On 31 May 2022, the Italian Parliament approved Law 62/2022, also known as the Sunshine Act, which entered into force on 26 June 2022. The new rules will become fully operational once the Ministry of Health sets up the public database where companies will have to disclose their data. In practice, this means the new
Latest from Inside Privacy - Page 2
European Parliament Adopts DSA
On July 5, 2022, the European Parliament adopted the Digital Services Act (“DSA”) with 539 votes in favor, 54 votes against and 30 abstentions, following the political deal reached on April 23, 2022 (see our previous blog here).
Key aspects
The DSA is addressed to providers of intermediary services (e.g., Internet service providers, cloud…
8 Eye-catching Reforms in the UK Government’s Response to its Public Consultation on Data Protection Law
The UK Government recently published its long-awaited response to its data reform consultation, ‘Data: A new direction’ (see our post on the consultation, here).
As many readers are aware, following Brexit, the UK Government has to walk a fine line between trying to reduce the compliance burden on organizations and retaining the ‘adequacy’ status…
European Data Protection Board Publishes Guidelines on Certification as a Tool for International Personal Data Transfers
On June 30, 2022, the European Data Protection Board published draft guidelines on certification as a tool for transfers. These guidelines complement the EDPB’s earlier guidelines on certification and identifying certification criteria.
These guidelines and the guidelines on codes of conduct as tools for transfers appear to be part of the EDPB’s broader…
Cross-Border Data Transfer Developments in China
After more than seven months since China’s Personal Information Protection Law (《个人信息保护法》, “PIPL”) went into effect, Chinese regulators have issued several new (draft) rules over the past few days to implement the cross-border data transfer requirements of the PIPL. In particular, Article 38 of the PIPL sets out three legal mechanisms for lawful transfers of…
Italian Garante Bans Use of Google Analytics

On June 23, 2022 the Italian data protection authority (“Garante”) released a general statement (here) flagging the unlawfulness of data transfers to the U.S. resulting from the use of Google Analytics. The Garante invites all Italian website operators, both public and private, to verify that the use of cookies and other tracking tools…
Court of Justice of the EU Decides that the Passenger Name Record Directive is Compatible with EU Law
On June 21, 2022, the Court of Justice of the EU (“CJEU”) decided that that the Passenger Name Record (“PNR”) Directive’s provisions providing for the processing of PNR data by competent Member State authorities are compatible with the EU Charter of Fundamental Rights (“Charter”). However, the CJEU also decided that the PNR Directive limits the…
Congressman McHenry Releases Discussion Draft of Financial Data Privacy Bill
On June 23, Congressman Patrick McHenry released a discussion draft of new legislation to modernize federal financial data privacy law. The draft legislation would amend and build on the Gramm-Leach-Bliley Act (“GLBA”). The draft includes notable provisions on consumer rights, data minimization, and disclosures. It also updates the definition of “financial institution” to include data…
EU Consumer Protection and Data Privacy Authorities Adopt 5 Key Principles for Fair Advertising to Children
On June 14, 2022, representatives of the EU’s Consumer Protection Cooperation (CPC) Network, together with several national data protection authorities in the EU and the secretariat of the European Data Protection Board (“EDPB”), endorsed five key principles for fair advertising to children (see press release here). These recommendations are based on relevant requirements…
FTC Announces Plans to Begin Privacy Rulemaking In June
Today, the Federal Trade Commission (FTC) announced that it anticipates proposing a privacy rulemaking this month, with comments closing in August. This announcement follows the agency’s statement in December that it planned to begin a rulemaking to “curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.” …