This is a collection of laws, case law, guidelines, authors that I personally rely on during my daily work and when writing Digital Agora. Feel free to use it or share it!

Share

European data protection laws and regulations

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

ePrivacy Directive: Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector

• aka “Cookie Directive”

Law Enforcement Directive (LED): Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA

“EUDPR”: Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC

• Note: applies to EU institutions only. 99% same text as the GDPR.

“Non-personal data regulation”: Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union

Pending proposals

GDPR Procedural Regulation: Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679

ePrivacy Regulation: Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)

Previous laws & regulations

Data Protection Directive: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

Guidelines

European Data Protection Board’s (EDPB) Guidelines. Most notable ones:

• Guidelines 05/2020 on consent under Regulation 2016/679

• Guidelines 01/2022 on data subject rights - Right of access

• Guidelines 9/2022 on personal data breach notification

  under GDPR

• Guidelines 03/2022 on Deceptive design patterns in social media platform interfaces: how to recognise and avoid them

Most notable Article 29 Working Party Guidelines (predecessor of EDPB):

• Guidelines on transparency under Regulation 2016/679

• Guidelines on Data Protection Officers (‘DPOs’)

• Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679

European Data Protection Supervisor Guidelines (note: applicable in the context of EU institutions only)

Digital Agora and this page are free to inform readers on privacy, AI and digital laws. Every subscription motivates to improve this page to offer you more.

Case law

European Court of Justice search form

Some notable cases:

• “Schrems I”, Case C‑362/14, EU-US data transfers

• “Schrems II”, Case C‑311/18, EU-US data transfers (Digital Agora post here)

• “Wirtschaftsakademie”, Case C‑210/16, joint controllers

• “Bundeskartellamt”, Case C‑252/21, cooperation between data protection authorities and competition authorities (Digital Agora post here)

• “Bindl v. Commission”, Case T‑354/22, damages

Data protection authorities’ (DPA) decisions overview

• GDPR enforcement tracker: great for comparing DPA decisions in a structured format for a high-level overview. You can check decisions e.g. per amount of fine.

• EDPB News shows the latest GDPR fines across Europe.

• GDPRhub by the NGO none of your business (noyb) is good if you want to find decisions on specific articles of the GDPR.

Specific DPAs

It really depends where you reside, but national DPA decisions and guidelines are often more practical than European ones. To highlight a few:

• The UK Information Commissioner’s Office (ICO) has in my opinion the most practical guidelines for English-speakers. As long as the UK does not modify its inherited GDPR, it remains a reliable source on most topics for EU professionals too.

• The French CNIL has more and more decisions in English, but even its French guidelines are often referred across Europe. Notable guidance on AI for example.

• The Irish Data Protection Commission (DPC) (though often criticized) is also essential as most Big Tech’s European subsidiaries are in Dublin.

Depending on your language and country, this list can be extended of course.

Newsletters

• PrivacyPerfect’s weekly newsletter is a good overview of global trends for free

• Noyb’s newsletter itself is a good source to stay on top on the latest enforcement decisions or Big Tech scandals

Networking & certifications

• The International Association for Privacy Professionals (IAPP) is a good start to get certified, gain access to conferences and to a community.

Notable authors

• Professor Solove’s work inspired many ideas on Digital Agora: https://teachprivacy.com/

Missed anything?

If you’d like to add anything else, or to promote yourself or your Substack on the list of notable authors, send me a DM: