Can't find what you're looking for? Try the search bar!
Another week, another product announcement from someone involving AI in your pocket, on your wrist, in front of your eyes. I have met people whose lives have literally been transformed as a result of some of these tools, such as an individual who is suddenly able to use a camera in glasses to film his […]
OK, a few words about the CNIL decision re IQVIA. Spoiler alert: it’s in my view a completely wrong decision, and it deliberately misquotes the CJEU’s SRB judgment: 1. “[T]his role as controller prevents, in itself, the data from being regarded as anonymous” (CNIL, §90): incorrect! The CJEU explicitly states the following in §76 of […]
The ICO’s new adtech report to the UK government contains important lessons, also for legislators & regulators from all over Europe. Its suggestion is to foresee a consent exemption under ePrivacy rules (PECR in the UK) for “first-party” use of storage & processing capabilities of a device for the following purposes, if certain safeguards are […]
How solid is your anonymisation? Is “good enough + contractual prohibition to re-identify” really sufficient? The Commission’s DMA team seems to think so, though its own idea of “good enough” relies on magic personal data scrubbers. Perhaps the Commission’s DMA team should read up again on GDPR case law on “personal data” (Breyer, Scania, SRB […]
Double standards: On the Digital Omnibus re GDPR, the EDPB & EDPS claim the Commission shouldn’t have the power to adopt implementing acts to “specify means and criteria to determine whether data resulting from pseudonymisation no longer constitutes personal data for certain entities”. Yet under the Digital Markets Act, no problem at all. The situations […]
DMA & data: real risk of over-sharing of identifiable, personal search query data. The European Commission has launched a public consultation on the measures it intends to impose on Google for compliance with Article 6(11) of the Digital Markets Act (DMA) – a specific obligation to anonymise search query data and share it with other […]
Possibly the most useless legal provision ever proposed? Re-reading it doesn’t diminish my surprise at the proposed Article 29a of the GDPR, suggested in the draft EU Council compromise, which would say the following: – “Controllers and processors may apply pseudonymisation to personal data in order to reduce the risks to the data subjects concerned […]
Some key findings from the responses to the DMA-GDPR Interplay consultation, now made public by the Commission & EDPB: – Quite a few civil society responses are copies of one another. Going through the submissions, you’ll see many with identical titles (“uncompromised privacy”, “ensuring data portability is practical and secure”, …) and content. Fortunately there […]
The clear repudiation of an “absolute” concept of personal data has thrown a sharp focus on the process of pseudonymisation in the world of data protection. Through its SRB judgment of 4 September 2025, the Court of Justice of the European Union (CJEU) made it clear that personal data that has undergone pseudonymisation can be […]
On the Criteo decision of the French Conseil d’État: beyond the question of whether online identifiers are sufficient for identification (see below), this is a typical case of a court keeping fines 100% intact after questioning the scope of processing. It’s not the first time I have seen this: a court says “this isn’t all […]
