Photo of Dan Cooper

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his "level of expertise is second to none, but it's also equally paired with a keen understanding of our business and direction." It was noted that "he is very good at calibrating and helping to gauge risk."

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Contact:Read more about Dan CooperEmail

On July 10, 2023, the European Commission adopted its adequacy decision on the EU-U.S. Data Privacy Framework (“DPF”). The decision, which took effect on the day of its adoption, concludes that the United States ensures an adequate level of protection for personal data transferred from the EEA to companies certified to the DPF. This blog post summarizes the key findings of the decision, what organizations wishing to certify to the DPF need to do and the process for certifying, as well as the impact on other transfer mechanisms such as the standard contractual clauses (“SCCs”), and on transfers from the UK and Switzerland.

Background

The Commission’s adoption of the adequacy decision follows three key recent developments:

  1. the endorsement of the draft decision by a committee of EU Member State representatives;
  2. the designation by the U.S. Department of Justice of the European Union and Iceland, Liechtenstein, and Norway (which together with the EU form the EEA) as “qualifying states,” for the purposes of President Biden’s Executive Order 14086 on Enhancing Safeguards for U.S. Signals Intelligence Activities (“EO 14086”). This designation enables EU data subjects to submit complaints concerning alleged violations of U.S. law governing signals intelligence activities to the redress mechanism set forth in the Executive Order and implementing regulations (see our previous blog post here); and
  3. updates to the U.S. Intelligence Community’s policies and procedures to implement the safeguards established under EO 14086, announced by the U.S. Office of Director of National Intelligence on July 3, 2023.

The final adequacy decision, which largely corresponds to the Commission’s draft decision (see our prior blog post here), concludes “the United States … ensures a level of protection for personal data transferred from the Union to certified organisations in the United States under the EU-U.S. Data Privacy Framework that is essentially equivalent to the one guaranteed by [the GDPR]” (para. 201).

Key Findings of the Decision

In reaching the final decision, the Commission confirms a few key points:

Continue Reading European Commission Adopts Adequacy Decision on the EU-U.S. Data Privacy Framework

Late yesterday, the EU institutions reached political agreement on the European Data Act (see the European Commission’s press release here and the Council’s press release here).  The proposal for a Data Act was first tabled by the European Commission in February 2022 as a key piece of the European Strategy for Data (see our

There is a flurry of new EU initiatives to regulate the metaverse. Last week, the European Commission launched a public consultation (open until May 3, 2023) to “develop a vision for emerging virtual worlds (e.g. metaverses), based on respect for digital rights and EU laws and values” such that “open, interoperable and innovative virtual worlds … can be used safely and with confidence by the public and businesses.” This initiative follows closely on another EU public consultation on allocating costs of expanding network infrastructure (open until May 19, 2023). As explained by the EU’s internal market commissioner, Thierry Breton, the increased data required by new technologies such as the metaverse necessitate transforming the underlying digital infrastructure. Separately, Commission President Ursula von der Leyen launched last September a non-legislative initiative on the metaverse. Similarly, the European Parliament is also working on its own-initiative report on opportunities, risk and policy implications for the metaverse.

As EU officials grapple with potential regulatory constraints as well as policy building blocks for the metaverse, they will need to address issues common across the globe: how to take advantage of the technological inflection point offered by the metaverse, while ensuring competition, privacy, and cybersecurity, among the many legal topics raised by the metaverse.

Metaverse Prospects

This rapidly increasing regulatory attention is unsurprising as the metaverse is estimated to generate up to $5 trillion in global market impact by 2030 and already in 2022, investments into the metaverse doubled compared to the previous year, reaching over $120 billion. As a multifaceted and complex digital ecosystem, the metaverse provides a wide array of investment opportunities as, in principle, nearly anything done physically could be done meta.

Continue Reading Regulating the Metaverse in Europe

On February 9, 2023, the Court of Justice of the EU (“CJEU”) released two separate rulings on the dismissal of data protection officers (“DPOs”) under the German Federal Data Protection Law (“German DPL”) (C-453/21 and C-560/21).  The main question in both cases was whether Section 6(4) of the German DPL which permits the dismissal of a DPO with “just cause” is compatible with the GDPR.  In short, the CJEU (i) found that the provision was compatible with the GDPR because EU member states can use “just cause” as a threshold for dismissal as long as this does not undermine the objectives set for DPOs under the GDPR, and (ii) clarified the criteria EU member states should take into account to determine whether there is a conflict of interest.

