Issue 6 / 2023

In the current CRi issue 6 (publication on: 15. Dezember 2023) you find the following articles and case law:



Radtke, Tristan, Mandatory Age Verification for Online Services under GDPR, CRi 2023, 161-168

An age verification requirement has so far been more of a child protection issue than a data protection issue. While it may seem paradoxical how data protection law could require controllers to carry out more data processing, this article argues that the GDPR obliges information society service controllers to implement effective age verification measures pursuant to Art. 25(1), Art. 5(1)(a) GDPR. In order to make this argument, the article lays out the necessary background and briefly analyses the concept of ‘state of the art’ before showing the implications of the data subject’s age for the lawfulness of a processing and thus for Art. 25(1) GDPR. Thereby, this article takes the EDPB’s Binding Decision 2/2023 on the age verification measures implemented by TikTok as an opportunity to take an in-depth look at the interplay between the data subject’s age, the lawfulness and privacy by design under Art. 25(1) GDPR.

Li, Wan, The Super App and Children – China’s Challenges and Answers to Very, Very Large Internet Platforms and Very Small Users, CRi 2023, 168-175

The article first describes the phenomenon of super app adoption within the digital market of China (I.) and then lays out China’s legal framework for protecting children and their personal information from the potential risks posed by online platforms (II.). Finally, WeChat’s strategy for compliance with children protection laws and regulations is outlined as well as its impact on the effectiveness of the legal framework in safeguarding children’s data privacy assessed (III.).

Beardwood, John, Cyberbreaches in Critical Infrastructure: Focus on India, CRi 2023, 175-180

This article continues the previously published two-part series, Cyber-Breaches in Critical Infrastructure: It’s Not Just About Personal Data Breaches Anymore, by expanding its focus to India – specifically, to the India Computer Emergency Response Team and the related Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules.

Winau, Mona, “Complete” Independence of the ICO and Strategic Priorities of the UK Government?, CRi 2023, 180-187

The article discusses the significant changes to the position and function of the ICO proposed by the Data Protection and Digital Information Bill that is currently being debated in the House of Commons focusing on Section 30 of the Bill which incorporates a statement of strategic priorities of the UK Government into the ICO’s performance of its duties and assessing the effects of Section 28 of the Bill on the “complete” independence in the sense of Union law of the ICO.

Case Law

CJEU v. 17 May 2023 - C-97/22, EU: Information obligation and right of withdrawal in case of off-premises contracts, CRi 2023, 187-189

Austrian Federal Administrative Court (BVwG) v. 6 October 2023 - W176 2265088-1, Austria: Full Compliance with Information Obligations No Prerequisite for Lawfulness of Data Processing, CRi 2023, 189-191


Lloyd, Ian, The UK Extension to the EU-U.S. Data Privacy Framework, CRi 2023, 191-192

Verlag Dr. Otto-Schmidt vom 08.12.2023