The challenging job of Supervisory Authorities under the GDPR

How can the General Data Protection Regulation (GDPR) be effectively enforced so as to uphold fundamental rights and freedoms and at the same time, allow for the free flow of data within the Union? This is a question I have been pondering since well before Monday’s publication of the Irish Council for Civil Liberties’s (ICCL) 2021 report on the ...

The UK’s “data challenge” to the EU

This blog post is a re-elaboration of my interview this morning with Luca Bertuzzi, Digital & Media Editor from EurActiv, available here. Today the UK unveiled its “post-Brexit global data plans to boost growth, increase trade and improve healthcare”, which also include a multi-billion pound partnership with the US, Australia and the Republic of Korea. Secretary of State ...

“The next great financial crisis could come from a cyber attack”: 5 critical cybersecurity measures you should put in place today

The 2021 Report on the SolarWinds Cyber Espionage Attack and Institutions’ Response published by the New York State Department of Financial Services (“Report”) commences with a stark warning: “The next great financial crisis could come from a cyber attack.” “The SolarWinds Attack is, to date, the most visible, widespread, and intrusive information technology (‘IT’) software supply chain attack – i.e., a ...

Two-sided control

What was promised by the GDPR (Art. 80 and Rec. 142) is now a reality! Following Schrems’ filing of 422 complaints to ten EU Data Protection Authorities yesterday for cookie-related violations, it is now clear that the data protection compliance posture of companies will be checked not only by Supervisory Authorities but also – de facto and actively – by privacy organisations and associations patrolling the internet to proactively find ...

Would a US federal privacy law re-establish trusted EU-US data flows?

You might be aware that early last month US Congresswoman Suzan DelBene, representing Washington's 1st District, introduced the Information Transparency and Personal Data Control Act – in her words “legislation that would create a national data privacy standard to protect our most personal information and bring our laws into the 21st Century.” Important aspects of the Information Transparency and Personal Data ...

AI & Cybersecurity: Reflections on a multidimensional relationship

Earlier this month I was a guest on Episode 47: Innovation and Tech Zoom In of the European Edition of the Breaking Banks Podcast, moderated by Ajit Tripathi. The podcast looks at “European Unicorns, Startups, Founders, Regulators and Leaders innovating the rapidly evolving Fintech scene, with some of the world’s most well-known hosts and influencers in fintech. Produced in cooperation with FintechStage.” LISTEN ...

The importance of having a coordinated incident response plan in place

This is true not only in monetary terms, but information security could even be a question of life and death. In September 2020, a breaking article confirmed the inevitable - the first death caused by a ransomware attack. The alleged victim is a woman who needed urgent medical care and had to be rerouted to another hospital as a ...

Schrems II – No legal certainty and no quick fixes! It’s a geopolitical matter before it’s a legal one. “A NEW AGE OF DATA TRANSFERS” PART IV

I just attended today’s online LIBE meeting on possible solutions following the CJEU’s “Schrems II” decision, where it was recognized that the question of data transfers to third countries is fundamentally a geopolitical matter before being a legal one. In this way, legal certainty should be re-established as soon as possible – but such an achievement ...

Organizations are left with no practical legal grounds to transfer personal data to the United States. “A new age of data transfers” Part III

After the official statements of the European Data Protection Board (EDPB) and several Supervisory Authorities (SAs), it is clear that at the moment there is no practical way for data to lawfully flow from the EU to the US. The reasoning in 5 steps: On 16 July 2020 the Court of Justice of the European Union (CJEU) invalidated the European ...

Privacy Shield is invalid. Here’s what you need to do now. “A new age of data transfers” Part I

This blog is part of a multi-part series, “A new age of data transfers”, which will explore the practical implications of the Court of Justice of the European Union’s judgement in Case C-311/18 “Schrems II”. Following the invalidation of the Privacy Shield on 16 July 2020 by the Court of Justice of the European Union, the situation ...