Eduardo Ustaran

Following the European Parliament’s election earlier this year and after months of political manoeuvring, a new European Commission is now in place and fully operational. As the main policy making body in the European Union, the Commission continues to be in charge of pushing forward the ongoing data protection legislative reform that will lead to a new legal framework for privacy across the EU. Here is a list of impending privacy-related challenges faced by the new Commission.

Assuming a fair amount of hard work and that the EU institutions are able to put their political skills to good use, 2015 may be the year that sees the culmination of a legal modernisation process that has been running for the best part of four years. It was in 2010 when the European Commission formally acknowledged that the 1995 Data Protection Directive was ready for a makeover to address the privacy and data protection needs of the 21 century. Since then, stakeholders covering a whole… Show more

Assuming a fair amount of hard work and that the EU institutions are able to put their political skills to good use, 2015 may be the year that sees the culmination of a legal modernisation process that has been running for the best part of four years. It was in 2010 when the European Commission formally acknowledged that the 1995 Data Protection Directive was ready for a makeover to address the privacy and data protection needs of the 21 century. Since then, stakeholders covering a whole spectrum of views have participated in a process that is approaching a decisive stage. In early 2014, the European Parliament came forward with a bold proposal to amend the Commission’s original draft and put the ball firmly in the Council of the EU’s court. As the Council finalises its own proposal, a picture of what the new framework will look like is starting to emerge.

Taking into account the political situation in Europe today, where Member States’ governments prefer an element of legal uncertainty over complete harmonisation, it is possible to see what may happen. In all likelihood, the Regulation will include some risk-based provisions, which will have the effect of raising or lowering the level of accountability of organisations handling personal data depending on the perceived risks of those activities for the individual. Show less

The controversy of the CJEU's ruling in Google v AEDP has focused on the impact of the judgment on freedom of expression and the right of access to information, as well as the potentially devastating effect of a large amount of deletion requests. However, the CJEU's decision is not only relevant to search engines or Internet companies. The implications of the judgment are much wider.

The CJEU has shaken the basis on which the applicability of EU data protection law has been understood until now. According to the CJEU’s interpretation of the existing rules, each and every local subsidiary in the EU may be capable of triggering the applicability of the local data protection law. So here’s the critical question: would that local – Spanish, Italian, French, German… – law apply when the declared controller is in, say, Ireland or the UK?

The EU data protection authorities have realised a large number of websites are cutting corners and whilst they appear to follow the implied consent approach, some of the essential features of this model are in fact missing.

The French data protection authority has announced that following the “cookie sweep day” due to take place the week commencing 15 September 2014, it will launch a program of website audits in October to verify compliance with the CNIL’s 5 December 2013 cookie recommendations.

Whilst the reform of the EU data protection framework continues its tortuous course in Brussels' corridors of power, privacy pros in the real world are doing their best to cope with the current uncertainty. One of the ever-present sources of concern for those with data-related operations in Europe is how to overcome the restrictions affecting international data transfers in a cost-effective, sustainable and effective manner. In reality, there are many paths to follow, but choosing the right one… Show more

Whilst the reform of the EU data protection framework continues its tortuous course in Brussels' corridors of power, privacy pros in the real world are doing their best to cope with the current uncertainty. One of the ever-present sources of concern for those with data-related operations in Europe is how to overcome the restrictions affecting international data transfers in a cost-effective, sustainable and effective manner. In reality, there are many paths to follow, but choosing the right one is not always obvious—each case is different, and limited resources and time constraints often add an unwelcome degree of stress and complexity to the process. Show less

Any global organisation that operates in Europe should take into account the current situation in order to plan how to manage its international data flows now and in the future.

European DPAs could be forgiven for thinking that they have become a focal point of reference for the functioning of the current and forthcoming EU data protection regime. This has been reinforced even more by the importance given to the one-stop-shop (OSS) debate within the Council of the EU.

The big question that remains on the ground is whether EU-based organisations that rely on Safe Harbor as the legal basis for transferring data to either their own corporate group entities or service providers operating in the U.S. are doing the right thing or should be looking for alternatives.

Our success as guardians and developers of the information society will depend on our ability to understand and effectively deal with the never-ending evolution of technology, the strategic and commercial value of personal data and the global nature of all data-reliant activities. With that in mind, here are some of the issues that we are going to have to master in order to fulfil our duties as privacy pros.

