Categories
Articles

Draft AI Regulation: thinking about risks

The European Commission has just published its draft Regulation on Artificial Intelligence (AI). While there’s no obligation for UK law to follow suit, the Regulation provides a helpful guide to risk from different applications of AI, and the sort of controls that might be required. What “AI” is covered? According to Article 3(1) [with sub-clauses […]

Categories
Articles

Audience Measurement

To improve websites and other online services, measuring how they are used is a key tool. However the law on measuring visitors to websites is a mess. Nine years ago, when reviewing the types of cookies that do not need consent, the Article 29 Working Party of data protection regulators concluded that requiring consent when […]

Categories
Articles

Draft NIS2 Directive: security teams “should” be collaborating

Anyone who works with flows, logs and other sources of information to protect network and information security should already be familiar with Recital 49 of the GDPR, where European legislators explained why that was (subject to a risk-based design) a good thing. Now the European Commission has published its draft of the replacement Network and […]

Categories
Presentations

Data Protection and Incident Response

Recently I was invited to give a one-hour presentation on Data Protection and Incident Response, looking at how the demands of the two fields align and support each other, and how law and guidance have come to recognise that over the past decade or so. I finished with some thoughts on areas – data collection […]

Categories
Articles

Data Breach Shanty

To celebrate my 500th blog post, here’s another sea shanty: What shall we do with the stolen data? What shall we do with the stolen data? What shall we do with the stolen data? Early in the morning. Way-hey the fines are rising Way-hey the fines are rising Way-hey the fines are rising Early in […]

Categories
Articles

Adequacy Shanty

Inspired by Gavin Freeguard’s National Data Strategy Sea-Shanty, and in homage to the shanty-makers (I’ve worked the North Atlantic on small ships), here’s my “Adequacy Shanty”… Farewell and adieu to you, fair Spanish data, Farewell and adieu to you data of Spain, For our UK law may be judg-ed inadequate, And we may never see […]

Categories
Presentations

Thinking with GDPR

[Based on a presentation for the NISO Plus conference, February 22-25, 2021] One thing it seems everyone knows about Europe is that we have a strong privacy law: the General Data Protection Regulation, or GDPR. In this talk I’d like to get you viewing that not just as a law, but as a really useful […]

Categories
Articles

WHOIS access and the NIS2 Directive

The European Commission’s proposed update of the Network and Information Security Directive may revive discussions about access to WHOIS data. When a domain name is registered, contact details are typically requested for various purposes, including billing, administrative and technical questions. For most of the history of the DNS this ‘WHOIS’ data – including names, postal […]

Categories
Peacasts

Thinking (using COVID-19) about location data

During the pandemic, a lot of ideas have come up – not just contact tracing! – where useful information might be derived from location data. It struck me that a selection of those might be an interesting illustration of how intrusiveness isn’t just about the data we use, but what we use it for. Here’s […]

Categories
Articles

Sandbox Tales: Public Interest and Privacy Notices

The latest report on ICO sandbox participation contains a rapid pivot, and some useful discussion of the “public interest” justification for processing. Back in mid-2019, NHS Digital was awarded a sandbox place for a system for recruiting volunteers into clinical trials (the actual conduct of trials is out of scope). A few months into 2020 […]