Observations on Office Re – Engineering: Privacy Offices and Research Offices

Earlier today I had the opportunity to watch the highly useful IAPP webinar entitled What Works: Benchmarking and Improving your Privacy Program. I was particularly intrigued by the comments directed at improving / re - engineering a privacy office. The presenters emphasized the constant evolution of privacy regimes on a global scale, and that today … Continue reading Observations on Office Re – Engineering: Privacy Offices and Research Offices

DPAs’ guidances to survive in the post-‘Schrems II’ world

IAPP has set up a valuable resource collecting together guidances and statements issued by national DPAs in response to the recent CJEU ruling on the so-called 'Schrems II' case. The IAPP will aim to update the register on an ongoing basis. The link is below: https://iapp.org/resources/article/dpa-and-government-guidance-on-schrems-ii-2/ While privacy pros advise to seek to put in … Continue reading DPAs’ guidances to survive in the post-‘Schrems II’ world

Ambiguous status of SCC under the ‘Schrems II’ decision

As all privacy community already know, the CJEU has today struck down EU-US Privacy Shield scheme, while confirming the validity of SCC. Arguments against Privacy Shield has changed little since the 'Schrems I' decision that invalidated Safe Harbour - governmental intrusion, lack of proportionality, ineffective role of ombudsperson. What is really new is that a … Continue reading Ambiguous status of SCC under the ‘Schrems II’ decision

On a crucial importance of TOMs under GDPR Article 32

DPA of Baden-Württemberg (Germany) fined a health insurance company 1'240'000 EUR for insufficient implementation of TOMs resulted in personal data of app. 500 individuals being accidentally processed for advertising purposes without due consent.  The fine is quite high, especially given that there have been some mitigating factors in this case: not too many data subjects … Continue reading On a crucial importance of TOMs under GDPR Article 32

The ethics of privacy

Privacy is a fundamental human right recognized in the UN Declaration of Human Rights, the International Covenant on Civil and Political Rights and in many other international and regional treaties. Privacy underpins human dignity and other key values such as freedom of association and freedom of speech. It has become one of the most important … Continue reading The ethics of privacy

An interesting twist in the ‘cookie walls’ saga.

France's Council of State has ordered the CNIL (French data protection watchdog) to cancel parts of its guidelines on cookies as the ban on cookies walls was not valid. The court explained that the CNIL exceeded its specific mandate under an act called "flexible law" which refers to instruments, such as regulatory authorities' guidelines, which … Continue reading An interesting twist in the ‘cookie walls’ saga.

PwC vs. employee privacy

PwC developed a facial recognition tool that logs when employees are absent from their computer screens while they work from home. In particular, there have to be a specific excuse for any absence (including toilet breaks). Too invasive? No doubt. Disproportionate with no likely legal grounds? WP29 Opinion 2/2017 on data processing at work suggests … Continue reading PwC vs. employee privacy

Status of non-EU processors under Article 3(2) GDPR

A thorough analysis of clear things and grey zones of the EDPB Guidelines 3/2018 on territorial scope. My attention was, in particular, drawn by a friendly reminder that a status of a non-EU processor is dual as per Article 3(2): it is indirectly influenced by the GDPR if carries out processing on behalf of a … Continue reading Status of non-EU processors under Article 3(2) GDPR

Ticking time-bomb in the EDPB Guidelines on consent?

An old issue each privacy pro learnt by heart: "risk of negative consequences (e.g. substantial extra costs)" for data subject = no freely-given consent.  Substantial. But what if extra costs are not substantial? What if, say, 10$ turns into 11$ if you refuse to consent? Is it ok?  At leats, German watchdog seems to say … Continue reading Ticking time-bomb in the EDPB Guidelines on consent?

CJEU & legitimate interest in scope: what the controller should remember of.

CJEU gave the Judgement in the course of a preliminary ruling on whether Articles 6(1)(c) and 7(f) of the Data Protection Directive (95/46/EC) precluded national law from allowing installation of a CCTV system in the common parts of a residential building, relying on a legitimate interest (Case C-708/18).   The overall answer is "No, it … Continue reading CJEU & legitimate interest in scope: what the controller should remember of.