French data protection authority says it can’t trust top US Internet companies with EU personal data – even if they keep it in the EU

French data protection authority says it can’t trust top US Internet companies with EU personal data – even if they keep it in the EU

CNIL points out that its conclusions apply not only to Microsoft hosting the Health Data Hub, but also to all the other kinds of French health data held on systems run by US companies.

Q&A: EU's top court rules that UK, French and Belgian mass surveillance regimes must respect privacy

Q&A: EU's top court rules that UK, French and Belgian mass surveillance regimes must respect privacy

Now that the CJEU has decided on the application of EU law in relation to bulk data retention and collection, the cases will be sent back to the national courts for a final decision.

EU laws may not require general and indiscriminate data retention

EU laws may not require general and indiscriminate data retention

On the plus side, the CJEU does say that information and evidence obtained as a result of indiscriminate retention of traffic and location data in breach of EU law should be disregarded in court cases.

Top EU court sinks main framework for sending personal data across the Atlantic

Top EU court sinks main framework for sending personal data across the Atlantic

It mostly affects the Internet giants like Facebook, which now seem to have no legal means of transferring EU personal data to the US – neither under Privacy Shield, nor using SCCs. Since the CJEU decision cannot be appealed, that leaves two main ways forward.

The background to EU citizens' court win over US tech giants

The background to EU citizens' court win over US tech giants

June 2018: Schrems files his second case against Facebook Ireland, arguing that the standard contractual clauses and the EU-US Privacy Shield are invalid, as they do not fully protect citizens’ rights.

Top EU court’s advisor: bulk surveillance is “disproportionate”, and national security exemptions do not always apply

Top EU court’s advisor: bulk surveillance is “disproportionate”, and national security exemptions do not always apply

Then, in 2016, the CJEU affirmed that decision by ruling specifically that “EU law precludes national legislation that prescribes general and indiscriminate retention of data,” in what is known as the Tele2 Sverige and Watson judgment.

Why 2020 will be make or break time for transatlantic personal data transfers

Why 2020 will be make or break time for transatlantic personal data transfers

according to the AG [Advocate General] the DPC [data protection commissioner in Ireland] must stop the EU-US data transfers of Facebook, once it took the view that US law violates EU fundamental rights.

Web sites have a problem after top EU court rules that pre-ticked checkboxes for tracking cookies aren’t valid for consent

Web sites have a problem after top EU court rules that pre-ticked checkboxes for tracking cookies aren’t valid for consent

Unfortunately for the online advertising industry, the CJEU begs to differ: In today’s judgment, the Court decides that the consent which a website user must give to the storage of and access to cookies on his or her equipment is not validly constituted by way of a pre-checked checkbox which that user must deselect to refuse his or her consent.

Court confirms that IP addresses are personal data in some cases

Court confirms that IP addresses are personal data in some cases

In particular, the BGH asked the CJEU to determine whether dynamic IP addresses are personal data in the hands of a website operator, if a third party (e.g., an Internet Service Provider (" ISP ")) holds additional information (e.g., account details) that can be used to link those dynamic IP addresses to the identity of the relevant individual.