big data / Data protection / data protection agencies / General Data Protection Regulation / Privacy impact assessment / Risk-based approach / sensitive data

New EU Guidelines on Data Protection Impact Assessments

Assessing the likelihood of a ‘deep impact’ – but how ‘deep’ is ‘deep enough’ and by whose standards? In other words, how exactly do you develop a methodology for determining whether processing is “likely to result in a high risk” to data subjects under the GDPR? Draft guidelines on conducting data protection impact assessments (DPIAs) … Continue reading

Data protection / General Data Protection Regulation / ICO / Personal data / pseudonymisation / Risk-based approach / sensitive data

ICO Requests Feedback on New Data Protection Profiling Provisions

If we stopped calling it ‘profiling’ and started calling it “creating composite, digital ‘mosaics’ by singling out, linking, and inferring personal attributes”, people might say “Well, it’s about time” The UK Information Commissioner’s Office (ICO) has published a discussion paper seeking feedback on profiling provisions under the EU’s General Data Protection Regulation (GDPR). The deadline … Continue reading

anonymisation / consent / Data protection / Data retention / Personal data / Risk-based approach

CJEU in Breyer: Dynamic IP addresses will (very?) often be personal data and German Law is too restrictive! Okay but how shall we care about voluntary and systematic retention of logs?

  And here is delivered by the Court of Justice of the European Union (CJEU) another landmark judgment: C‑582/14 Breyer v Bundesrepublik Deutschland concerning the proper characterisation of IP addresses and the compatibility of German national law with Article 7(f) of the Data Protection Directive (DPD). The judgement is not available in English yet, but … Continue reading

anonymisation / Brexit / Data protection / Data transfer / digital identity / e-government / eIDAS / General Data Protection Regulation / safe harbour

eIDAS applies from 1 July 2016: An EU dream come true after a Brexit nightmare?

  Six days after the results of the UK Brexit referendum and it is still very hard to go back to a “normal” life, especially while remaining an EU citizen living in the UK. One of the most upsetting things of the referendum, at least for lawyer, is its nonsense. This holds true in particular … Continue reading

Data protection / Law enforcement / Security / Surveillance / terrorism

New Air Passenger Data Processing Rules to Apply from 2018

Ready, steady, go… Clock countdown formally starts for the reform of three major pieces of EU data legislation! It’s finally final – three separate pieces of data privacy-related legislation in the EU will be coming into effect soon: As anticipated by Sophie last month here, the final version of the General Data Protection Regulation (GDPR) … Continue reading

anonymisation / big data / Data protection / data protection agencies / European Data Protection Supervisor / General Data Protection Regulation / ICO / Privacy / pseudonymisation / Risk-based approach

The GDPR and the biggest mess of all: why accurate legal definitions really matter….

Issued last week, here is what seems to be the final version of the General Data Protection Regulation (the GDPR)! This 6 April 2016 version, likely to be adopted by the European Parliament this week, is now in the kiosks! HIP HIP HOORRAY I hear you thinking, either ironically because more than 4 years of … Continue reading

Data protection / data protection agencies / safe harbour

EU Commission publishes Legal Texts of New ‘Privacy Shield’ Framework for Trans-Atlantic Data Transfers

…But, will the highly anticipated EU-US ‘Privacy Shield’ live up to its super-hero billing? Last month proved to be a particularly busy time for data protection news. First, the Council of the EU adopted a political agreement on the texts that will form part of the new Data Protection Reform Package. Also hitting headlines was … Continue reading

defamation / Internet intermediaries / liability / notice-and-take down / Privacy

MTE v Hungary: is the ECtHR rewriting Delfi v Estonia?

A few months after the now infamous decision Delfi v Estonia of the Grand Chamber of the European Court of Human Rights (ECtHR) [for background, see my earlier post here], the Fourth Section of the Court issued on 2 February 2016 a judgement (MTE v Hungary) dealing with similar issues. Starting with the end of … Continue reading

Access to data / Breach notification / Data protection / Data retention / General Data Protection Regulation / Law enforcement / Personal data / Privacy / Privacy impact assessment / Surveillance

Article 29 WP and the draft directive on the processing of personal data by law enforcement agencies: has Article 29 WP been heard?

Last month, the Permanent Representatives Committee (Coreper) of the Council of the EU  the compromise texts agreed with the European Parliament on data protection reform. As a reminder, the reform is a legislative package concerning two legislative instruments: the second of which discussed here (and far less catching the press headlines than the General Data … Continue reading