France: Changes to insurability of cyber losses

Authors: Luc Bigel and Hamza Akli  On 24 January 2023, France’s Orientation and Programming Law (“LOPMI“) was enacted and published the next day in the Official Journal. LOPMI introduces amendments to the insurability of losses and damages paid in response to cyber-attacks, including in relation to ransom payments – requiring that the payment of insurance …

France: Changes to insurability of cyber losses Read More »

CHINA: CBDT routes now all clear – Draft guidelines for CAC Certification route published

Authors: Carolyn Bigg, Amanda Ge, Venus Cheung, and Gwyneth To It’s now the time to focus on the steps that data controllers need to take to legitimize overseas processing of China personal information via the CAC certification route. Background: While most PRC data controllers should have already identified whether to follow the CAC assessment/approval route …

CHINA: CBDT routes now all clear – Draft guidelines for CAC Certification route published Read More »

UK: ICO issues updated Guidance on Artificial Intelligence and Data Protection

On 15th March 2023, the UK Information Commissioner’s Office (“ICO”) issued updated Guidance on Artificial Intelligence and Data Protection. The updated Guidance follows ‘requests from UK industry to clarify requirements for fairness in AI” and aims to support the UK government’s vision of a “pro-innovation approach to AI regulation” and more specifically its intention to “embed considerations …

UK: ICO issues updated Guidance on Artificial Intelligence and Data Protection Read More »

France: the CNIL has released its annual dawn raid Program for 2023: four national priorities and one priority coming from the EDPB!

Authors: Denise Lebeau-Marianna, Divya Shanmugathas and Lucie Dubecq-Princeteau On 15 March 2023, the French Supervisory Authority (the “CNIL”) unveiled in a post its four key priorities regarding its upcoming investigations for 2023 targeting specific sectors (I), to which it added another topic related to DPO in line with the coordinated enforcement framework of the European …

France: the CNIL has released its annual dawn raid Program for 2023: four national priorities and one priority coming from the EDPB! Read More »

EU: Final version of the EDPB-Guidelines 05/2021 on the Interplay between the application of Art. 3 and the provisions on international transfers as per Chapter V of the GDPR

Authors: Andreas Rüdiger, Philipp Adelberg  On 14 February 2023, the European Data Protection Board (“EDPB”) published the updated and final version of its Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (EDPB Guidelines 05/2021). In comparison to the first …

EU: Final version of the EDPB-Guidelines 05/2021 on the Interplay between the application of Art. 3 and the provisions on international transfers as per Chapter V of the GDPR Read More »

SINGAPORE: First decision on the Legitimate Interest Exception under the Personal Data Protection Act (PDPA) issued

Authors: Carolyn Bigg, Yue Lin Lee and Daisy Wong Singapore’s Personal Data Protection Commission (“PDPC”) has issued its first decision on the Legitimate Interests Exception under the PDPA. While the PDPA remains largely a consent-based regime, the Legitimate Interests Exception is one of the exceptions from consent available under the PDPA. This RedMart decision illustrates …

SINGAPORE: First decision on the Legitimate Interest Exception under the Personal Data Protection Act (PDPA) issued Read More »

Belgium: Belgian data protection authority clarifies the public interest legal basis in the context of decision on a vehicle tracking system

Authors:  Heidi Waem and Simon Verschaeve On 21 February 2023, the Litigation Chamber of the Belgian Data Protection Authority ruled on a case relating to the lawfulness of a geolocation tracking system for employee vehicles used by a public authority. The decision not only sets out the conditions for the use of such systems, but …

Belgium: Belgian data protection authority clarifies the public interest legal basis in the context of decision on a vehicle tracking system Read More »

EU/US: EDPB Welcomes Improvements in the EU-US Data Privacy Framework, but Challenges Remain

Authors: Jim Sullivan, John Magee, Rachel De Souza & Christopher Connell The European Data Protection Board (“EDPB” or the “Board”) on 28 February 2023, released its non-binding opinion on the draft adequacy decision underlying the EU-US Data Privacy Framework (“DPF”). The Board welcomed the “substantial improvements” to US law concerning signals intelligence gathering of data, …

EU/US: EDPB Welcomes Improvements in the EU-US Data Privacy Framework, but Challenges Remain Read More »

Australia: Cyber security round-up – new Cyber Security Strategy, data breach stats and more

