Another week, another product announcement from someone involving AI in your pocket, on your wrist, in front of your eyes. I have met people whose lives have literally been transformed as a result of some of these tools, such as an individual who is suddenly able to use a camera in glasses to film his […]
Around the time I created my data breach risk assessment tool (after really interesting exchanges with ENISA on cybersecurity & data protection), Olivier Sustronck released something similar that he just made available for free. My firm got an award for mine, his went under the radar – but he truly deserves praise for the quality […]
OK, a few words about the CNIL decision re IQVIA. Spoiler alert: it’s in my view a completely wrong decision, and it deliberately misquotes the CJEU’s SRB judgment: 1. “[T]his role as controller prevents, in itself, the data from being regarded as anonymous” (CNIL, §90): incorrect! The CJEU explicitly states the following in §76 of […]
The Digital Omnibus evolutions at the level of the EU Council continue to have a mix of good and bad. Today, a quick focus on ePrivacy rules. First, some good: – There’s an interesting new Recital 46a on standardisation re consent preferences, stressing that technical solutions should allow data subjects to “easily set their consent […]
Confused about these GDPR 10-year anniversary posts in May 2026? While I have been working on it for a decade, I’m not keen on May 2016 (entry into force) but rather May 2018, when the GDPR became *applicable*, even more than April 2016, when it was *adopted*. Why? Before May 2018: – Enforcement of data […]
Stunned to see that Global Privacy Control won’t work as a refusal mechanism under the GDPR / Digital Omnibus, as it doesn’t support active change notifications. Some context: While the GDPR contains a “data subject request forwarding” obligation regarding erasure, rectification & rectification requests, it doesn’t in relation to consent withdrawal (or objections). In the […]
The ICO’s new adtech report to the UK government contains important lessons, also for legislators & regulators from all over Europe. Its suggestion is to foresee a consent exemption under ePrivacy rules (PECR in the UK) for “first-party” use of storage & processing capabilities of a device for the following purposes, if certain safeguards are […]
Out with a bang, but with controversial positions? The latest fines of the Belgian DPA represent the last from Hielke Hijmans, the departing Director of the Litigation Chamber. The amounts are modest by international standards (86k, 120k & 176k EUR) but are still relatively high for the Litigation Chamber in its approach to GDPR enforcement. […]
Ask them where they got their legal degree”, someone recently exhorted people to do whenever someone made a link between Recital 4 of the GDPR and Article 16 of the EU Charter of Fundamental Rights, on the freedom to conduct business. Yet now the EU Court of Justice has confirmed for the second time that […]
Today’s CJEU judgment on press & fair compensation indirectly impacts the “Consent or Pay” & broader discussions on online advertising, through its teachings on the freedom to conduct business: any measure liable to have a sufficiently direct and significant effect on the freedom of the operators concerned to exercise a trade or profession constitutes a […]
