Author - Alan

05Apr

Identifying Recipients of GDPR personal data – Theory and Reality

Under the GDPR, a data subject must be informed of the recipients or the categories of recipient of their personal data. These two choices are genuine alternatives. The controller can choose. But can that choice resist circumstances? Under the old regime, likewise it was necessary only to specify non-particularized categories. Hence the semantically meaningless rubbish filling up the non-statements of processing held in various supervisory authorities' existing "registration" databases. So, under the GDPR, can we still get away with it? After all,...

By Access, Cambridge Analytica, Data recipients, Disclosure, Discovery, Facebook, Notification0 Comments
Read more...
03Apr

GDPR, IP addresses, and classification – theory and practice

IP addresses can determine jurisdiction - as classically exploited by private and public surveillance agencies, BigTech, other data brokers,  and just about any web site owner. This is well known. As is the fact that such tracking information is key to everyone's commercial efforts to destroy net neutrality and undermine the web. But what does this mean for GDPR compliance? Can it be exploited for classifying individuals' jurisdiction? Should it? What are the pros and cons? Theory (law) I note in passing...

By Automated decision-making, DPIA, GDPR, Misuse of private information, Monitoring, Profiling3 Comments
Read more...
15Mar

GDPR: Can children prevent schools from disclosing grades to parents?

"Can I sue my school for telling my grades to my parents via a website, with the European GDPR law?" This is a question asked of me on Quora some time ago by an "interested" data-subject! Normally I pass on such questions, but this hits a nerve. If you just take out the text “via a website”, we have a more general question I get asked by school and university controllers. It’s therefore also one I sometimes work through in appropriate...

By Automated decision-making, GDPR, Monitoring, Notification, Profiling, Working Party2 Comments
Read more...
12Nov

GDPR: can it impact financial regulation of foreign takeovers?

ABSTRACT: Supervisors are interested in GDPR risks. Financial regulators are interested in financial risks. Often the latter may be derivative of the former. An obvious question arises: at what point might financial regulators become interested in data protection risks? Background: I was asked a question which for various conduct reasons I can't possibly answer in the terms asked. That said, given its resonance with similar issues I've observed in the UK and other contexts, I've reformulated it to something so generic...

By DPIA, EPA, GDPR0 Comments
Read more...
10Mar

Test-Datasets and EU Liability – mixed law/IT

Here is a modified version of a question I'm about to answer on Quora. Warning: as it says on the tin, this post is both law and IT. Don't say you weren't warned... Can copies of postcode, gender and age data be used in testing without violating the Data Protection Act or the GDPR? Such questions are becoming more and more frequent, as people begin to panic with the realization that two decades of previously unlawful behavior is now going to get...

By Uncategorized1 Comment
Read more...
09Mar

Brexit: the gift that keeps on giving… And they thought it was all over!

The Three Knights are riding to the rescue! Or... is it.. the Three Stooges, or perhaps Sanchos, tilting at the windmills that seem to be spinning ever more rapidly? (yes, the GDPR does have a little dog in this race. But later...) As for my initial view? A plague on both their houses. The Three Knights do a good job, as does Professor Elliot in pointing out weaknesses. However, some of the good Professor's key points seem a trifle theoretical and, if that is right,...

By Brexit, GDPR0 Comments
Read more...
25Feb

Data protection damages awards for distress in the UK jurisdictions up 5,000% pre-GDPR?

Masochists, who ipso facto and ex officio collectively may approach 100% of my audience, will be aware of my flogging Vidal-Hall v Google (lower court judgment) to death on Linkedin and elsewhere. However, after 37 months it may be time for a quick overview of Vidal-Hall's impact on subsequent cases. The contagion has just spread to Scotland. Bottom line: data protection distress awards in England/Wales and Scotland alike are up by circa 4-5,000% in three years. Before Tugendhat J struck down s.13(2) Data Protection Act 1998 in Vidal-Hall, courts could only...

By Damages, Data Protection Act 1998, Distress, Misuse of private information0 Comments
Read more...