In a groundbreaking decision, the Austrian Data Protection Authority ("Datenschutzbehörde" or "DSB") has decided on a model case by noyb that the continuous use of Google Analytics violates the GDPR. This is the first decision on the 101 model complaints filed by noyb in the wake of the so-called "Schrems II" decision.

Noyb, headed by well-known Austrian privacy advocate Max Schrems, is targeting companies which it says deliberately make it hard to opt-out of tracking cookies.

The Irish DPC (Data Protection Commissioner) acknowledges in Irish Parliament hearing it "handles" GDPR complaints by not deciding about them, in violation of EU law.

The long-standing miracle of "self-resolving" GDPR complaints was then lifted by Helen Dixon: The DPC simply interprets the word "handle" to mean that the DPC can also simply dispose of complaints on the fundamental right to privacy. She openly argued “In fact, there is no obligation on the DPC under the 2018 Act to produce a decision in the case of any complaint.”

On 16 July 2020, the European Court of Justice issued the Schrems II judgement with significant implications for the use of US cloud services. Customers of US cloud service providers must now themselves verify the data protection laws of the recipient country, document its risk assessment and confer with its customers. This article will explain what the Schrems II judgement entails for your business.

In January 2020, the Norwegian Consumer Council and the European privacy NGO noyb.eu filed three strategic complaints against Grindr and several adtech companies over illegal sharing of users’ data. Like many other apps, Grindr shared personal data (like location data or the fact that someone uses Grindr) to potentially hundreds of third parties for advertisment.

The EU's Court of Justice has just invalidated the "Privacy Shield" data sharing system between the EU and the US, because of overreaching US surveillance.

EUの司法裁判所（CJEU）は、米国が同国の国家安全保障局（NAS）の監視から米国企業が有する自国民以外の情報を保護していない、としてEUと米国の間のデータ共有に関する枠組み「プライバシーシールド」を無効にしました。Facebookなどの米国企業は、EEA域外へのパーソナルデータの移転を特別に認めるGDPR（一般データ保護規則）の標準的契約条項（SCC:Standard contractual clauses）を締結できなくなります。併せて、EU司法裁判所は、GDPRの適用を行うべき欧州委員会および、アイルランドのデータ保護委員会（Irish Data Protection Commission）などにGDPRを形骸化させないようにその責務を果たすよう求めています。