The European Data Protection Supervisor (EDPS) has issued an opinion on the European Union Agency for Cybersecurity’s (ENISA) use of the explicit consent derogation as a legal basis for cross border transfers to the US concerning subscriptions to its newsletter.

Key points:

Cry and Pray (and try to not transfer):

  • The EDPS has requested EU institutions (EUIs) take a strong precautionary approach concerning new processing operations carried out with appropriate safeguards and appropriate supplementary measures.
  • The EDPS strongly encourages EUIs to ensure that any new processing operations or new contracts with any service provides does not involve transfers of personal data to the US.
  • ENISA uses an EU based processor and US sub-processors.
  • ENISA should primarily assess with the processor the availability of alternative newsletter solutions not involving the transfer of personal data to sub-processors in the US.
  • (Failing that) ENISA should instruct is processor re: the legality of transfers and the processor should comply with the provisions of Chapter V (re cross border transfers)

Regarding the derogation of explicit consent: Consent should be freely given (e.g. the option to consult the newsletter directly on the ENISA website), specific, informed (see above re disclosure and unambiguous.


  • Data subjects need to be fully informed that the processing of their personal data involves a transfer to a third country (or an international organization).
  • In the absence of an adequacy decision and appropriate safeguards this must also include information on the possible risks of such transfers for the data subject resulting from the absence of an adequacy decision and appropriate safeguards. Per Schrems II, this should include the limitations on the protection of personal data arising from the domestic law of the US on access and use of data transfers to the US and the lack of enforceable data subject rights. Which risks exist for data subject will depend on the specificities of the US based sub-processor chosen by ENISA’s processor.
  • The information can be provided at the same time as the information and consent to the processing in general as long as it remains specific.


  • Consent should be given by a clear affirmative act e.g. ticking a box. It is not enough to say that “by registering to the newsletter the user agrees to the privacy terms and conditions of the (newsletter service provider.”
  • There needs to be a subsequent affirmative act by the participants to indicate their agreement with transfers to the US referred to by the terms and conditions.


  • Consent for transfers for subscription cannot be used for other/future outreach activities.
  • Explicit consent on transfer is different and in addition to the consent to the processing itself. ENISA could acquire the consent to the transfer when getting the consent to the processing or imposed this on the processor.


  • Be able to demonstrate that the data subject consented to the processing.


  • Data subjects need to be told about the possibility to withdraw their consent in the data protection statement. Once consent is withdrawn the data must be deleted unless there is another legal basis.
  • In case there may be difficulties to enforce contractual terms in practice in the third country, data subjects will need to be informed about this risk due to the absence of appropriate safeguards.

The development of alternative techniques to “third-party” cookies cannot be done at the expense of the right of individuals to protect their personal data and privacy, according to France’s Commission Nationale de l’Informatique et des Libertés (CNIL).

The commission has issued new guidance on what happens after third party cookies.

Data Protection Considerations:
  • The end of the use of third-party cookies does not mean that individuals will no longer be tracked on the web, in particular for advertising purposes. The actors of the advertising ecosystem will always be able to resort to alternative technologies allowing them to follow the navigation and the behavior of the users in order to target them for various purposes, and advertising in particular.
  • The development of alternative techniques to “third-party” cookies cannot be done at the expense of the right of individuals to the protection of their personal data and their privacy.
  • Their use must be done in compliance with the principles resulting from the regulations in force, namely the GDPR but also the ePrivacy Directive.
  • Alternative techniques to third party cookies rely on access to the user’s terminal equipment (smartphone, computer, etc.), to access information already stored in the equipment (advertising identifier, cohort identifier, browser setting data) or to enter information. It therefore requires consent.
  • Users must be able to choose freely and in an informed way: (a) to be the subject of a follow-up not strictly necessary for the provision of the requested service, for example to maximize the relevance of the advertisements presented with regard to their concerns at the time and, by adhering to the use of these tracers, to contribute to remuneration for a site or an application; OR (b) to refuse such follow-up.
  • It is essential to integrate, from the design stage, means allowing users to maintain control over their personal data;
  • It is also necessary to allow and facilitate the exercise of all the rights of individuals, through user-friendly interfaces, which is an essential component of the data protection approach by design (“privacy by design”) imposed by the GDPR.
  • Avoid the processing of sensitive data and ensure that the target groups they create do not lead to even indirect discrimination.
Overview of Alternative Techniques:

Certain techniques are used to allow circumvention of restrictions announced by browsers. Different methods are currently used:

  • Fingerprinting: identifying a unique user on a website or a mobile application using the technical characteristics of its browser.
  • Subdomain delegation: delegate the management of a sub-publisher domain to a third party via a redirect. This allows this third party to deposit, on the user’s terminal, cookies which will be considered as “first-party ” cookies and therefore avoid any blockages put in place by browsers.
  • Single Sign-On (SSO): allow connections to a large number of sites, applications or services via a single user account and a single authentication. This system is intended to facilitate user connection but above all allows the site or service group to have a global and consolidated view of the user’s navigation on all sites, applications or services. The account user becomes a tracker who follows the internet user during his navigation.
  • Unique identifier: allow a user to be tracked through the use of hashed deterministic data, collected during his browsing on the site. This technique can use the email address or an identifier provided by a user to connect to different online services in order to link these accounts and track the user in his use of these services.
  • Targeting via Cohort: avoiding targeting an individual by endeavoring to constitute a group of individuals with similar characteristics (center of interest, etc.), and which will be identified by a unique and persistent identifier, shared by all users of the same cohort and managed at the browser or operating system level.


