Tag: Personal Data
-
“Better Regulation”: Rethinking (or getting rid of?) the ePrivacy Directive
The European Commission’s announcement that it will consider simplifying regulatory regimes, notably in relation to data and technology, seems to open Pandora’s box. Is it a chance to draw lessons from what works well and what works less well? In this series on “Better Regulation” in relation to the digital economy, I will be exploring…
-
Relative nature of personal data, consent for pseudonymisation? Dissecting the EDPS v SRB AG Opinion
Understanding what is and is not personal data is fundamental to the proper interpretation and enforcement of the most famous data protection law, the GDPR. If no personal data are being processed, the GDPR simply does not apply. Some have considered that “personal data” is an absolute concept, i.e. information can be “in and of…
-
Data Protection Day: podcast on AI & GDPR
Fun 45min interview with Legal4Tech on the GDPR, data protection concerns and AI, the concept of personal data and more – with a short video excerpt here. Listen to the full podcast on Spotify or Apple Podcasts.Happy Data Protection Day! Thanks Rosalia Anna D’Agostino, Giacomo Amodio & Giacomo Di Gregorio for the chat.
-
EDPB going broad on pseudonymisation
If A pseudonymises personal data of person Z and sends it to B, is it personal data from B’s perspective, even if B is never allowed to get additional information [=AddInfo] allowing the identification of Z? The EDPB suggests “yes” in its latest guidance on pseudonymisation. Based on the definition of pseudonymisation under the GDPR,…
-
Bindl – preliminary comments
The Bindl judgment is significant. Some positives for controllers/processors: (i) hypothetical, unproven data transfers are not transfers (“the mere risk of access to personal data by a third country cannot amount to a transfer of data” – para. 135);(ii) repeating the principle (for EU Institutions’ non-contractual liability, but similar ones exist in most countries) that…
-
Mousse – first thoughts
First thoughts on the CJEU’s Mousse judgment (“is Mr/Mrs necessary?”): (i) alternative apparently required to each personalisation; (ii) data minimisation is inherent to the assessment of (strict) necessity; (iii) the risk of discrimination has an impact on a legitimate interest assessment. I’ll focus for now on (i). The CJEU appears to require the offering of…
-
Op-ed: AI training data = (non-)personal data? And is consent really relevant?
The European Data Protection Board is at it again: an urgent procedure has been launched to obtain clarification on “some of the core issues that arise in the context of processing for the purpose of developing and training an AI model”. The aim? To bring “some much needed clarity into this complex area”. Yet the…
-
Op-Ed: Who dares question the primacy of data protection?
Let the name-calling begin. Companies looking to leverage data are now told that it is just like they are responsible for oil spills, cancer and drug cartel violence. As a lawyer working for some of the companies facing these absurd comparisons, I thought I would tackle another controversial stance now: just how absolute (or relative)…
-
Op-Ed: A critical analysis of the EDPB’s “Pay or Consent” Opinion
Illustration: Dall-E rendering of just how potentially evil the European Data Protection Board (EDPB) and certain privacy rights campaigners view the “Pay or Consent” approach + large companies. I didn’t try to get any drug cartel references in there, though as a lawyer acting for adtech companies I have been likened to a drug cartel…