Categories
Articles

Cookies: limits of regulation

In going through the new (2023) Data Protection and Digital Information (No.2) Bill I noticed that it does actually make a change to UK law on cookies: according to clause 79(2A), consent will no longer be needed to store or access information in the user’s terminal equipment if this is done by the person who […]

Categories
Articles

Consent: control or formality?

More than a decade ago, European data protection regulators identified the problem of “consent fatigue”, where website users were overwhelmed with multiple requests to give consent for processing of their personal data. In theory, responding to those requests let individuals exercise control but, in practice, it seemed more likely that they were just clicking whatever […]

Categories
Articles

Chatbots and Voicebots: legal similarities and differences

The EDPB’s new Guidance on Data Protection issues around Virtual Voice Assistants (Siri, Alexa and friends) makes interesting reading, though – as I predicted a while ago for cookies – they get themselves into legal tangles by assuming “If I need consent for X, might as well get it for Y”. We’ve been focusing more […]

Categories
Articles

Audience Measurement

To improve websites and other online services, measuring how they are used is a key tool. However, the law on measuring visitors to websites is a mess. Nine years ago, when reviewing the types of cookies that do not need consent, the Article 29 Working Party of data protection regulators concluded that requiring consent when […]

Categories
Closed Consultations

Privacy online: is a separate Directive still needed?

Now that the General Data Protection Regulation has been completed, the European Commission is reviewing the ePrivacy Directive. This law was introduced in 2002 as part of the telecommunications framework, and it was recognised at the time that it was likely to be largely replaced by a future general privacy law. That has taken longer […]

Categories
Articles

Wifi location data

More than a decade ago the e-Privacy Directive mentioned “location data” in the context of telecommunications services. At the time that was almost entirely about mobile phone locations – data processed by just a handful of network providers – but nowadays many more organisations are able to gather location data about wifi-enabled devices in range […]

Categories
Articles

GDPR – the final text?

The European Council of Ministers have now published a proposed text for the General Data Protection Regulation. This still needs to be edited by the Commission’s “lawyer-linguists” to check for inconsistencies, sort out the numbering of recitals and articles etc. But the working parties of both the Parliament and the Council have recommended that the […]

Categories
Presentations

Sharing Information to Protect Privacy

I was invited to give a presentation on legal and ethical issues around information sharing at TERENA’s recent security services workshop. The talk highlighted the paradox that sharing information is essential to protect the privacy of our users when their accounts or computers have been compromised, but that sharing can also harm privacy if it’s […]

Categories
Articles

Incident Response and the Law

At the FIRST conference this week I’ve heard depressingly many incident responders saying “our lawyers won’t let us…”. Since incident response, done right, should actually support the law’s objectives, it seems we need to be smarter, and maybe a bit more assertive, about explaining how incident response and law interact. The laws most relevant to […]

Categories
Articles

Bins, MACs and Privacy Law

A recent news story reported that a small number of litter bins in London were collecting a unique identifier from passing mobile phones and using these for some sort of “footfall analysis”. There doesn’t seem to be much detail about the plans: it struck me that a helpful application could perhaps be to look for the […]