Data Protection

12 Mar 2024

Privacy Boundaries: The Ronos Case and Implications for Antitrust Enforcement

Instead of Introduction: The Court of Justice of the European Union (“CJEU”) opened proceedings in Case C-619/23, Ronos, following a request for a preliminary ruling by the Administrative Court of Sofia District – Bulgaria (“Court”). The Court requested an interpretation of the scope of the powers of the Bulgarian antitrust authority (“CPC”) to seize conversations from a private mobile device during dawn raids carried out at the premises of undertakings investigated for alleged cartel infringements. This request for a preliminary ruling on how EU law interacts with guarantees of basic human rights established in the Bulgarian Constitution gives the European […]

06 Mar 2024

Navigating GDPR Compliance: Analysis of Article 30 and the Record of Processing Activities (ROPA)

Introduction: In the contemporary legal landscape, data privacy stands as a paramount concern, with the General Data Protection Regulation (GDPR) serving as the cornerstone legislation governing the processing of personal data within the European Union (EU) and beyond. Article 30 of the GDPR imposes a pivotal obligation on data controllers and processors to maintain a meticulous Record of Processing Activities (ROPA). This article endeavors to elucidate the intricacies surrounding Article 30, offering practical insights and dissecting the evolving practices of Data Privacy Authorities concerning ROPA compliance. Understanding Article 30 of GDPR: GDPR Recital 82 states: “In order to demonstrate compliance […]

01 Aug 2023

EU-U.S. Data Privacy Framework: A New Adequacy Decision for Transatlantic Data Flows

On July 10, 2023, the European Commission (“Commission”) adopted its adequacy decision for the EU-U.S. Data Privacy Framework (“DPF”). The decision concludes that the United States (“US”) ensures an adequate level of data protection – comparable to that of the European Union (“EU”). What does this mean for EU Individuals and Businesses? The much-anticipated decision brings a conclusive resolution to the legal uncertainties surrounding the export of EU users’ data by US companies, an issue that has troubled thousands of businesses in recent years. The General Data Protection Regulation (“GDPR”) empowers the Commission to determine, through an implementing act, whether […]

07 Jul 2023

Data Protection and Dominant Market Positions: Court Ruling Explores GDPR Compliance

On July 4, 2023, the Court of Justice of the European Union (“CJEU”) pronounced a momentous judgment in Meta Platforms and Others. For the first time, the CJEU ruled that national competition authorities may determine GDPR infringements when examining an abuse of a dominant position. The CJEU’s decision clarifies the relationship between the General Data Protection Regulation (“GDPR”) and EU competition law, establishing that they can coexist and complement each other without conflict. The case centered on Meta Platforms Ireland, which runs Facebook in the EU. The ruling has its roots in a decision issued by Germany’s antitrust regulator, the […]

05 Jul 2023

Enhancing Cross-Border Cooperation: A Proposed Regulation to Strengthen Data Protection Enforcement under the GDPR

On July 4, the EU Commission introduced a new Procedural Regulation aimed at enhancing cooperation among data protection authorities (“DPAs”) when enforcing the General Data Protection Regulation (“GDPR”) in cross-border cases. The Procedural Regulation focuses on establishing clear guidelines for DPAs handling cases involving individuals in multiple Member States without impacting any substantial elements of the GDPR, including the rights of data subjects, obligations of data controllers and processors, or the lawful grounds for processing personal data. A notable aspect of the Procedural Regulation is a provision that mandates the lead DPA to share a “summary of key issues” with […]

22 Jun 2023

Who’s Responsible? Addressing Liability in the Age of AI

In the realm of modern technology, the association with Artificial Intelligence (AI) has become increasingly present.  AI has reached various segments of human activity, both private and business.  However, like any innovation or human creation, AI is imperfect and carries inherent risks.  It is susceptible to biases, errors, security breaches, and a growing level of autonomy, all of which entail potential liabilities associated with artificial intelligence. Consider the scenario of an autonomous vehicle causing an accident.  Who should bear responsibility in such a case?  Likewise, if an AI-powered medical diagnosis tool misdiagnoses a patient, who should be held accountable – […]

26 May 2023

AI & Data Protection: Is GDPR Ready for Retirement?

