On December 22, 2022, France’s National Commission for Technology and Freedoms (“CNIL”) fined Microsoft’s Irish subsidiary 60 million euro for failure to comply with Article 82 of the French Data Protection Law (known as the “Loi Informatique et Libertés”). Article 82 is France’s implementation of the EU’s ePrivacy Directive, and it generally requires that any
EU Regulation
European Court Puts the Brakes on AML Directive: Public Access to Beneficial Ownership Database Violates European Privacy Laws

Ruling Could Influence FinCEN in Forthcoming Regulations Under the CTA
On November 22nd, an appeals court in Luxembourg issued a decision that highlights the tensions between anti-money laundering (“AML”) goals and privacy concerns, and could impact impending beneficial ownership regulations to be issued under the U.S. Corporate Transparency Act (“CTA”). Specifically, the appeals court decided…
The European Commission’s Adoption of New SCCs
On June 4, 2021, the European Commission adopted an updated and long-awaited set of standard contractual clauses (SCCs) for the international transfer of personal data. The previous SCCs were created prior to the implementation of the EU General Data Protection Regulation (GDPR) and required substantive revisions to bring them in line with the GDPR and the Court of Justice of the European Union’s July 2020 Schrems II decision (previously covered here).
Privacy Shield Invalidated by the European Court of Justice
On July 16, 2020, the European Court of Justice (Court) ruled in the “Schrems II” case that one of the most commonly used cross-border data transfer mechanisms between the European Union (EU) and the United States (US), the EU-US Privacy Shield Framework (Privacy Shield), has been invalidated. The Court reasoned that when transferring…
Making Sense of EU Cookie Law in the Wake of CJEU’s Planet49 Ruling
The perplexing question of what U.S. companies must do to comply with EU “cookie” law became slightly more clear with the recent decision of the European Court of Justice (CJEU) in Planet49 GmbH, but numerous questions still remain. A main source of confusion about cookies is the interplay between two EU privacy laws, the…
Cookie Audit from Bavarian Data Protection Authority May Serve As GDPR Warning
Following numerous privacy complaints, the State Office for Data Protection Supervision (BayLDA) recently conducted a random audit on 40 companies and found widespread problems with their cookie disclosures. The purpose of the audit was to determine whether website users were able to obtain transparent information regarding the use and tracking of their information by third-party…
The Differing US and EU Regulatory Responses to the Rise in Algorithmic Profiling
The online world is increasingly shaped by forces beyond our control. Algorithmic processing agents are used by a wide range of web publishers, online retailers and social media companies to determine the kinds of stories that are featured to online readers, the advertisements that are targeted to online shoppers, and the search results they see,…
Using the GDPR to Comply with the California Consumer Privacy Act
Just as many US businesses were scrambling to meet GDPR compliance, California quickly passed a broad new privacy act, giving businesses another privacy compliance headache. We’ve previously blogged on the dramatic history behind the eleventh-hour passage of the California Consumer Privacy Act (CCPA), so we won’t rehash that story here. Instead, the focus of this post will be on the overlap between the CCPA and the GDPR. …
GDPR is Now Effective – How Will Regulators Enforce It?
What happened?
Today the EU General Data Protection Regulation (GDPR) goes into effect, ending the data protection landscape as we know it. This comprehensive privacy law applies directly to the 28 EU countries and companies established in or doing business in those countries. Unlike its predecessor, the GDPR applies to companies established outside of the EU that offer goods or services to individuals in the EU or monitor the behavior of individuals in the EU, such as through the use of cookies. The GDPR imposes a number of new requirements on companies and raises the stakes by imposing potential maximum fines up to 4% of worldwide revenue.
ACC Foundation: State of Cybersecurity Webcast
The ACC Foundation will be hosting a webcast on April 18, 2018 at 12:00 EDT to discuss the preliminary results of the Foundation’s State of Cybersecurity Report. This is the second Report of its kind that the ACC Foundation has published. You can sign up for the webcast here.
The Report surveyed 600 in-house…