Support Centre

EU

Summary

Law: General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')

Regulator: The European Data Protection Supervisor ('EDPS') is the European Union's (EU) data protection authority and monitors privacy within EU institutions and bodies. The European Data Protection Board ('EDPB') is an independent European body composed of representatives of the national data protection authorities and the EDPS.

Summary: The GDPR was approved on 24 May 2016 and became applicable in the EU Member States from 25 May 2018. It has since inspired several other privacy laws around the world. The GDPR lays down rules relating to the processing of personal data aimed at protecting natural persons, as well as provisions on the free movement of personal data. The GDPR, although a European regulation has a broad scope of application that imposes direct statutory obligations on data processors and can affect controllers established outside the EU.

The EU has also established further pieces of legislation with substantive importance within the Digital Single Market. In particular, the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive') regulates the processing of personal data and the protection of privacy in the electronic communications sector, with specific reference to, among other things, the regulation of unsolicited communications and cookies and similar technologies. Furthermore, the Directive on Security Network and Information Systems (Directive (EU) 2016/1148) ('the NIS Directive') establishes measures in order to achieve a high network and information systems security level within the EU. Importantly, the Directive on Measures for a High Common Level of Cybersecurity across the Union (Directive (EU) 2022/2555) ('NIS 2 Directive'), was published on 27 December 2022, and will repeal the NIS Directive as of 18 October 2024.

News

Insights

June 2024

EU: Medical Device Regulations and the AI Act – accommodating the overlapping risk-based approaches

We are currently seeing a vast development and deployment of artificial intelligence (AI)-based systems and solutions across sectors and society as a whole. At the time of writing, these deployed AI systems are about to become subject to a detailed and comprehensive regulatory burden in and of itself as the EU is about to roll out its newly finished AI Act.

While the AI Act will introduce new obligations on AI developers and deployers, it should not be forgotten that medical sector technology is already subject to its own rules. Particularly, the EU Medical Devices Regulation (MDR) and In Vitro Diagnostic Medical Devices Regulation (IVDR) have already been established to reform the European medical device (MD) regulatory framework and set high safety and performance standards for medical devices in the EU. As AI is increasingly being deployed in the medical sector, one may ask, how do the sector-agnostic AI Act and the sector-specific MD regulations coincide? Otto Lindholm, Counsel at Dottir Attorneys Ltd, looks at the overlap between the different legislation and provides some key takeaways for navigating these.

May 2024

EU: Overview of the direct marketing rules in the EU - single opt-in, soft opt-in, and double opt-in mechanisms

The legal framework for direct marketing activities is regulated by two main legislations in the EU, namely the General Data Protection Regulation (GDPR) and the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) (the ePrivacy Directive).

The GDPR is the general data protection framework applicable to companies and natural persons established in the EU or who direct their services towards EU citizens. This is an important consideration to make in terms of direct marketing because it includes US companies that are directing services to EU customers and sending marketing emails to EU customers, and that will need to respect the GDPR rules. From a material scope of applicability, the GDPR only applies when processing personal data of natural persons that are identifiable (either directly or indirectly). This means that mailing lists that solely consist of generic professional email addresses are not subject to the strict requirements in the data protection legislation in the EU.

The ePrivacy Directive is the data protection framework applicable in the electronic communications sector. The ePrivacy Directive provides a set of specific rules on data protection in the area of electronic communications, such as on the confidentiality of electronic communications, the treatment of traffic data (including data retention), and rules on spam and cookies.

A proposal for an ePrivacy Regulation was published on January 10, 2017, as the ePrivacy Directive is no longer optimally suited to the fast-changing nature of the electronic communications sectors. However, the discussions on the proposal for an ePrivacy Regulation have been stalled at the Council for almost six years, and it is uncertain whether the proposal will be adopted in the foreseeable future. The ePrivacy Directive, therefore, remains the law of the land, complementing the GDPR. Jolien Clemens, Attorney-at-Law at Timelex, explores the ePrivacy Directive rules and the GDPR as the currently applicable legal frameworks in the context of direct marketing.

May 2024

EU: Assessments under European legislation: GDPR vs. the AI Act

Six years after the go-live of the General Data Protection Regulation (GDPR), covered organizations have gotten very used to Data Protection Impact Assessments (DPIA). Seasoned privacy professionals have definitively been part of many talks about the difference between DPIAs and Privacy Impact Assessments (PIA), and if there is or should be any difference.

In a time when everyone is talking about artificial intelligence (AI) and the upcoming EU AI Act (the AI Act), organizations are turning to privacy experts to see if this new legislative and regulatory focus will lead to a similar level of compliance work (and expense). In particular, they are wondering whether the AI Act's Conformity Assessments (CA) and Fundamental Rights Impact Assessments (FRIA) will find their way into every organization's compliance framework.

In this article, Maarten Stassen, of Crowell & Moring LLP, compares the GDPR's DPIAs with the AI Act's CAs and FRIAs, considering their key practical considerations and impact on organizations.

May 2024

EU: AI and direct marketing

In today's digital age, businesses are constantly seeking innovative ways to connect with their customers and drive growth. One technology that has been making waves in the marketing industry is artificial intelligence (AI). According to the definition laid down in the EU AI Act in the last version available, 'AI system' means 'a machine-based system designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.' Gianluigi Marino and Andrea Cantore, from Osborne Clarke, define AI in marketing and discuss risks and obligations.

