Privacy Matters

On 26 May 2022, the TC260 released the Draft Requirements on Privacy Agreements for Internet Platforms, Products and Services (“Draft Requirements”) for public consultation. The Draft Requirements flesh out the regulatory scheme regarding privacy policies as put forward in the Personal Information Protection Law (“PIPL”) and Personal Information Specification (“PIS Specification”), reiterating many of the …

CHINA: Draft Rules on Privacy Policies Released – Is Your Privacy Policy Compliant? Read More »

On 3 August, the Indian Central Government withdrew the Personal Data Protection Bill, 2019 (PDP Bill). The PDP Bill, which has drawn criticism from both privacy advocates and industry stakeholders, was first published in 2018 and was to be India’s first law on the protection of personal data. A government notice stated that the decision came …

India: Government withdraws long-awaited Personal Data Protection Bill Read More »

Authors: Alex Horder, Anthony Lloyd and Edmond Lau  What is the CDR Sandbox? Following the expansion of the Consumer Data Right (CDR) regime last year to a wider range of organisations, the ACCC has now released the ‘CDR Sandbox’, a free tool that lets CDR participants test their proposed CDR compliance solutions in a virtual environment that …

Australia: ACCC launches CDR sandbox Read More »

On Thursday 21 July 2022, the Cyberspace Administration of China (“CAC”) fined Didi Global Inc, an online ride-hailing business a total of RMB 8.026 billion (approximately USD 1.2 billion). The CAC explained that the reasons for the fines were due to Didi’s: illegal collection of over 11.9 million screenshots from users’ mobile phone photo albums; …

China: Enforcement of data protection – 5% of annual local revenue Read More »

Authors: Sarah Birkett and Alex Moore  The use of CCTV systems to collect biometric information from individuals in Australia is attracting headlines.  The issue relates not to the use of CCTV itself, but rather the collection of biometric information (i.e. electronic copies of faces, fingerprints, voices) via CCTV.  Organisations, including retailers, may collect biometric information …

Australia: Collection of biometric information via CCTV Read More »

The Italian privacy authority, the Garante, deemed that the use of Google Analytics results in unlawful transfers of personal data to the United States in violation of the principles outlined in the Schrems II ruling. In Order No. 224 of June 9, 2022, the Italian data protection authority found that transfers of personal data to the …

ITALY: the Garante aligns with CNIL and DSB holding that the use of Google Analytics leads to unlawful transfer of Personal Data Read More »

The UK ICO has published its AI and data protection risk toolkit (the “Toolkit“). The Toolkit is designed to provide practical support to organisations using AI systems which may involve the processing of personal data. It builds on the ICO’s earlier guidance on AI and data protection, published in July 2020. The ICO recognises there can be significant …

UK: ICO publishes AI and Data Protection risk Toolkit Read More »

On 8 March 2022, The Data Protection Act 2018 (Access Modification) (Health) Regulations 2022 (“the 2022 Regulations”) came into force, revoking and replacing the Data Protection (Access Modification) (Health) Regulations 1989 (the “1989 Regulations”). The new 2022 Regulations will have an impact on organisations that process health data (i.e. physical and mental health data) and …

Ireland: Employers can now process Data Subject Access Requests without advice of health service providers Read More »

Organisations engaging in cross border transfers of personal data may now rely on the Recommended Model Contractual Clauses (RMCs), recently published by the Privacy Commissioner for Personal Data (PCPD). The two sets of RMCs are intended for controller to controller transfers, and controller to processor transfers. The RMCs may be used in: cross border transfers …

Hong Kong: Newly published Model Contractual Clauses Read More »

What is the European Health Data Space? On 3 May 2022, the EU Commission published a draft Regulation on the European Health Data Space (“HDS”).  The Regulation is the first sector-specific proposal in the Commission’s “European Strategy for Data”, which aims at creating a ‘single market for data’.  In so doing, the Commission intends to …

The European Health Data Space – 5 Things You Need to Know Read More »

Max Schrems, through his organisation, ‘My Privacy is None of your Business’ (“noyb.eu”) has issued an open letter to U.S. and EU officials about the announcement of an ‘agreement in principle’ for a new Trans-Atlantic Data Privacy Framework (“letter”). The letter coincides with a visit to Washington, D.C. by a delegation of several members of the European Parliament’s …

NOYB open letter on the new EU – US data deal Read More »

A draft set of EDPB guidelines on the calculation of administrative fines under the GDPR is likely to lead to some further consistency among supervisory authorities on how fines are calculated – however, if adopted, the guidance leaves clear room for the current divergent approaches to continue. On 12 May 2022, the European Data Protection …

Europe: EDPB Guidelines on calculation of fines under GDPR – a case of evolution, not revolution? Read More »

Today, through the Queen’s Speech, the UK Government has set out its legislative program for the next Parliamentary term. The speech outlined 38 proposed laws, including the Data Reform Bill. The introduction of the Data Reform Bill will reform the UK’s current data protection framework, bringing in potentially significant changes to the UK GDPR and …

UK: Data Reform Bill: post-Brexit data reforms Read More »