General Data Protection Regulation / illegal content / Internet intermediaries / Legitimate interest / Personal data

The CJEU and the concept of ‘legitimate interest’: The case of Rīgas satiksme

The Court of Justice of the European Union (CJEU) delivered its awaited judgment on 4 May in the case Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’, answering two related questions: ‘(1)      Must the phrase ‘is necessary for the purposes of the legitimate interests pursued by the … third party … Continue reading

big data / Data protection / data protection agencies / General Data Protection Regulation / Privacy impact assessment / Risk-based approach / sensitive data

New EU Guidelines on Data Protection Impact Assessments

Assessing the likelihood of a ‘deep impact’ – but how ‘deep’ is ‘deep enough’ and by whose standards? In other words, how exactly do you develop a methodology for determining whether processing is “likely to result in a high risk” to data subjects under the GDPR? Draft guidelines on conducting data protection impact assessments (DPIAs) … Continue reading

Data protection / Internet intermediaries / liability / Privacy

Data Protection & Intermediary liability: how do the French do it?

While the scope of intermediary liability exemptions is being discussed in several places around Europe (and beyond), it is interesting to go back to the Overblog legal saga, which a few years ago had been described by some as pre-announcing other popular sagas, such as the infamous Google Spain case (discussed in a previous post … Continue reading

content regulation / Copyright / Data protection / General Data Protection Regulation / immunities / Internet intermediaries / ISPs / Right to be forgotten

The GDPR, the proposed Copyright Directive and intermediary liability: one more time!

A lot has been written on the topic of intermediary liability in the past few months. But has everything been said or read? And looking at the different pieces of the regulatory jigsaw together, are we heading in the right direction? One important piece of the jigsaw is certainly the General Data Protection Regulation (GDPR) … Continue reading

anonymisation / consent / Data protection / Data retention / Personal data / Risk-based approach

CJEU in Breyer: Dynamic IP addresses will (very?) often be personal data and German Law is too restrictive! Okay but how shall we care about voluntary and systematic retention of logs?

  And here is delivered by the Court of Justice of the European Union (CJEU) another landmark judgment: C‑582/14 Breyer v Bundesrepublik Deutschland concerning the proper characterisation of IP addresses and the compatibility of German national law with Article 7(f) of the Data Protection Directive (DPD). The judgement is not available in English yet, but … Continue reading

Data retention / Data transfer / Human rights / Law enforcement / safe harbour / Security / Surveillance

CJEU Advocate General opines on the compatibility of EU-Canada PNR Agreement with EU Charter rights to privacy and personal data protection

We’ve heard it before, and we’ll hear it again… ‘How can interference with fundamental EU rights to privacy and personal data protection be justified when it comes to mass-automated data processing?’ In other words, to what extent will the EU Charter of Fundamental Rights keep this international agreement grounded before it can take flight? Earlier … Continue reading

anonymisation / big data / Data protection / General Data Protection Regulation / ICO / Personal data / Privacy / pseudonymisation / research / Risk-based approach / sensitive data

The First-Tier Tribunal and the anonymisation of clinical trial data: a reasoned expression of Englishness…. which would have to be abandoned with the GDPR?

The Queen Mary University of London v (1) The Information Commissioner and (2) Alem Matthees, EA/2015/0269 case decided by the First-Tier Tribunal (Information Rights) (FTT(IR)) on 12 August 2016 is a fascinating decision. [Could it be a stylish expression of Englishness…. or otherness?] The case-facts concern a freedom of information request for clinical trial patient data … Continue reading

Data protection / Intelligence and security agencies / Law enforcement / Privacy policies

New UK Decisions on the Data Protection Implications of Information Sharing with Law Enforcement

Compliance with governmental requests for information raise a minefield of different laws, but data protection/privacy rights hold special pitfalls Determining when the sharing of personal data is legal can be a complicated exercise. Yet, the impetus for governmental agencies to collect and share more and more information is at an unprecedented high. In the EU, … Continue reading

Brexit / Data protection / Data transfer / Jurisdiction / safe harbour

EU Approves ‘Privacy Shield’ Safe Framework for Trans-Atlantic Personal Data Transfers

Privacy shields doubling as privacy swords? … While “the best defence” may also make a “good offence” (or, “offense”, as our US counterparts would call it), first you need to be confident that your defence strategy works! Last Friday, a statement was made by EU Vice-President Ansip and Justice Commissioner Vera Jourová announcing the adoption … Continue reading