The privacy issues raised by the IoT will test our skills in the same way that more traditional Internet uses have been challenging our professional ability to identify risks, assess their likely impact and deploy practical solutions for everyone's benefit. Here are some tips on how we may be able to handle the IoT revolution.

A draft LIBE report into the US surveillance program proposes extreme measures with potentially catastrophic consequences for global data flows. A different, more pragmatic approach is needed instead.

In recent years, privacy and data protection have become critical issues whose significance is only set to grow. The implications of devising an effective framework to regulate the use of personal information are crucial for the future of humanity, our freedoms and our economic wellbeing.

The Future of Privacy argues that in order to get the balance right, policy makers, regulators and organisations must address the specific challenges presented by rapidly evolving technology, the… Show more

In recent years, privacy and data protection have become critical issues whose significance is only set to grow. The implications of devising an effective framework to regulate the use of personal information are crucial for the future of humanity, our freedoms and our economic wellbeing.

The Future of Privacy argues that in order to get the balance right, policy makers, regulators and organisations must address the specific challenges presented by rapidly evolving technology, the increasing value of personal information and the globalisation of data-reliant activities.

Leading expert Eduardo Ustaran makes a number of public policy suggestions about how to address these factors and anticipates the key elements that organisations and privacy professionals will need to tackle to comply with the regulatory framework of the future. Show less

There is an awesomeness factor in the way data about our digital comings and goings is being captured nowadays. That awesomeness is such that it cannot even be described in numbers. In other words, the concept of big data is not about size but about reach. In the same way that the ‘wow’ of today’s computer memory will turn into a ‘so what’ tomorrow, references to terabytes of data are meaningless to define the power and significance of big data. The best way to understand big data is to see… Show more

There is an awesomeness factor in the way data about our digital comings and goings is being captured nowadays. That awesomeness is such that it cannot even be described in numbers. In other words, the concept of big data is not about size but about reach. In the same way that the ‘wow’ of today’s computer memory will turn into a ‘so what’ tomorrow, references to terabytes of data are meaningless to define the power and significance of big data. The best way to understand big data is to see it as a collection of all possible digital data. Absolutely all of it. Some of it will be trivial and most of it will be insignificant in isolation, but when put together its significance becomes clearer – at least to those who have the vision and astuteness to make the most of it.

Show less

I had not heard the word 'ecosystem' since school biology lessons. But all of a sudden, someone at a networking event dropped the 'e' word and these days, no discussion about mobile communications takes place without the word 'ecosystem' being uttered in almost every sentence. An ecosystem is normally defined as a community of living things helping each other out (some more willingly than others) in a relatively contained environment. The point of an ecosystem is that completely different… Show more

I had not heard the word 'ecosystem' since school biology lessons. But all of a sudden, someone at a networking event dropped the 'e' word and these days, no discussion about mobile communications takes place without the word 'ecosystem' being uttered in almost every sentence. An ecosystem is normally defined as a community of living things helping each other out (some more willingly than others) in a relatively contained environment. The point of an ecosystem is that completely different organisms – each with different purposes and priorities – are able to co-exist in a more or less harmonious but eclectic way. The parallel between that description and what is happening in the mobile space is evident. Mobile communications have evolved around us to adopt a life of their own and separate from traditional desktop based computing and web browsing. Through the interaction of very different players, our experience of communications on the go via smart devices has become an intrinsic part of our everyday lives.
Show less

The beginning of 2013 could not have been more dramatic for the future of European data protection. After months of deliberations, veiled announcements and guarded statements, the rapporteur of the European Parliament's committee responsible for taking forward the ongoing legislative reform has revealed his position loudly and clearly. Jan Albrecht's proposal is by no means the final say of the Parliament but it is an indication of where an MEP who has thought long and hard about what the new… Show more

The beginning of 2013 could not have been more dramatic for the future of European data protection. After months of deliberations, veiled announcements and guarded statements, the rapporteur of the European Parliament's committee responsible for taking forward the ongoing legislative reform has revealed his position loudly and clearly. Jan Albrecht's proposal is by no means the final say of the Parliament but it is an indication of where an MEP who has thought long and hard about what the new data protection law should look like stands. The reactions have been equally loud. The European Commission has calmly welcomed the proposal, whilst some Member States' governments have expressed serious concerns about its potential impact on the information economy. Amongst the stakeholders, the range of opinions vary quite considerably – Albrecht's approach is praised by regulators whilst industry leaders have massive misgivings about it. So who is right? Is this proposal the only possible way of truly protecting our personal information or have the bolts been tightened too much?
Show less

