
EU

Summary

Law: General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')

Regulator: The European Data Protection Supervisor ('EDPS') is the European Union's (EU) data protection authority and monitors privacy within EU institutions and bodies. The European Data Protection Board ('EDPB') is an independent European body composed of representatives of the national data protection authorities and the EDPS.

Summary: The GDPR was approved on 24 May 2016 and became applicable in the EU Member States from 25 May 2018. It has since inspired several other privacy laws around the world. The GDPR lays down rules relating to the processing of personal data aimed at protecting natural persons, as well as provisions on the free movement of personal data. The GDPR, although a European regulation, has a broad scope of application that imposes direct statutory obligations on data processors and can affect controllers established outside the EU.

The EU has also established further pieces of legislation with substantive importance within the Digital Single Market. In particular, the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive') regulates the processing of personal data and the protection of privacy in the electronic communications sector, with specific reference to, among other things, the regulation of unsolicited communications and cookies and similar technologies. Furthermore, the Directive on Security of Network and Information Systems (Directive (EU) 2016/1148) ('the NIS Directive') establishes measures in order to achieve a high level of network and information systems security within the EU. Importantly, the Directive on Measures for a High Common Level of Cybersecurity across the Union (Directive (EU) 2022/2555) ('NIS 2 Directive') was published on 27 December 2022, and will repeal the NIS Directive as of 18 October 2024.

Insights

In this article, Arun Babu and Gayathri Poti, from Kochhar & Co., delineate the primary disparities between the Digital Personal Data Protection Act (DPDPA) and the General Data Protection Regulation (GDPR) from a business perspective, analyzing the rationale behind these distinctions and their practical implications.

On April 17, 2024, the European Data Protection Board (EDPB) published Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms. The supervisory authorities of some EU Member States asked the EDPB to issue this opinion in order to obtain clarity on the circumstances in which consent or pay models for behavioral advertising can be used by large online platforms on the basis of valid consent, or under which circumstances valid consent can be given in such cases. According to the supervisory authorities, there is no uniform answer to this question. However, the clarification is particularly relevant for the general application of the principles on the concept of consent. Dr. Carlo Piltz and Alexander Weiss, from Piltz Legal, unpack the opinion, looking specifically at the opinion's implications for both platforms and European legal frameworks.

On April 17, 2024, the European Data Protection Board (EDPB) published Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms. In this Insight article, OneTrust DataGuidance provides an overview of the opinion.

On March 13, 2024, the European Parliament adopted the European Union's (EU) Regulation laying down harmonized rules on artificial intelligence (AI), commonly known as the Artificial Intelligence Act (the AI Act) (see the European Parliament press release and OneTrust DataGuidance News article). Almost three years after the European Commission's first legislative proposal, and after the EU legislators reached a political agreement on the key aspects of the AI Act in December 2023 in the course of the trilogue following months of negotiations, the world's first comprehensive regulatory framework for AI has officially been approved. 

This Insight article addresses the most important questions as to what companies and other entities should know and consider when conducting any activities involving AI. Valentino Halim, Junior Partner at Oppenhoff & Partner, unpacks the AI Act and provides insight into the scope and key obligations of the new regulatory framework for AI at the EU level. 

The right of access is enshrined in Article 15 of the General Data Protection Regulation (GDPR). An employee data subject access request (DSAR) is when an employee asks for all the information relating to them which their employer, as the data controller, holds. In this Insight article, OneTrust DataGuidance asks some key questions on employee DSARs, with answers provided by Laura De and Laura Brodahl, from Wilson Sonsini Goodrich & Rosati, Axel Anderl, from DORDA Rechtsanwälte GmbH, Chantal Van Dam, from Hogan Lovells, and Dr. Jessica Jacobi, from KLIEMT.HR Lawyers.

