Header graphic for print
Global Media and Communications Watch The International Legal Blog for the Tech, Media and Telecoms Industry

Eduardo Ustaran

Posts by Eduardo Ustaran
Posted in Data Protection & Privacy Photo of Eduardo UstaranPhoto of Lilly Taranto

Making COVID-19 Apps Data Protection Compliant

The role of COVID-19 contact tracing apps in the exit strategy of the current lockdown that is gripping much of the world is increasingly becoming a focus of attention. While that role is being hotly debated, it is very likely that those apps in combination with other measures will be deployed across many countries. Until now and despite the calls by influential bodies such as the European Data Protection Supervisor for a coordinated approach to the development of single COVID-19 mobile app involving the World Health Organization, different countries have

Posted in Data Protection & Privacy Photo of Katie McMullanPhoto of Eduardo Ustaran

Getting Customer Communications Right in Times of Coronavirus

Across the world, large retail stores and small businesses alike are shutting their doors. International flights and sporting events, conferences and concerts (and everything in between) are being cancelled. With all of the cancellations, postponements, and alternative arrangements that are required as a result of this global crisis, plus the special desire of all retail, travel, and other consumer-facing businesses to stay in touch with their customers, many organisations face the critical challenge of getting to grips with the legal rules that apply to those unsolicited communications and interactions. Privacy

Posted in Policy & Regulation Photo of Eduardo Ustaran

AG Says ePrivacy Applies to Government Access to Communications Data

On  January 15, the Court of Justice of the European Union’s (CJEU) Advocate General (AG) Manuel Campos Sánchez-Bordona delivered his Opinion on four references for preliminary rulings on the topic of retention of and access to communications data. Of the four references, two originated from France, one from Belgium, and one from the Investigatory Powers Tribunal (IPT) in the United Kingdom. The latter arose from a challenge by Privacy International to the UK Security and Intelligence Agencies’ (SIAs) powers under the Telecommunications Act 2014 and the Data Retention and Investigatory

Posted in Policy & Regulation Photo of Eduardo Ustaran

Getting Cookie Consent Right

One could be forgiven for thinking that knowing how to comply with a legal obligation that has been in place for nearly a decade would be clear cut. However, widespread practice tells us that this is far from the truth. In November 2009, as part of wider reforms to the European telecommunications regulatory framework, the European Union introduced various amendments to the existing Directive 2002/58/EC (‘e-Privacy Directive’), including to the provisions regulating the use of cookies. Since then the e-Privacy Directive has required obtaining the consent of users in order

Posted in Policy & Regulation, Privacy and Security Litigation Photo of Eduardo Ustaran

Hogan Lovells calls for an alternative approach to regulating privacy in the digital economy

LONDON, 25 November 2019 – Hogan Lovells has published a study evaluating the ongoing legislative proposal for a new ePrivacy Regulation, a law aimed at updating the current ePrivacy framework in the EU. After nearly three years of debates and negotiations, the European Union is nowhere near agreeing a position on how to achieve the right balance between the need for technological innovation, public security and the protection of privacy in the context of the digital economy. According to Hogan Lovells, this is due to the structure and legislative approach of the

Posted in Policy & Regulation Photo of Eduardo UstaranPhoto of Katie McMullan

CJEU: Consent on the Internet Means ‘Opt-In’

On 1 October 2019, the Court of Justice of the European Union (CJEU) handed down a crucial decision impacting the way that consent is obtained on the internet. The judgment relates to Case C-673/17 (Planet49 – a previous post outlining the background can be found here). In the Planet49 case, the German Federal Court referred a number of questions to the CJEU regarding the validity of consent to cookies placed by a website operating an online lottery. The questions before the CJEU amounted to the following: 1.  Does a pre-checked

Posted in Data Protection & Privacy Photo of Eduardo Ustaran

The EDPB’s Narrow View of Contractual Necessity

The European Data Protection Board (EDPB) has adopted the narrowest possible interpretation of ‘contractual necessity’ as a ground for processing of personal data. The Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects (adopted on April 9, 2019 and open for consultation until May 24, 2019) provide a detailed assessment of the regulator’s interpretation of the law. Article 6(1)(b) sets out one of the six possible lawful grounds for personal data processing under the European Union’s

Posted in Data Protection & Privacy, Policy & Regulation, Privacy and Security Litigation Photo of Eduardo Ustaran

