Search for:

Draft ePrivacy regulation rejected by EU Council committee: In 2020 the EC will have to choose between re-drafting or withdrawal

Last Friday, the Council’s position on a draft ePrivacy Regulation was rejected by the Permanent Representatives Committee of the Council of the European Union (COREPER). This is a significant setback for the European lawmaker, as the ePrivacy Regulation is in the making for many years and should complement the GDPR on crucial topics such as cookies and unsolicited commercial advertising. A revised proposal for the new ePrivacy Regulation was issued by the Finnish presidency for review on 15 November with the aim to get it through to the European Commission meeting of 3 December 2019. However, too many Member State representatives have rejected the proposal. In 2020, the Commission, under respectively Croatian and German presidency, will have the choice to either withdraw the entire proposal, or to re-draft the proposal in a new attempt to get sufficient support for is. In practice this means that the rules in the EU around cookies and spam will remain a patchwork of national laws implementing the ePrivacy directive and that companies will have to check their compliance on a country-by-country basis.

More information available here.

Dutch DPA publishes its policy and enforcement policy 2020-2023

The Dutch Data Protection Authority (Dutch DPA) recently announced their focus areas for the coming years, being: (1) data trading, (2) digital government and (3) artificial intelligence & algorithms. According to the Dutch DPA, the data privacy expectations are strongly influenced by the continued growth of the data society and the increase in data imbalance, digital injustice and the privacy awareness of users and the greater public. The Dutch DPA concludes stating that the protection of personal data is essential to our digital society, and that this has driven the selection of their three focus areas mentioned above.

More information can be found here (available in Dutch).

Pre-ticked checkbox is no valid consent for the use of cookies

The Court of Justice (CJEU) has recently ruled in the Planet49 case that pre-ticked checkboxes allowing the use of cookies and similar technologies does not constitute valid consent under the GDPR and the ePrivacy Regulation. Consent, e.g. for the use of cookies, requires a freely given, specific, informed and unambiguous indication of the data subject. Moreover, consent giving should be a clear affirmative act of the website user, rather than passive behaviour, or just inactivity. The CJEU judgement is clear that permission given in the form of a pre-ticked checkbox does not qualify as valid consent.

This applies, among other, to consent for the use of cookies and similar technologies, regardless whether this encompasses the processing of personal data. Finally, the CJEU emphasized again the importance of transparency and that website users have to be informed about the usage and duration of the cookies, and whether and how the collected data are shared with third parties.

Case available here.

Use of automated communication systems in violation of the GDPR

Recently, the Subdistrict Court ruled that the Dutch Employee Insurance Agency (UWV) acted in violation of the GDPR by sending automated communications to an employee’s new employer, concerning the employee’s continued state of sickness and a related obligation to apply for statutory sickness benefits. The employee suffered from a long period of sickness during her prior employment relationship. She had not, however, been in any state of sickness under her current employment. UWV failed to verify with the employee and instead relied on its internal systems which still indicated that the employee was sick. As a result, UWV shared sensitive personal data concerning the employee with her new employer, without any reasonable need for doing so. The Court ruled that UWV had to compensate for the employee’s damages. Noteworthy is that the amount of the damages awarded was very low and limited to € 250 only.

Cloud storage of patient data reviewed by Dutch DPA — and found GDPR compliant

The Dutch Data Protection Authority (Dutch DPA) has recently investigated the data processing operations of MRDM, a third party IT Services provider which collects, processes and distributes individual patient-identifiable medical data and information for a number of hospitals in the Netherlands. The Dutch DPA has conducted an explorative inquiry regarding the storage, by MRDM’s sub-processor, of patient data in the cloud. However, after having reviewed the standard operating procedures, the sub-processing agreements and having investigated the technical and organizational security measures, the Dutch DPA has decided not to commence a regulatory investigation into this matter. As the Dutch DPA is generally thorough in its reviews, this decision to not take further (enforcement) steps is a meaningful sign that GDPR compliance can be achieved in respect of cloud-based processing of patient data.

For actors such as hospitals, research institutions and other players in the healthcare sector, and their technology suppliers, the outcome of the DPA’s exploration provides at least some comfort and guidance.

The notice of the Dutch DPA can be found here (available in Dutch).

GDPR Enforcement Tracker

Being half way the second year of GDPR, most of the national Data Protection Authorities in Europe have shed light on their enforcement priorities and communicated their sanctioning approaches and policies. In the meantime, a number of GDPR related enforcement actions have been issued across Europe, varying form a few hundred Euros (issued in Germany against an individual), up to 50 million Euros (issued in France against a technology company).

During our Ahead of Privacy event earlier this year, we launched the first version of our GDPR Enforcement Tracker that has now been added to our Global Knowledge Management solution. The updated Tracker provides a comprehensive overview of the EU enforcement actions since the introduction of the GDPR in May 2018.

Obviously, data privacy goes beyond the GDPR and its national implementation, with the ePrivacy/Cookie Directive as the most obvious example for Europe. Let alone the upcoming regulations in California (CCPA), Brazil (LGPD) and other geographies. The current version of our Enforcement Tracker looks through the European privacy lens. It also covers, beside the GDPR enforcement actions, relevant cases sanctioned under other regimes, such as ePrivacy, Cookie, competition or other laws we deem relevant in the privacy context.

Our GDPR Enforcement Tracker can be found here.

If you wish to know more about this update, or discuss other data privacy topics, feel free to contact the Amsterdam Privacy Team.



Wouter Seinen is a partner in the Firm's IP/IT & Commercial Practice Group in Amsterdam. He has significant experience in assisting national and international clients with respect to issues concerning ownership and protection of electronic data. Seinen has a particular interest in all internet-related issues on the subject of intellectual property rights. Moreover, he has a record in IT and outsourcing transactions, with a particular focus on business process outsourcing. He is also a keen negotiator and litigator.


Remke Scheepstra joined Baker McKenzie as an associate in 2000, and has since been part of the Firm’s Amsterdam Labor Law practice group. She is also a member of the firm’s European Labor Practice Group. She has authored or co-authored several articles on labor and privacy issues.