Making predictions as we approach a new year has become a bit of a tradition. The degree of error is typically proportional to the level of boldness of those predictions, but as in the early days of weather forecasting, the accuracy expectations attached to big statements about what may or may not happen in today's uncertain world are pretty low. Having said that, it wouldn't be particularly risky to assume that during 2013, the EU legislative bodies will be thinking hard about things like… Show more

Making predictions as we approach a new year has become a bit of a tradition. The degree of error is typically proportional to the level of boldness of those predictions, but as in the early days of weather forecasting, the accuracy expectations attached to big statements about what may or may not happen in today's uncertain world are pretty low. Having said that, it wouldn't be particularly risky to assume that during 2013, the EU legislative bodies will be thinking hard about things like whether the current definition of personal data is wide enough, what kind of security breach should trigger a public disclosure, the right amount for monetary fines or the scope of the European Commission's power to adopt 'delegated acts'. But whilst it is easy to get distracted by the fascinating data protection legislative developments currently taking place in the EU, next year's key privacy developments will be significantly shaped by the equally fascinating technological revolution of our time. Show less

For a while now, it has been suggested that one of the ways of tackling the risks to personal information, beyond protecting it, is to anonymise it. That means to stop such information being personal data altogether. The effect of anonymisation of personal data is quite radical – take personal data, perform some magic to it and that information is no longer personal data. As a result, it becomes free from any protective constraints. Simple. People's privacy is no longer threatened and… Show more

For a while now, it has been suggested that one of the ways of tackling the risks to personal information, beyond protecting it, is to anonymise it. That means to stop such information being personal data altogether. The effect of anonymisation of personal data is quite radical – take personal data, perform some magic to it and that information is no longer personal data. As a result, it becomes free from any protective constraints. Simple. People's privacy is no longer threatened and users of that data can run wild with it. Everybody wins. However, as we happen to be living in the 'big data society', the problem is that with the amount of information we generate as individuals, what used to be pure statistical data is becoming so granular that the real value of that information is typically linked to each of the individuals from whom the information originates. Is true anonymisation actually possible then?
Show less

Going all the way to the Rio de la Plata to discuss the content of the future European data protection framework seems a little over the top, but the recent International Privacy Commissioners' Conference in Punta del Este, Uruguay provided a perfect forum as a neutral ground for a fierce policy debate. Surrounded by equally fierce winds and rain for added dramatic effect, regulators and other influential stakeholders in the privacy world locked horns in the most constructive possible way for… Show more

Going all the way to the Rio de la Plata to discuss the content of the future European data protection framework seems a little over the top, but the recent International Privacy Commissioners' Conference in Punta del Este, Uruguay provided a perfect forum as a neutral ground for a fierce policy debate. Surrounded by equally fierce winds and rain for added dramatic effect, regulators and other influential stakeholders in the privacy world locked horns in the most constructive possible way for three days to make the most of this annual gathering. One of the immediate outcomes was the realisation that much work remains to be done if we are to achieve the necessary balance between progress and protection. No other issue symbolised the need for this balance better than the 'one stop shop' principle under the proposed EU data protection regulation – the sole competence of one single regulator over the same controller all over the European Union.
Show less

There is nothing like the Olympic Games to remind us of the diversity of our global village – from the young fully-clothed Saudi athlete to the veteran Japanese rider, including of course the African marathon runner who ran for the world. Yet among that diversity, all of those athletes have something in common: passion for sport and desire to succeed. In the ever changing world of privacy and data protection, global diversity is proven every day by fascinating developments taking place in… Show more

There is nothing like the Olympic Games to remind us of the diversity of our global village – from the young fully-clothed Saudi athlete to the veteran Japanese rider, including of course the African marathon runner who ran for the world. Yet among that diversity, all of those athletes have something in common: passion for sport and desire to succeed. In the ever changing world of privacy and data protection, global diversity is proven every day by fascinating developments taking place in every corner of the planet. At the same time, a common pattern can be seen in many of those developments: their attempt to strike the right balance between the exploitation and the protection of the most valuable asset of our time. So whilst Brussels wakes up from its legislative recess, it is worthwhile having a look at what has been happening in other parts of the world and spot trends and priorities in the regulation of personal information.
Show less

