The European Data Protection Board (EDPB) is an independent advisory body, established by the GDPR, that issues guidelines, recommendations, and best practices for the application of the GDPR.

At its Third Plenary on September 26, the EDPB adopted new draft guidelines on the GDPR’s territorial scope.

These guidelines should help provide a common interpretation of

Government policymakers have been hoping for twenty years that companies will be driven to good cybersecurity by the threat of tort liability. That hope is understandable. Tort liability would allow government to get the benefit of regulating cybersecurity without taking heat for imposing restrictions directly on the digital economy.

Those who see tort law as

China seems to have found a reliable legal tool for suppressing dissent.  A prominent Chinese human rights lawyer, Pu Zhiqiang, has been arrested after a meeting in a private home to commemorate the 25th anniversary of the killings at Tiananmen Square.  The charge?  “Illegal access to the personal information of citizens,” a crime punishable by

Here we go again.  A prominent company suffers a data breach.  The company publicly alerts its customers.  The company almost immediately finds itself the subject of inquiries from Congress and the target of investigations by regulators.  Before long, class action lawyers will crank out complaints as if they’re Mad Libs, filling in the name of

The third-party doctrine of Smith v. Maryland, 442 U.S. 735 (1979), is getting a bad rap from libertarians of the left and the right.  Smith holds that the police don’t need a search warrant to get information about me from a third party.  If I keep a diary in my desk drawer, the police

We used to talk about the “borderless” environment of the Internet.  These days, that view is looking increasingly outmoded and utopian, in large part because of the intersection of law enforcement and privacy concerns.  Steady increases in regulation (and enforcement of existing regulation) in these areas is increasingly prompting two types of responses by global

Depending on the new Commission’s level of ambition when it takes office in the Autumn, this week’s European Court of Justice preliminary ruling (Cases C-293/12 and C-594/12), which found a 2006 Directive invalid, could prove an opportunity to re-think the EU approach to privacy and protecting personal data.

When we think about the EU and