The recently adopted EDPB guidelines on examples regarding data breach notification complement the Article 29 Working Party guidance on data breach notification by introducing more practice-orientated guidance and recommendations. The guidelines, adopted on January 14, 2021, and available for public commentary, aim to help data controllers in deciding how to handle data breaches and what factors to consider during risk assessment.
The Digital Services Act: Transformational Digital Regulation from the European Commission
According to the European Commission, the Digital Services Act is a comprehensive set of new rules, which regulate the responsibilities of digital services. Together with the Digital Markets Act, it will create a safer digital space for users of digital services, protecting their fundamental rights online. The Acts will also create a level playing field so that digital businesses can grow within the single market and compete globally.
New Rules? The European Regulation on Data Governance
According to the European Commission, the proposed Regulation on Data Governance (Data Protection Act) will create the basis for a new European way of data governance that is in line with EU values and principles, such as personal data protection (GDPR), consumer protection and competition rules. It offers an alternative model to the data-handling practices of the big tech platforms, which can acquire a high degree of market power because of their business models that imply control of large amounts of data.
From Metadata to Mass Surveillance? European Data Retention Revisited
This new report, “Data Retention Revisited,” published by the EDRi, critically revisits the question of data retention and concludes that the ongoing aspirations to reintroduce a data retention obligation in the EU remain in violation of EU law as long as the strict necessity of data retention is unproved and no genuinely targeted retention obligation is considered.
Socially Acceptable? EDPB Guidelines on the Targeting of Social Media Users
According to the recently published EDPB guidelines on the targeting of social media users, the term “targeter” is used to designate natural or legal persons that use social media services in order to direct specific messages at a set of social media users on the basis of specific parameters or criteria. What sets targeters apart from other social media users is that they select their messages and/or their intended audience according to the perceived characteristics, interests, or preferences of the individuals concerned, a practice which is sometimes also referred to as “micro-targeting.” Targeters can engage in targeting to advance commercial, political, or other interests.
You Want Answers? EDPB FAQ on CJEU Schrems II Decision
Following the recent judgment of the Court of Justice of the European Union in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, the European Data Protection Board (EDPB) has adopted a ‘Frequently Asked Questions’ document to provide initial clarification and give preliminary guidance to stakeholders on the use of legal instruments for the transfer of personal data to third countries, including the U.S.
CJEU Invalidates Decision on the Adequacy of Protection Under EU-US Data Protection Shield
According to the Court of Justice of the European Union press announcement, in the view of the Court, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.
A Pillar of Empowerment? Evaluating and Reviewing GDPR Data Protection
The general view is that two years after it started to apply, the GDPR has successfully met its objectives of strengthening the protection of the individual’s right to personal data protection and guaranteeing the free flow of personal data within the EU. However, a number of areas for future improvement have also been identified.
An Irish Update: DPC Ireland Publishes GDPR Regulatory Activity Report
The purpose of this two-year assessment is to provide a wider-angled lens through which to assess the work of the Data Protection Commission (DPC) since the implementation of the General Data Protection Regulation (GDPR); in particular, to examine wider datasets and annual trends to see what patterns can be identified.
A Matter of Opinion? An EDPS View on the European Data Strategy
According to the European Data Protection Supervisor (EDPS) in his recent opinion on the European Data Strategy, the predominant business model of the digital economy is characterized by an unprecedented concentration of data in the hands of a handful of powerful players, based outside the EU, and wide-scale pervasive tracking. The EDPS goes on to share that he strongly believes that one of the most important objectives of the European Data Strategy should be to prove the viability and sustainability of an alternative data economy model – open, fair, and democratic.