big data / Data protection / data protection agencies / General Data Protection Regulation / Privacy impact assessment / Risk-based approach / sensitive data

New EU Guidelines on Data Protection Impact Assessments

Assessing the likelihood of a ‘deep impact’ – but how ‘deep’ is ‘deep enough’ and by whose standards? In other words, how exactly do you develop a methodology for determining whether processing is “likely to result in a high risk” to data subjects under the GDPR? Draft guidelines on conducting data protection impact assessments (DPIAs) … Continue reading

anonymisation / big data / Data protection / data protection agencies / European Data Protection Supervisor / General Data Protection Regulation / ICO / Privacy / pseudonymisation / Risk-based approach

The GDPR and the biggest mess of all: why accurate legal definitions really matter….

Issued last week, here is what seems to be the final version of the General Data Protection Regulation (the GDPR)! This 6 April 2016 version, likely to be adopted by the European Parliament this week, is now in the kiosks! HIP HIP HOORAY I hear you thinking, either ironically because more than 4 years of … Continue reading

Data protection / data protection agencies / safe harbour

EU Commission publishes Legal Texts of New ‘Privacy Shield’ Framework for Trans-Atlantic Data Transfers

…But, will the highly anticipated EU-US ‘Privacy Shield’ live up to its super-hero billing? Last month proved to be a particularly busy time for data protection news. First, the Council of the EU adopted a political agreement on the texts that will form part of the new Data Protection Reform Package. Also hitting headlines was … Continue reading

Data protection / data protection agencies / Law enforcement

EU Justice Ministers agree ‘common position’ for new EU data protection rules in the field of law enforcement

Adoption of new Data Protection Directive for police and judicial cooperation is one step closer – however, arguments continue over the extent to which the processing of personal data for the purposes of law enforcement, as well as the “safeguarding against and the prevention of threats to public security”, should be subject to traditional … Continue reading

Data protection / data protection agencies / Privacy / safe harbour

DPAs or national supervisory authorities and the CJEU in Schrems: what does it mean to “engage in legal proceedings”?

The CJEU has definitely been very bold in its recent decision in Schrems v Data Protection Commissioner. While the judgement of the CJEU is more convincing than the opinion of the Advocate General (see my posts here and here), it is obviously not perfect. [But I wonder, perhaps naively: shouldn’t the CJEU’s decision be seen … Continue reading

data protection agencies / Jurisdiction

Sick of hearing about safe harbours? What about Weltimmo?! – CJEU decision raises prospects for companies operating web services across the EU being subject to multiple data protection authorities

How should online businesses determine which data protection laws to comply with, and how should multiple claims to jurisdiction over the national application of data protection laws be resolved? Much has been written in the last week about the ruling of the Court of Justice of the EU (CJEU) in holding that EU Commission Decision … Continue reading

Data protection / data protection agencies / ICO

A UK view of the Council’s common position on the proposed General Data Protection Regulation – Over to you, ICO…

ICO has EU reform negotiations firmly in sight as it reiterates its views on the benefits and dangers involved with a risk-based and flexible approach to data protection enforcement Further to Sophie’s post on the German viewpoint, the ICO – the UK’s data protection agency – has also added its voice to the public debate … Continue reading