The CJEU rulings concerned DPOs who were employed at German companies and dismissed “for just cause” from their respective DPO positions due to conflicts of interest concerns.  In one case, the DPO was simultaneously chair of the company’s works council.  In the other case, there was a perceived incompatibility with the DPO’s other professional responsibilities at the company (which the judgment does not disclose).  Importantly, the DPOs had not been dismissed because of the way they performed their duties and tasks as a DPO.

The term “just cause” is used in the German Civil Code to refer to situations where it cannot be reasonably expected for the employment contract to continue as normal, i.e., until the end of the notice period or until the agreed termination date, taking into account all the circumstances of the individual case and weighing the interests of both parties.  This requirement goes beyond the provision in Article 38(3) GDPR, which provides that the DPO “shall not be dismissed or penalized by the controller or the processor for performing his tasks.”

Continue Reading Court of Justice of the EU Clarifies Rules on Data Protection Officers’ Dismissal and Conflicts of Interest

In 2022, the European Union announced the creation of Digital Partnerships with three Asian countries: Japan, South Korea and Singapore. This is in line with the EU’s Digital Compass strategy which seeks to make the European Union the most connected continent by 2030. The European Commission is expanding its connections between Europe and the rest of the world to address the digital divide and further develop a sustainable digital economy with trusted partners.

Below we set out the key points from the Digital Partnerships that the European Commission has announced with Japan, South Korea and Singapore, respectively.

EU-Japan Digital Partnership

During the EU-Japan Summit organised on May 12, 2022, the European Union and Japan concluded the EU-Japan Digital Partnership, the first digital cooperation initiative to advance economic growth and provide a safe and inclusive space to solve digital issues. This effort furthers the “Data Free Flow with Trust” agenda, aimed at facilitating safe and secure cross-border data flows.

The EU-Japan Partnership will also focus on the following areas:

  • 5G/6G technologies;
  • Ethical considerations for Artificial Intelligence (“AI”);
  • Global supply chains in the semiconductor industry;
  • Green data infrastructures and data innovation;
  • Development of digital skills for private and public sectors; and
  • Facilitation of digital trade and application of global interoperable standards.

As part of the common vision, the Digital Partnership identified a number of key action items, as follows:

  • Collaborating on the development of innovative technologies through research;
  • Implementing concrete pilot projects in cutting-edge areas such as AI and digital identity;
  • Establishing mechanisms for international collaboration and common approaches to digital transformation; and
  • Developing common principles and rules through regulatory cooperation on key technology enablers for digital trade.

All the above will reflect the highest standards of data protection and follow the objectives set out by the EU-Japan mutual adequacy arrangement. The implementation of the EU-Japan Digital Partnership will start in 2023 and the countries will review their targets and progress on an annual basis.

EU-South Korea Digital Partnership

On November 28, 2022, the European Union and the Republic of Korea launched a new Digital Partnership to boost the cooperation between the two countries in the digital field. This collaboration will mainly focus on:

  • Semiconductors;
  • Next generation mobile networks;
  • Quantum technology;
  • High Performing Computing (“HPC”);
  • Cybersecurity;
  • AI;
  • Digital platforms and standardization; and
  • Data and digital skills.

The key action items from the EU-Korea Digital Partnership include:

  • Engaging in collaborative research activities, facilitating access to, and participation in, international standardisation relating to emerging technologies in the digital sector.
  • The sharing of information on: (i) cybersecurity threats and other aspects of cybersecurity, (ii) data-related laws and systems, which build on the existing adequacy decision that the European Commission granted to Korea (and ensuring data free flow of data between Korea and the EU) and working towards identifying commonalities between their existing regulatory approaches, (iii) views on a 6G roadmap and future 6G spectrum needs, (iv) the laws and systems aimed at the development and global use of trustworthy and human-centric AI (e.g., definitions, use cases, high risk AI applications, and response measures) and coordinating positions on AI governance, (v) platform policies, and (vi) approaches to protectionist measures in the digital space.
  • The Digital Partnership will also establish a Korea-EU forum for semiconductor researchers to (i) discuss and share information on the latest technologies and trends, (ii) identify gaps and potential disruptions to the global supply chain, and (iii) explore potential opportunities for international standardisation of trusted chips and chip security.