Cloud computing is not a fashion or a swanky new name given to technology outsourcing. Cloud computing is not a marketing plot to sell more Internet connections and fibre optics. Cloud computing is not a twisted way of helping data hungry governments get their hands on corporate secrets. Cloud computing is in fact the most obvious business application of networked computing and essentially what the Internet was created for in the first place. However, the unstoppable growth and increasing… Show more

Cloud computing is not a fashion or a swanky new name given to technology outsourcing. Cloud computing is not a marketing plot to sell more Internet connections and fibre optics. Cloud computing is not a twisted way of helping data hungry governments get their hands on corporate secrets. Cloud computing is in fact the most obvious business application of networked computing and essentially what the Internet was created for in the first place. However, the unstoppable growth and increasing power of cloud service providers and the suspicion of their critics have jointly contributed to a climate where controversies and horror stories abound, which is unfortunate when data protection and the cloud are in fact made for each other.
Show less

It was exactly four years ago when the term Binding Safe Processor Rules was coined. Nobody had heard about this concept before and the idea of allowing a humble data processor to take responsibility for adopting and implementing its own set of rules based on European privacy standards from which its clients could benefit to legitimise any international processing of personal data seemed ill conceived. Regulators and data protection lawyers were sceptical about the prospect of a service… Show more

It was exactly four years ago when the term Binding Safe Processor Rules was coined. Nobody had heard about this concept before and the idea of allowing a humble data processor to take responsibility for adopting and implementing its own set of rules based on European privacy standards from which its clients could benefit to legitimise any international processing of personal data seemed ill conceived. Regulators and data protection lawyers were sceptical about the prospect of a service provider taking such a primary compliance role. However, the idea was not ill conceived and fortunately for the future of data protection, that scepticism has turned into pragmatism as the Article 29 Working Party has proved. Show less

Not that long ago, reading this article (let along writing it) would have been regarded as nerdy. Data protection used to be seen as arcane and irrelevant to businesses and ordinary people. Introducing yourself as a data protection lawyer or a privacy professional was a recipe for embarrassment and a sure way of getting some funny looks. However, at some point, something suddenly changed. What was wacky is now cool, and what seemed like an obscure legal discipline with funny jargon and odd… Show more

Not that long ago, reading this article (let along writing it) would have been regarded as nerdy. Data protection used to be seen as arcane and irrelevant to businesses and ordinary people. Introducing yourself as a data protection lawyer or a privacy professional was a recipe for embarrassment and a sure way of getting some funny looks. However, at some point, something suddenly changed. What was wacky is now cool, and what seemed like an obscure legal discipline with funny jargon and odd rules has become a critical consideration for business and government. What happened? What was the event that radically altered our perception of the importance of personal information for the world's prosperity? The crucial catalyst was in fact a combination of three factors that will also shape the future of privacy and data protection going forward.
Show less

Three years have gone by since the European Parliament shocked and awed everyone by tweaking the e-privacy directive and introducing the most controversial word in the data protection glossary – consent – in the provision that deals with Internet cookies. The debate that followed immediately afterwards about the meaning of consent and whether it will ever be realistic to get everyone using the web to comprehend, consider and positively accept the use of cookies is still ongoing. Much has been… Show more

Three years have gone by since the European Parliament shocked and awed everyone by tweaking the e-privacy directive and introducing the most controversial word in the data protection glossary – consent – in the provision that deals with Internet cookies. The debate that followed immediately afterwards about the meaning of consent and whether it will ever be realistic to get everyone using the web to comprehend, consider and positively accept the use of cookies is still ongoing. Much has been said, written and argued about this subject in the past three years. Opposing views about whether anything has changed have been aired. Passionate arguments about what constitutes consent have been put forward. All of which has contributed to a climate or confusion and myths where legal certainty is surrounded by wishful thinking, so it may be a good idea to shed some light and make some clarifications. Show less

Obama gets it. Viviane Reding gets it. This is indeed a defining moment to get our public policies right in terms of global data protection and privacy. Ignore the human and social implications of the exploitation of personal data and we will lose forever the right to privacy and possibly our freedom. Be too overprotective with one of our greatest assets of our time and we will definitely block progress and prosperity. The stakes are really that high. That was the key underlying message of the… Show more