Cookies and other tracking technologies are widely used by websites and online services to collect and process personal data of users, such as their preferences, behavior, location, and device information. This data can enable various purposes, such as personalization, analytics, advertising, and security. However, these practices also raise significant privacy and data protection challenges, as users may not be fully aware of or consent to the extent and nature of the data collection and processing and may face difficulties in exercising their rights and choices.

To address these challenges, the EU has adopted two main legal frameworks that regulate the use of cookies and other tracking technologies: the General Data Protection Regulation (GDPR) and the Directive on Privacy and Electronic Communications (the ePrivacy Directive). In this Insight article, Pedro Marques Gaspar, Manager (Digital Regulation) at PwC Spain, discusses the legal framework and best practices for the use of cookies in a privacy-friendly and compliant way.

Timea Bana, Partner at Dentons, explores the evolving landscape of data protection in the digital age, delving into the significance of European Data Protection Board (EDPB) guidelines to navigate complexities arising from technological advancements, offering clarity for entities such as online advertisers and businesses engaged in digital services.

On January 11, 2024, the European Commission issued a press release marking the entry into force of the Regulation on Harmonised Rules on Fair Access to and Use of Data (the Data Act) on the same date, as part of the European Union's (EU) digital strategy. The Data Act aims to facilitate the exchange of data and will become applicable in 20 months, on September 12, 2025. OneTrust DataGuidance Research gives an overview of the Data Act, with further insights provided by Wim Nauwelaerts, Partner at Alston & Bird. 

On February 13, 2024, the European Data Protection Board (EDPB) published its Opinion on the notion of the main establishment of a controller in the EU under the General Data Protection Regulation (GDPR) (the Opinion). OneTrust DataGuidance Research breaks down the Opinion with expert comments from Philip James and Anna Allen, from Eversheds Sutherland's Global Privacy & Cybersecurity Group.

In today's rapidly evolving digital landscape, the EU stands at the forefront of introducing comprehensive digital and data-related legislation. The EU's intentions are to balance the interests of the data economy, promote fair competition, and protect the rights of individuals. In this article, Theresa Ehlen, Philipp Roos, and John-Markus Maddaloni, from Freshfields Bruckhaus Deringer, delve into the practical implementation of the EU rules for the data and digital landscape.

Understanding the obligations inherent under the EU Artificial Intelligence Act (the AI Act) is paramount for users and other actors navigating this dynamic landscape.

The AI Act predominantly imposes obligations on 'providers' (developers) rather than on 'users' (deployers) of high-risk artificial intelligence (AI) systems. While some of the risk posed by the systems listed in Annex III comes from how they are designed, significant risks stem from how they are used. This means that providers cannot comprehensively assess the full potential impact of a high-risk AI system during the conformity assessment, and therefore that users must have obligations to uphold fundamental rights as well. The first part of this series on the AI Act explored what types of AI are covered and what obligations are applicable to each AI actor. The second part of this series offered a brief explanation of the profound importance of providers comprehending and adhering to the provider obligations. In the third and final article of this series, Sean Musch and Michael Charles Borrelli, from AI & Partners, and Charles Kerrigan, from CMS UK, explore the significance of comprehending these provider obligations and place them in the broader context of the ever-evolving AI terrain.

The EU Artificial Intelligence Act (AI Act) is part of the overarching EU Digital Strategy. The strategy 'focuses on putting people first in developing technology, and defending and promoting European values and rights in the digital world.'1

On December 8, 2023, after an extensive discussion that lasted several days and was preceded by months of intense negotiations, the EU Parliament, Council, and Commission announced that they had reached a provisional agreement on the AI Act. 

This is not the end of the legislative process since this is only a political agreement, and for the AI Act to become EU legislation both the Parliament and Council are required to formally adopt the same. A reasonable forecast is that enactment will take place by the end of 2024, but it remains to be seen how discussions will proceed. These discussions will be focused on the actual text of the AI Act, which may be different from the text that is available today. In this Insight article, Francesca Gaudino, from Baker & McKenzie LLP, comments on the current text of the AI Act, which may be amended upon formal adoption by the Parliament and Council. 
