European Union (EU)

On 2 December 2024, the European Data Protection Board (“EDPB”) adopted its draft guidelines on Article 48 GDPR (the “Draft Guidelines”). The Draft Guidelines are intended to provide guidance on the GDPR requirements applicable to private companies in the EU that receive requests or binding demands for personal data from public authorities (e.g., law enforcement or national security agencies, as well as other regulators) located outside the EU.

The Draft Guidelines focus in particular on Article 48 GDPR, which states that a binding demand from a non-EU public authority “requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.”

As an initial matter, the EDPB addresses the question of whether Article 48 operates as a blocking statute—i.e., a prohibition on disclosure of personal data subject to the GDPR to non-EU public authorities in the absence of an international agreement (e.g., a mutual legal assistance treaty) that permits that disclosure. The Draft Guidelines state that, even in the absence of such an international agreement, companies can in principle disclose personal data in response to such demands, provided that they (a) have a valid legal basis for doing so under Article 6 GDPR, and (b) can validly transfer the personal data outside the EU in accordance with Chapter V GDPR (e.g., on the basis of an EU adequacy decision, “appropriate safeguards”, or one of the derogations set out in Article 49 GDPR). The Draft Guidelines nonetheless make clear that, absent such an international agreement, any demand from a non-EU public authority will not be recognized as a binding demand by, or enforceable in, EU courts.

The Draft Guidelines also provide guidance on the Article 6 legal bases and Chapter V transfer grounds that might apply where a private entity receives a request or demand for personal data from a non-EU public authority. This guidance is broadly consistent with the EDPB’s analysis in its 2019 joint opinion with the EDPS on the CLOUD Act. Of particular note:Continue Reading EDPB adopts draft guidelines on requirements when responding to requests from non-EU public authorities

On May 30, 2024, the Court of Justice of the EU (“CJEU”) handed down its rulings in several cases (C-665/22Joined Cases C‑664/22 and C‑666/22C‑663/22, and Joined Cases C‑662/22 and C‑667/22) concerning the compatibility with EU law of certain Italian measures imposing obligations on providers of online platforms and search engines.  In doing so, the CJEU upheld the so-called “country-of-origin” principle, established in the EU’s e-Commerce Directive and based on the EU Treaties principle of free movement of services.  The country-of-origin principle gives the Member State where an online service provider is established exclusive authority (“competence”) to regulate access to, and exercise of, the provider’s services and prevents other Member States from imposing additional requirements.

We provide below an overview of Court’s key findings.

Background

The cases originate from proceedings brought by several online intermediation and search engine service providers (collectively, “providers”) against the Italian regulator for communications (“AGCOM”).  The providers, which are not established in Italy, challenged measures adopted by AGCOM designed to ensure the “adequate and effective enforcement” of the EU Platform-to-Business Regulation (“P2B Regulation”).  Among other things, those measures required the providers, depending on the case, to: (1) enter their business into a national register; (2) provide detailed information, including information about the company’s economic situation, ownership structure, and organization; and (3) pay a financial contribution to the regulator for the purposes of supporting its supervision activities. 

The Country-of-Origin Principle

In its rulings, the Court notes that the e-Commerce Directive’s country-of-origin principle relieves online service providers of having to comply with multiple Member State requirements falling within the so-called “coordinated field” (as defined in Article 2(h)-(i) of e-Commerce Directive), that is, requirements concerning access to the service (such as qualifications, authorizations or notifications), and the provision of the service (such as the provider’s behavior, the quality or content of services). 

Member States other than where the service provider is established cannot restrict the freedom to provide such online services for reasons falling within the coordinated field, unless certain conditions are met.  In particular, measures may be taken when it is necessary for reasons of public policy, protection of public health, public security, or the protection of consumers, among other conditions (Article 3(4) of e-Commerce Directive).Continue Reading CJEU Upholds Country-of-Origin Principle for Online Service Providers in the EU

On May 20, 2024, a proposal for a law on artificial intelligence (“AI”) was laid before the Italian Senate.

The proposed law sets out (1) general principles for the development and use of AI systems and models; (2) sectorial provisions, particularly in the healthcare sector and for scientific research for healthcare; (3) rules on the national strategy on AI and governance, including designating the national competent authorities in accordance with the EU AI Act; and (4) amendments to copyright law. 