The United Kingdom’s Information Commissioner’s Office has released the second chapter in its anonymization guide for public comment.

Here are some key points:

  • An effective anonymization process seeks to reduce the likelihood of someone being identified or identifiable to a sufficiently remote level. This level depends on a number of factors specific to the context.
  • Simply removing direct identifiers from a dataset is insufficient to ensure effective anonymization. If it is possible to link any individuals to information in the dataset that relates to them, then the data is personal data. Data that may appear to be stripped of identifiers can still be personal data in cases where it can be combined with other information and linked to an individual.
  • When assessing whether someone is identifiable, you need to take account of the “means reasonably likely to be used.” You should base this on objective factors such as the costs and time required to identify, the available technologies and the state of technological development over time.
  • However, you do not need to take into account any purely hypothetical or theoretical chance of identifiability. The key is what is reasonably likely relative to the circumstances, not what is conceivably likely in absolute.
  • Data protection law does not require you to adopt an approach that takes account of every absolute or purely hypothetical or theoretical chance of identifiability. It is not always possible to reduce identifiability risk to a level of zero, and data protection law does not require you to do so.
  • When considering releasing anonymous information to the world at large, you may have to implement more robust techniques to achieve effective anonymization than when releasing to particular groups or individual organizations.
  • There are likely to be many borderline cases where you need to use careful judgement based on the specific circumstances of the case.
  • Applying a “motivated intruder” test is a good starting point to consider identifiability risk.
  • You should review your risk assessments and decision-making processes at appropriate intervals. The appropriate time for, and frequency of, any reviews depends on the circumstances.

In Connecticut, if you adopt and maintain and comply with written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that conforms to an industry recognized cybersecurity framework then you will not be subject to punitive damages in court against any cause of action founded in tort that alleges that the failure to implement reasonable cybersecurity controls resulted in a data breach.

Industry recognized cybersecurity frameworks are:

(1) General:

  • NIST special publication 800-171;
  • NIST special publications 800-53 and 800-53a;
  • FedRAMP
  • CIS Critical Security Controls for Effective Cyber Defense (Top 20)
  • “ISO/IEC 27000-series

(2) Controls mandated by law such as: HIPAA, GLBA, FISMA etc.


The program must be designed to:

(A) Protect the security and confidentiality of information;

(B) protect against any threats or hazards to the security or integrity of information; (C) protect against unauthorized access to and acquisition of information that would result in a material risk of identity theft or other fraud to the individual to whom the information relates.

The scale and scope of a covered entity’s cybersecurity program shall be based on:

(A) The size and complexity of the covered entity;

(B) the nature and scope of the activities of the covered entity;

(C) the sensitivity of the information to be protected; and

(D) the cost and availability of tools to improve information security and reduce vulnerabilities.


Datatilsynet Denmark has issued serious criticism — and an injunction — to bring dating app’s data processing into compliance before November 16, 2021. The group says the app failed to acquire user consent in a manner that satisfies the requirements of GDPR.


  • A declaration of consent, whereby the user by the same “click” must accept the entire personal data policy and the other user conditions, can not lead to the user giving a valid consent.
  • In this set up, it is not clear to the data subject what he accepts by clicking in the box.
  • The data subject’s general acceptance of general terms and conditions can not be construed as a clear confirmation of consent to the processing of personal data.
  • Both a reference to the company’s terms of use and a reference to the entire company’s personal data policy leads to the user being presented with a larger amount of information at once, whereby it is not clear to the user that he consents to the proposed processing of personal data.

Regarding Risk Assessment:

  • When considering risks, in a dating app, it’s not enough to consider nude photos. Things like including information on location and special categories of personal data processed should be considered also.
  • If a risk assessment also shows that a concrete treatment will entail a high risk for the rights and freedoms of natural persons, you must carry out an impact assessment in accordance with Article 35, and possibly consult with the supervisory authority prior to processing.
  • You should consider relevant measures for mitigation other than controls and restrictions on access, depending on the risks that the measure seeks to limit.

It’s time for a new agreement on transatlantic data flows, according to the U.S. Chamber of Commerce.

“The U.S. and EU must work together to swiftly finalize a new EU-U.S. Privacy Shield agreement that brings legal certainty to data transfer mechanisms,” the organization said in a statement. “This must be the top priority for both the U.S. and EU to avoid disruptions to data flows that could have massive consequences for businesses, customers, and workers on both sides of the Atlantic.”