Obama gets it. Viviane Reding gets it. This is indeed a defining moment to get our public policies right in terms of global data protection and privacy. Ignore the human and social implications of the exploitation of personal data and we will lose forever the right to privacy and possibly our freedom. Be too overprotective with one of our greatest assets of our time and we will definitely block progress and prosperity. The stakes are really that high. That was the key underlying message of the recent EU-U.S. Conference on Privacy and Protection of Personal Data held simultaneously in Brussels and Washington.
Show less

Without a doubt, figuring out how to comply with the notice and consent requirements affecting the use of cookies in Europe is going to be at the top of the New Year's resolutions of many data protection officers and privacy counsels. Despite being a nearly three year old debate, inaction has so far prevailed amongst European website operators to the frustration of the data protection authorities. A frustration which is only too visible in the latest Working Party Opinion on online… Show more

Without a doubt, figuring out how to comply with the notice and consent requirements affecting the use of cookies in Europe is going to be at the top of the New Year's resolutions of many data protection officers and privacy counsels. Despite being a nearly three year old debate, inaction has so far prevailed amongst European website operators to the frustration of the data protection authorities. A frustration which is only too visible in the latest Working Party Opinion on online behavioural advertising. We are now well past the deadline to implement these requirements and it is time to start doing something other than burying our head in the sand. Show less

Compact. Self-contained. Multi-layered. Hard to penetrate and rich inside with a mix of flavours and tones. Judging by the commentary surrounding the forthcoming EU data protection framework circulating in the corridors of the IAPP European Data Protection Congress that took place in Paris at the end of November, we could have been describing a typical Parisian macaron instead of a new law. But if the indications of what we are about to see in the regulation being proposed by the European… Show more

Compact. Self-contained. Multi-layered. Hard to penetrate and rich inside with a mix of flavours and tones. Judging by the commentary surrounding the forthcoming EU data protection framework circulating in the corridors of the IAPP European Data Protection Congress that took place in Paris at the end of November, we could have been describing a typical Parisian macaron instead of a new law. But if the indications of what we are about to see in the regulation being proposed by the European Commission are true, complying with the future European privacy regime is going to require fine confectionery skills. Show less

One of the key topics at the forthcoming international conference of privacy and data protection commissioners in Mexico City will be the role of enforcement. Given that the conference is organised by the Mexican supervisory authority for data privacy, this is obviously not surprising. However, one of the reasons why this topic features prominently on the agenda right now is that never before have privacy regulators focused so intensely on devising the ideal strategy to achieve their… Show more

One of the key topics at the forthcoming international conference of privacy and data protection commissioners in Mexico City will be the role of enforcement. Given that the conference is organised by the Mexican supervisory authority for data privacy, this is obviously not surprising. However, one of the reasons why this topic features prominently on the agenda right now is that never before have privacy regulators focused so intensely on devising the ideal strategy to achieve their objective. Let’s not forget, enforcement is not an end in itself, but a means to an end – ensuring compliance with the regulatory framework. But it is a hard fact that effective regulation depends entirely on the supervision and enforcement mechanisms in place.
Show less

What should we make of recent reports about the banning by the Dutch government of non EU-based cloud services and the launch by leading providers of EU-only clouds? Is this fierce European protectionism or sensible data protection? If anything, these developments show a trend towards restricting cloud computing services geographically, so that the fuzzy Internet cloud becomes a series of neatly divided gas bubbles. However, instead of a technological uproar against such an aberration, there… Show more

What should we make of recent reports about the banning by the Dutch government of non EU-based cloud services and the launch by leading providers of EU-only clouds? Is this fierce European protectionism or sensible data protection? If anything, these developments show a trend towards restricting cloud computing services geographically, so that the fuzzy Internet cloud becomes a series of neatly divided gas bubbles. However, instead of a technological uproar against such an aberration, there seems to be a quiet acceptance based on legal constraints and half baked security arguments. Is data protection being cited once again as the justification for stifling technological progress? That would not be surprising, but it is somewhat unfair and clearly unnecessary.
Show less

It has been a busy year for the European Commission’s Data Protection Unit so far. Day after day, week after week, month after month, a multicultural team of officials based in an unassuming Brussels building have been brainstorming ideas, pouring over written submissions and listening patiently to the wishes, concerns and ideas of those who hope to have a say in the future European data protection framework. Despite all this hard work, it seems that we may not see a formal proposal until the… Show more

