Author Archives: Daniel Felz

Daniel Felz
Daniel Felz is an associate in the firm’s Litigation & Trial Practice Group. Daniel focuses his practice on international litigation, trade and regulation, with particular emphasis on multijurisdictional litigation, complex transactions and class actions.  Read More

Germany Proposes Bill Requiring Social Network Takedowns – with € 50 Million Fines

Written by
Recent media reports indicated that Germany was considering legislation that would fine social networks for failing to combat fake news and hate speech.  Today, German Justice Minister Heiko Maas introduced a “Draft Law to Improve Law Enforcement in Social Networks” (abbreviated as the Network Enforcement Act (Netzwerkdurchsetzungsgesetz), or “NetzDG”).  The NetzDG aims to curb “hate-based criminality” in large social networks that have the potential to drive public opinion, and to improve law enforcement access to evidence held by social networks.  The Justice Department’s NetzDG [...] Read more

Spanish Ministry of Justice Launches Public Consultation on GDPR

Written by and
On February 7, 2017, the Spanish Ministry of Justice launched a public consultation as a preliminary step before the drafting of a new bill implementing the General Data Protection Regulation (“GDPR”).  The press release clarifies that although the GDPR has direct effect in the European Member States, its implementation into Spanish law is not a straightforward exercise because (i) the obligations in existing data protection legislation need to be maintained or amended (as the case may be), and (ii) other sector specific laws containing provisions on data protection need to be updated.  A [...] Read more

WP29 Releases Extensive Guidance on DPO Obligations; Companies Need to Start Planning Now

Written by
Late last week, the Article 29 Working Party (“WP29”) issued detailed guidance on companies’ obligations under three key provisions of the General Data Protection Regulation (GDPR).  This is part one of a three-part Alston & Bird series evaluating WP29's positions, and relates to Data Protection Officer obligations under the GDPR.  Part 2 deals with the Right to Data Portability, while Part 3 analyzes guidance on the Lead Supervisory Authority mechanism. The GDPR mandates that companies appoint a Data Protection Officer (DPO) in certain circumstances.  DPOs have been a fixture [...] Read more

EU Releases Amendments to Model Clause and Country-Whitelisting Decisions – with Good News for Companies

Written by
Most privacy professionals are familiar with the European Court of Justice’s 2015 Schrems decision, which struck down the US-EU Safe Harbor mechanism.  One lesser-discussed aspect of the ECJ’s decision related to the powers of Data Protection Authorities (DPAs) within the EU’s Member States.  In the Schrems proceedings, the Irish Data Protection Commission argued that it had no authority to suspend or restrict transfers based on Safe Harbor because Safe Harbor was a decision by the EU Commission.  The ECJ rejected this argument, holding that the Commission cannot restrict DPAs’ ability [...] Read more

German DPAs to Survey Transfers in 500 Companies – with English Translation of DPA Questionnaire

Written by
Late last week, 10 of Germany’s 17 Data Protection Authorities (DPAs) announced they are planning to send written questionnaires to approximately 500 different companies regarding international data transfers.  The following provides a brief overview of the situation, as well as an English translation of the questionnaire, for companies who are potentially affected. This summary refers to the German DPA questionnaire as a “survey.”  In press releases and interviews, the German DPAs have been careful to state that the questionnaire is not an audit or enforcement action.  Additionally, [...] Read more

ECJ Declares IP Addresses are Personal Data

Written by
Today, the European Court of Justice (ECJ) issued its long-awaited decision in Breyer v. Germany.  Breyer addresses the question of whether IP addresses are “personal data” for purposes of EU data protection law.  As is widely known, personal data is any information that would permit a particular individual to be identified, whether directly or in combination with other information.  Until the present, there has been widespread agreement that static IP addresses are personal data.  In contrast, there has been little agreement on whether dynamic IP addresses constitute personal data.  While [...] Read more

German DPA Publishes First Privacy Shield Guidelines, Requires German-Law Contracts for Transfers

Written by
On June 7, 2016, the European Commission adopted the US-EU Privacy Shield.  Companies that self-certify under Privacy Shield with the US Department of Commerce – dubbed “Privacy Shield organizations” – are thus officially recognized by the EU as providing an adequate level of protection for data transferred from the EU.  As a result, Privacy Shield organizations may in principle freely receive transfers of personal data from the EU.  (For more information on Privacy Shield, visit our Privacy Shield FAQs.) One question that many organizations had following Privacy Shield’s adoption [...] Read more

Austrian Supreme Court Refers Schrems Consumer Class Action to ECJ

Written by
Just under a year ago today, the European Court of Justice (ECJ) issued its Schrems decision, which invalidated Safe Harbor and led to substantial developments in US-EU data-transfer mechanisms.  In parallel to the ECJ Safe Harbor litigation, Mr. Schrems has maintained two further legal proceedings in the EU: (1) a challenge in the Irish courts to EU Standard Contractual Clauses, which permit data to be transferred internationally between contract parties; and (2) an attempt to certify an EU-wide consumer class action before the Austrian courts. Today, the Austrian Supreme Court took a major [...] Read more

German DPAs to Create Model Processing Records for GDPR Compliance

Written by
On May 25, 2018, the EU General Data Protection Regulation (GDPR) enters into force.  One of the major changes the GDPR introduces is a duty for in-scope controllers and processors to maintain written records of processing activities.  Under Article 30 GDPR, companies will need to inventory all “processing activities under [their] responsibility” and memorialize them in a written record setting forth, inter alia, the purposes of processing operations, international transfers, and retention periods.  Companies must provide their processing records (sometimes informally referred to as a “processing [...] Read more

Department of Commerce Announces First Privacy Shield Participants

Written by
Over the weekend, the Department of Commerce’s Privacy Shield website was updated to show the first participants in the U.S.-EU Privacy Shield.  In total, about 45 companies have registered for Privacy Shield.  Prominent examples include Microsoft Corp. (along with 20 subsidiaries), Salesforce, and corporate-travel giant World Travel, Inc. Companies with questions about Privacy Shield are welcomed to visit our detailed Privacy Shield FAQs. Alston & Bird is closely following the development of Privacy Shield and advising companies on all aspects of EU data protection compliance.  [...] Read more