CIPP/E Study Guide
Ch 17.1 - Internet tech overview

Introduction and scope

Chapter 17 maps how European data protection concepts apply to a range of internet technologies - cloud, cookies, IP addresses, search engines, social media, adtech, apps, IoT and AI. A key framing point: after Brexit, the GDPR was incorporated into UK domestic law as the UK GDPR, and the ePrivacy Directive was already in UK law, so UK and EU law remain broadly equivalent. References to the EU, GDPR and supervisory authorities can be read as including the UK, UK GDPR and the ICO.

The chapter takes a series of internet technologies in turn and asks how GDPR and the ePrivacy Directive apply to each. A recurring theme is whether data is personal data (so GDPR applies) and, separately, whether storing or reading information on a user's device triggers the ePrivacy Directive consent rule. The two laws are distinct and apply to different acts.

Brexit framing

After Brexit, UK law remains broadly equivalent to EU law. Throughout the chapter, references to the EU, GDPR and European supervisory authorities can be read as including the UK GDPR and the ICO unless stated otherwise.

Key terms - quick answers

What is “GDPR”?
General Data Protection Regulation - the EU's core data protection law (Regulation 2016/679).
What is “UK GDPR”?
The GDPR as incorporated into UK domestic law by the European Union (Withdrawal) Act 2018 after Brexit.
What is “ePrivacy Directive”?
EU Directive 2002/58/EC (as amended) governing privacy in electronic communications, including the cookie consent rule.
What is “ICO”?
Information Commissioner's Office - the UK's data protection supervisory authority.