  1. Nov 2019
    1. Clear affirmative action means someone must take deliberate action to opt in, even if this is not expressed as an opt-in box. For example, other affirmative opt-in methods might include signing a consent statement, oral confirmation, a binary choice presented with equal prominence, or switching technical settings away from the default. The key point is that all consent must be opt-in consent – there is no such thing as ‘opt-out consent’. Failure to opt out is not consent. You may not rely on silence, inactivity, default settings, pre-ticked boxes or your general terms and conditions, or seek to take advantage of inertia, inattention or default bias in any other way.

      On opt in vs opt out in GDPR.

    2. Although the GDPR doesn’t specifically ban opt-out consent, the Information Commissioner’s Office (ICO) says that opt-out options “are essentially the same as pre-ticked boxes, which are banned”.

      On opt in vs opt out in GDPR.

  2. Oct 2019
  3. May 2019
    1. Unsurprisingly living up to its reputation, Facebook refuses to comply with my GDPR Subject Access Requests in an appropriate manner.

      Facebook has never cared about the privacy of individuals. This is highly interesting.

  4. Sep 2018
    1. It is also necessary to accelerate the creation of a national software certification structure that makes it possible to draw on technicians who can test the software created for the public administration (PA) and ensure its compliance with the AGID rules and with the GDPR (privacy by design). In this area, national capacity is currently very limited.

  5. May 2018
  6. Apr 2018
    1. A purpose that is vague or general, such as for instance ‘Improving users’ experience’, ‘marketing purposes’, or ‘future research’ will – without further detail – usually not meet the criteria of being ‘specific’”.

      I see a lot of cookie notices that give vague reasons like "improving user experience". Specifically disallowed by GDPR?

    2. The GDPR permits the opt-out approach when the purposes that the companies want to use the data for are “compatible” with the original purpose for which personal data were shared by users.[6] In addition to the opt-out notice, users also have to be told of their right to object at any time to the use of their data for direct marketing.[7]

      GDPR can allow opt out rather than opt in.

    3. The alternative, of a regulatory patchwork, would make it harder for the West to amass a shared stock of AI training data to rival China’s.

      Fascinating geopolitical suggestion here: Trans-Atlantic GDPR-like rules as the NATO of data privacy to effectively allow "the West" to compete against the People's Republic of China in the development of artificial intelligence.

  7. Feb 2018
    1. The extraterritorial nature of these two frameworks — they protect the privacy rights of people in Europe regardless of where their data is collected — means that they will become the de facto standard for privacy around the world.

      I'm not totally clear on how this would be enforced yet, but jeepers

    2. Your privacy testing procedures should predict the ways unauthorized users would access actual data on your system. Would a suspicious search for user data, or an alteration to a record, be logged as a security vulnerability? Is data stored in login cookies? Could someone gain access to data by intentionally triggering an error?

      This sounds a lot like threat modelling.

    3. The European term “personal data” differs from the American term “personally identifiable information.” The latter pertains to a much more limited set of information than the European model. It also does not see information as contextual, whereas the European framework emphasizes the risks inherent in data aggregation.

      Important distinction. This is a useful article
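      The privacy testing questions quoted above (would a suspicious search or a record alteration be logged, is personal data sitting in login cookies, can data be extracted by forcing an error) can be turned into automated checks. The block below is an added example and is not code from the annotated article; the audit-log line format, the cookie names, the sample record and the error body are all constructed fixtures for illustration.

```python
"""Three privacy checks matching the questions in the quoted passage.

Added example, not from the annotated article. The audit-log format
("ts user=<actor> action=<verb> <details>"), the cookie names and the
sample responses are constructed for this example.
"""
import re
from http.cookies import SimpleCookie
from urllib.parse import unquote

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Assumed audit-log layout; adapt the pattern to the real log format.
AUDIT_LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<actor>\S+) action=(?P<action>\S+) (?P<details>.*)$")

# --- constructed fixtures -------------------------------------------------
SAMPLE_RECORD = {"user_id": "u-1042", "email": "alice@example.org", "full_name": "Alice Example"}

SAMPLE_SET_COOKIES = [
    "session=6f1c9d2e; Path=/; HttpOnly; Secure",   # opaque session id: fine
    "remember=alice%40example.org; Path=/",         # e-mail in a cookie: not fine
]

SAMPLE_ERROR_STATUS = 500
SAMPLE_ERROR_BODY = (
    "Traceback (most recent call last): ... "
    "KeyError in render_profile(user_id='u-1042', email='alice@example.org')"
)

SAMPLE_AUDIT_LOG = """\
2018-02-03T10:00:01Z user=tester action=login details=ok
2018-02-03T10:00:07Z user=tester action=search details=query=* results=5000
2018-02-03T10:00:20Z user=tester action=update details=record=u-1042 field=email
"""

# --- checks ----------------------------------------------------------------
def personal_data_in_cookies(set_cookie_headers, known_pii):
    """Names of cookies whose (URL-decoded) value contains personal data.

    Flags anything that looks like an e-mail address plus any string from
    known_pii (e.g. the test user's name) that the tester planted on purpose.
    """
    hits = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            value = unquote(morsel.value)
            if EMAIL_RE.search(value) or any(p in value for p in known_pii):
                hits.append(name)
    return hits


def fields_leaked_in_error(status, body, record):
    """Fields of a stored record that an error response (status >= 400) echoes.

    A 2xx/3xx response is out of scope for this check; the question being
    tested is whether deliberately triggering an error discloses stored data.
    """
    if status < 400:
        return []
    return [field for field, value in record.items() if value in body]


def unlogged_actions(audit_lines, expected):
    """(actor, action) pairs from `expected` that never appear in the audit log.

    Run the test actions first (bulk search, record edit, export, ...), then
    confirm each one left an audit entry; anything returned here is a gap.
    """
    seen = set()
    for line in audit_lines:
        m = AUDIT_LINE_RE.match(line)
        if m:
            seen.add((m.group("actor"), m.group("action")))
    return [pair for pair in expected if pair not in seen]


def run_privacy_checks():
    """Run all three checks over the fixtures and report findings as a dict."""
    return {
        "cookies_with_personal_data": personal_data_in_cookies(SAMPLE_SET_COOKIES, ["Alice Example"]),
        "fields_leaked_in_error": fields_leaked_in_error(SAMPLE_ERROR_STATUS, SAMPLE_ERROR_BODY, SAMPLE_RECORD),
        "unlogged_actions": unlogged_actions(
            SAMPLE_AUDIT_LOG.splitlines(),
            [("tester", "search"), ("tester", "update"), ("tester", "export")],
        ),
    }


if __name__ == "__main__":
    for check, finding in run_privacy_checks().items():
        print(f"{check}: {'OK' if not finding else finding}")
```

      Each function returns the findings rather than pass/fail so the same checks can feed a test suite; an empty list means the check passed. In practice the fixtures would be replaced by the responses and log lines captured while the tester performs the suspicious search, the record edit and the forced error against a staging system.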

  8. Jan 2018
    1. No more retention scams that allow online signups but demand users phone a call centre to delete their accounts.

      Holy caw, this covers opt-out after subscriptions too? Eeeenteresting...

    2. Article 15 supplements Article 40 of the Law of 6 January 1978 in order to use the leeway provided for in Article 23 of the Regulation concerning the restriction of certain rights of data subjects. That article allows national law to restrict, by way of legislative measures, the scope of the obligations and rights of data subjects (right to information, right of access, right to rectification, right to erasure, right to portability, right to object, etc.), where such a restriction respects the essence of the fundamental rights and freedoms and constitutes a necessary and proportionate measure in a democratic society to safeguard certain objectives (national security, national defence, public security, the prevention and detection of criminal offences, protection of judicial independence and judicial proceedings, important objectives of general public interest of the Union or of a Member State, etc.). Recital 41 of the Regulation specifies in this regard that a “legislative measure” within the meaning of that article “does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned”.

    3. The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for US companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 2 % of worldwide turnover.

      This appears to be the source for the quote. If you search the web for the quote, though, it seems most often to be attributed to Wikipedia itself.