We provide below an overview of the proposal’s key provisions.

Objectives and General Principles

The proposed law aims to promote a “fair, transparent and responsible” use of AI, following a human-centered approach, and to monitor potential economic and social risks, as well as risks to fundamental rights.  The law will sit alongside and complement the EU AI Act (for more information on the EU AI Act, see our blogpost here).  (Article 1)

The proposed law sets out general principles, based on the principles developed by the Commission’s High-level expert group on artificial intelligence, pursuing three broad objectives:

  1. Fair algorithmic processing. Research, testing, development, implementation and application of AI systems must respect individuals’ fundamental rights and freedoms, and the principles of transparency, proportionality, security, protection of personal data and confidentiality, accuracy, non-discrimination, gender equality and inclusion.
  2. Protection of data. The development of AI systems and models must be based on data and processes that are proportionate to the sectors in which they’re intended to be used, and ensure that data is accurate, reliable, secure, qualitative, appropriate and transparent.  Cybersecurity throughout the systems’ lifecycle must be ensured and specific security measures adopted.
  3. Digital sustainability. The development and implementation of AI systems and models must ensure human autonomy and decision-making, prevention of harm, transparency and explainability.  (Article 3)

Continue Reading Italy Proposes New Artificial Intelligence Law

In early March 2024, the EU lawmakers reached agreement on the European Health Data Space (EHDS).  For now, we only have a work-in-progress draft version of the text, but a number of interesting points can already be highlighted.  This article focusses on the obligations of data holders; for an overview of the EHDS generally, see our first post in this series.

We expect the final text of the EHDS to be adopted by the European Parliament in April 2024 and by the EU Member States shortly thereafter.

1: Health data holder

The term “health data holder” includes, among others, any natural or legal person developing products or services intended for health, developing or manufacturing wellness applications, or performing research in relation to healthcare, who:

  • in relation to personal electronic health data: in its capacity of a data controller has the right or obligation to process the health data, including for research and innovation purposes; or
  • in relation to non-personal electronic health data: has the ability to make the data available through control of the technical design of a product and related services.  These terms appear to be taken from the Data Act, but they are not defined under the EHDS.

In practice, this means that, for example, hospitals, as data controllers, are data holders of their electronic health records.  Similarly, pharmaceutical companies are data holders of clinical trial data and biobanks.  Medical device companies may be data holders of non-personal data generated by their devices, if they have access to that data and an ability to produce it.  However, medical device companies would not qualify as a data holder where they merely process personal electronic health data on behalf of a hospital.

Individual researchers and micro enterprises are not data holders, unless EU Member States decide differently for their territory.

2: Data sets covered by EHDS

The EHDS sets out a long list of covered electronic health data that should be made available for secondary use under the EHDS.  It includes, among others:

  • electronic health records;
  • human genetic data;
  • biobanks;
  • data from wellness applications;
  • clinical trial data – though according to the recitals, this only applies when the trial has ended;
  • medical device data;
  • data from registries; and
  • data from research cohorts and surveys, after the first publication of the results – a qualifier that does not seem to apply for clinical trial data.

Continue Reading EHDS Series – 2: The European Health Data Space from the Health Data Holder’s Perspective

In December 2023, the Dutch SA fined a credit card company €150,000 for failure to perform a proper data protection impact assessment (“DPIA”) in accordance with Art. 35 GDPR for its “identification and verification process”.

First, the Dutch SA decided that the company was required to perform a DPIA because

Continue Reading Dutch SA Sanctions Credit Card Company for Failure to Perform Data Protection Impact Assessment

Yesterday, the European Commission, Council and Parliament announced that they had reached an agreement on the text of the Cyber Resilience Act (“CRA”). As a result, the CRA now looks set to finish its journey through the EU legislative process early next year. As we explained in our prior

Continue Reading The EU’s Cyber Resilience Act Has Now Been Agreed

On July 10, 2023, the European Commission adopted its adequacy decision on the EU-U.S. Data Privacy Framework (“DPF”). The decision, which took effect on the day of its adoption, concludes that the United States ensures an adequate level of protection for personal data transferred from the EEA to companies certified to the DPF. This blog post summarizes the key findings of the decision, what organizations wishing to certify to the DPF need to do and the process for certifying, as well as the impact on other transfer mechanisms such as the standard contractual clauses (“SCCs”), and on transfers from the UK and Switzerland.

