The Data Protection and Digital Information (No. 2) Bill (DPDIB) has been introduced to Parliament on the 8th of March 2023. It is not a complete revamp of the first Data Protection and Digital Information Bill, but this time the intention is firm. The Department of Science, Innovation and Technology (DSIT) is determined to have … Continue reading
Category Archives: Personal data
Data Protection and data analytics: what is Art. 29 WP really saying to businesses wanting to innovate with data?
In three-month time, the General Data Protection Regulation (GDPR), will become applicable to many, if not all, data processing activities to which living individuals can be associated. Businesses operating in Europe have had about two years to prepare for this change. As readers know, even if the GDPR is a lengthy piece of … Continue reading
CJEU Advocate General opines on the definition of a data controller, applicable national law, and jurisdiction under data protection law
‘Cruise control for the social media age, or stuck in second gear?’ The issue of defining data controllership is “particularly thorny” says AG, and looking to become thornier as complete control is becoming less and less common in practice Last month, Advocate General (AG) Bot of the Court of Justice of the EU (CJEU) delivered … Continue reading
Advocate General Delivers Opinion on Whether Examination Scripts Are Personal Data under Data Protection Law
Exam scripts are personal data, says the AG, when the purpose it is to identify and record the performance of a particular individual; but that doesn’t mean you can go back and change your answers! On 20 July 2017, the EU Court of Justice’s Advocate General (AG) Kokott delivered her opinion in Peter Nowak v … Continue reading
The CJEU and the concept of ‘legitimate interest’: The case of Rīgas satiksme
The Court of Justice of the European Union (CJEU) delivered its awaited judgment on 4 May in the case Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’, answering two related questions: ‘(1) Must the phrase ‘is necessary for the purposes of the legitimate interests pursued by the … third party … Continue reading
Anonymisation, pseudonymisation, WiFi tracking and the French: the JCDecaux case
The topic of ‘anonymisation’ has already been covered several times on the blog (see e.g. here, here, and here). We even have a new research paper (‘Anonymous Data v. Personal Data — A False Debate: An EU Perspective on Anonymization, Pseudonymization and Personal Data’) recently published in the Wisconsin International Law Journal on this issue … Continue reading
ICO Requests Feedback on New Data Protection Profiling Provisions
If we stopped calling it ‘profiling’ and started calling it “creating composite, digital ‘mosaics’ by singling out, linking, and inferring personal attributes”, people might say “Well, it’s about time” The UK Information Commissioner’s Office (ICO) has published a discussion paper seeking feedback on profiling provisions under the EU’s General Data Protection Regulation (GDPR). The deadline … Continue reading
Data Protection Concerns raised by Proposed EU Directive on Contracts for Supply of Digital Content
It may not be ‘all about the money’, but there is some ‘price tag’ often associated with what we do online…. And that’s our data! Updates on the incoming GDPR and the potential implications of the new E-Privacy Regulation dominate EU privacy and data protection discourse currently. Yet, there is another further (and potentially overlapping) … Continue reading
CJEU Advocate General Opines on the ‘Legitimate Interest’ Concept
But how exactly does EU law achieve the weighing of competing legitimate interests and rights in a data protection law context? I’ve previously written (here) about the concept of legitimate interest under data protection law and how it has captured the attention of data protection agencies, as well as the EU institutions in informing the … Continue reading
CJEU in Breyer: Dynamic IP addresses will (very?) often be personal data and German Law is too restrictive! Okay but how shall we care about voluntary and systematic retention of logs?
And here is delivered by the Court of Justice of the European Union (CJEU) another landmark judgment: C‑582/14 Breyer v Bundesrepublik Deutschland concerning the proper characterisation of IP addresses and the compatibility of German national law with Article 7(f) of the Data Protection Directive (DPD). The judgement is not available in English yet, but … Continue reading