I. Strengths of the GDPR: The General Data Protection Regulation (“GDPR”), implemented in 2018, has played a vital role in safeguarding personal data in the era of information and communications technologies (“ICT”). As AI technologies continue to advance rapidly, questions arise regarding the effectiveness and adaptability of GDPR in addressing the evolving challenges of data protection. This article examines whether GDPR is ready for retirement or if it requires updates to address AI-related data protection concerns effectively. Namely, Artificial Intelligence (AI) is defined as a methodology used in machine learning to determine which one of several used models has the […]

15 May 2023

Branko Gabrić Participates in SEE Data Protection Congress

Last week, Branko Gabrić, our counsel, had the honor of being invited to speak at the South-East European Data Protection Congress in Belgrade.  The congress was held to establish a forum for data protection professionals to facilitate the exchange of ideas, opinions, updates, experiences, and the application of best practices, ultimately boosting the data protection scene in the region. Branko participated in the central panel on the first day of the conference, which focused on “Transparency – Can Organizations Ever be Too Transparent?”.  Alongside him were Boško Vojkić, Director of Data Protection at Ergomed PLC; Stevan Stanojević, founder of PrivacyOneStop; […]

23 Dec 2022

European Court of Justice: Public Registries are too Public

The Judgment of the European Court of Justice (“ECJ”) from November this year raised the issue of compatibility of proclaimed fundamental human rights with public registers of ultimate beneficial owners available to all interested parties (“Judgment”). According to the Fourth Anti-Money Laundering and Terrorist Financing Directive (the “Fourth AML Directive”), all European Union member states were obliged to make public the registers of beneficial owners of companies operating in their countries so that they can be accessed by any person who has a “legitimate interest.” Accordingly, in 2019, Luxembourg passed a law confirming this directive. It established a register of ultimate […]

28 Jul 2022

The Personal Data Protection Act Revisited

Although the Personal Data Protection Act (“Act”) has been in effect for four years, it seems that its provisions have not yet been fully implemented in practice, nor have all companies in Serbia fully adapted to them. Non-compliance with the obligations prescribed by the Act especially starts hurting when inspections are carried out by the Commissioner, and a new round is being announced. So, let’s take a moment to revise what companies should pay attention to when it comes to complying with the Act. Back to basics: The general obligations of companies are contained in the principles of the Act. […]

06 Sep 2021

Irish watchdog issues record fine in WhatsApp data protection ruling

The Irish Data Protection Commission (“DPC”) fined Facebook’s WhatsApp EUR 225 million in its latest EU data protection ruling. The fine is the second largest of its kind in the EU. So far, only Amazon paid more in a privacy case in the EU. The DPC said in its ruling on September 2 that WhatsApp’s policies were not in line with the EU’s General Data Protection Regulation (“GDPR”), noting it registered breaches of Article 5(1)(a) as well as Articles 12 through 14. The breaches particularly include the provision of information and the transparency of that information to both users […]

23 Aug 2021

Schrems, Facebook and Data Privacy

Why Schrems? The EU’s trust in the processing of personal data seems to be shaken. With the famous case Maximilian Schrems v Facebook Ireland Limited pending before the Austrian Supreme Court (“Court”) for a while now, Maximilian Schrems requested the Court to refer four questions to the Court of Justice of the European Union (“CJEU”) concerning the lawful use of personal data of all Facebook users from the EU. So, who is Maximilian Schrems? Maximilian Schrems is a law student from Austria and a personal data protection activist who has been extremely vocal about data protection before EU authorities. […]

25 Jun 2021

Data protection and Big Tech: Is it just a bump in the road?

