Please enable javascript in your browser to view this site

GDPR

Age assurance: An imperfect science and solution

Age assurance engages the familiar trade-off in online safety regulation between protecting children and guarding privacy rights. As appetite grows for restrictions on access to digital services, we examine existing methods, regulatory approaches, and wider debate.

COVID-19 contact-tracing apps could turn out to be a failed experiment

Despite a promising start in some countries, nearly all contact-tracing apps have failed to meet expectations – either due to technical problems, barriers to interoperability, or lack of public trust. Different approaches have emerged, however the collaboration between Apple and Google on a decentralised API is now becoming the most prevalent option. Adoption of the apps will need to grow significantly for contact-tracing to succeed. For this to happen, governments will need to show they take privacy seriously.

Where are we after 18 months of GDPR?

The EU’s General Data Protection Regulation is 18 months old. Governments of 19 EU countries made submissions to the European Council in preparation for the first review. They highlight some gaps in the legislation, with particular regard to cross-border cooperation and enforcement, monitoring of codes of conduct, and to the need for GDPR to retain a forward-looking view so that it does not stifle technological development.

Why the ICO’s Facebook investigation demonstrates the power regulators now have

On 10 July 2018, the UK Information Commissioner Office (ICO) published an update on its investigation into data analytics in political campaigns i.e. the Facebook-Cambridge Analytica scandal. The ICO has decided to fine Facebook £500k – the maximum possible amount under pre-GDPR data protection rules. The fine would have been much higher had GDPR applied. It also sent warning letters to 11 political parties, requiring them to accept audits of their data protection practices, among other actions.

Two weeks into GDPR: How do tech companies’ new privacy policies compare?

GDPR has been in place two weeks now, much to the relief of the many individuals who were swarmed with emails requiring fresh consent to the receipt of newsletters and other marketing messages. Leading up to the 25th May, customers have also been notified of the changes to the privacy policies most tech companies inevitably had to make. Assembly has studied how they compare, with particular regard to the validity of GDPR’s safeguards outside the EU, and to the legal bases adopted for treatment of personal data.

GDPR is almost here, but it will not change the world in a day

The most talked about day of the last two years is almost upon us. The European General Data Protection Regulation (GDPR) will come into force tomorrow, promising much stronger rights and safeguards for users’ personal data. For now, the main effect it has had has been, paradoxically, to irritate the very people it is supposed to protect, due to the deluge of emails we have all received from companies seeking fresh consent.

Are DPAs ready for the consistent approach required by GDPR?

Among the significant changes it will bring about, the GDPR includes detailed rules for Data Protection Authorities to adopt consistent approaches and interact more regularly and effectively with one another. To this end, the newly founded European Data Protection Board will play a key role in overseeing the consistency mechanism created by GDPR. Assembly’s research shows there are still striking differences in funding and staff across DPAs.

How are European data protection authorities approaching GDPR?

The entry into force of GDPR is now imminent. Assembly’s Privacy and Data Protection Tracker has analysed and compared the approach taken by Data Protection Authorities in various countries, to prepare businesses for the new regulation. Differences in approaches across countries remain, although the pan-European nature of GDPR means companies can find useful insight in the activity of all DPAs across the EU.