It has been a busy year for the European Commission’s Data Protection Unit so far. Day after day, week after week, month after month, a multicultural team of officials based in an unassuming Brussels building have been brainstorming ideas, pouring over written submissions and listening patiently to the wishes, concerns and ideas of those who hope to have a say in the future European data protection framework. Despite all this hard work, it seems that we may not see a formal proposal until the end of the year. The reason for this - in addition to the massive pressure to get the first draft right – is that the Commission would like to feed into the proposal the outcomes of the current public consultations on cloud computing and data breach notification. That is understandable but in the meantime and to temper our anxiety, we can make an informed guess of what we will be presented with.
Show less

Irrespective of whether one agrees or disagrees with the Article 29 Working Party’s Opinion on the definition of consent, the Working Party should at least be praised for taking a clear cut line on this issue. Never before has the group of EU data protection authorities carried out such a detailed assessment of one of the legal grounds for the use of personal information. If there was ever any doubt as to where the regulators stood in terms of the conditions for obtaining individuals’… Show more

Irrespective of whether one agrees or disagrees with the Article 29 Working Party’s Opinion on the definition of consent, the Working Party should at least be praised for taking a clear cut line on this issue. Never before has the group of EU data protection authorities carried out such a detailed assessment of one of the legal grounds for the use of personal information. If there was ever any doubt as to where the regulators stood in terms of the conditions for obtaining individuals’ consent, that is no longer the case. Whether their assessment is entirely correct is a different matter and deserving of debate.
Show less

Anyone caught up in the murky world of international data transfers tends to regard the standard contractual clauses approved by the European Commission as the most popular solution to legitimise those transfers. For starters, they are freely available and have the blessing of the Commission and the regulators. Surely, those two factors alone must provide considerable comfort to finance directors and general counsels who will think that one cannot go too wrong with them. Also, from a resources… Show more

Anyone caught up in the murky world of international data transfers tends to regard the standard contractual clauses approved by the European Commission as the most popular solution to legitimise those transfers. For starters, they are freely available and have the blessing of the Commission and the regulators. Surely, those two factors alone must provide considerable comfort to finance directors and general counsels who will think that one cannot go too wrong with them. Also, from a resources perspective, drafting and entering into a set of model clauses should not be very time-consuming as it is just a matter of signing on the dotted line. So, are we wasting our time looking for alternatives? Or aren’t we...? Show less

No avid reader of Article 29 Working Party opinions would be surprised to see statements such as "location data from smart mobile devices are personal data" or "the combination of the unique MAC address and the calculated location of a WiFi access point should be treated as personal data". However, when those statements appear alongside references to the night table next to someone's bed, or the fact that specific locations reveal data about someone's sex life, one can't stop wondering whether… Show more

No avid reader of Article 29 Working Party opinions would be surprised to see statements such as "location data from smart mobile devices are personal data" or "the combination of the unique MAC address and the calculated location of a WiFi access point should be treated as personal data". However, when those statements appear alongside references to the night table next to someone's bed, or the fact that specific locations reveal data about someone's sex life, one can't stop wondering whether an intended clarification of the applicable legal framework to geolocation services available on smart mobile devices is getting a bit sensationalistic.
Show less

According to the World Economic Forum, personal data will continue to increase dramatically in both quantity and diversity, and has the potential to unlock significant economic and societal value for end users, private firms and public organisations alike. This statement by the Swiss organisation behind the prestigious annual Davos meeting summarises its stance on the issue of personal information as an asset. Let's forget for a second the idea of data protection as a fundamental right and look… Show more

According to the World Economic Forum, personal data will continue to increase dramatically in both quantity and diversity, and has the potential to unlock significant economic and societal value for end users, private firms and public organisations alike. This statement by the Swiss organisation behind the prestigious annual Davos meeting summarises its stance on the issue of personal information as an asset. Let's forget for a second the idea of data protection as a fundamental right and look at it as a tool to maximise the economic and societal value of data. Perhaps the big thinkers at the Forum are up to something. Show less

The official deadline for the implementation of the revised e-privacy directive across the EU is only a few weeks away and there is a clear sense of panic in the air. National governments seem to be struggling to find a rational way of formulating the controversial cookie consent rule, which essentially requires the consent of the user in order to place a humble cookie in that user's equipment or access a cookie that is already there. Meanwhile, data protection authorities are insisting that… Show more

