The 35th International Data Protection and Privacy Commissioners Conference, which comprises national, regional and local data protection and privacy authorities from all five continents, convened in Warsaw last week. The Conference adopted a total of nine resolutions and a declaration, which is the highest number of resolutions since the Conference’s first annual meeting back in 1979. This year’s resolutions focus on two main topics:

  • Internet and technology issues, such as

    • web tracking
    • profiling
    • apps
    • openness and privacy notices
  • International enforcement coordination

Continue Reading Web Tracking, Profiling, Mobile Apps, Privacy Notices and More Effective International Enforcement Coordination Among Hot Topics of the 35th International Conference of Privacy Commissioners

The Organization for Economic Cooperation and Development (“OECD”) has revised its Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data. The revision was triggered by changes in personal data usage as well as new approaches to privacy protection since the adoption of the first Guidelines back in 1980, which were the first set of internationally agreed privacy principles. Whereas the eight basic principles of the 1980 Guidelines (namely the collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation and accountability principles) are maintained, the revised Guidelines introduce a number of new concepts and changes to the OECD privacy framework, implementing a risk-based approach. These include:

  • implementing privacy management programs – essential elements discussed in this respect include privacy policies, employee training and education, provisions for sub-contracting, audit process and privacy risk assessment;
  • introducing mandatory data security breach notification – requiring notification to the privacy enforcement authority where there is a significant security breach affecting personal data and notification to individuals where such a breach is likely to adversely affect individuals;
  • the need for privacy enforcement authorities and national privacy strategies – the revised Guidelines recognize the need to establish authorities with the governance, resources and technical expertise necessary to exercise their powers effectively and to make decisions on an objective, impartial and consistent basis; they also promote the development of a coordinated approach across governmental bodies up to the highest levels; Member countries should also consider complementary measures, including education and awareness raising, skills development and the promotion of technical measures;
  • improving global interoperability – to be improved through international arrangements (examples mentioned include the U.S.-EU Safe Harbor framework, the EU Binding Corporate Rules and the Council of Europe Convention 108 on the Automated Processing of Personal Data) and global cooperation among privacy enforcement authorities.

Continue Reading Revised OECD Privacy Guidelines Strengthen Accountability Principle

On April 2, the Article 29 Working Party (the “Working Party”) approved a new Opinion on a principle of European data protection law known as the “purpose limitation”.  The principle (which stems from Article 6(1)(b) of the Data Protection Directive) requires that data controllers only collect data for “specific”, “explicit” and “legitimate” purposes, and not process the data for further purposes that are incompatible with the purposes for which data were originally collected.  As each of these terms have been interpreted differently in different Member States, causing potential confusion for data controllers operating in multiple jurisdictions, one of the main aims of the Working Party paper is to provide clearer, more harmonized interpretations of the principle.  The paper also aims to generally clarify the current legal framework and assist policy makers in drafting the new EU data protection legal framework, and offers guidance on specific scenarios (such as so-called “Big Data” processing).
Continue Reading Article 29 Working Party Releases New Opinion on Purpose Limitation

The Court of Justice of the European Union (“CJEU”) in Luxembourg heard argument yesterday concerning the “right to be forgotten”—specifically, whether search engines such as Google must block search results when asked by European citizens to remove references to themselves. 

This particular case—which is representative of approximately 200 similar cases in Spain—came before the CJEU when Google declined to comply with an order from the Spanish Data Protection Authority.  A Spanish citizen, Costeja, wanted Google to de-list references to a publication in a Spanish newspaper in 1998, which discussed the auction of Costeja’s house in connection with his failure to pay social insurance contributions.

Google has taken the position that search engines should not be obligated to remove links to valid (i.e., non-incorrect, defamatory, or otherwise illegal) material that exists online.  Rather, only the original publisher can make the decision to remove such content, at which point it will disappear from the search engine index once removed from source webpages.

Continue Reading Must Google Forget You?

