IAPP has set up a valuable resource collecting together guidances and statements issued by national DPAs in response to the recent CJEU ruling on the so-called 'Schrems II' case. The IAPP will aim to update the register on an ongoing basis. The link is below: https://iapp.org/resources/article/dpa-and-government-guidance-on-schrems-ii-2/ While privacy pros advise to seek to put in … Continue reading DPAs’ guidances to survive in the post-‘Schrems II’ world
As the whole privacy community already knows, the CJEU has today struck down the EU-US Privacy Shield scheme, while confirming the validity of SCC. Arguments against Privacy Shield have changed little since the 'Schrems I' decision that invalidated Safe Harbour - governmental intrusion, lack of proportionality, ineffective role of the ombudsperson. What is really new is that a … Continue reading Ambiguous status of SCC under the ‘Schrems II’ decision
France's Council of State has ordered the CNIL (French data protection watchdog) to cancel parts of its guidelines on cookies as the ban on cookie walls was not valid. The court explained that the CNIL exceeded its specific mandate under an act called "flexible law" which refers to instruments, such as regulatory authorities' guidelines, which … Continue reading An interesting twist in the ‘cookie walls’ saga.
Being a great tool for privacy pros to keep up to date with extensive case law, it also increases the overall awareness of how data protection laws are applied in cooperation between the lead DPA and the other DPAs concerned (the GDPR Article 60). As I expect more comments on this occasion in the days/weeks … Continue reading Breaking news: EDPB has published the “one-stop-shop” decision register.
One is not a ‘special case’ of another as it may seem prima facie. The KEY consideration here is that DPIA is conducted prior to rolling out new projects implying data processing operations posing a high risk and thus tailored specifically to them. In contrast, DPbD comes into play at the very earliest stage of … Continue reading Interplay between the GDPR Articles 25 (‘Data protection by design’, DPbD) and 35 (DPIA).
A thorough analysis of clear things and grey zones of the EDPB Guidelines 3/2018 on territorial scope. My attention was, in particular, drawn by a friendly reminder that the status of a non-EU processor is dual as per Article 3(2): it is indirectly influenced by the GDPR if it carries out processing on behalf of a … Continue reading Status of non-EU processors under Article 3(2) GDPR
In ‘Opinion 4/2007’ on the concept of personal data, Working Party 29 (‘WP29’) identified four building blocks in the definition of personal data - ‘any information’, ‘relating to’, ‘identified or identifiable’, ‘natural person’. They remained the same in the GDPR, thus rendering ‘Opinion 4/2007’ relevant for understanding the concept of personal data. However, WP29, instead … Continue reading A “purpose” element: what is inside the controller’s mind?
There's starting to be a bit of a flurry here in Sweden with the upcoming new Regulation. One of the communications I received last week was concerning the fact that here in Sweden our personal data, including our ID, is considered public information. This will not be the case once the Regulation comes into effect. … Continue reading Sweden is going to have fun with the new Data Protection Regulation