A number of people have asked me what the recent European Court judgment in the Google “right to be forgotten” case means; here’s why I have been answering that I don’t know! The case concerned a fifteen-year-old article in a Spanish newspaper about a named individual who had got into financial difficulties. The individual, […]
Tag: Data Protection Directive
Posts on the (pre-2016) Data Protection Directive. For more recent information, see Data Protection Regulation, which covers the GDPR.
I only wish the Article 29 Working Party had published their Opinion on Legitimate Interests several years ago, as it could have saved us a lot of discussion in the federated access management community. Any organisation that processes personal data needs to have a legal justification for this; in access management that applies both to […]
Reducing the Impact of Privacy Breaches
At present only public telecommunications providers are required by European law to notify their customers of security breaches affecting their privacy, including breaches that affect the confidentiality, integrity or availability of personal data. In the UK the Information Commissioner has published recommendations on handling privacy breaches, including when to notify those affected. Requirements to notify privacy […]
BYOD: Doing Security Together
Presenting at Jisc’s Safer Internet Day event got me thinking a bit more about the shared interests between owners and organisations in a BYOD scheme, and the opportunity that might present. For many years I’ve liked the idea of helping users be safe in their personal Internet lives (where motivation should be a matter […]
A law that promotes Privacy by Design and Data Minimisation ought to encourage the use of indirectly-linked identifiers, which allow processing to be done separate from, or even without, the ability to identify the person whose information is being processed. However European Data Protection law has never really worked out what these identifiers are. The […]
The Article 29 Working Party have published an explanatory document on Binding Corporate Rules for Data Processors, to provide further detail on using the template they published last year. European data protection law requires that any export of personal data from the European Economic Area be covered by adequate measures to protect individuals whose data […]
EU DP Supervisor on Cloud Computing
A new Opinion of the EU Data Protection Supervisor discusses some of the problems in applying the current Data Protection Directive to public cloud services, and how these might be done better under the proposed Data Protection Regulation. Particular challenges include: Although the Directive claims to regulate “transfers” of personal data out of the EEA, […]
The House of Commons’ Justice Committee has published a critical report on the European Commission’s proposals for a new Data Protection Regulation and Directive. While recognising the potential benefits to be had from reducing the current differences between Data Protection laws in different Member States, the Committee considers the current text to be much too […]
The ASPIRE study on the future of National Research and Education Networks calls for European NRENs to work together on a common approach to cloud computing. The European Commission has just published a Cloud Strategy that also seeks a common European approach, noting that “faced with 27 partly diverging national legislative frameworks, it is very […]
Pseudonyms and Data Protection
The Information Commissioner’s consultation on an Anonymisation Code of Practice is mainly concerned with the exchange or publication of datasets derived from personal data. However it once again highlights the long-standing confusion around the treatment of pseudonyms under Data Protection law. A pseudonym is an identifier (often randomly generated) whose value is unique to me, […]