Can't find what you're looking for? Try the search bar!
Summary + thoughts on the CJEU’s answer to the 2nd question (“is IAB Europe (joint) controller?”) in the�IAB Europe�& TCF case (C-604/22). [Again, I may be biased] – 55: Broad definition of “controller” in order to ensure an effective and complete protection of data subjects (C-210/16) 57: A natural or legal person who influence “for […]
Summary + thoughts on the CJEU’s answer to the 1st question (“is the TC String personal data?”) in the IAB Europe & TCF case (C-604/22). [I may be biased] – 33: CJEU data protection Directive case law is “in principle” also relevant for the GDPR, “given that this directive was withdrawn by and replaced by […]
Breyer seemingly confirmed (means of identification are crucial), facts matter re establishment of joint controllership (it depends on whether there is actual influence and an own purpose), and joint controllership doesn’t necessarily extend to further processing (such as advertising) – we will be looking at the CJEU’s newest judgment (C-604/22 – IAB Europe / TCF […]
Another adtech discussion showing that not all information gleaned through server connections is personal data under the GDPR (or even the CCPA’s broad “personal information” concept). [Nor is it / should it be automatically covered by ePrivacy rules] In this case, it was about which data points are actually being used, by whom and who […]
What is automated decision-making? This is what the CJEU is asked in case C-634/21. In an Opinion delivered today, Advocate General Pikam�e proposed an answer. Art. 22 GDPR says that a data subject [DS] can only be subject to a decision based solely on automated processing that produces legal effects concerning him/her or �similarly significantly […]
Useful new decision by the Belgian Data Protection Authority on the limits of data subject access requests, in a case where a data subject complained that the response was (i) late and (ii) incomplete. (i) Late response: The response was late due to a long-term absence of the person normally managing data subject requests due […]
Getting some serious “You wouldn’t steal a car”* vibes from NOYB’s “Imagine having to pay for privacy in your own car” consent-or-pay allegory. I have been advising on the idea of “consent or pay” (or “pay or data”, “pay or OK” or however you wish to call it) for a few years now, and the […]
Which GDPR legal ground does a broadcaster or streaming platform need to publish audiovisual works featuring recognisable natural persons? That was the question examined by the Belgian DPA in its latest decision. The decision related to a kind of documentary, a “human interest” show/programme. The BDPA’s Litigation Chamber summarised the facts as follows (para. 2 […]
In its newest decision, the Belgian DPA takes a stance that will please both consumer rights organisations and anyone who likes to rely on the primacy of EU legislation (versus local national legislation), on an issue that would not have arisen if the Belgian legislator had stuck to the text of the GDPR. This all […]
The privacy discourse is often one-sided: regulators and campaigners are vocal (“fundamental rights violated”, “illegal consent”), and few want to push back in public (lawyers because they are not keen on voicing their opinion, businesses because they fear drawing attention to themselves) – even though the GDPR *allows* interferences with privacy and data protection rights […]