The topic of data protection and Big Tech keeps on giving.  It appears the subject of data protection simply does not want to leave the main stage and wishes to remain in everyone’s center of attention.  This should not come as a surprise, since the world is only starting to become more integrated in terms of digital services provided by Big Tech companies. The most recent “controversy” on data protection and Big Tech comes from Germany, or to be more precise, Hamburg’s Commissioner for Data Protection (“Commissioner”).  The Commissioner investigated Facebook’s use of personal data gathered from WhatsApp users and […]

13 May 2021

TikTok May Have Gone Too Far in Child Data Collection

What do Facebook, WhatsApp and TikTok have in common?  Well, they are social media giants, with billions of users all around the world.  But there is something else that these platforms have in common that is worthy of attention.  Lately, they have all been “hunted down” by regulators over their data policies.  So, we wanted to take the time to say a few words on the TikTok case. What makes the TikTok case special?  As most of you already know, TikTok is a social media platform used to make short-form videos that last between 15 and 60 seconds.  The videos […]

02 Apr 2021

EU Digital Saga Continues – Digital Services Act: A Service to Consumers, but a Disservice to Businesses?

After a short break from our previous reflections on the EU’s new set of regulations concerning digital markets (more details available here), we are back with an even more vivid and thorough breakdown of the proposed regulation. To pick up where we left off, we will be taking a closer look at the Digital Services Act (“DSA” or “Act”). As we have already familiarized ourselves with the EU’s goals and ambitions regarding new digital market regulation, we can now fully indulge ourselves by taking a closer look at the Act. We hope that you managed to catch your breath because […]

23 Nov 2020

Are Major High-Tech Companies “Skirting the Law” in Serbia Regarding Personal Data Protection?

Although it has been more than a year since the new Personal Data Protection Act (“Act”) entered into force in Serbia, some of its provisions are not yet fully applicable. One clear-cut example is Article 44 of the Act, which requires foreign companies (that is, those that do not have a registered business seat in Serbia) to appoint a Personal Data Protection Representative for Serbia (“Representative”). Who is the Representative? This provision (as well as the majority of the Act’s provisions) was adopted from Article 27 of the General Data Protection Regulation (“GDPR”) and refers to any personal data controller and […]

21 Jun 2017

New EU Data Protection Rules – Should Serbian Companies Be Worried?

The new EU data protection framework, set to come into force on May 24, 2018 in the form of the General Data Protection Regulation (GDPR), is directly binding in all Member States. However, its scope goes beyond the boundaries of the EU, affecting foreign companies that deal with personal data of EU citizens. National Data Protection authorities of EU member states already have certain powers over foreign enterprises, as seen in the landmark Costeja case (C‑131/12) where Google Inc., an American company, was forced to protect a Spanish national’s right to the respect of his private life. The GDPR […]

26 Apr 2017

New Data Protection Enforcement: Is Your Business Ready for It?

Businesses beware – imposing fines of up to 10% of the company’s Serbia-originated annual income in respect to enforcing Data Protection compliance will be one of the measures available to the Commissioner as of June 1, 2017, when the new Administrative Procedure Act is set to come into force. The changes to the Administrative Enforcement Procedure are going to allow this Data Protection Authority to enforce its decisions by fining companies in an amount considerably higher than the maximum enforcement-related fine of RSD 200,000.00 (approx. EUR 1,600.00) allowed by the current statute. This means that all companies will, if ordered […]

26 Apr 2016

EU Data Protection Reform Adopted

As announced by one of our previous publications, the new rules on personal data protection were adopted at the European Union (“EU”) level on April 14, 2016.  Referred to as “the culmination of over four years of hard work” in the joint statement of the European Commission (“Commission”) First Vice-President, Vice-President in charge of the Digital Single Market and Commissioner for Justice, Consumers and Gender Equality, the new policy aims to extend the citizens’ right to personal data protection, enhance legal certainty for businesses by unifying the regulation within the EU and allow for improved cooperation of Member States’ criminal […]

24 Dec 2015

EU Announces Sweeping Data Protection Reform

In a trilogue meeting held on 15 December 2015 the European Parliament, the European Commission and the European Council reached a political agreement to reform EU Data Protection policy.  The new policy has been in the works since 2011, but only now have the European Council and the European Parliament managed to reach an agreement on key issues.  The final text is expected to be formally adopted in early 2016, and its rules applicable two years thereafter.  During this period, 28 member states will be required to amend their existing data protection legislation, or to pass new legislation, whereas the […]
