
Two scandals involving algorithm-based final scores for high-school seniors put automated decision-making based on personal data in the spotlight this summer, abruptly revealing to the general public the serious dangers of a society sorted by algorithms. The two cases concern the International Baccalaureate (IB) program and the finals of high-school graduates in the UK (‘A-levels’ and equivalent).

Ultimately, these developments show why the protection of personal data is an essential right that needs to be safeguarded in our new, data-rich world, and why it should indeed be construed and regulated differently than privacy. …



The Chinese government published a draft Personal Information Protection Law two weeks ago. It is modeled after the EU’s GDPR, but with some twists. A full translation in English is available courtesy of New America. The draft is currently under public consultation. Below are 13 Key Points it encompasses, kept very brief for the busy privacy professional.

The Draft Law:

1) applies to very broadly defined “personal information” (PI) — which includes the “identifiable” element from the GDPR [Art. 4];

2) includes lawful grounds for processing after the GDPR model, but with “legitimate interests” notably missing [Art. 13];

3) applies to…


As Europe is grappling with an exponential increase in COVID-19 cases, some European Data Protection Authorities issued public interest guidance on the limits of collecting, sharing and using personal data relating to health in these exceptional circumstances. Particular areas of concern are related to the breadth of measures that employers can legally take to monitor the health of their employees, as well as the collection of health data by government agencies. …


America’s own GDPR was introduced in Congress in 1974. This Bill applied to government and companies; it restricted international transfers and offered U.S. and foreign “data subjects” rights to access, erasure and even… explanation.

The U.S. has been recently working towards finally adopting comprehensive privacy and data protection rules, with unfolding efforts both at federal and state level. Until now, only Californians can claim they actually achieved something on the road to protecting their rights impacted by the widespread collection and use of personal information. …


The Court of Justice of the European Union published on October 1st its long-awaited judgment in the Planet49 case, which clarifies many key aspects of how cookies can be lawfully used by publishers under the EU’s legal obligations.


The case was referred by a German Court in proceedings initiated by a non-governmental consumer protection organization representing the participants in an online lottery. It dealt with questions which should have been clarified a long time ago, after Article 5(3) was introduced in Directive 2002/58 (the ‘ePrivacy Directive’) by an amendment from 2009, with Member States transposing and then applying its requirements anachronistically:

  • Is…


Here’s a fresh truth bomb (photo from Pixabay.com)

A ‘notice and consent’ privacy law puts the entire burden of privacy protection on the person and then it doesn’t really give them any choice. The GDPR does the opposite of this.

There is so much misunderstanding about what the GDPR is and what the GDPR does, that most of what is out there at this point is more mythology than anything else.

For example, an article in Axios claimed over the weekend that ‘the notice and consent approach forms the backbone of the GDPR’. This claim is simply not true.

Understanding and correctly categorizing the regulatory framework of the GDPR is actually very important now. Look at the US Senate’s hearing yesterday, on ‘GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation’. …



Some cross-reference clauses in the ePrivacy Directive create a new type of creature: a regulation-directive with unknown effects on the digital market.

The EU legislator has been struggling for exactly two years now to make progress on the reform of the ePrivacy Directive and convert it into an updated ePrivacy regulation governing confidentiality of telecommunications. There is yet no light at the end of the tunnel, while reaching the finish line is more urgent than originally thought. One of the many reasons for this?

Gabriela Zanfir-Fortuna

Gabriela is Senior Counsel for the Future of Privacy Forum and former legal officer for the European Data Protection Supervisor. PhD in data protection law.
