anonymisation / Personal data / pseudonymisation

AI and the UK DPDI Bill: moving backward

The Data Protection and Digital Information (No. 2) Bill (DPDIB) has been introduced to Parliament on the 8th of March 2023. It is not a complete revamp of the first Data Protection and Digital Information Bill, but this time the intention is firm. The Department of Science, Innovation and Technology (DSIT) is determined to have … Continue reading

big data / consent / data controller / GDPR / General Data Protection Regulation / Personal data

Data Protection and data analytics: what is Art. 29 WP really saying to businesses wanting to innovate with data?

    In three-month time, the General Data Protection Regulation (GDPR), will become applicable to many, if not all, data processing activities to which living individuals can be associated. Businesses operating in Europe have had about two years to prepare for this change. As readers know, even if the GDPR is a lengthy piece of … Continue reading

data controller / data protection agencies / facebook / GDPR / General Data Protection Regulation / Jurisdiction / liability / online platforms / Personal data / Social media

CJEU Advocate General opines on the definition of a data controller, applicable national law, and jurisdiction under data protection law

‘Cruise control for the social media age, or stuck in second gear?’ The issue of defining data controllership is “particularly thorny” says AG, and looking to become thornier as complete control is becoming less and less common in practice Last month, Advocate General (AG) Bot of the Court of Justice of the EU (CJEU) delivered … Continue reading

Data protection / General Data Protection Regulation / Personal data

Advocate General Delivers Opinion on Whether Examination Scripts Are Personal Data under Data Protection Law

Exam scripts are personal data, says the AG, when the purpose it is to identify and record the performance of a particular individual; but that doesn’t mean you can go back and change your answers! On 20 July 2017, the EU Court of Justice’s Advocate General (AG) Kokott delivered her opinion in Peter Nowak v … Continue reading

General Data Protection Regulation / illegal content / Internet intermediaries / Legitimate interest / Personal data

The CJEU and the concept of ‘legitimate interest’: The case of Rīgas satiksme

The Court of Justice of the European Union (CJEU) delivered its awaited judgment on 4 May in the case Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’, answering two related questions: ‘(1)      Must the phrase ‘is necessary for the purposes of the legitimate interests pursued by the … third party … Continue reading

anonymisation / big data / Personal data / Privacy / WiFI tracking

Anonymisation, pseudonymisation, WiFi tracking and the French: the JCDecaux case

The topic of ‘anonymisation’ has already been covered several times on the blog (see e.g. here, here, and here). We even have a new research paper (‘Anonymous Data v. Personal Data — A False Debate: An EU Perspective on Anonymization, Pseudonymization and Personal Data’) recently published in the Wisconsin International Law Journal on this issue  … Continue reading

Data protection / General Data Protection Regulation / ICO / Personal data / pseudonymisation / Risk-based approach / sensitive data

ICO Requests Feedback on New Data Protection Profiling Provisions

If we stopped calling it ‘profiling’ and started calling it “creating composite, digital ‘mosaics’ by singling out, linking, and inferring personal attributes”, people might say “Well, it’s about time” The UK Information Commissioner’s Office (ICO) has published a discussion paper seeking feedback on profiling provisions under the EU’s General Data Protection Regulation (GDPR). The deadline … Continue reading

Access to data / Consumer law / content data / content regulation / Data protection / Personal data

Data Protection Concerns raised by Proposed EU Directive on Contracts for Supply of Digital Content

It may not be ‘all about the money’, but there is some ‘price tag’ often associated with what we do online…. And that’s our data! Updates on the incoming GDPR and the potential implications of the new E-Privacy Regulation dominate EU privacy and data protection discourse currently. Yet, there is another further (and potentially overlapping) … Continue reading

Access to data / Data protection / General Data Protection Regulation / Law enforcement / Legitimate interest / Personal data / sensitive data

CJEU Advocate General Opines on the ‘Legitimate Interest’ Concept

But how exactly does EU law achieve the weighing of competing legitimate interests and rights in a data protection law context? I’ve previously written (here) about the concept of legitimate interest under data protection law and how it has captured the attention of data protection agencies, as well as the EU institutions in informing the … Continue reading

anonymisation / consent / Data protection / Data retention / Personal data / Risk-based approach

CJEU in Breyer: Dynamic IP addresses will (very?) often be personal data and German Law is too restrictive! Okay but how shall we care about voluntary and systematic retention of logs?

  And here is delivered by the Court of Justice of the European Union (CJEU) another landmark judgment: C‑582/14 Breyer v Bundesrepublik Deutschland concerning the proper characterisation of IP addresses and the compatibility of German national law with Article 7(f) of the Data Protection Directive (DPD). The judgement is not available in English yet, but … Continue reading