Last October the European Court of Justice confirmed that websites do have a legitimate interest in security that may justify the processing of personal data. That case (Breyer) overruled a German law that said websites could only process personal data for the purpose of delivering the pages requested by users. As far as I know, everywhere else in Europe the use of logs to secure websites is accepted as lawful.
After (too) many years, I’ve turned the ideas from my original TF-CSIRT documents into a formal academic paper, which has just been published in the open access law journal, SCRIPTed:
The General Data Protection Regulation contains one new right for individuals – data portability (Article 20). Some commentators have suggested that this is just a digital form of the existing subject access right, but the Article 29 Working Party's new guidance describes something much more radical.
The European Commission recently published wide-ranging proposals to reform copyright law. One particular concern is that the proposals appear to reduce the existing legal protections for sites that host third-party content.
Anyone who has looked at an information security standard is likely to be familiar with the idea of an Information Asset Register. These cover the What and Where of information that an organisation relies on: what information do we hold, and where is it kept.
Many of the requirements of the General Data Protection Regulation (GDPR) point to an extension of this idea: something more like an Information Lifecycle Register. This would add
According to Parliament's website, "outstanding issues on the [Investigatory Powers] Bill were resolved on 16th November". The Bill now passes to its final formal stage, Royal Assent, after which it will be the Investigatory Powers Act.