European Data Protection: Law and Practice

While the General Data Protection Regulation (GDPR) promises to unify the approaches of the EU member states, it brings forth challenges as organisations work toward compliance with this robust and comprehensive regulation. Based on the body of knowledge for the Certified Information Privacy Professional/Europe (CIPP/E) certification (ANSI accredited under ISO 17024:2012), European Data Protection is the essential text on the GDPR, pan-European, and national data protection laws.

European Data Protection reviews concepts, criteria and obligations of the GDPR and related laws, examines the territorial and material scope of the GDPR, legitimate processing criteria, information provision obligations, data subjects’ rights, security of processing, accountability requirements, and supervision and enforcement. The book also provides practical concepts concerning the protection of personal data and cross-border data transfers.

Global data protection practitioners and CIPP/E certification candidates will all find this to be an invaluable reference guide.

Official textbook for the CIPP/E program

ebook

First published January 1, 2018

26 people are currently reading
162 people want to read

About the author

Eduardo Ustaran

5 books, 12 followers
Data protection lawyer and author of The Future of Privacy

Eduardo advises some of the world's leading companies on the adoption of global privacy strategies and is closely involved in the development of the new EU data protection framework. He has been named by Revolution magazine as one of the 40 most influential people in the growth of the digital sector in the UK and is ranked as a leading privacy and internet lawyer by prestigious international directories.

Eduardo is a member of the Board of Directors of the IAPP and the editor of Data Protection Law & Policy. Eduardo is the author of The Future of Privacy (DataGuidance, 2013), executive editor of European Privacy: Law and Practice for Data Protection Professionals (IAPP, 2011), and co-author of E-Privacy and Online Data Protection (Tottel Publishing, 2007) and of the Law Society’s Data Protection Handbook (2004). Eduardo regularly lectures at the University of Cambridge on data protection law as part of its Masters of Bioscience Enterprise.

Ratings & Reviews

Community Reviews

5 stars: 16 (15%)
4 stars: 53 (51%)
3 stars: 24 (23%)
2 stars: 8 (7%)
1 star: 2 (1%)
Displaying 1 - 13 of 13 reviews
Michał
137 reviews
December 26, 2020
Generally speaking, a good introductory book but you can see that different chapters were written by different authors and they repeat some of the elements many times so it is unnecessarily long. It should be proof-read and packed with relevant content as opposed to unnecessary repetitions. Also, it should be updated!
Stephane Hamel
14 reviews, 24 followers
Read
November 17, 2020
It's not an easy read (expected!) but it is thorough and up to date. The earlier chapters spend a fair amount of time describing the history of GDPR, its relation to ePrivacy and the complex web between the various legal bodies.

It also covers scenarios which are less relevant for people like myself who are doing digital marketing, like workplace monitoring. There are some repetitions in the chapters' content - but that's expected and allows the reader to jump straight to a topic and get a complete overview.

Those aren't criticisms since it's a general and complete overview of the European legal framework around privacy. I recommend it for anyone who really wants to take the time to learn & understand. Plus, it is a good reference book to keep.
Kate
53 reviews
February 8, 2021
An easy to read data protection basics guide, incredible in its scope - not just data protection in a silo but also related employment, whistleblowing, etc. laws. Also good practical and national examples. Doesn't shy away from tech or political topics - on the contrary, explains them in simple terms (e.g. OBA, cloud, cookies, privacy shield) and can be very ahead of its time.

Cons: tad outdated now and I missed page numbers.
Ryan Casey
32 reviews, 19 followers
February 8, 2024
The textbook is helpful for understanding the ever-evolving history of privacy laws in Europe, covering early laws and regulations to pending legislation including the AI Act. It is a textbook, so the reading is inherently dry. However, a few things made this read more painful than other IAPP textbooks. First, IAPP recently stopped publishing physical copies of their textbooks. The .epub readers are atrocious and this made marking up, highlighting, and note taking extra burdensome. Further, it is painfully obvious that each chapter is written by someone different. By way of example, each chapter defines previously defined terms in order to establish the same acronyms (for which there are plenty). Finally, some chapters truly feel repetitive. For example, while reading chapters that discussed concepts of consent and transparency in detail, I caught myself stopping to ask “haven’t I read this exact paragraph in a different chapter?” Sure enough, on at least two separate occasions, the answer to my question was “yes, there is a section nearly identical to this in an earlier chapter.” In short, the textbook could benefit from an editor who cross references the different chapters.
Peter
Author, 1 book, 5 followers
August 24, 2018
Essential reading for passing the CIPP/E exam. I passed!
John
493 reviews, 413 followers
April 27, 2025
My book was the 3rd edition, but it seems that this newer edition is not in Goodreads.

