
Tag Archives for "opinion"

EU Commission Comments on NTIA’s Approach to Consumer Privacy

On November 9, 2018, the European Commission (“the Commission”) submitted comments to the U.S. Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) in response to its request for public comments on developing the administration’s approach to consumer privacy.

In its comments, the Commission welcomes and agrees with many of the high-level goals identified by NTIA, including harmonization of the legal landscape, incentivizing privacy research, employing a risk-based approach and creating interoperability at a global level.

Full article: EU Commission Responds to NTIA Request for Comment on Developing the Administration’s Approach to Consumer Privacy

Third-Party Vendor Management Means Managing Your Own Risk

When considering the termination of a vendor relationship, you must consider the vendor, the contract and the business impact. Although this article is aimed at the privacy considerations in terminating a vendor relationship, there are other considerations within a general business frame.

Full article: Third-Party Vendor Management Means Managing Your Own Risk: Chapter Nine

Europe’s AI ethics chief: No rules yet, please

In a global race to dominate artificial intelligence technology, Europe needs to keep its urge to regulate under control — at least for now. That’s the main message from Pekka Ala-Pietilä, a former president of Nokia and tech entrepreneur who is overseeing EU efforts to draw up principles that will underpin any future regulation of the technology.

Source: Europe’s AI ethics chief: No rules yet, please – POLITICO

CNIL Details Rules On Audience and Traffic Measuring In Publicly Accessible Areas

On October 17, 2018, the French data protection authority (the “CNIL”) published a press release detailing the rules applicable to devices that compile aggregated and anonymous statistics from personal data—for example, mobile phone identifiers (i.e., media access control or “MAC” address)—for purposes such as measuring advertising audience in a given space and analyzing flow in shopping malls and other public areas.

Full article: CNIL Details Rules On Audience and Traffic Measuring In Publicly Accessible Areas

How real is the threat of data protection group litigation in the UK?

In the run-up to the implementation of the EU General Data Protection Regulation 2016/679, there were various dystopian predictions of huge fines and the rise of US-style class action. Some of these claims have rightly been criticised as sales patter and scaremongering.

Two recent cases in the English courts help to some extent to clarify the evolving risk of group litigation for data protection, albeit that these are early skirmishes and there will undoubtedly be more litigation to follow.

Source: UK: How real is the threat of data protection group litigation in the UK?

What does the newly signed ‘Convention 108+’ mean for UK adequacy?

The Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) has been given an overhaul to bring it into line with the General Data Protection Regulation. While Convention 108 is not an EU document, the European Commission sees the protocol as a way of encouraging “third countries” to adopt the basic tenets of the GDPR. This could be particularly interesting for the U.K., which will become a third country after Brexit.

Full article: What does the newly signed ‘Convention 108+’ mean for UK adequacy?

Dangerous loophole to the GDPR in the ePrivacy proposal

Is tracking an essential element of every internet service financed by ads? By allowing service providers to install advertising cookies ‘without users’ consent,’ the latest version of the ePrivacy regulation creates a dangerous loophole to the high standards established by the GDPR.

Full article: Dangerous loophole to the GDPR in the ePrivacy proposal

The road to GDPR certifications won’t be a short one

The EU General Data Protection Regulation has been in effect for five months, and yet there has not been much progress on the certification front. Companies are waiting to see what form certification will take under Articles 42 and 43 of the GDPR, and tech vendors are coming out with solutions to help organizations display their GDPR compliance efforts in the interim.

While GDPR certifications have not yet appeared, plenty of regulatory bodies have come out with guidance on the subject. With all the guidance that’s emerged from global regulatory bodies, there remains controversy surrounding GDPR certifications. Under Article 42 of the GDPR, certification mechanisms will be issued to data controllers and processors.

Full article: The road to GDPR certifications won’t be a short one, it seems

Privacy is now the CEO’s business

Until very recently, individuals appeared happy to offer unfettered access to their personal information in return for free services such as messaging, fitness apps or music. As a result, privacy was viewed by most organisations as a regulatory inconvenience and personal data was treated as just another corporate asset. However, CEOs can no longer afford to ignore privacy and rely on the compliance department for a superficial paint job.

Full article: Privacy is now the CEO’s business

GDPR: the ‘controller v processor’ debate in financial services

Lessons can be learned in the financial services sector from the rush to update contracts to account for the General Data Protection Regulation (GDPR) taking effect earlier this year. The GDPR spurred banks, insurers and other financial institutions to review their existing contracts, most notably their data processing agreements. There is a lot of confusion in this sector about the concepts of ‘controllers’ and ‘processors’ of personal data. Both controllers and processors have distinct obligations under the GDPR.

Full article: GDPR: the ‘controller v processor’ debate in financial services
