CHINA: Draft Rules on Privacy Policies Released – Is Your Privacy Policy Compliant?

On 26 May 2022, the TC260 released the Draft Requirements on Privacy Agreements for Internet Platforms, Products and Services (“Draft Requirements”) for public consultation. The Draft Requirements flesh out the regulatory scheme regarding privacy policies as put forward in the Personal Information Protection Law (“PIPL”) and Personal Information Specification (“PIS Specification”), reiterating many of the …

CHINA: Draft Rules on Privacy Policies Released – Is Your Privacy Policy Compliant? Read More »

India: Government withdraws long-awaited Personal Data Protection Bill

On 3 August, the Indian Central Government withdrew the Personal Data Protection Bill, 2019 (PDP Bill). The PDP Bill, which has drawn criticism from both privacy advocates and industry stakeholders, was first published in 2018 and was to be India’s first law on the protection of personal data. A government notice stated that the decision came …

India: Government withdraws long-awaited Personal Data Protection Bill Read More »

NETHERLANDS: Highest court side-steps determining whether legitimate interests may be purely commercial

On 27 July 2022, the highest administrative court in the Netherlands, published its highly anticipated judgment involving the Dutch Data Protection Authority’s assessment of “legitimate interest” under Article 6(1)(f) GDPR. It was expected that the court would provide some clarification on whether “purely commercial interests” can qualify as legitimate interests within the meaning of Article …

NETHERLANDS: Highest court side-steps determining whether legitimate interests may be purely commercial Read More »

Australia: ACCC launches CDR sandbox

Authors: Alex Horder, Anthony Lloyd and Edmond Lau  What is the CDR Sandbox? Following the expansion of the Consumer Data Right (CDR) regime last year to a wider range of organisations, the ACCC has now released the ‘CDR Sandbox’, a free tool that lets CDR participants test their proposed CDR compliance solutions in a virtual environment that …

Australia: ACCC launches CDR sandbox Read More »

China: Enforcement of data protection – 5% of annual local revenue

On Thursday 21 July 2022, the Cyberspace Administration of China (“CAC”) fined Didi Global Inc, an online ride-hailing business a total of RMB 8.026 billion (approximately USD 1.2 billion). The CAC explained that the reasons for the fines were due to Didi’s: illegal collection of over 11.9 million screenshots from users’ mobile phone photo albums; …

China: Enforcement of data protection – 5% of annual local revenue Read More »

Australia: Collection of biometric information via CCTV

Authors: Sarah Birkett and Alex Moore  The use of CCTV systems to collect biometric information from individuals in Australia is attracting headlines.  The issue relates not to the use of CCTV itself, but rather the collection of biometric information (i.e. electronic copies of faces, fingerprints, voices) via CCTV.  Organisations, including retailers, may collect biometric information …

Australia: Collection of biometric information via CCTV Read More »

UK: New Data Protection and Digital Information Bill

Authors: Alexa Smith, James Clark, Robyn Palmer, Jamie Sanderson The UK Government has published its long-awaited ‘Data Protection and Digital Information Bill’. The Bill will reform areas of UK data protection and electronic privacy law, and will also introduce new regulatory frameworks, most notably in the field of digital identity verification. By amending the UK …

UK: New Data Protection and Digital Information Bill Read More »

UK: New National Strategy for Health Data

Author: James Clark The UK’s Department for Health and Social Care (“DHSC”) has published a major strategy document (‘Data saves lives: reshaping health and social care with data’) outlining the government’s plans for the regulation and use of data in healthcare. In this post, we look at some of the most interesting proposals outlined in …

UK: New National Strategy for Health Data Read More »

CHINA: Cross-border data transfers – what are your options?

