Another week, another product announcement from someone involving AI in your pocket, on your wrist, in front of your eyes. I have met people whose lives have literally been transformed as a result of some of these tools, such as an individual who is suddenly able to use a camera in glasses to film his […]
How solid is your anonymisation? Is “good enough + contractual prohibition to re-identify” really sufficient? The Commission’s DMA team seems to think so, though its own idea of “good enough” relies on magic personal data scrubbers. Perhaps the Commission’s DMA team should read up again on GDPR case law on “personal data” (Breyer, Scania, SRB […]
The clear repudiation of an “absolute” concept of personal data has thrown a sharp focus on the process of pseudonymisation in the world of data protection. Through its SRB judgment of 4 September 2025, the Court of Justice of the European Union (CJEU) made it clear that personal data that has undergone pseudonymisation can be […]
[This is a translation of an op-ed in French that was published in the French journal Revue Politique on SRB and the Digital Omnibus, plus the newest EDPB & EDPS Joint Opinion on the topic. The original in French can be found on the Revue Politique website. + The banner image is a jest – […]
As I was in a meeting when the European Data Protection Board opened registration for its pseudonymisation stakeholder event of 12 December 2025, I missed the short (approx. 1h) registration window and they placed me on a waiting list instead – a pity given my frequent interventions on the EU Court of Justice’s SRB judgment […]
When I pointed out issues with the DMA-GDPR Guidelines & resulting risks for *all* controllers (not just gatekeepers), the EDPB’s Gwendal Le Grand said something to the effect of “Don’t just post about it, submit a response”. So here we go, a copy of the response submitted yesterday to the public consultation by the Commission […]
The ruling of the Court of Justice of the European Union (CJEU) of yesterday, 4 September 2025, in the EDPS v SRB case is significant – never mind the naysayers. It is the first time that the CJUE has clearly, explicitly said that if a dataset initially contains personal data but is pseudonymised, and that […]
In law, the choice of words matters, and a given interpretation can mean the difference between a behaviour being permitted or prohibited. When some recently claimed that the Cologne Higher Regional Court might have misinterpreted one of the European Union’s newer data-related acts, the Digital Markets Act (DMA for short), the challenge to the judges’ […]
Does training of AI systems involve the processing of personal data, and is it permitted under the GDPR? These were the two fundamental questions that I have already looked into in two previous articles: On the date of that second article, the Cologne Higher Regional Court (the Oberlandesgericht Köln – the Cologne HRC) delivered a […]
This is an article that I wrote in the context of a Chatham House rules roundtable on questions to be tackled more extensively in the future regarding the interaction between AI systems & data protection. This particular one relates to AI agents and the notion of authority, notably as regards (i) the user’s perspective (subordination?), […]