EDPB Joins the Dots of ePrivacy and GDPR

On 12 March 2019 at its Eighth Plenary Session, the European Data Protection Board (“EDPB”) adopted its Opinion 5/2019 on the interplay between the ePrivacy Directive (“ePD”) and the General Data Protection Regulation (“GDPR”). The Belgian Data Protection Authority had, on 3 December 2018, requested that the EDPB examine the overlap between the two laws and in particular the competence, tasks, and powers of data protection authorities (“DPAs”). The EDPB adopted its Opinion in response to this request and in order to promote the consistent interpretation of the boundaries of

Posted in Data Protection & Privacy Photo of Christine GateauPhoto of Winston MaxwellPhoto of Eduardo Ustaran

The General Data Protection Regulation timidly opens the doors to data class actions in Europe

More than 15 years after the adoption of the Data Protection Directive1, the European Commission noticed that the current legislative framework on data protection did not adequately deal with the risks associated with online activity2. Acknowledging this, the General Data Protection Regulation (GDPR)3 was finally adopted by the European Parliament on 14 April 2016, entering into force in May 2016 and becoming directly applicable in all Member States on 25 May 20184. The GDPR targets the data controller or its processor and provides a set of standardised rules relating to

Posted in Data Protection & Privacy Photo of Christine GateauPhoto of Winston MaxwellPhoto of Eduardo Ustaran

Four key lessons when facing data class actions in Europe

Could the GDPR give rise to forum shopping and are there any pre-litigation strategies that should be considered? Here, we review four key elements that should be kept in mind in respect of data class actions in the EU. Damages In the US, many class actions are dismissed for lack of ‘standing’, i.e. because the litigants do not demonstrate that they suffered an ‘injury in fact’ that is concrete and actual or imminent. Does the US ‘injury in fact’ standard apply for data class actions in Europe? Under the GDPR,

Posted in Data Protection & Privacy Photo of Winston MaxwellPhoto of Harriet PearsonPhoto of John SalmonPhoto of Eduardo Ustaran

Getting to data nirvana – a user’s guide to data lakes and GDPR

A data lake is an infrastructure that permits different data sets from within a group to be combined and analysed together. To analyse a data lake under GDPR, it is helpful to think of a data lake in two phases, which we analyse in our user guide. The infrastructure phase Here, the guide covers: Identify the entity that is hosting the data lake. Implement an intragroup data processing agreement. Check data localisation rules. Data protection impact assessment. Data lake governance committee. The applications phase Specifically, we look at: Data lake service

Posted in Data Protection & Privacy, Policy & Regulation Photo of Winston MaxwellPhoto of Harriet PearsonPhoto of John SalmonPhoto of Eduardo Ustaran

Getting to data nirvana – regulatory silo-busting to optimize risk management

“Getting to Data Nirvana” is our four-step approach to help you integrate your legal, regulatory and compliance work streams into your organisation’s overall data strategy. The job of the legal and compliance teams is to make sure that their company’s data projects do not breach applicable laws. Their task is not easy because the number of laws regulating the processing of data – particularly personal data – are increasing multiplying worldwide. However, a focus solely on data compliance can prevent broader thinking about data strategy, and how legal and regulatory

Posted in Data Protection & Privacy Photo of Eduardo Ustaran

The Future of International Data Transfers

With the current focus on the coming into effect of the EU General Data Protection Regulation (GDPR), one could (almost) be forgiven for forgetting about the question of international data flows. However, given the political and legal developments currently affecting the future of international data transfers, that would be a very serious strategic mistake. Legitimising data globalisation remains a top business priority in our uber-digitised world. The coming of age of cloud-based services, the continuous advance of mobile communications and the push by developed and developing countries to reach a

Posted in Data Protection & Privacy Photo of Eduardo Ustaran

Cookie Consent Is the New Panic

Judging by the number of calls and the intensity of the discussions about how to comply with the cookie consent requirement in a post-GDPR world, this issue has become a top worry for organisations and data protection officers. Partly due to the visibility of the mechanisms used to collect this consent, and partly due to the potential implications of operating a website without cookies, the dilemma around what solution to deploy has become a serious business decision. Different business stakeholders are often at odds with each other and matters are

Posted in Data Protection & Privacy, Policy & Regulation Photo of Winston MaxwellPhoto of Harriet PearsonPhoto of John SalmonPhoto of Eduardo Ustaran

Getting to data nirvana – using the GDPR to create data value

“Getting to Data Nirvana” is our four-step approach to help you integrate your legal, regulatory and compliance work streams into your organisation’s overall data strategy. The job of the legal and compliance teams is to make sure that their company’s data projects do not breach applicable laws. Their task is not easy because the number of laws regulating the processing of data – particularly personal data – are increasing multiplying worldwide. However, a focus solely on data compliance can prevent broader thinking about data strategy, and how legal and regulatory