Authors: Carolyn Bigg, Venus Cheung, Fangfang Song, Gwyneth To We have all been waiting for a confirmed approach on legitimising overseas transfers. Finally, we have a clear answer on what organisations need to do to transfer or access for personal data and “important data” outside of Mainland China; and the message is clear – all …

CHINA: Cross-border data transfers – what are your options? Read More »

CHINA: Draft SCCs Released – Time to Focus on Overseas Data Transfers

Authors: Carolyn Bigg, Venus Cheung, Fangfang Song The China draft SCCs have been published, but may not provide the easy approach to cross border transfers of Mainland China personal data we have hoped to. Requirements to file the SCCs or PIIA for each transfer with the regulator, to undertake mini transfer impact assessments upon changes …

CHINA: Draft SCCs Released – Time to Focus on Overseas Data Transfers Read More »

ITALY: the Garante aligns with CNIL and DSB holding that the use of Google Analytics leads to unlawful transfer of Personal Data

The Italian privacy authority, the Garante, deemed that the use of Google Analytics results in unlawful transfers of personal data to the United States in violation of the principles outlined in the Schrems II ruling. In Order No. 224 of June 9, 2022, the Italian data protection authority found that transfers of personal data to the …

ITALY: the Garante aligns with CNIL and DSB holding that the use of Google Analytics leads to unlawful transfer of Personal Data Read More »

FRANCE: The CNIL provides further insights following its formal notices against the use of Google Analytics

Authors: Denise Lebeau-Marianna, Tess Muckensturm and Divya Shanmugathas Since our last post, the French Supervisory Authority (the “CNIL”) has published a Q&A and a post on June 7, 2022 regarding Google Analytics, where it highlights the key points of its formal notices and gives some practical advice to website operators. Lessons to be drawn from …

FRANCE: The CNIL provides further insights following its formal notices against the use of Google Analytics Read More »

UK: ICO publishes AI and Data Protection risk Toolkit

The UK ICO has published its AI and data protection risk toolkit (the “Toolkit“). The Toolkit is designed to provide practical support to organisations using AI systems which may involve the processing of personal data. It builds on the ICO’s earlier guidance on AI and data protection, published in July 2020. The ICO recognises there can be significant …

UK: ICO publishes AI and Data Protection risk Toolkit Read More »

Ireland: Employers can now process Data Subject Access Requests without advice of health service providers

On 8 March 2022, The Data Protection Act 2018 (Access Modification) (Health) Regulations 2022 (“the 2022 Regulations”) came into force, revoking and replacing the Data Protection (Access Modification) (Health) Regulations 1989 (the “1989 Regulations”). The new 2022 Regulations will have an impact on organisations that process health data (i.e. physical and mental health data) and …

Ireland: Employers can now process Data Subject Access Requests without advice of health service providers Read More »

Europe: One step closer towards the adoption of NIS2

The European Council and the European Parliament have agreed on measures for a high common level of cybersecurity across the EU (the “NIS2”). Once adopted, NIS2 will replace the current Directive on Security of Network and Information Systems (“NIS Directive”). NIS2 will introduce a number of changes, including bringing more sectors and services under the …

Europe: One step closer towards the adoption of NIS2 Read More »

Hong Kong: Newly published Model Contractual Clauses

Organisations engaging in cross border transfers of personal data may now rely on the Recommended Model Contractual Clauses (RMCs), recently published by the Privacy Commissioner for Personal Data (PCPD). The two sets of RMCs are intended for controller to controller transfers, and controller to processor transfers. The RMCs may be used in: cross border transfers …

Hong Kong: Newly published Model Contractual Clauses Read More »

The European Health Data Space – 5 Things You Need to Know

What is the European Health Data Space? On 3 May 2022, the EU Commission published a draft Regulation on the European Health Data Space (“HDS”).  The Regulation is the first sector-specific proposal in the Commission’s “European Strategy for Data”, which aims at creating a ‘single market for data’.  In so doing, the Commission intends to …

The European Health Data Space – 5 Things You Need to Know Read More »

NOYB open letter on the new EU – US data deal

Max Schrems, through his organisation, ‘My Privacy is None of your Business’ (“noyb.eu”) has issued an open letter to U.S. and EU officials about the announcement of an ‘agreement in principle’ for a new Trans-Atlantic Data Privacy Framework (“letter”). The letter coincides with a visit to Washington, D.C. by a delegation of several members of the European Parliament’s …

NOYB open letter on the new EU – US data deal Read More »

Europe: EDPB Guidelines on calculation of fines under GDPR – a case of evolution, not revolution?

A draft set of EDPB guidelines on the calculation of administrative fines under the GDPR is likely to lead to some further consistency among supervisory authorities on how fines are calculated – however, if adopted, the guidance leaves clear room for the current divergent approaches to continue. On 12 May 2022, the European Data Protection …

Europe: EDPB Guidelines on calculation of fines under GDPR – a case of evolution, not revolution? Read More »