April 2024

EU: Mitigating the risks of the EU's high-risk AI systems requirements

In this Insight article, Iain Borner, Chief Executive Officer at The Data Privacy Group, delves into the transformative impact of the EU Artificial Intelligence Act (AI Act), which establishes a regulatory framework aimed at fostering trustworthy artificial intelligence (AI) aligned with European values. With a focus on high-risk AI systems, the AI Act introduces mandatory compliance processes and provisions, setting a precedent for ethical innovation that prioritizes people's rights and safety.

April 2024

International: A comparative analysis of the GDPR and India's DPDPA

In this article, Arun Babu and Gayathri Poti, from Kochhar & Co., delineate the primary disparities between the Digital Personal Data Protection Act (DPDPA) and the General Data Protection Regulation (GDPR) from a business perspective, analyzing the rationale behind these distinctions and their practical implications.

April 2024

EU: New opinion of the EDPB on valid consent in the context of consent or pay models implemented by large online platforms

On April 17, 2024, the European Data Protection Board (EDPB) published the Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms. The supervisory authorities of some EU Member States asked the EDPB to issue this opinion in order to obtain clarity on the circumstances in which consent or pay models for behavioral advertising can be used by large online platforms on the basis of valid consent or under which circumstances valid consent can be given in such cases. According to the supervisory authorities, there is no uniform answer to this question. However, the clarification is particularly relevant for the general application of the principles on the concept of consent. Dr. Carlo Piltz and Alexander Weiss, from Piltz Legal, unpack the opinion, looking specifically at the opinion's implications on both platforms and European legal frameworks.

April 2024

EU: Understanding valid consent in 'consent or pay' models used by large online platforms

On April 17, 2024, the European Data Protection Board (EDPB) published Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms. In this Insight article, OneTrust DataGuidance provides an overview of the opinion.

April 2024

EU: The AI Act - the first regulatory regime for AI across the EU

On March 13, 2024, the European Parliament adopted the European Union's (EU) Regulation laying down harmonized rules on artificial intelligence (AI), commonly known as the Artificial Intelligence Act (the AI Act) (see the European Parliament press release and OneTrust DataGuidance News article). Almost three years after the European Commission's first legislative proposal, and after the EU legislators reached a political agreement on the key aspects of the AI Act in December 2023 in the course of the trilogue following months of negotiations, the world's first comprehensive regulatory framework for AI has officially been approved. 

This Insight article addresses the most important questions as to what companies and other entities should know and consider when conducting any activities involving AI. Valentino Halim, Junior Partner at Oppenhoff & Partner, unpacks the AI Act and provides insight into the scope and key obligations of the new regulatory framework for AI at the EU level. 

April 2024

EU: Navigating the AI Act - a comparative analysis: EU AI Act vs NIST's AI RMF

The first part of this series on the EU's Artificial Intelligence Act (AI Act) explored the covered types of artificial intelligence (AI) and the corresponding obligations of each AI actor. The second part of this series provided a brief explanation of the importance for providers to comprehend and adhere to their obligations. In the third installment, we examined these provider obligations within the broader context of the evolving AI landscape. In the fourth article of this series, Starr Drum, Shareholder at Polsinelli PC, compares the AI Act with the National Institute of Standards and Technology's (NIST) Artificial Intelligence Risk Management Framework (AI RMF 1.0) (AI RMF). Through an exploration of their distinct features and complementary aspects, this article provides essential insights for organizations navigating AI governance.

As the adoption of AI accelerates globally, regulatory and voluntary frameworks play a crucial role in ensuring responsible and trustworthy AI deployment. This comparative analysis of the EU's AI Act against the NIST's AI RMF sheds light on the similarities and differences between these two influential guideposts, providing insights for organizations navigating the complex landscape of AI governance.

March 2024

EU: FAQs on employee DSARs - what you need to know

The right of access is enshrined in Article 15 of the General Data Protection Regulation (GDPR). An employee data subject access request (DSAR) is when an employee asks for all the information relating to them which their employer, as the data controller, holds. In this Insight article, OneTrust DataGuidance asks some key questions on employee DSARs, with answers provided by Laura De and Laura Brodahl, from Wilson Sonsini Goodrich & Rosati, Axel Anderl, from DORDA Rechtsanwälte GmbH, Chantal Van Dam, from Hogan Lovells, and Dr. Jessica Jacobi, from KLIEMT.HR Lawyers.

March 2024

EU: Legal framework for cookies and tracking technologies - anonymization techniques and re-identification threats

Cookies and other tracking technologies are widely used by websites and online services to collect and process personal data of users, such as their preferences, behavior, location, and device information. This data can enable various purposes, such as personalization, analytics, advertising, and security. However, these practices also raise significant privacy and data protection challenges, as users may not be fully aware of or consent to the extent and nature of the data collection and processing and may face difficulties in exercising their rights and choices.

To address these challenges, the EU has adopted two main legal frameworks that regulate the use of cookies and other tracking technologies: the General Data Protection Regulation (GDPR) and the Directive on Privacy and Electronic Communications (the ePrivacy Directive). In this Insight article, Pedro Marques Gaspar, Manager (Digital Regulation) at PwC Spain, discusses the legal framework and best practices for the use of cookies in a privacy-friendly and compliant way.

Company

Our Policies

Your Rights

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
© OneTrust, LLC. All Rights Reserved.
The materials herein are for informational purposes only and do not constitute legal advice.