Authors: Carolyn Bigg, Venus Cheung, Fangfang Song China’s Data Security Law (“DSL”) has come into force and takes effect on 1 September 2021. The speed of its passing has left multinational businesses scrabbling to understand the key compliance obligations. While many of the practical compliance steps will be detailed in measures and guidelines to be …
Authors: Heidi Waem and Simon Verschaeve Recently, the European Center for Digital Rights (better known as noyb), founded by privacy activist Max Schrems, announced a new initiative that focuses on compliance of cookie banners in Europe. Alongside the launch of the campaign, noyb reported that it issued more than 500 draft complaints to the owners …
EU: Second wave of noyb complaints targets cookie banners Read More »
With the publication this week of the new EU Standard Contractual Clauses for data transfers, a great deal of attention is understandably being paid to analysing the differences from the current set of SCCs. However, it shouldn’t be overlooked that another set of standard clauses has been issued by the EU, namely the Article 28 …
Today, the European Commission published the final Implementing Decision on standard contractual clauses (“New SCCs”) for the transfer of personal data to third countries. The New SCCs repeal the existing SCCs (dating from 2001, 2004 and 2010) and aim to address the entry into force of the General Data Protection Regulation (“GDPR”) and the decision of the …
Authors: Carolyn Bigg, Venus Cheung and Fangfang Song Increased scrutiny over connected car and automobile industry data from Chinese regulators, including push towards data localisation The Chinese cybersecurity authorities have published new draft rules clarifying data and cyber compliance obligations for the automobile industry, including a push towards most personal information and important data being …
As the scientific response to the COVID-19 pandemic develops, many employers are considering what their approach should be to the issues around vaccination for their workforce, with a view to accelerating a return to some kind of normality. This is an area where law, guidance and best practice is likely to develop rapidly and there …
Authors: Heidi Waem and Gert-Jan Fraeyman On 22 April 2021, the Belgian Constitutional Court annulled the Act of 29 May 2016 on the collection and storage of data in the electronic communications sector (the Data Retention Act). This judgment, which follows a decision of the Court of Justice of the European Union (CJEU) pursuant to …
The Belgian Constitutional Court annuls Data Retention Act Read More »
Authors: Lael Bellamy and Emily Maus Georgia’s governor has signed into law House Bill 156, creating specific notice requirements for state agencies and utilities that experience cybersecurity attacks, data breaches or malware and requiring notice to the state director of emergency management in Georgia within two hours of notifying the federal emergency management agencies. In …
By: Samata Masagee, Komson Suntheeraporn, Nahsinee Luengrattanakorn, Thawalkorn Pattanachote The Personal Data Protection Act B.E. 2562 (2019) (PDPA) came into effect since 28 May 2019 with most provisions scheduled to take full effect on 27 May 2020. Previously, the enforcement of the PDPA for 22 types of businesses listed here1 has been postponed to 31 May …
Thailand postpones the implementation of the data protection act until 1 June 2022 Read More »
The Department for Culture Media and Sport recently published its annual Cyber Security Breaches Survey (the “Survey”), which aims to capture trends in cyber security incidents and provides a snapshot of the approach of UK businesses to the risks of an incident and the types of incidents seen in the previous 12 months. We have …
In a legal dispute to be decided by the German Federal Labor Court, the court had the opportunity to rule on the highly controversial scope of the right to information under Art. 15 GDPR. Specifically, the issue was whether or to what extent Art. 15 GDPR grants a right to receive copies of e-mails. This question is controversially discussed, particularly in the employment context. A decision on the merits was not issued, however, because the court already considered the claim to be too vague and therefore dismissed it as inadmissible. This result, nevertheless, is disappointing only at first glance. Rather, the decision is likely to provide an important guidepost for dealing with information claims and will hopefully, at least in part, cause a rethink.
Authors: Carolyn Bigg, Venus Cheung and Fangfang Song Second drafts of the new overarching national personal data protection and data security laws have just been published, and give a clearer picture of the impending new national frameworks in China. 1. Draft Personal Information Protection Law The Draft Personal Information Protection Law (“Draft PIPL”) will – …
Authors: Emily Maus and Anna Spencer HIPAA covered entities and business associates should finalize their comments soon, before the comment period for the 2020 Health Insurance Portability and Accountability Act (HIPAA) Notice of Proposed Rulemaking (NPRM) closes on May 6. The Office for Civil Rights (OCR), which is the federal agency within the US Department …
Deadline to file comments to the HIPAA NPRM is fast approaching Read More »
Authors: Keara M. Gordon, Isabelle Ord, Jeff DeGroot, and Haley Torrey This week, the Second Circuit in McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310, weighed in on whether data-breach plaintiffs can establish Article III standing based on the theory that the theft or disclosure of their data subjects the plaintiffs to an increased risk …
Second Circuit sets standing threshold for data-breach class actions Read More »
On yet another application of the principles contained in the Schrems II case, on the 27th of April 2021, the Portuguese Data Protection Authority (“CNPD”) issued a decision ordering the suspension, within 12 hours, of any transfer of personal data resulting from the Census 2021 to the US, or to other third countries outside the …
Portuguese CNPD suspends transfers of Census 2021 data to the U.S. Read More »
Click here to view an article about the 2021 Washington Privacy Act legislative developments. DLA Piper follows the evolving state privacy landscape more closely than any other law firm. As of the date of this post, the most likely states to pass an Omnibus privacy bill later this year are Florida, Colorado and Ohio. For …
The Washington Privacy Act fails to pass for the third straight year Read More »
In a significant decision issued on Thursday, April 22, 2021, the US Supreme Court unanimously ruled in an eagerly anticipated case that the Federal Trade Commission (FTC) does not have the legal authority under Section 13(b) of the FTC Act to obtain court-ordered monetary equitable relief (such as restitution or disgorgement). In AMG Capital Management, …
The Supreme Court sharply curtails FTC’s authority to obtain restitution Read More »
Andrew Dyson, Ewa Kurowska-Tober, Heidi Waem On 21 April 2021, the European Commission published the long-awaited proposal for a Regulation on Artificial Intelligence[1](“AI Regulation”). The proposed AI Regulation introduces a first-of-its-kind, comprehensive, harmonized, regulatory framework for Artificial Intelligence. The ambition is to provide the legal certainty needed to facilitate investment and innovation in AI, whilst …
European Commission publishes long-awaited draft Regulation on Artificial Intelligence Read More »
Authors: Carolyn Bigg, Venus Cheung and Fangfang Song Important new guidelines outlining how personal and other types of financial information should be handled by financial institutions throughout the data lifecycle have just come into force in China, including a new data localisation obligation. The “Financial Data Lifecycle Guidelines” (金融数据生命周期安全规范) were published by the PBOC (the …
Authors: Heidi Waem, Camille Vermosen Schrems II The CJEU’s long-awaited Schrems II decision of 16 July 2020, raised important questions on the validity of data processing activities involving the transfer of personal data outside the EEA. In its decision, the CJEU did not only invalidate the Privacy Shield, it also concluded that relying on the …