Background

The Commission’s adoption of the adequacy decision follows three key recent developments:

  1. the endorsement of the draft decision by a committee of EU Member State representatives;
  2. the designation by the U.S. Department of Justice of the European Union and Iceland, Liechtenstein, and Norway (which together with the EU form the EEA) as “qualifying states,” for the purposes of President Biden’s Executive Order 14086 on Enhancing Safeguards for U.S. Signals Intelligence Activities (“EO 14086”). This designation enables EU data subjects to submit complaints concerning alleged violations of U.S. law governing signals intelligence activities to the redress mechanism set forth in the Executive Order and implementing regulations (see our previous blog post here); and
  3. updates to the U.S. Intelligence Community’s policies and procedures to implement the safeguards established under EO 14086, announced by the U.S. Office of Director of National Intelligence on July 3, 2023.

The final adequacy decision, which largely corresponds to the Commission’s draft decision (see our prior blog post here), concludes “the United States … ensures a level of protection for personal data transferred from the Union to certified organisations in the United States under the EU-U.S. Data Privacy Framework that is essentially equivalent to the one guaranteed by [the GDPR]” (para. 201).

Key Findings of the Decision

In reaching the final decision, the Commission confirms a few key points:Continue Reading European Commission Adopts Adequacy Decision on the EU-U.S. Data Privacy Framework

On 11 May 2023, members of the European Parliament’s internal market (IMCO) and civil liberties (LIBE) committees agreed their final text on the EU’s proposed AI Act. After MEPs formalize their position through a plenary vote (expected this summer), the AI Act will enter the last stage of the legislative

Continue Reading EU Parliament’s AI Act Proposals Introduce New Obligations for Foundation Models and Generative AI

On April 17, 2023, the Italian Supervisory Authority (“Garante”) published its decision against a company operating digital marketing services finding several GDPR violations, including the use of so-called “dark-patterns” to obtain users’ consent.  The Garante imposed a fine of 300.000 EUR. 

We provide below a brief overview of the Garante’s key findings.

Background

The sanctioned company operated marketing campaigns on behalf of its clients, via text messages, emails and automated calls.  The company’s database of contacts was formed by data collected directly through its online portals (offering news, sweepstakes and trivia), as well as data purchased from data brokers.

Key Findings

Dark patterns.  The Garante found that, during the subscription process, the user was asked for specific consent relating to marketing purposes and sharing of data with third parties for marketing.  If the user did not select either of the checkboxes, a banner would pop-up, indicating the lack of consent, and displaying a prominent consent button.  The site also displayed a “continue without accepting” option, but this was placed at the bottom of the webpage – outside of the pop-up banner – in simple text form and smaller font size, which made it less visible than the “consent” button.  The Garante, referring to the EDPB’s guidelines (see our blogpost here), held that the use of such interfaces and graphic elements constituted “dark patterns” with the aim of pushing individuals towards providing consent.

Double opt-in.  The Garante noted that consent was not adequately documented.  While the company argued that it required a “double opt-in”, the evidence showed that a confirmation request was not consistently sent out to users.  The Garante recalled that double opt-in is not a mandatory requirement in Italy, but constitutes nonetheless an appropriate method to document consent.Continue Reading Italian Garante Fines Digital Marketing Company Over Use of Dark Patterns

In 2022, the European Union announced the creation of Digital Partnerships with three Asian countries: Japan, South Korea and Singapore. This is in line with the EU’s Digital Compass strategy which seeks to make the European Union the most connected continent by 2030. The European Commission is expanding its connections between Europe and the rest of the world to address the digital divide and further develop a sustainable digital economy with trusted partners.

Below we set out the key points from the Digital Partnerships that the European Commission has announced with Japan, South Korea and Singapore, respectively.

EU-Japan Digital Partnership

During the EU-Japan Summit organised on May 12, 2022, the European Union and Japan concluded the EU-Japan Digital Partnership, the first digital cooperation initiative to advance economic growth and provide a safe and inclusive space to solve digital issues. This effort furthers the “Data Free Flow with Trust” agenda, aimed at facilitating safe and secure cross-border data flows.

