AUTHOR ARCHIVES: Daniel Felz

Daniel Felz

Daniel Felz is an associate in the firm’s Litigation & Trial Practice Group. Daniel focuses his practice on international litigation, trade and regulation, with particular emphasis on multijurisdictional litigation, complex transactions and class actions. Read more→

Google-Style GDPR Fines for Everyone? Bavarian DPA Conducts Website Cookie Practices Sweep, Announces Fines under Consideration

Posted on: 06 Feb 2019

As has been widely reported, in late January the French privacy supervisor CNIL fined Google €50 million for privacy violations relating to targeted marketing using Android user data.  One of the core violations the CNIL found was that Google’s Android user interface did not obtain effective, GDPR-compliant consent to targeted marketing from users.  The amount of the Google fine startled many companies, but with time the shock faded.  Google was seen as a special case, and a number of companies began to presume that, while scrutiny of targeted online marketing may pick up, “we’re not […] Read more

German DPA Announces GDPR Compliance Survey of Large Companies – Translation Provided

Posted on: 02 Jul 2018

Following a two-year grace period, EU General Data Protection Regulation (GDPR) entered into force on May 25, 2018.  For many companies, preparing for the GDPR was a multi-year project involving multiple teams and input or assistance from across the organization.  On this blog, we have outlined the items we have seen as particularly time- or resource-intensive. On June 29, 2018, the Data Protection Authority (DPA) of the German state of Lower Saxony (Niedersachsen) announced it would be surveying GDPR compliance among companies under its jurisdiction.  Germany has 16 state-run DPAs with general […] Read more

German DPAs Issue DPIA Blacklists; Many Companies Likely to be Affected

Posted on: 30 May 2018

The GDPR entered into force on May 25, 2018.  One of the GDPR’s core going-forward obligations is the duty to conduct Data Protection Impact Assessments (DPIAs) over processing activities that create a “high risk” to individuals’ privacy.  DPIAs constitute an important aspect of GDPR compliance, as they arguably replace the notifications of processing systems and activities to European Data Protection Authorities (DPAs) which pre-GDPR privacy law often obligated companies to make.  Instead of notifying DPAs, the GDPR now requires companies to internally conduct DPIAs that document “high […] Read more

On GDPR Day, Austrian DPA issues First Binding DPIA Whitelist

Posted on: 28 May 2018

The GDPR entered into force on May 25, 2018.  One of the GDPR’s core going-forward obligations is the duty to conduct Data Protection Impact Assessments (DPIAs) over processing activities that create a “high risk” to individuals’ privacy.  DPIAs constitute an important aspect of GDPR compliance, as they arguably replace the notifications of processing systems and activities to European Data Protection Authorities (DPAs) which pre-GDPR privacy law often obligated companies to make.  Instead of notifying DPAs, the GDPR now requires companies to internally conduct DPIAs that document “high […] Read more

Belgian Court Uses Novel Argument to Assume International Jurisdiction over Non-EU Facebook Entities

Posted on: 21 Mar 2018

On February 16, 2018, the Brussels Court of First Instance rendered a judgment in proceedings brought by the Belgian Privacy Commission’s against Facebook. The case forms one part of two-tiered litigation brought by the Commission in regards to alleged monitoring practices vis-à-vis Belgian internet users. In parallel to the proceedings that resulted in the judgment cited above, the Belgian Privacy Commission had also initiated a procedure referred to as “summary proceedings” against Facebook – and Facebook defeated the Privacy Commission’s claim before the Brussels Court of Appeal in […] Read more

German DPAs Publish Model GDPR Processing Records – Translations Provided

Posted on: 26 Feb 2018

In just under 100 days, the EU General Data Protection Regulation (GDPR) enters into force. One of the major changes the GDPR introduces is a duty for in-scope controllers and processors to maintain written records of their processing activities.  Under Article 30 GDPR, companies will need to inventory all “processing activities under [their] responsibility” and memorialize them in a written record setting forth, inter alia, the purposes of processing operations, international transfers, and retention periods. Article 30 GDPR thus creates a new kind of documentation obligation.  This obligation […] Read more

100 Days Until GDPR Effective Date – Sharing Our GDPR Experience

Posted on: 14 Feb 2018

In less than 100 days, the General Data Protection Regulation (GDPR) will go into effect. This means that as of May 25, 2018, each national Supervisory Authority will have the authority to apply and enforce the GDPR. The GDPR raises the bar in terms of requirements substantially higher than the Data Protection Framework Directive. For instance, it recognizes new rights for data subjects (e.g. right to be forgotten and right to data portability), introduces data breach notification requirements, introduces the concept of a Data Protection Officer, and brings enhanced accountability obligations. Given […] Read more

ECJ Rules against Schrems Class Action, Sets Up Jurisdictional Questions for GDPR Class Actions

Posted on: 30 Jan 2018

In late 2015, the European Court of Justice (ECJ) issued its initial Schrems decision, invalidating the EU/US Safe Harbor and leading to important developments in the rules for transferring personal data from the EU to the US.  Since that decision, Mr. Schrems has pursued two further legal proceedings in the EU. The first involves Mr. Schrems’ challenge in the Irish courts to EU Standard Contractual Clauses, which permit data to be transferred internationally between contract parties.  In the trial,  Alston & Bird Special Counsel Peter Swire testified as an expert on US national […] Read more

ePrivacy Regulation Trilogue Negotiations Pushed back to Fall 2018; Final ePrivacy Regulation may not be in Place until 2020

Posted on: 11 Jan 2018

About this time last January, the European Parliament released its proposal for a new ePrivacy Regulation.  The intent of the ePrivacy Regulation is to replace the current ePrivacy regime – which consists of an ePrivacy Directive and a patchwork of local implementing legislation – with a uniform set of directly-applicable EU-wide rules.  Since the Parliament released its ePrivacy Regulation draft, both the European Council and the European Parliament have reviewed it and released their own revised drafts. The ePrivacy Regulation contains a number of important rules for companies.  Traditionally, […] Read more

Challenge to Privacy Shield Dismissed by EU General Court

Posted on: 29 Nov 2017

In October of last year, we reported that digital rights advocacy group Digital Rights Ireland (“DRI”) had brought an action to annul the EU-U.S. Privacy Shield.  DRI filed its challenge before the General Court of the European Union, which is the court of first instance in the EU system with exclusive jurisdiction over challenges to the validity of EU legal acts.  Last week, the General Court dismissed DRI’s challenge, meaning that Privacy Shield remains valid and in force. DRI based its Privacy Shield suit on Article 263 of the Treaty on the Functioning of the European Union (TFEU), […] Read more