On March 26, 2024, the CNIL published the 2024 edition of its Practice Guide for the Security of Personal Data, which is intended to support organizations in their efforts to implement adequate security measures in compliance with their security obligations under the GDPR.
Continue Reading CNIL Publishes Latest Edition of Its Practice Guide for the Security of Personal Data

On March 7, 2024, the Court of Justice of the European Union issued its judgment in the case of Endemol Shine (Case C‑604/22). In this case, the CJEU was called upon to assess whether oral disclosure of information could be considered as processing of personal data under the GDPR and to clarify the relationship between personal data protection and public access to documents.
Continue Reading CJEU Rules That Oral Disclosure May Be Considered as Processing of Personal Data Under the GDPR

On March 7, 2024, the Court of Justice of the European Union issued its judgment in the case of IAB Europe (Case C‑604/22). In this judgment, the CJEU assessed the role of IAB Europe in the processing operations associated with its Transparency and Consent Framework and further developed CJEU case law on the concept of personal data under the GDPR.
Continue Reading CJEU Rules on IAB Europe’s Transparency and Consent Framework

On February 20, 2024, The Centre for Information Policy Leadership at Hunton Andrews Kurth LLP and Theodore Christakis, Professor of International, European and Digital Law at University Grenoble Alpes, released a comprehensive study titled The “Zero Risk” Fallacy: International Data Transfers, Foreign Governments’ Access to Data and the Need for a Risk-Based Approach.
Continue Reading CIPL Publishes The Zero Risk Fallacy Paper

The Centre for Information Policy Leadership at Hunton Andrews Kurth LLP recently published a discussion paper on “Comparison of US State Privacy Laws: Data Protection Assessments.” This blog entry provides a summary of the paper and a link to download a copy of the paper.
Continue Reading CIPL Publishes Discussion Paper on Data Protection Assessment Requirements Under U.S. State Privacy Laws

On December 21, 2023, the Court of Justice of the European Union (“CJEU”) issued its judgment in the case of Krankenversicherung Nordrhein (C-667/21) in which it clarified, among other things, the rules for processing special categories of personal data (hereafter “sensitive personal data”) under Article 9 of the EU General Data Protection Regulation (“GDPR”) and the nature of the compensation owed for damages under Article 82 of the GDPR.Continue Reading CJEU Rules on Processing of Sensitive Data and Compensation Under the GDPR