Categories
Articles

Where should I put my data?

After a couple of years when the question of data location had dropped a little down the priority list, two things have pushed it back up again. First, the Schrems II decision of the European Court, which cancelled the US-EU Privacy Shield and added some – but it’s not yet clear how onerous – new […]

Categories
Peacasts

Brexit in 58 seconds…

Colleagues set me the challenge of saying something about my work in one minute. So here (on YouTube) is a “peacast” – my wife says it’s too small to be a “podcast” – on Brexit and GDPR. Comments very welcome on the format and, if you like it, suggestions for any other topics I could […]

Categories
Articles

Schrems II: SCCs plus… what?

The recent Schrems II decision on Standard Contractual Clauses found that, in some situations, data exporters and importers might need to agree additional measures beyond just relying on SCCs. While we’re waiting for the Information Commissioner and EDPB to give more detailed advice on which situations and which measures, here are some themes I’ve spotted […]

Categories
Articles

ECJ invalidates Privacy Shield; Model Clauses valid but may not be sufficient

[UPDATE 27/7/20: the ICO has now published a statement on the decision] On July 16th 2020, the European Court of Justice made its long-awaited decision in the case of Data Protection Commissioner [Ireland] v Facebook Ireland Ltd and Maximillian Schrems, generally known as “Schrems II”. This concerned two of the GDPR’s mechanisms for transferring personal […]

Categories
Publications

Why should non-EU organisations care about GDPR?

I was recently invited by EDUCAUSE to present a webinar on GDPR to their community of mostly North American universities and colleges. The number of participants indicates that European data protection law is a topic of interest. But the most common question was why, as non-EU organisations, they should care about GDPR. So I wrote […]

Categories
Articles

GDPR Exports and Federated Authentication

Although the Article 29 Working Party seem to have had applications such as incident response in mind when drafting their guidance on exports, that guidance could also be helpful in the field of federated authentication. This technology allows an “identity provider” such as a university or college to assure a “service provider” such as a […]

Categories
Articles

GDPR: sending incident reports overseas

When incident response teams (CSIRTs) detect an attack on their systems, they normally report details back to the network or organisation from which the attack comes. This can have two benefits for the reporter: in the short term, making the attack stop; in the longer term helping that organisation to improve the security of its […]

Categories
Closed Consultations

Jisc response to DCMS consultation on GDPR Research implementation

Jisc responded to the DCMS consultation on implementing the Research provisions of the GDPR into UK law. The exemptions from certain obligations and data subject rights contained in section 33 of the Data Protection Act 1998 have been vital in enabling long-term research studies, including in health and social sciences, while ensuring the protection of […]

Categories
Presentations

Referendum: has the GDPR gone away?

A few hours after the result of Thursday’s referendum on membership of the European Union, I gave a presentation on the significance of the EU’s General Data Protection Regulation, due to come into force in May 2018. That might seem a waste of time, but my suggestion was that the referendum result might in fact […]

Categories
Articles

Data exports: update in 2017

The latest announcement from the Article 29 Working Party on the US-EU Privacy Shield also suggests that there shouldn’t be any short-term surprises for those using the other justifications for exporting personal data to the USA. The European Court judgment that invalidated the Safe Harbor agreement in 2015 was concerned, among other things, with the […]