Categories
Articles

New Presidency: new ePrivacy progress?

It seems a long time since I wrote about the ePrivacy Regulation. This was supposed to come into force alongside the GDPR, back in May 2018, and provide specific guidance on its application to the communications sector. You may remember it as “Cookie law”, though it was never just that. Unfortunately its scope grew and, […]

Categories
Articles

ePrivacy Regulation: more support for information sharing

The latest text in the long-running saga of the draft ePrivacy Regulation contains further reassuring indicators for incident response teams that want to share data to help others. Article 6(1)(b) allows network providers to process electronic communications data (a term that includes both metadata and content) where this is necessary “necessary to maintain or restore […]

Categories
Articles

ePrivacy Regulation: better news for online security

Some good news from the draft ePrivacy Regulation. More than a year after I pointed out that the Regulation could inadvertently prohibit websites and other Internet-connected services from using logfiles to secure their services, the Council of Ministers’ latest (20th September 2018) draft explicitly recognises the problem. Recital 8 now includes the positive statement that: […]

Categories
Articles

Progress Report: ePrivacy Regulation

Alongside the 1995 Data Protection Directive (DPD) sat the 2002 ePrivacy Directive (ePD), explaining how the DPD should be applied in the specific context of electronic communications. In fact, particularly after it was amended in 2009, the ePD did a bit more than that, as it turned out to be a convenient place to insert […]

Categories
Articles

IP Addresses, Privacy and the GDPR

It’s well-known that the General Data Protection Regulation says that IP addresses should be treated as personal data because they can be used to single out individuals for different treatment, even if not to actually identify them. In fact – as most organisations and network providers implement proxies, Network Address Translation (NAT) and other technologies […]

Categories
Closed Consultations

Jisc response to DCMS consultation on GDPR Research implementation

Jisc responded to the DCMS consultation on implementing the Research provisions of the GDPR into UK law. The exemptions from certain obligations and data subject rights contained in section 33 of the Data Protection Act 1998 have been vital in enabling long-term research studies, including in health and social sciences, while ensuring the protection of […]

Categories
Articles

GDPR: Alumni processes

Most universities maintain databases of alumni, for purposes including keeping them informed about the organisation, offering services and seeking donations. These activities have a lot in common with other charities, so the Information Commissioner’s guidance is relevant. Indeed the Information Commissioner’s recent description of using consent-based relationships “to improve [supporters’] level of engagement with your […]

Categories
Closed Consultations

Privacy online: is a separate Directive still needed?

Now that the General Data Protection Regulation has been completed, the European Commission is reviewing the ePrivacy Directive. This law was introduced in 2002 as part of the telecommunications framework, and it was recognised at the time that it was likely to be largely replaced by a future general privacy law. That has taken longer […]

Categories
Articles

ePrivacy Regulation: a risk for website security?

Last October the European Court of Justice confirmed that websites do have a legitimate interest in security that may justify the processing of personal data. That case (Breyer) overruled a German law that said websites could only process personal data for the purpose of delivering the pages requested by users. As far as I know, […]

Categories
Articles

Article 29 Working Party support security and incident response

Having had my own concerns that the European Commission’s draft e-Privacy Regulation might prevent some activities that are needed by security and incident response teams, it’s very reassuring to see the Article 29 Working Party recommending an explicit broadening of the scope of permitted Network and Information Security (NIS) activities. Strikingly, this comes in an […]