May 24, 2023
The Irish Data Protection Commission (DPC) has evaluated the legality of Facebook’s (now Meta Platforms) data transfer for over 10 years. In those 10 years, we have seen the Irish DPC trying to avoid ruling on the matter multiple times and the European Data Protection Board (EDPB) forcing them to do it. We now have a final ruling on the matter, which is unfavorable to Meta. In fact, in addition to having to stop the data transfer within 5 months and having to move back all data within 6 months, Meta has to pay a € 1.
Read More 
September 26, 2022
In the last few months, we have witnessed multiple European Data Protection offices weigh on the legitimacy of Google Analytics.
Back in January, I’ve published a post that touched on the topic but was not really about Google Analytics. So, let’s start looking at what happened, why Google Analytics seems to be so interesting for the European Privacy authorities, and finish with some guessing on what could happen in the next few months.
Read More 
January 25, 2022
In the last few weeks, there has been a lot of talking about Google Analytics and the GDPR. I think most of the comments around it have missed the whole picture.
A little bit of history Our brief history begins at the end of the ’90s when the EU and the US agreed on the International Safe Harbor Privacy Principles. On the 26th July 2000, the European Commission (EC) formalized it with the Commission Decision 2000/520/EC, where it was defined that data could be freely moved from the EU to the US.
Read More 
January 10, 2022
The CNIL, France’s data regulator, fined Meta (Facebook) and Google for violating the GDPR for a total of 210M€. More specifically:
Google LLC (USA) got fined 90M€ Google Ireland Limited got fined 60M€ Facebook Ireland Limited got fined 60M€ Also, if the companies will not fix the issue within three months, an additional penalty of 100'000€/day will be added.
There are two facts that I think are very interesting about these fines: the reason behind the fines the fines issuer
Read More 
May 31, 2021
Three years passed from the moment the GDPR become binding law in the European Union. On the one hand, I’m happy that it has already been three years, but on the other hand, I’m impatient to see GDPR fully applied.
Cookies Cookies are always a hot theme when we talk about GDPR. I still see websites handing out cookies (first and third parties ones) without a cookie banner or to users who have not pressed the “accept” button on the cookie banner.
Read More 
July 19, 2020
Today I did a big update to this website. The goal of today’s update is the removal of Disqus. I have decided to remove Disqus more than a year ago, with the decision to remove all cookies from this website. The plan was to remove both Google Analytics and Disqus since those were the only two reasons this website was distributing cookies. I removed Google Analytics in June 2019, and now I’ve removed Disqus, so this goal has now been achieved.
Read More 
May 25, 2020
As it is becoming a sort of tradition, here we are, after two years from the enactment of GDPR to see how it performs in the real world.
In our previous yearly check, we analyzed the situation from two points of view: the banners and the fines. Let’s see how those two topics have evolved in the last year.
The Cookie Banners On the 1st of October 2019, with the judgment in case C-673/17, the European Union Court of Justice clarified that pre-ticketed consent checkboxes are not sufficient since the consent has to be expressed actively by the user.
Read More 
July 14, 2019
In the last few days, multiple fines related to privacy have been announced. More specifically:
British Airways €203M/£183M/$230M (CNN, The Verge) Marriott €109M/£99M/$124M (CNN, The Guardian) Facebook ca€4.5B/ca£4B/ca$5B (The Telegraph, NYT) Even if I talk about them “collectively”, I would like to point out that the third one is very different in nature, in nature and in the jurisdiction, and therefore in the amount of the fine from the first two, which are fairly similar among them.
Read More 
May 25, 2019
One year has passed by the 25/05/2018, the day that the GDPR started to be enforced. Today I’d like to see how this first year of GDPR went and what we could be expecting for the future given what we have seen so far.
The first consideration that I think is obvious but interesting is that the Internet did not close down on the 25/05/2018 as many were worried. In fact, not much changed on that day.
Read More 
(Fabio Alessandro Locati|Fale)'s blog