On 27 November, the final text of the EU’s Data Act (the Act) was formally approved by the European Parliament and the European Council. 

It will enter into force 20 days after its publication in the EU’s official journal, which is expected in the coming days. However, the majority of its provisions will only apply 20 months after it enters into force.

Scope of the Act

The Act, which takes the form of a directly applicable EU regulation, has three central focuses:

  1. remove obstacles to the process of switching between providers of “data processing services”  and the
Continue Reading Final text of the EU’s Data Act approved

This is Part 1 in our series focused on tracking the development of the EU’s AI Act. The series will provide updates and commentary as the AI Act moves through the EU’s legislative process.

To set the scene, the EU Commission first adopted its Proposal for a Regulation laying down harmonised rules on artificial intelligence (the Proposed Act) back in April 2021. In ways a ground breaking piece of draft legislation, it was one of the first attempts to implement a regulatory framework which was specific to the use of artificial intelligence (AI) technology. This article aims

Continue Reading Tracking the AI Act: Part 1 – How the EU is thinking about regulating the AI sector

Following the first designation of Very Large Online Platforms (“VLOPS“) and Very Large Online Search Engines (“VLOSEs”) under the Digital Services Act Regulation (“DSA“) on 25 April 2023, the European Commission has now announced a call for evidence from stakeholders to inform proposed delegated acts on data access mechanisms.Continue Reading Commission Calls for Stakeholder Views on Data Access Mechanism under DSA

In a recent significant judgment1 from the Irish Circuit Court, the judge concluded that “justice is best served” by granting a stay of a data subject’s damages claim pending determination of certain preliminary references currently before the CJEU. The court expressed a view that damages in the case, if awarded, were likely to be small and a stay would not impact the procedural efficiency of the proceedings, but a delay in granting a stay could substantially and unnecessarily increase legal costs for the defendant.Continue Reading “Justice Best Served” – Data Subject Claims Stayed

The Digital Services Act (DSA), a major EU regulation for online content, was signed into law yesterday.

The DSA together with the Digital Markets Act (the DMA) form part of an EU legislative strategy that seeks to create a level playing field for both big and small businesses in the digital world, create a harmonized approach to doing business online and to create a safer environment for users online.

What ‘s new

More particularly, the DSA aims to achieve the following objectives:

  1. Establish a powerful transparency and accountability framework for internet intermediaries:

The DSA will hold intermediaries

Continue Reading Digital Services Act Update

The DPC recently fined WhatsApp €225m for failing to discharge its transparency obligations under the GDPR. The decision will have implications for all businesses, particularly regarding their privacy notices and transparency obligations. The decision sets out the DPC’s high expectations in regard to businesses’ transparency obligations. It also clarifies the relevance of the consolidated turnover of the entire group of companies when calculating both the maximum fining cap, and the appropriate fine to impose.

This publication provides a deep dive into the DPC’s findings and considers their impact on businesses.
Continue Reading WhatsApp decision considers scope of transparency obligations under the GDPR

The European Data Protection Board (EDPB) published its finalised Guidelines on the concepts of controller and processor in the GDPR (07/2020) (Guidelines) in July. These concepts play a crucial role in the application of the GDPR as they determine who is responsible for compliance with GDPR obligations and how data subjects can exercise their data protection rights in practice. In Part I, we outlined some of the key highlights of the Guidelines in respect of the controller and processor concepts. This Part II addresses the key highlights in respect of the joint controller concept and the implications of the joint controller relationship.
Continue Reading EDPB provides guidance on the concepts of controller and processor in the GDPR (Part II)

The European Data Protection Board (EDPB) published its finalised Guidelines on the concepts of controller and processor in the GDPR (07/2020) (Guidelines) in July. These concepts play a crucial role in the application of the GDPR as they determine who is responsible for compliance with GDPR obligations and how data subjects can exercise their data protection rights in practice. In Part I of this blog, we outline some of the key highlights of the Guidelines in respect of the controller and processor concepts and the implications of the controller to processor relationship. Part II will address the key highlights of the Guidelines in respect of joint controllers.
Continue Reading EDPB provides guidance on the concepts of controller and processor in the GDPR (Part I)

The finalised EDPB Guidelines on the concepts of controller and processor (07/2020) in the GDPR were published this week. The Guidelines set out the EDPB’s recommendations on what should be included in data processing contracts between controllers and processors, in order to ensure compliance with Article 28 GDPR. We have set out some key highlights of the Guidelines below.
Continue Reading EDPB provides guidance on requirements of data processing contracts