The European Commission, together with the High Representative of the Union for Foreign Affairs and Security Policy, has today published a CyberSecurity Strategy alongside a Commission proposed Directive on Network and Information Security (“NIS”).

While much of the Strategy and Directive is aimed at Member State governments (e.g., to improve capabilities and cooperation to prevent and respond to cyber-attacks), several proposals target private companies in the energy, transport, financial services and health sectors, as well as “enablers of key internet services” such as providers of cloud computing services, app stores, e-commerce platforms, internet payment gateways, search engines and social networks. 

These companies would be required, under the Directive, to implement security measures to “guarantee a level of security appropriate to the risk presented . . . having regard to the state of the art”.  

Further, they would have to notify competent national authorities of any security incident that has a significant impact on the continuity of core services they provide — effectively extending current EU incident reporting requirements, which only apply to communication network and service providers, to a broad universe of private sector companies.  To be clear, this incident reporting obligation is separate from and additional to the proposal for all companies to report breaches of personal data to national supervisory authorities under the Commission 2012 proposal for a General Data Protection Regulation.

The Commission also intends to launch “a platform on NIS solutions” to develop “incentives for the adoption of secure ICT solutions” — considering technical norms, standards and possibly EU-wide certification schemes — to be applied to ICT products used in Europe, and to make recommendations to ensure cybersecurity across the ICT value chain.  The Commission also will examine how major providers of ICT hardware and software could inform national competent authorities of detected vulnerabilities that could have significant security implications.

The EU institutions will now start to review the Strategy and proposed Directive.  The process to adopt the Directive could take two years, at which point Member States will be required to implement the legislation into national laws, which could take another 18 months or more.

Continue Reading EU Adopts CyberSecurity Strategy and Proposes Network and Information Security Directive

On 19 December 2012, the European Data Protection Supervisor (EDPS) and the Assistant Supervisor, M. Giovanni Buttarelli, published a new Opinion that sets out their views on the Commission proposal for a new Regulation on Clinical Trials on Medicinal Products for Human Use (the Regulation).  The Commission proposal, released in July 2012, touches on a variety of data protection issues, ranging from the legal basis that clinical research organisations (CROs) must rely on when processing sensitive health data gathered in clinical trials to the establishment of a centralized database at the European Medicines Agency (EMA) that is intended to store records of clinical investigators and adverse event reports from across Europe.

In general, the EDPS appears to have welcomed the Commission’s approach;  apparently, the Commission draft was altered to adapt to early informal EDPS criticisms, and so already contains provisions that are relatively sensitive to data privacy concerns.  Perhaps surprisingly, the EDPS also refrains from commenting extensively on the Regulation’s approach to the issue of how clinical trial participants may provide informed consent to their participation in the trial.  However, the EDPS nevertheless does make a number of suggestions about how the draft Regulation should be further modified.  We discuss the particular suggestions after the jump.

Continue Reading EDPS Suggests Amendments to the Commission Proposal for a new Regulation on Clinical Trials on Medicinal Products for Human Use

On March 25, 2026, the UK’s Office of Communications (“Ofcom”) and the Information Commissioner’s Office (“ICO”) published a joint statement setting out their common expectations for age assurance on online services (“Joint Statement”). The Joint Statement is aimed at services likely to be accessed by children that fall within the scope of the Online Safety Act 2023 (“OSA”) and UK data protection legislation, and is designed to help providers comply with both their online safety and data protection obligations when deploying age assurance.

The Joint Statement arrives alongside a broader push from both regulators—including Ofcom’s recent call to action directed at major tech firms, an open letter from the ICO urging platforms to strengthen their age checks, and several enforcement actions by both regulators.

Continue Reading Ofcom and ICO Issue Joint Statement on Age Assurance

On March 19, 2026, the CJEU issued its judgment in the Brillen Rottler case (C‑526/24).  The case concerns the GDPR right of access and the conditions for claiming damages.  In the underlying facts, an Austrian individual subscribed to Brillen Rottler’s newsletter and, two weeks later, exercised his right of access.

Continue Reading EU Court Defines Limits to the GDPR Right of Access