When an activist joins a regulator, all is perfect – but when a former lobbyist does, that is somehow a very bad thing? A regulator’s role is not to be a one-sided attack/lap dog. Instead, they should be objective and impartial. They should weigh the pros and cons, and never be focussed only on one […]
Invoking a new CJEU decision in ongoing proceedings shortly after it has come out? Super! Even better when it confirms what you have been saying for years. I actually had a strong disagreement with an eminent data protection lawyer nearly a decade ago on this particular topic, during a discussion on the nature of cookies […]
Good to read about the EDPB promoting pseudonymisation in Seoul, but let’s be honest: their guidelines on the topic need serious updating further to the CJEU’s SRB judgment. Yes, they do say the opposite of SRB: 22. Pseudonymised data, which could be attributed to a natural person by the use of additional information, is to […]
Yes, the EU Data Act is now largely applicable, but what are the actual concerns and opportunities? In my discussions with various organisations, there has been one common fear: does this mean that I have to make all data concerning connected devices, including business-confidential information, available to everyone? The answer, as often in law, is […]
Fun day! After moderating a RAID panel with as panelists EDPB Chair Anu Talus, Luxembourg CNPD President Tine A. Larsen, Deputy Head of Data Protection Unit at the Commission’s DG Justice Karolina Mojzesowicz, MEP Brando Benifei and Gibson Dunn Partner Ahmed Baladi, I then was a speaker in a debate alongside Max Schrems of noyb.eu, […]
Cookies: EU Commission considering more pragmatism for ePrivacy – perhaps there is hope for useful legislative changes. The Commission is holding discussions next week to gather input from civil society and industry regarding the possibility of clarifying consent exemptions under Article 5(3) of the ePrivacy Directive. As readers may know, I have often written about […]
data protection podcast alert: SRB judgment implications, notably for the adtech / martech world & broader digital ecosystem. Topics: pseudonymisation, processor/controller, “singling out” versus “identification”, “outside GDPR” ≠ “free for all”, data clean rooms, and more. Listen to my discussion with Sergio Maldonado on his Masters of Privacy podcast – available through your favourite podcast […]
New Belgian Data Protection Authority decision: – Both the controller *and* the processor can be liable for not having a data processing agreement (DPA) in place – If you sign a DPA with “retroactivity clause” (i.e. foreseeing an earlier effective date than the signature date), that retroactivity clause does not have any effect from a […]
The ruling of the Court of Justice of the European Union (CJEU) of yesterday, 4 September 2025, in the EDPS v SRB case is significant – never mind the naysayers. It is the first time that the CJUE has clearly, explicitly said that if a dataset initially contains personal data but is pseudonymised, and that […]
Interestingly mixed reactions to the CJEU’s SRB ruling. Some: “nothing new!”. Others: “finally, relative nature of personal data confirmed!”. Why? The Court stated in unambiguous terms (paras. 77 + 86) that pseudonymised data can be non-personal data for a recipient if the technical and organisational measures of the pseudonymisation are effective and prevent access by […]
