data controller / data protection agencies / facebook / GDPR / General Data Protection Regulation / Jurisdiction / liability / online platforms / Personal data / Social media

CJEU Advocate General opines on the definition of a data controller, applicable national law, and jurisdiction under data protection law

‘Cruise control for the social media age, or stuck in second gear?’ The issue of defining data controllership is “particularly thorny” says AG, and looking to become thornier as complete control is becoming less and less common in practice Last month, Advocate General (AG) Bot of the Court of Justice of the EU (CJEU) delivered … Continue reading

big data / Data protection / data protection agencies / General Data Protection Regulation / Privacy impact assessment / Risk-based approach / sensitive data

New EU Guidelines on Data Protection Impact Assessments

Assessing the likelihood of a ‘deep impact’ – but how ‘deep’ is ‘deep enough’ and by whose standards? In other words, how exactly do you develop a methodology for determining whether processing is “likely to result in a high risk” to data subjects under the GDPR? Draft guidelines on conducting data protection impact assessments (DPIAs) … Continue reading

anonymisation / big data / Data protection / data protection agencies / European Data Protection Supervisor / General Data Protection Regulation / ICO / Privacy / pseudonymisation / Risk-based approach

The GDPR and the biggest mess of all: why accurate legal definitions really matter….

Issued last week, here is what seems to be the final version of the General Data Protection Regulation (the GDPR)! This 6 April 2016 version, likely to be adopted by the European Parliament this week, is now in the kiosks! HIP HIP HOORRAY I hear you thinking, either ironically because more than 4 years of … Continue reading

Data protection / data protection agencies / safe harbour

EU Commission publishes Legal Texts of New ‘Privacy Shield’ Framework for Trans-Atlantic Data Transfers

…But, will the highly anticipated EU-US ‘Privacy Shield’ live up to its super-hero billing? Last month proved to be a particularly busy time for data protection news. First, the Council of the EU adopted a political agreement on the texts that will form part of the new Data Protection Reform Package. Also hitting headlines was … Continue reading

Data protection / data protection agencies / Law enforcement

EU Justice Ministers agree ‘common position’ for new EU data protection rules in the field of law enforcement

Adoption of new Data Protection Directive for police and judicial cooperation is one step closer – however, arguments continue over the extent to which the processing of personal data for the purposes of law enforcement , as well as the “safeguarding against and the prevention of threats to public security”, should be subject to traditional … Continue reading

Data protection / data protection agencies / Privacy / safe harbour

DPAs or national supervisory authorities and the CJEU in Schrems: what does it mean to “engage in legal proceedings”?

The CJEU has definitely been very bold in its recent decision in Schrems v Data Protection Commissioner. While the judgement of the CJEU is more convincing than the opinion of the Advocate General (see my posts here and here), it is obviously not perfect. [But I wonder, perhaps naively: shouldn’t the CJEU’s decision be seen … Continue reading

data protection agencies / Jurisdiction

Sick of hearing about safe harbours? What about Weltimmo?! – CJEU decision raises prospects for companies operating web services across the EU being subject to multiple data protection authorities

How should online businesses determine which data protection laws to comply with, and how should multiple claims to jurisdiction over the national application of data protection laws be resolved? Much has been written in the last week about the ruling of the Court of Justice of the EU (CJEU) in holding that EU Commission Decision … Continue reading