The statement lists “13 Reasons We Need a Transatlantic Data Flow Framework.”

Among them:

  • Transatlantic Data Transfers are Ties that Bind
  • Data Flows Enable Trade in Services
  • Services Growth Depends on Data
  • Businesses Rely on Data Transfer Frameworks
  • Data Flows Give Small Businesses Opportunity

Read the full statement here.

The United Kingdom has issued an ambitious report on its 10 year plan to become an AI super power.

The document lays out a detailed business plan with 3 month, 6 month and longer objectives.


  • The document states that the government is also exploring how privacy enhancing technologies (PET) can remove barriers to data sharing by more effectively managing the risks associated with sharing commercially sensitive and personal data.
  • Long terms goals include: Including provisions on emerging digital technologies, including AI, in future trade deals alongside championing international data flows, preventing unjustified barriers to data crossing borders and maintaining the UK’s high standards for personal data protection.
  • The document calls out the Department for Digital, Culture, Media and Sport’s (DCMS) “Data: a new direction” consultation.

Read more here.

A new Congressional Research Service report on EU-US Privacy Shield invalidation and its aftermath lists possible options for Congress to facilitate US-EU data flows and a potential enhanced Privacy Shield accord. They include:

  • Exploring changes when authorizing and overseeing surveillance programs to better protect data privacy or otherwise address EU concerns;
  • Strengthening the Privacy and Civil Liberties Oversight Board (PCLOB) by urging the Administration to fill the open positions and considering whether to amend the Board’s responsibilities to specifically include oversight of intelligence community activities with regards to Privacy Shield to ensure protection of individual rights;
  • Considering comprehensive national privacy legislation to protect US personal data with data protection provisions that may align to some extent with GDPR requirements and provide some level of certainty to EU businesses and individuals while recognizing the limits that privacy legislation would have to address national security surveillance concerns;
  • Considering if a federal privacy law, combined with specific steps to address U.S. surveillance concerns, would provide sufficient safeguards and guarantees so that the EU could grant a full U.S. “adequacy” decision, eliminating the need to rely on special arrangements like Privacy Shield; or
  • Providing greater authority to FTC to bring privacy enforcement actions and enforce Privacy Shield by removing limitations on the FTC’s jurisdiction with respect to common carriers and nonprofits.

The report notes that the Biden Administration has expressed its intention to assuage EU concerns about US government access to personal data, as well as the availability of judicial redress through executive orders and administrative action. That could enable a successor accord to be reached more quickly.

The DPA of Uruguay, one of the only countries recognized as “adequate” destinations for cross border data transfers from the European Union – has issued updated guidance on the content of cross border data transfer agreements in the wake of SchremsII:

All contracts need to include:

  • purpose of processing
  • applicable data protection law
  • definitions
  • content of the transfer (as accurately and completely as possible)
  • onward transfers (and what are the conditions to enable them)
  • transparency (all the information required in the privacy notice, including processor and sub-processors)
  • the data processing operation (including technical and organizational measures)
  • dispute resolution mechanisms
  • supervisory authority
  • data protection impact assessment
  • access by foreign authorities (measures must be taken so that access is not made to all data, but only to those strictly necessary for compliance with the corresponding court order. The person in charge located in national territory should provide information on request or at the first possible opportunity.)

For controller to controller transfer also add:

  • legal basis for the processing and the transfer
  • joint and several liability
  • engaging processors
  • data breach notification

For controller to processor transfers add:

  • specific retention term
  • data breach notification
  • engagement of sub-processors
  • data subject rights process


Here are a few takeaways from what I said this week at the InfoGov World Expo virtual auditorium.

  • Is it still “early days for GDPR?” Not if you ask Germany, France’s Commission Nationale de l’Informatique et des Libertés (CNIL), Spain’s Agencia Española de Protección de Datos (AEPD), Denmark’s Datatilsynet and other DPAs who have been hard at work enforcing and issuing fines.
  • Is this enough enforcement? Not if you ask, which is taking the initiative and filing hundreds of claims of its own.
  • Is this enforcement of the wrong kind? Maybe, if you ask UK’s Department for Digital, Culture, Media and Sport (DCMS), which proposes to alleviate the Information Commissioner’s Office from the obligation to investigate every single complaint so it can focus on bigger picture things.
  • Is the US behind the EU on data protection? Hmm, do you have an hour to read this post? It depends. The US is very well established in incident response laws and CPRA is instituting a number of key GDPR principles like: fair and lawful, data minimization, retention limitation, DPIAs and a dedicated data protection authority.
  • Are we headed to a US Federal Privacy law anytime soon? I dunno, define “soon.” The bipartisan dichotomy regarding preemption and private right of action is ongoing but, watch this space for increased federal privacy enforcement with the establishment of a Federal Trade Commission Privacy bureau, the appointment of a new commissioner specialized in privacy and the publishing of eight enforcement priorities.