The EU-Japan Partnership will also focus on the following areas:

  • 5G/6G technologies;
  • Ethical considerations for Artificial Intelligence (“AI”);
  • Global supply chains in the semiconductor industry;
  • Green data infrastructures and data innovation;
  • Development of digital skills for private and public sectors; and
  • Facilitation of digital trade and application of global interoperable standards.

As part of the common vision, the Digital Partnership identified a number of key action items, as follows:

  • Collaborating on the development of innovative technologies through research;
  • Implementing concrete pilot projects in cutting-edge areas such as AI and digital identity;
  • Establishing mechanisms for international collaboration and common approaches to digital transformation; and
  • Developing common principles and rules through regulatory cooperation on key technology enablers for digital trade.

All the above will reflect the highest standards of data protection and follow the objectives set out by the EU-Japan mutual adequacy arrangement. The implementation of the EU-Japan Digital Partnership will start in 2023 and the countries will review their targets and progress on an annual basis.

EU-South Korea Digital Partnership

On November 28, 2022, the European Union and the Republic of Korea launched a new Digital Partnership to boost the cooperation between the two countries in the digital field. This collaboration will mainly focus on:

  • Semiconductors;
  • Next generation mobile networks;
  • Quantum technology;
  • High Performing Computing (“HPC”);
  • Cybersecurity;
  • AI;
  • Digital platforms and standardization; and
  • Data and digital skills.

The key action items from the EU-Korea Digital Partnership include:

  • Engaging in collaborative research activities, facilitating access to, and participation in, international standardisation relating to emerging technologies in the digital sector.
  • The sharing of information on: (i) cybersecurity threats and other aspects of cybersecurity, (ii) data-related laws and systems, which build on the existing adequacy decision that the European Commission granted to Korea (and ensuring data free flow of data between Korea and the EU) and working towards identifying commonalities between their existing regulatory approaches, (iii) views on a 6G roadmap and future 6G spectrum needs, (iv) the laws and systems aimed at the development and global use of trustworthy and human-centric AI (e.g., definitions, use cases, high risk AI applications, and response measures) and coordinating positions on AI governance, (v) platform policies, and (vi) approaches to protectionist measures in the digital space.
  • The Digital Partnership will also establish a Korea-EU forum for semiconductor researchers to (i) discuss and share information on the latest technologies and trends, (ii) identify gaps and potential disruptions to the global supply chain, and (iii) explore potential opportunities for international standardisation of trusted chips and chip security.

EU-Singapore Digital Partnership

The European Union and Singapore announced on December 15, 2022 a new partnership that will focus on the digital sector and its issues. The EU-Singapore Digital Partnership will be formally signed and launched in 2023 and aims at reinforcing existing relationships between the European Union and Singapore in the digital realm to achieve sustainable economic growth. The range of digital issues the collaboration will focus on are:

  • Trade facilitation;
  • Trusted data flows and data innovation;
  • Digital trust and standards;
  • Digital skills for workers;
  • Digital transformation of businesses and public services; and
  • Emerging technologies (e.g. 5G/6G, AI and digital identities).

In contrast to the other partnerships, the EU-Singapore Digital Partnership is the first one to agree on the development and application of Digital Trade Principles (“Principles”). These Principles are designed to provide a common framework for digital strategies, which will in turn be used contribute to the ongoing OECD discussions on establishing rules regarding electronic commerce.

What are the next steps?

In announcing these Digital Partnerships, EU Commissioner, Thierry Breton mentioned that these Digital Partnerships are likely to:

  • impact recent EU proposals, such as the EU Chips Act or AI Act; and
  • help achieve interoperability between the EU and Asia, as the EU Commission and ASEAN countries continue to cooperate in the digital space.

As mentioned above, all three Digital Partnerships will be formally launched in 2023. We expect that the Digital Partnerships will be used as a strategic pathfinder for closer region-to-region digital connectivity and to develop enhanced cooperation with other ASEAN countries such as Thailand, Malaysia, among others.

If you would like to learn more about these Digital Partnerships, or how Covington could help you participate in related policy initiatives, please do not hesitate to contact us.Continue Reading EU Digital Partnerships with Asia: A New Path Towards Enhanced Digital Collaboration and Opportunities