On the back of this book, we're told that this is the book for learning the materials you'll need to pass the CIPP/E exam, which is about European data privacy: its history and especially its workings under the GDPR. The blurb calls this book the "principal reference."

It is all there, so in that respect it is a success.

Yet this book could be so much more. Each chapter is written by a lawyer, and conveys the core and nuances of the various aspects of the laws in sentences and paragraphs. But I feel that the book wasn't designed from the perspective of getting this body of knowledge into the student's head. Here are some things that should be better:

1. It follows the CIPP/E Body of Knowledge almost exactly; but not exactly. The chapter numbering should follow the BoK domains perfectly. But it doesn't (for example, in the BoK some sub-subdomains have subordinate parts a and b, but in the book they become chapter subsections).

2. Reference material should be in tables in appendices to facilitate look-ups. For instance, the section listing key events in the Evolution of Data Protection Law in Europe (p. 23) lends itself to a table with columns such as the date issued, date approved, etc. There should be links (ideally, short links) to all key documents. The table on p. 325 (13.8) is great, but again, I'd put it back in a section of reference tables.

3. There should at least be a table of all of the GDPR Articles and Recitals. Indeed, I'd recommend putting them right into the printed book so that students can mark them up. Also, it turns out that the EDPB Guidelines are critical. Some of them should be included with brief abstracts, and at least, once again, a table. Additionally, there should be a table of key law cases (e.g., Google vs Spain) with a brief abstract.

4. The free Certification Examination Blueprint provides a count of questions per domain and subdomain that might be on the exam. While I don't think it makes sense to provide the exact counts in the book, somewhere the book should provide a better sense of what's really critically important (those areas are Data Subjects' Rights and Security of Personal Data).

5. Editing should be absolutely scrupulous. For example, p. 44 refers to a "broader church of forty-seven member states." Seriously, fix these typos everywhere.

6. Things like the Treaty on European Union should be referenced with exactly the same name, consistently, everywhere; don't just casually call it the Maastricht Treaty or the EU Treaty if the canonical name is to be the Treaty on European Union. Another example: p. 49 mentions the Council of Europe Convention. Please, call it Convention 108, or the Council of Europe Convention, but do it the same through the whole book. When a treaty is mentioned, always give the year (e.g., if we have decided that the canonical name will be the EU Treaty, then say: EU Treaty [1992]).

7. Then there are places where key words simply aren't used and/or aren't in the index: When the book discusses Schrems, unless I missed it, the word "adequacy" is not used.

8. Other little gaps: When data minimization is discussed, we learn that controllers must figure out necessity and proportionality. But this section does not mention doing a DPIA. You see this all over the book: Each author is so within his or her niche that you don't see the interrelations.

9. Much of GDPR exists in a political context. For example, the discussion of the Irish DPC would be enriched by explaining the context of Ireland's positioning of itself as a flexible host for American companies. I'd suggest adding footnotes not only to the case law, but to articles from the various papers of record (such as the UK Guardian).

I am aware of the fact that this would balloon the book to 600 or more pages, but why not? It describes itself as a reference. Well, be a reference.

OK, I've whined enough. Is this how all law books are? I feel sorry for my friends and colleagues who went to law school and had to draw up innumerable outlines of the materials (as I did) because of the deficits in the reading.
1 review
Read
February 28, 2023
European data protection laws are crucial in today's digital age where personal data is constantly being collected, processed, and shared. The European Union's General Data Protection Regulation (GDPR) sets out strict rules and guidelines on how personal data should be handled by organizations operating within the EU, as well as those outside the EU that handle the data of EU citizens.

The book "European Data Protection: Law and Practice" is a comprehensive guide to understanding the intricacies of data protection law in Europe. It covers topics such as the legal framework of data protection in Europe, the rights of data subjects, the role of data protection authorities, and the enforcement of data protection laws.

The book provides practical advice on how to comply with GDPR and other data protection laws, including how to implement privacy by design and conduct data protection impact assessments. It also discusses the legal implications of emerging technologies such as artificial intelligence and blockchain, which present unique challenges to data protection https://spin.ai/.

Overall, "European Data Protection: Law and Practice" is an essential resource for anyone involved in the processing of personal data in Europe. It provides a thorough understanding of the legal landscape and practical guidance on how to comply with the law while protecting the privacy rights of individuals.
Jules Smith
113 reviews
November 23, 2025
Content wise it is very helpful for CIPPE but fucking hell this was written by a bunch of deranged lawyers - repetitive, with words that I am confident they didn’t know the meaning of and just… overall traumatic
1 review, 32 followers
March 25, 2020
Great materials if you want to pass the CIPP/E test
8 reviews
Read
March 2, 2021
Good case examples and works for studying but frankly, I would rather report other books to Goodreads :D
Beth
62 reviews, 5 followers
August 23, 2024
I passed the test so this was a successful book. Very dry.