Ireland & UK: Latest trends in data subject access requests in pending litigation

Authors: Marcus Walsh, David Cook, John Magee

As individuals become more aware of their rights under data protection law, data subject access requests (DSARs) are an increasingly frequent concern for organisations both large and small. DSARs remain the single most common cause of regulatory complaints for organisations – the latest annual report from the Irish …

Taking back control: The European Digital Identity

Authors: Kristof De Vulder, Florian De Rouck, Emma Stockman

On 3 June 2021, the EU Commission proposed the long-awaited framework for a European Digital Identity (EUid). The proposal stems from the regulatory review of Regulation 910/2014/EU (eIDAS Regulation), and constitutes a complete overhaul of the European digital identification framework. The EU Commission plans to introduce a new …

EU: What’s left of the GDPR’s one-stop-shop? CJEU clarifies the competences of non-lead data protection authorities

Authors: Heidi Waem, Simon Verschaeve

When the GDPR was adopted back in 2016, its new cooperation and consistency mechanism, coined as the one-stop-shop, was marketed as one of the major advancements that the GDPR would bring to organisations. Instead of having to engage with multiple local data protection authorities, controllers and processors established in the EU …

POPIA: The long wait is over

Authors: Monique Jefferson and Justine Katz

The Protection of Personal Information Act, 2013 (POPIA) came into effect on 1 July 2020 but was subject to a 12-month grace period, which ended yesterday (30 June 2021). Therefore, from today (1 July 2021) POPIA is fully in effect, save for certain provisions. In this regard, we point …

Ireland: Ireland legislates for third party rights – removing SCCs governing law concerns

The new Standard Contractual Clauses (SCCs) issued by the European Commission came into force on 27 June 2021. The SCCs allow parties to choose the governing law of one of the EU Member States, provided that such law allows for third party beneficiary rights. As privity of contract rules apply in Ireland, there had been …

Australia takes steps towards the mandatory reporting of ransomware payments

Author: Sarah Birkett

A private member’s bill has been introduced in Australia that would require the mandatory reporting of ransomware payments by applicable Australian entities. The Ransomware Payments Bill would require any business or Commonwealth Government entity which makes a ransomware payment to notify the Australian Cyber Security Centre (ACSC) with details of: the identity …

European Commission adopts UK Adequacy Decision

Today, the European Commission has adopted two adequacy decisions for transfers of personal data to the United Kingdom, one under the General Data Protection Regulation (“GDPR”) and the other for the Law Enforcement Directive (“LED”). The GDPR and LED impose restrictions on the transfer of personal data to a ‘third country’ unless that country benefits from (i) an …

EDPB adopts final Recommendations on Supplementary Measures

On 21 June 2021, the European Data Protection Board (“EDPB”) published the final Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (“Recommendations”). These long-awaited Recommendations are an extremely important step for the consideration of data transfer related risks and GDPR compliance management within an …

China: Navigating China Episode 19: China’s new Data Security Law: what multinational businesses need to know

Authors: Carolyn Bigg, Venus Cheung, Fangfang Song

China’s Data Security Law (“DSL”) has come into force and takes effect on 1 September 2021. The speed of its passing has left multinational businesses scrabbling to understand the key compliance obligations. While many of the practical compliance steps will be detailed in measures and guidelines to be …

EU: Second wave of noyb complaints targets cookie banners

Authors: Heidi Waem and Simon Verschaeve

Recently, the European Center for Digital Rights (better known as noyb), founded by privacy activist Max Schrems, announced a new initiative that focuses on compliance of cookie banners in Europe. Alongside the launch of the campaign, noyb reported that it issued more than 500 draft complaints to the owners …

EU: New SCCs published

Today, the European Commission published the final Implementing Decision on standard contractual clauses (“New SCCs”) for the transfer of personal data to third countries. The New SCCs repeal the existing SCCs (dating from 2001, 2004 and 2010) and aim to address the entry into force of the General Data Protection Regulation (“GDPR”) and the decision of the …

China: Navigating China episode 18: Increased scrutiny over connected car and automobile industry data from Chinese regulators, including push towards data localisation

Authors: Carolyn Bigg, Venus Cheung and Fangfang Song

The Chinese cybersecurity authorities have published new draft rules clarifying data and cyber compliance obligations for the automobile industry, including a push towards most personal information and important data being …

DLA Piper Global Vaccine Guide

As the scientific response to the COVID-19 pandemic develops, many employers are considering what their approach should be to the issues around vaccination for their workforce, with a view to accelerating a return to some kind of normality. This is an area where law, guidance and best practice is likely to develop rapidly and there …

Georgia’s HB 156, requiring state notice for utility cybersecurity incidents, is now in effect

Authors: Lael Bellamy and Emily Maus

Georgia’s governor has signed into law House Bill 156, creating specific notice requirements for state agencies and utilities that experience cybersecurity attacks, data breaches or malware and requiring notice to the state director of emergency management in Georgia within two hours of notifying the federal emergency management agencies. In …

Thailand postpones the implementation of the data protection act until 1 June 2022

By: Samata Masagee, Komson Suntheeraporn, Nahsinee Luengrattanakorn, Thawalkorn Pattanachote

The Personal Data Protection Act B.E. 2562 (2019) (PDPA) came into effect on 28 May 2019, with most provisions scheduled to take full effect on 27 May 2020. Previously, the enforcement of the PDPA for 22 types of businesses listed here was postponed to 31 May …

DCMS Cyber Security Breaches Survey 2021 highlights more still to be done by the majority of businesses

The Department for Culture Media and Sport recently published its annual Cyber Security Breaches Survey (the “Survey”), which aims to capture trends in cyber security incidents and provides a snapshot of the approach of UK businesses to the risks of an incident and the types of incidents seen in the previous 12 months. We have …

German Federal Labor Court rules on the scope of the right to information under Art. 15 GDPR

In a legal dispute before the German Federal Labor Court, the court had the opportunity to rule on the highly controversial scope of the right to information under Art. 15 GDPR. Specifically, the issue was whether, and to what extent, Art. 15 GDPR grants a right to receive copies of e-mails. This question is the subject of considerable debate, particularly in the employment context. The court did not issue a decision on the merits, however, because it considered the claim too vague and therefore dismissed it as inadmissible. This result is disappointing only at first glance: the decision is likely to provide an important guidepost for dealing with information claims and will hopefully, at least in part, prompt a rethink.