Regulatory Blog

On 26 October 2023, the Interactive Advertising Bureau, a European association representing digital marketing and advertising companies, released a paper with recommendations for enhancing GDPR enforcement in cross-border cases. This is in response to the European Commission's aim to simplify GDPR enforcement in these cases.

On 12 October 2023, the Data Protection (Adequacy) (United States of America) Regulations 2023 (SI 2023/1028) came into force, with which the UK government adopted an adequacy decision for the US (the UK-US Data Bridge). The UK-US Data Bridge enables UK organisations to freely and securely transfer personal data to certified US companies under the "UK Extension to the EU-US Data Privacy Framework" (UK Extension).

On 27 October 2023, the European Data Protection Board issued an urgent binding decision instructing the Irish Data Protection Authority to take definitive action against Meta Ireland Limited within two weeks and impose a ban on the processing of personal data for behavioural advertising in the European Economic Area based on the lawful bases of contract and legitimate interest.

Meta Platforms Ireland Limited, the parent company of Instagram and Facebook, has introduces its ad-free subscription plans for European users. This move aims to address the regulatory scrutiny received by Meta for alleged data protection violations concerning personalised advertising, which could potentially impact Meta's primary revenue source.

On 19 September 2023, the European Data Protection Board and the European Data Protection Supervisor jointly released an opinion on the European Commission's proposal for a regulation on additional procedural rules for enforcing the General Data Protection Regulation.

On 23 August 2023, the European Data Protection Supervisor (EDPS) issued two opinions regarding proposals aimed at regulating financial and payment services in the European Union, which were issued by the European Commission in June of this year.

On 4 July 2023, the European Court of Justice delivered a significant judgment in Case C-252/21 involving Meta Platforms Ireland, the operator of Facebook in the European Union. The case revolved around the relationship between competition law, particularly an abuse of dominant position, and data protection law, particularly an infringement of the General Data Protection Regulation.

On 4 July 2023, the European Commission proposed new rules to enhance the enforcement of the General Data Protection Regulation (GDPR) in cross-border cases. The suggested GDPR Procedural Regulation aims to streamline cooperation between data protection authorities (DPAs) by harmonising administrative procedures. The proposed regulation introduces robust procedural rules for DPAs when applying the GDPR to cases involving individuals in multiple Member States.

On 10 July 2023, the European Commission adopted the long-awaited adequacy decision for the EU-US Data Privacy Framework, concluding a three-year legal limbo for EU-US data transfers following the invalidation of the previous adequacy decision on the EU-US Privacy Shield by the Court of Justice of the European Union.