Tag: GDPR
-
Mousse – first thoughts
First thoughts on the CJEU’s Mousse judgment (“is Mr/Mrs necessary?”): (i) alternative apparently required to each personalisation; (ii) data minimisation is inherent to the assessment of (strict) necessity; (iii) the risk of discrimination has an impact on a legitimate interest assessment. I’ll focus for now on (i). The CJEU appears to require the offering of…
-
Op-ed: AI training data = (non-)personal data? And is consent really relevant?
The European Data Protection Board is at it again: an urgent procedure has been launched to obtain clarification on “some of the core issues that arise in the context of processing for the purpose of developing and training an AI model”. The aim? To bring “some much needed clarity into this complex area”. Yet the…
-
Op-Ed: Who dares question the primacy of data protection?
Let the name-calling begin. Companies looking to leverage data are now told that it is just like they are responsible for oil spills, cancer and drug cartel violence. As a lawyer working for some of the companies facing these absurd comparisons, I thought I would tackle another controversial stance now: just how absolute (or relative)…
-
Op-Ed: A critical analysis of the EDPB’s “Pay or Consent” Opinion
Illustration: Dall-E rendering of just how potentially evil the European Data Protection Board (EDPB) and certain privacy rights campaigners view the “Pay or Consent” approach + large companies. I didn’t try to get any drug cartel references in there, though as a lawyer acting for adtech companies I have been likened to a drug cartel…
-
Op-Ed: Maybe no consent needed for advertising under ePrivacy “cookie” rule?
Reading through the CNIL’s new decision against Yahoo on cookies brings back to mind a question that has stuck with me for well over a decade: what is the exact reasoning that has led many EU-based authorities to say that advertising cookies/etc. are not strictly necessary for the provision of a service, and why does…
-
EDPB seeks to redefine ePrivacy – Part II: Overbroad notions and regulator activism?
Last week, I questioned the European Data Protection Board’s very authority to adopt its newly published Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive (i.e. the so-called “cookie” rule), guidelines according to which those rules should also apply to a broad range of other technologies and information, such as IP addresses, pixels…
-
EDPB seeks to redefine ePrivacy – Part I: By what authority?
“They will cover many scenarios”, said an EDPB member informally a couple of days ago, talking about what would become the EDPB’s new Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive (subject to a public consultation – more on that later). After having gone through them in detail, I cannot help but…