The GDPR, the parallel regime and the ICO

The General Data Protection Regulation (GDPR) will be applicable in less than a year, and experts are still discussing the extent to which the new regulation will have a significant impact upon the ‘legal basis’ requirement. However, as Bob Miller suggests in this guest blog post, it might not be enough to read and re-read … Continue reading →

On Article 28a and the proposal to extend the AVMSD: is it time to be pessimistic?

The proposal to extend the Audiovisiual Media Services Directive (AVMSD) continues along its legislative path. We are now entering the trilogue negotiations phase, and, after having read the unrelated [at least at first glance] G7 Taormina Statement on the fight against terrorism and violent extremism, I am re-reading  the  text of the Proposal for a … Continue reading →

The politics of online platforms: when AG Szpunar converses with the EC in Elite Taxi v Uber.

Advocate General Szpunar (AG) delivered yesterday his opinion in the highly political and much awaited case C‑434/15 Asociación Profesional Elite Taxi v Uber Systems Spain SL. In a nutshell, the AG was asked to answer four questions concerning two important milestones of the European Union (EU) acquis: the E-commerce Directive of 2000 and the services … Continue reading →

The CJEU and the concept of ‘legitimate interest’: The case of Rīgas satiksme

The Court of Justice of the European Union (CJEU) delivered its awaited judgment on 4 May in the case Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’, answering two related questions: ‘(1)      Must the phrase ‘is necessary for the purposes of the legitimate interests pursued by the … third party … Continue reading →

New EU Guidelines on Data Protection Impact Assessments

Assessing the likelihood of a ‘deep impact’ – but how ‘deep’ is ‘deep enough’ and by whose standards? In other words, how exactly do you develop a methodology for determining whether processing is “likely to result in a high risk” to data subjects under the GDPR? Draft guidelines on conducting data protection impact assessments (DPIAs) … Continue reading →

Anonymisation, pseudonymisation, WiFi tracking and the French: the JCDecaux case

The topic of ‘anonymisation’ has already been covered several times on the blog (see e.g. here, here, and here). We even have a new research paper (‘Anonymous Data v. Personal Data — A False Debate: An EU Perspective on Anonymization, Pseudonymization and Personal Data’) recently published in the Wisconsin International Law Journal on this issue  … Continue reading →

ICO Requests Feedback on New Data Protection Profiling Provisions

If we stopped calling it ‘profiling’ and started calling it “creating composite, digital ‘mosaics’ by singling out, linking, and inferring personal attributes”, people might say “Well, it’s about time” The UK Information Commissioner’s Office (ICO) has published a discussion paper seeking feedback on profiling provisions under the EU’s General Data Protection Regulation (GDPR). The deadline … Continue reading →