General Data Protection Regulation (GDPR)

Third country laws – more than meets the eye. In practice – problematic legislation in disguise.

The European Data Protection Board has issued a “Transformers” style plan for assessing whether or not you can transfer information to a third country.

  • Controllers and processors are to conduct a thorough risk assessment of the laws of the

Maybe someone is reading them after all? European Commission opens for consultation its report of the sector inquiry into consumer internet of things (IoT) devices.

The report shows that in addition to quality, brand reputation and privacy, the number of users plays a crucial role in competition. The privacy notice of the relevant device is

Several German Data Protection Authorities commence independent investigation of cross-border transfers of personal data in violation of Schrems II.

The investigation has commenced by sending companies a questionnaire regarding, among other things, the use of service providers for:

  • sending e-mails
  • hosting of websites
  • web tracking
  • the administration of applicant data
  • the internal exchange of customer

C is for ‘cookie,’ and that’s not good enough for me.

NOYB, the privacy organization based in Vienna, Austria, is moving on hundreds of companies who use unlawful cookie banners. They have sent over 500 draft complaints so far, hoping to end “cookie banner terror.”

Per NOYB, “users must be given a clear yes/no option.

The UK Information Commissioner’s Office is calling for collaboration with UX and design firms for the implementation of the Age-Appropriate Design Code.

Per the ICO:

“We know that the aims of the design community align with this vision set out in the Children’s Code and can see design practices evolving. Designers are more conscious of

Hey voice assistant: you’ve got some complying to do.

The European Data Protection Board has issued draft guidelines on the data protection aspects of using the increasingly prevalent virtual voice assistants.

Some key points:
  • Transparency is key but is also not easy to do well: 30 pages of single-spaced privacy notice won’t cut it. Think

“Complying with GDPR and ethical considerations when developing a digital service is actually a ‘win win situation.’” – says Forbrukerrådet’s eloquent Finn Lützow-Holm Myrstad in a conversation with IAPP – International Association of Privacy Professionals’ Jedidiah Bracy.

Some key points:
  • If you don’t collect the data, it can’t be peeked at or misused. If there is

France’s CNIL, Commission Nationale de l’Informatique et des Libertés, has issued guidance on data protection in the use of chatbots.

Key Takeaways
  • Consent for cookies isn’t necessary if they are strictly required to operate the chatbot, but is required for all other cookies.
  • Retain the data only for as long as required for the purpose.