appeals for the Federal Circuit has issued its ruling in CLS Bank International v. Alice Corporation on the patent-eligibility of method and computer-readable medium claims. Though the Court holds that the method and computer readable medium claims before it do not recite patent-eligible subject matter under 35 U.S.C. § 101, the ten judges of this decision formed no less than six different opinions on the matter.
On 8 May 2013, the Queen's speech also announced that "a draft Bill will be published establishing a simple set of consumer rights to promote competitive markets and growth." The purpose of this Consumer Rights Bill is to:
  • Give consumers clearer rights in law and to make sure that consumer rights keep pace with technological advances.
  • Provide important new protections for consumers alongside measures to reduce regulation for business, all with the aim of making markets work better.
On 19 April 2013, the European data protection authorities, assembled in the Article 29 Working Party (WP29), have adopted an Explanatory Document on Binding Corporate Rules for Processors (Processor BCR) in order to further explain the principles and elements to be found in Processor BCR set out in the Working Document 02/2012 (WP195) adopted on 6 June 2012.
On 2 April 2013, the Article 29 Data Protection Working Party has adopted its opinion 03/2013 in which the European data protection authorities assess and clarify the principle of purpose limitation with the aim to offer guidance on its practical application under the current and under proposed future legal framework (WP203).
In March 2013, the WIPO Arbitration and Mediation Center has presented a Report with the results of its International Survey on Dispute Resolution in Technology Transactions (Survey). The Survey had been designed to assess the current use in technology-related disputes of Alternative Dispute Resolution (ADR) methods as compared to court litigation, including a qualitative evaluation of these dispute resolution options. The results of this Survey provide a statistical basis to identify trends in the resolution of technology-related disputes as well as emerging best practices as potential guidance for intellectual property stakeholders in their dispute resolution strategies.
In March 2013, the Federal Trade Commission (FTC) has published a Staff Report "Paper, Plastic ... or Mobile?" on mobile payment. The Staff Report discusses the emerging options and concerns for consumers using mobile payment and highlights those areas where staff believes continued monitoring and attention are warranted. In the end, it is clear that building a framework for mobile payments that keeps the consumer experience in mind will go a long way towards developing consumer trust and widespread adoption of these new products and services.
In February 2013, the World Economic Forum has published a report on "Unlocking the Value of Personal Data: From Collection to Usage" prepared in collaboration with the Boston Consulting Group. The Report examines the need for new approaches in the policies which enable the managing of personal data in ways that are flexible, adaptive and contextually driven. The report highlights outcomes from a nine month, multistakeholder, global dialogue on how the principles for using personal data may need to be refreshed to ensure they protect the rights of individuals, unlock socio-economic value and are fit for the complexities of a hyperconnected world.
In January 2013, the California Attorney General’s Privacy Enforcement and Protection Unit has published "Privacy on the Go: Recommendations for the Mobile Ecosystem" for the mobile app industry. The aim of these recommendations is to help educate this industry and to promote privacy best practices by encouraging app developers and other players in the mobile sphere to consider privacy at the outset of the design process.
On 20 November 2012, the European Network and Information Security Agency (ENISA) published its report "The Right to be Forgotten - Between Expectations and Practice" authored by Peter Druschel, Michael Backes and Rodica Tirtea. The Report aims to cover the technical means to enforce or support "the right to be forgotten" in information systems and explores its obstacles and limitations.
On 5 September 2012, the Congressional Research Service (CRS) published its report "The Trans-Pacific Partnership Negotiations and Issues for Congress" authored by Ian F. Fergusson (Coordinator Specialist in International Trade and Finance), William H. Cooper (Specialist in International Trade and Finance), Remy Jurenas (Specialist in Agricultural Policy) and Brock R. Williams (Analyst in International Trade and Finance). The CRS-Report examines the Trans-Pacific Partnership agreement (TPP) within the broader context of multilateral and bilateral trade relations and international market access and compares the TPP to the Anti-Counterfeiting Trade Agreement (ACTA) among other free trade agreements (FTAs) the USA has signed with other nations that carry provisions increasing the enforcement of intellectual property rights abroad.
On 29 June 2012, the Canadian Bill C-11 received Royal Assent and is, therefore, about to introduce fundamental changes into the Canadian Copyright Act. The aim of Bill C-11 is to update the rights and protections of copyright owners to better address the challenges and opportunities of the Internet, so as to be in line with international standards.
On 23 February 2012, the Obama administration released the white paper "Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy". The white paper proposes an elaborate framework for protecting privacy in the digital age.
On 26 March 2012, the Federal Trade Commission (FTC; chief privacy policy and enforcement agency in USA) has released its final report "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers". In this report, the FTC not only details best practices for businesses to protect the privacy of consumers and to give them greater control over the collection and use of their personal data, but also recommends that Congress consider enacting general privacy legislation, data security and breach notification legislation, and data broker legislation.
On 25 January 2012, the European Commission has proposed a comprehensive reform of the EU's 1995 data protection rules to strengthen online privacy rights and boost Europe's digital economy.
On 23 January 2012, the International Chamber of Commerce (ICC) has posted a "Data Protection Principle of Accountability Discussion Paper". This Discussion Paper provides an overview of current global discussions of the data protection principle of accountability. 
On 20 October 2011, the International Chamber of Commerce has published a Discussion Paper on "Approaching Shortages of Mobile Broadband Spectrum Threaten to Limit Broadband Deployment and Economic Growth". This Discussion Paper informs governments and regulators about the economic benefits of taking action now to ensure that sufficient spectrum is available to support the increasing demands following current and expected data traffic trends.
On 15 November 2010, U.S. Participants in the Anti-Counterfeiting Trade Agreement (ACTA) negotiations published the finalised text of the Agreement, after resolving the few issues that remained outstanding after the final round of negotiations in Tokyo.