Posted in Data Protection & Privacy, Policy & Regulation Photo of Winston MaxwellPhoto of Harriet PearsonPhoto of John SalmonPhoto of Eduardo Ustaran

Getting to data nirvana – understanding data value and ownership

“Getting to Data Nirvana” is our four-step approach to help you integrate your legal, regulatory and compliance work streams into your organisation’s overall data strategy. The job of the legal and compliance teams is to make sure that their company’s data projects do not breach applicable laws. Their task is not easy because the number of laws regulating the processing of data – particularly personal data – are increasing multiplying worldwide. However, a focus solely on data compliance can prevent broader thinking about data strategy, and how legal and regulatory

Posted in Data Protection & Privacy Photo of Eduardo Ustaran

The True Global Effect of the GDPR

“European data protection rules will become a trademark people recognise and trust worldwide”. That is how, in January 2012, Viviane Reding – then Vice-President of the European Commission and EU Justice Commissioner – ended her announcement of the widest reform of privacy and data protection law ever attempted. Six years later, this ambitious aim is becoming a reality. Organisations from around the world and well beyond Europe are grappling with the new European General Data Protection Regulation (GDPR) and its impact on their data activities. From Australian banks and South

Posted in Data Protection & Privacy Photo of Eduardo Ustaran

Is Artificial Intelligence the Ultimate Test for Privacy?

Nothing challenges the effectiveness of data protection law like technological innovation. You think you have cracked a technology neutral framework and then along comes the next evolutionary step in the chain to rock the boat. It happened with the cloud. It happened with social media, with mobile, with online behavioural targeting and with the Internet of Things. And from the combination of all of that, artificial intelligence is emerging as the new testing ground. 21st century artificial intelligence relies on machine learning, and machine learning relies on…? You guessed it:

Posted in Data Protection & Privacy Photo of Eduardo Ustaran

Misunderstandings, Panic and Priorities in the Year of the GDPR

It is finally here. This is the year of the GDPR. A journey that started with an ambitious policy paper about modernising data protection almost a decade ago – a decade! – is about to reach flying altitude. No more ‘in May next year this, in May next year that’. Our time has come. Given the amount of attention that the GDPR has received in recent times, data protection professionals are in high demand but we are ready. We knew this was coming and we have had years to prepare.

Posted in Data Protection & Privacy Photo of Eduardo Ustaran

Thinking Strategically About Brexit and Data Protection

To date, the main legacy of the Brexit referendum of 2016 appears to be a country split in half: some badly wish the UK would continue to be a member of the EU and some are equally keen on making a move. Yet, there seems to be at least one thing on which Remainers and Leavers will agree: nobody knows exactly what is going to happen. The same is true of the effect of Brexit on UK data protection. However, as Brexit day approaches, it is becoming imperative for those

Posted in Data Protection & Privacy Photo of Eduardo Ustaran

ICO Turns Spotlight on Data Broker Industry

Data brokers are organisations that obtain data from a variety of sources and then sell or license it to third parties. Many trade in personal data, which is purchased by their customers for several purposes, most commonly to support marketing campaigns. In 2012, data brokers’ trade in personal data was reported to have generated over $150 billion in revenue. The UK data protection regulator (the “ICO”) has for some time been actively enforcing against organisations who buy individuals’ personal data for direct marketing purposes without first conducting appropriate due diligence

Posted in Data Protection & Privacy Photo of Eduardo Ustaran

Privacy in 2017 – From Challenges to Opportunities

After all of the 2016 drama, the start of a brand new year is a welcome development in itself – a clean sheet for a script yet to be written.  However, 2017 will not be without challenges and the same applies to the world of privacy and data protection.  Many of the big issues that arose during 2016 will need to be addressed in 2017.  In addition, new questions will no doubt emerge.  Here is an overview of the privacy challenges that lie ahead and what can be done about

Posted in Data Protection & Privacy Photo of Eduardo Ustaran

New Notice and Consent Rules under Proposed EU e-Privacy Regulation

The European Commission has released its proposal for a new EU e-Privacy Regulation that will replace the existing e-Privacy Directive.  The high level aim of the draft e-Privacy Regulation is to harmonise the specific privacy framework relating to electronic communications within the EU and ensure consistency with the GDPR. Compared to the existing Directive, the draft e-Privacy Regulation has broader territorial reach and applies generally to the provision of electronic communications services to end users in the EU and to the use of such services.  It is also concerned with