Following the recent judgment of the Court of Justice of the European Union in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, the European Data Protection Board (EDPB) has adopted a ‘Frequently Asked Questions’ document to provide initial clarification and give preliminary guidance to stakeholders on the use of legal instruments for the transfer of personal data to third countries, including the U.S.
According to the Court of Justice of the European Union press announcement, in the view of the Court, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.
The general view is that two years after it started to apply, the GDPR has successfully met its objectives of strengthening the protection of the individual’s right to personal data protection and guaranteeing the free flow of personal data within the EU. However, a number of areas for future improvement have also been identified.
The purpose of this two-year assessment is to provide a wider-angled lens through which to assess the work of the Data Protection Commission (DPC) since the implementation of the General Data Protection Regulation (GDPR); in particular, to examine wider datasets and annual trends to see what patterns can be identified.
According to the European Data Protection Supervisor (EDPS) in his recent opinion on the European Data Strategy, the predominant business model of the digital economy is characterized by an unprecedented concentration of data in the hands of a handful of powerful players, based outside the EU, and wide-scale pervasive tracking. The EDPS goes on to share that he strongly believes that one of the most important objectives of the European Data Strategy should be to prove the viability and sustainability of an alternative data economy model – open, fair, and democratic.
The European Data Protection Board (EDPB) is an independent European body that contributes to the consistent application of data protection rules throughout the European Union and promotes cooperation between the EU’s data protection authorities. The following update shares an overview of recent EDPB guidance on the concept of consent under the EU General Data Protection Regulation (GDPR).
The recently published research paper “Estimating the Success of Re-identifications in Incomplete Datasets Using Generative Models” shows how the likelihood of a specific individual to have been correctly re-identified can be estimated with high accuracy even when an anonymized dataset is heavily incomplete. The presented results reject the claims that, first, re-identification is not a practical risk and, second, sampling or releasing partial datasets provide plausible deniability. Moving forward, the results also question whether current de-identification practices satisfy the anonymization standards of modern data protection laws such as GDPR and CCPA and emphasize the need to move, from a legal and regulatory perspective, beyond the de-identification release-and-forget model.
“As technology seeps into practically every aspect of our daily lives, it is increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure,” Governor Cuomo said. “The stark reality is security breaches are becoming more frequent and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data.”
As AI gains strategic importance, it is essential to shape global rules for its development and use. In promoting the development and uptake of AI, the European Commission has opted for a human-centric approach, meaning that AI applications must comply with fundamental rights. In this context, the rules laid down in the GDPR provide a general framework and contain specific obligations and rights that are particularly relevant for the processing of personal data in AI.
The FCC proposes that ISPs obtain affirmative opt-in consent for the use and sharing of customer data that has not been specifically collected for the purpose of providing broadband Internet related services.