EU-Singapore Digital Partnership

The European Union and Singapore announced on December 15, 2022 a new partnership that will focus on the digital sector and its issues. The EU-Singapore Digital Partnership will be formally signed and launched in 2023 and aims at reinforcing existing relationships between the European Union and Singapore in the digital realm to achieve sustainable economic growth. The range of digital issues the collaboration will focus on are:

  • Trade facilitation;
  • Trusted data flows and data innovation;
  • Digital trust and standards;
  • Digital skills for workers;
  • Digital transformation of businesses and public services; and
  • Emerging technologies (e.g. 5G/6G, AI and digital identities).

In contrast to the other partnerships, the EU-Singapore Digital Partnership is the first one to agree on the development and application of Digital Trade Principles (“Principles”). These Principles are designed to provide a common framework for digital strategies, which will in turn be used contribute to the ongoing OECD discussions on establishing rules regarding electronic commerce.

What are the next steps?

In announcing these Digital Partnerships, EU Commissioner, Thierry Breton mentioned that these Digital Partnerships are likely to:

  • impact recent EU proposals, such as the EU Chips Act or AI Act; and
  • help achieve interoperability between the EU and Asia, as the EU Commission and ASEAN countries continue to cooperate in the digital space.

As mentioned above, all three Digital Partnerships will be formally launched in 2023. We expect that the Digital Partnerships will be used as a strategic pathfinder for closer region-to-region digital connectivity and to develop enhanced cooperation with other ASEAN countries such as Thailand, Malaysia, among others.

If you would like to learn more about these Digital Partnerships, or how Covington could help you participate in related policy initiatives, please do not hesitate to contact us.

Continue Reading EU Digital Partnerships with Asia: A New Path Towards Enhanced Digital Collaboration and Opportunities

On June 23, 2022 the Italian data protection authority (“Garante”) released a general statement (here) flagging the unlawfulness of data transfers to the U.S. resulting from the use of Google Analytics.  The Garante invites all Italian website operators, both public and private, to verify that the use of cookies and other tracking tools on their websites is compliant with data protection law, in particular with regards to the use of Google Analytics and similar services. 

The Garante’s statement follows an order (here) issued against an Italian website operator to stop data transfers to Google LLC in the U.S., and joins other European data protection authorities in their actions relating to the use of Google Analytics (see our previous blogs here and here).

Below we summarize the Garante’s key considerations.

  • Google Analytics’ “IP Anonymization” feature

The Garante analyzes Google Analytics’ so-called “IP-Anonymization” feature, which allows the transfer of user IP addresses to Google Analytics after masking the IP address’ last octet.  The Garante finds that such feature constitutes a pseudonymization of the IP address, and not anonymization.  According to the Garante, the feature does not prevent Google LLC from re-identifying the user, given Google’s capabilities to enrich such data through additional information it holds, especially in circumstances where those users maintain and use a Google account.

Continue Reading Italian Garante bans use of Google Analytics

On March 21, 2022, the European Data Protection Board (“EDPB”) published its draft Guidelines 3/2022 on Dark patterns in social media platform interfaces (hereafter “Guidelines”, available here), following the EDPB’s plenary session held on March 14, 2022.  The stated objective of the Guidelines is to provide practical guidance to both designers and users of social media platforms about how to identify and avoid so-called “dark patterns” in social media interfaces that would violate requirements set out in the EU’s General Data Protection Regulation (“GDPR”).  In this sense, the Guidelines serve both to instruct organizations on how to design of their platforms and user interfaces in a GDPR-compliant manner, as well as to educate users on how certain practices they are subject to could run contrary to the GDPR (which could, as a result, lead to an increase in GDPR complaints arising from such practices).  The Guidelines are currently subject to a 6-week period of public consultation, and interested parties are invited to submit feedback directly to the EDPB here (see “provide your feedback” button).