Author: Sarah Birkett Cyber Security Strategy discussion paper launched This week saw the launch of a discussion paper for the Australian Government’s 2023-2030 Australian Cyber Security Strategy. The discussion paper refers to the lofty aim of making Australia the most cyber secure nation by 2030. The discussion paper, which acknowledges that the Australian Government was …

Australia: Cyber security round-up – new Cyber Security Strategy, data breach stats and more Read More »

EU – US adequacy decision: Update

Authors: Andreas Rüdiger, Philipp Adelberg The debate on transatlantic data transfers, a possible adequacy decision for the US and the EU-US Data Privacy Framework (“DPF“) is gaining new momentum. On 14 February 2023, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs published its draft motion for a resolution regarding the adequacy of …

EU – US adequacy decision: Update Read More »

UK: Data Protection Compensation Claims Webinar

Data protection compensation claims continue to manifest themselves. Understanding a data incident, and how to respond in an appropriate manner, is vital to combatting this growing threat. Judgments through 2022 continued to be largely favourable to those facing such claims. But the threat still exists. On Thursday, 2 March 2023, David Cook and Benjamin Fellows …

UK: Data Protection Compensation Claims Webinar Read More »

CHINA: Final China SCCs for CBDT published – What you need to know

Authors: Carolyn Bigg, Amanda Ge, Venus Cheung, and Gwyneth To Summary: The final version of the China SCCs has now been published, meaning those organisations that haven’t had to apply for CAC approval for their cross-border transfers of personal information now have until 1 December 2023 to: sign the China SCCs with overseas recipients of …

CHINA: Final China SCCs for CBDT published – What you need to know Read More »

EU Regulatory Data Protection: Online advertising – A regulatory patchwork under construction

Authors: Heidi Waem and Simon Verschaeve The arrival of the internet has revolutionized the advertising landscape, and since the appearance of the first banner ad in 1994, innovative technologies have been developed in the field of online advertising. Since then, new stakeholders, such as online platforms, have emerged and a whole spectrum of new digital …

EU Regulatory Data Protection: Online advertising – A regulatory patchwork under construction Read More »

Australia Privacy Act review – a blueprint for change?

Authors: Sarah Birkett, Nicholas Boyle The Australian Attorney-General has published the (long-awaited) results of the Privacy Act review. The report recommends a number of changes to the Australian privacy framework, including various changes to Australia’s core privacy legislation, the Privacy Act 1988 (Cth). The report does not represent official Government policy and there is no …

Australia Privacy Act review – a blueprint for change? Read More »

Canada: Changes to privacy regulations require BC public bodies to report privacy breaches and develop ‎privacy management program

Author: Keri Bennett As of February 1, 2023, two new sections of the British Columbia Freedom of Information and Protection of Privacy Act (“FIPPA”) and associated regulations are in force. All public bodies governed by FIPPA in the province of British Columbia (generally speaking all government ministries and the broader public sector) are now required to report privacy breaches to individuals …

Canada: Changes to privacy regulations require BC public bodies to report privacy breaches and develop ‎privacy management program Read More »

EU: NIS2 enters into force

On 16 January 2023, the Directive on measures for a high common level of cybersecurity across the Union (“NIS2”) entered into force. NIS2 replaces the Directive on Security of Network and Information Systems (“NIS Directive”) and introduces a number of changes, including bringing more sectors and services under the scope of the NIS rules and introducing an updated …

EU: NIS2 enters into force Read More »

Belgium: Constitutional Court rules that third parties should be able to appeal DPA decisions

Authors: Heidi Waem – Nicolas Becker Following a reference for a preliminary ruling by the Belgian Council of State, the Belgian Constitutional Court ruled that an interested third party should be able to bring an appeal against a decision of the Litigation Chamber (the sanctioning body within the Belgian Data Protection Authority). As article 108, …

Belgium: Constitutional Court rules that third parties should be able to appeal DPA decisions Read More »

Europe: CJEU decision – Right of access to individual recipients of personal data

On 12 January 2023, the European Court of Justice (“CJEU”) delivered its judgment regarding the right of access to personal data under Article 15 GDPR. The CJEU held that when exercising their right of access under the GDPR, data subjects must be provided with the individual data recipients of their personal data. Background Under Article 15 GDPR, …

Europe: CJEU decision – Right of access to individual recipients of personal data Read More »