The official deadline for the implementation of the revised e-privacy directive across the EU is only a few weeks away and there is a clear sense of panic in the air. National governments seem to be struggling to find a rational way of formulating the controversial cookie consent rule, which essentially requires the consent of the user in order to place a humble cookie in that user's equipment or access a cookie that is already there. Meanwhile, data protection authorities are insisting that obtaining consent must not be a farce and Internet businesses are waiting for a silver bullet that will end this surreal nightmare. Here is the story so far and some thoughts on how the new obligation can be complied with in practice. Show less

Possibly the most commonly asked privacy-related question by any organisation looking to expand into Europe is whether EU data protection law applies to it. That is in fact a question that the creators of the original EU data protection directive considered very carefully and tried to address in the black letter of the law to avoid uncertainties. However, as a result of the tension between the two parallel objectives of the directive - to protect the fundamental rights and freedoms of… Show more

Possibly the most commonly asked privacy-related question by any organisation looking to expand into Europe is whether EU data protection law applies to it. That is in fact a question that the creators of the original EU data protection directive considered very carefully and tried to address in the black letter of the law to avoid uncertainties. However, as a result of the tension between the two parallel objectives of the directive - to protect the fundamental rights and freedoms of individuals, and to facilitate the free flow of personal data between Member States - the rules that determine the applicability of EU data protection law are far from clear cut. Fortunately, European regulators are well aware of this and even they scratch their heads when trying to reconcile the words of the applicability of the law criteria with their supervisory duties. Show less

Legislators, regulators and privacy professionals are set for a very busy year ahead. Serious legislative developments are always likely to bring with them some uncertainty and turmoil. But when these changes are directly affected by an ongoing technological transformation and complemented by the relentless actions of keen regulators, we know we face something just short of a revolution. That’s precisely what the year ahead looks like, so here’s a brief guide to 2011 – the year without holidays.

At any given time, each of the 37 legislative changes currently being considered by the European Commission as part of the reform of the EU data protection directive would qualify as a major development. As a whole, the proposed reform package is awesome. From greater transparency to full harmonisation across Member States, the Commission’s strategy is ambitious and far-reaching. In some areas, the Commission appears willing to test the boundaries of what regulation can practically achieve and… Show more

At any given time, each of the 37 legislative changes currently being considered by the European Commission as part of the reform of the EU data protection directive would qualify as a major development. As a whole, the proposed reform package is awesome. From greater transparency to full harmonisation across Member States, the Commission’s strategy is ambitious and far-reaching. In some areas, the Commission appears willing to test the boundaries of what regulation can practically achieve and Viviane Reding herself, the Commissioner leading this process, is not afraid to speak up. The enhancement of people’s data privacy rights is top of her priorities and the introduction of the ‘right to be forgotten’ is spearheading this quest. Show less

After months of anticipation, weeks of gossip and leaked strategy documents, the European Commission has finally and publicly come out of the legislative policy closet. The publication of the Commission’s approach for modernising the EU legal system for the protection of personal data is a crucial milestone. In fact, the potential impact of the Commission’s official communication should not be underestimated. If it gets it right, this will shape the future of privacy - a must-have value for the… Show more

After months of anticipation, weeks of gossip and leaked strategy documents, the European Commission has finally and publicly come out of the legislative policy closet. The publication of the Commission’s approach for modernising the EU legal system for the protection of personal data is a crucial milestone. In fact, the potential impact of the Commission’s official communication should not be underestimated. If it gets it right, this will shape the future of privacy - a must-have value for the information society. If it gets it wrong, not only will legal compliance be compromised, but a fundamental right will end up being very badly damaged. Show less

Is individual choice still the essence of data privacy law? In the early days of data protection as a regulated activity, putting people in control of their information was thought to be what mattered the most. From the 1980 OECD Guidelines to the latest version of the EU e-privacy directive, consent has been a cornerstone across legal regimes and jurisdictions. European data protection law is based on the principle that an individual’s consent is the most legitimate of all legitimate… Show more

Is individual choice still the essence of data privacy law? In the early days of data protection as a regulated activity, putting people in control of their information was thought to be what mattered the most. From the 1980 OECD Guidelines to the latest version of the EU e-privacy directive, consent has been a cornerstone across legal regimes and jurisdictions. European data protection law is based on the principle that an individual’s consent is the most legitimate of all legitimate grounds to use information about people. But does this approach still hold true? Can we – as individuals – attempt to have a meaningful degree of control over the vast amount of information we generate as we go about our lives? Show less