This document discusses court rulings related to the GDPR and privacy. It begins by noting there has not been much litigation around data protection yet, with notable cases including challenges to data retention directives and invalidation of the EU-US Safe Harbor agreement. Two typical types of cases before the European Court of Justice are discussed - those balancing public vs. individual interests, and those interpreting secondary EU law to foster accountability. Upcoming cases are mentioned that could address issues like joint responsibility of controllers and processors and validity of consent mechanisms. Processor obligations under the GDPR are also outlined.
2. @aureliepols aurelie@mindyourprivacy.com
Data Governance & Privacy Engineer
Data is the New infrastructure – Privacy is the New Green – Trust is the New Currency
Dutch nationality, French mother tongue, works in English, lives in Spain
AURELIE POLS, DATA GOVERNANCE & PRIVACY ENGINEER
• DPO for mParticle (Customer Data platform) – contractor (USA, New York)
• Chief Visionary Officer – Competing on Privacy; Founder – Aurélie Pols and Associates
• Professor of Ethics & Privacy in Big Data & Business Analytics Master – Instituto de Empresa (IE), Madrid (ES); guest professor DPO certification courses Maastricht University, faculty of law (NL) & Solvay Business School Brussels (B)
• Board Member European Center On Privacy and Security, Maastricht University (NL)
• Ethics Advisory Group (EAG) – European Data Protection Supervisor (EDPS) Towards a digital ethics
• Former Vice-chair P7002 – Data Privacy Process – IEEE
• Speaker/writer/consiglieri: Mobile World Congress, SXSW, Strata (+ Hadoop World), IAPP, Piwik, AT Internet, industry associations, AdTech & MarTech vendors, …
2003: OX2 Co-founder, Webanalytics.be
2008: Sold to Digitas LBi (Publicis)
Obligations under the GDPR data ecosystem
Source: https://www.rizikon.oi/gdpr-compliance
Appointing a DPO – Data Protection Officer – or not?
Described in section 4 of the GDPR, art. 37: Designation of a data protection officer. Following articles talk of position and tasks.
The choice remains to appoint one even if not directly required: moving beyond compliance!
Typically 2 types of cases at the ECJ
1. Public interest vs. individual interest
• Law Enforcement Directive 2016/680
• Data Retention Directive of 2006 invalidated in 2014 in Digital Rights vs. Seitlinger case, Tele2 Sverige & Watson, … mainly telcos and profiling, serious crime
• Schrems vs. Facebook invalidated Safe Harbour in October 2015 (adequacy, following Snowden. Also PNR in Canada, sensitive data)
2. Interpretation of EU secondary law to foster accountability of individuals