In this blog post, we summarize the Guidelines and identify key takeaways.  Notably, while the Guidelines are targeted to designers and users of social media platforms, they may offer helpful insights to organizations across other sectors seeking to comply with the GDPR, and in particular, its requirements with respect to fairness, transparency, data minimization, purpose limitation, facilitating personal data rights, and so forth.

Setting the Stage

At the outset of the Guidelines, the EDPB defines “dark patterns” as “interfaces and user experiences implemented on social media platforms that lead users into making unintended, unwilling and potentially harmful decisions regarding the processing of their personal data”.  The EDPB then provides a taxonomy of 6 defined categories of dark patterns, namely:

  1. Overloading– overwhelming users with a large quantity of requests, information, options, or possibilities to prompt them to share more data;
  2. Skipping– designing the interface or user experience in a way that causes users to forget (or fail to consider) all or certain data protection aspects of a decision;
  3. Stirring– appealing to the emotions of users or using visual nudges;
  4. Hindering– obstructing or blocking users from becoming informed about the use of their data or exercising control it by making certain actions hard or impossible to achieve;
  5. Fickle– designing the interface in an inconsistent and unclear manner which makes it difficult to navigate user controls or understand processing purposes; and finally,
  6. Left in the dark– designing the interface in a way to hide information or privacy controls, or to leave users uncertain about how their data is processed and the control they can exercise over it.

The EDPB notes that these six categories can also be thematically framed as “content-based patterns” (i.e., referring to the content of information presented to users, including the context, wording used, and informational components) or “interface-based patterns” (i.e., referring to the manner that content is displayed, navigated through, or interacted with by users, which can have a direct influence on the perception of dark patterns).

Beneath the six over-arching categories of dark patterns outlined above, the EDPB then identifies 15 specific dark pattern behaviors and considers how each them can manifest during the lifecycle of a social media user account, a continuum which the EDPB breaks down into the following 5 stages: (1) opening a social media account; (2) staying informed on social media; (3) staying protected on social media; (4) exercising personal data rights on social media; and (5) leaving a social media account.
Continue Reading EDPB Publishes Draft Guidelines on the Use of “Dark Patterns” in Social Media Interfaces

On February 23, 2022, the European Commission published the draft EU Regulation on harmonized rules on fair access to and use of data, also referred to as the “Data Act” (available here).  The Data Act is just the latest EU legislative initiative, sitting alongside the draft Data Governance Act, Digital Services Act, and Digital Markets Act, motivated by the EU’s vision to create a single market for data and to facilitate greater access to data.

Among other things, the proposed Regulation:

  • grants “users” of connected “products” and “related services” – meaning a digital service incorporated in or inter-connected with a product in such a way that its absence would prevent the product from performing one of its functions – offered in the EU rights to access and port to third parties the data generated through their use of these products and services (including both personal and non-personal data);
  • requires manufacturers of these products and services to facilitate the exercise of these rights, including by designing them in such a way that any users – which may be natural and legal persons – can access the data they generate;
  • requires parties with the right, obligation or ability to make available certain data (including through the Data Act itself) – so-called ”data holders” – to make available to users the data that the users themselves generate, upon request and “without undue delay, free of charge, and where applicable, continuously and in real-time”;
  • requires data holders to enter into a contract with other third-party “data recipients” on data sharing terms that are fair, reasonable and non-discriminatory; relatedly, any compensation agreed between the parties must be “reasonable” and the basis for calculating the compensation transparent, with special rules set out for micro, small or medium-sized data recipients to facilitate their access to the data at reduced cost;
  • authorizes public sector bodies and Union institutions, agencies or bodies to request access to the data in “exceptional need” situations;
  • requires certain digital service providers, such as cloud and edge service providers, to implement safeguards that protect non-personal data from being accessed outside the EU where this would create a conflict with EU or Member State law;
  • requires such data processing service providers to make it easy for the customers of such services to switch or port their data to third-party services; and
  • imposes interoperability requirements on operators of “data spaces”.

As a next step, the Council of the EU and the European Parliament will analyze the draft Regulation, propose amendments and strive to reach a compromise text that both institutions can agree upon.  Below, we discuss the key provisions of the Data Act in more detail.
Continue Reading European Commission Publishes Draft Data Act

Covington’s Inside Privacy Audiocast offers insights into topical global privacy issues and trends. Subscribe to our Inside