China: Navigating China episode 16: New data lifecycle guidelines for financial institutions in China – detailed assessments, additional security measures and some data localisation introduced

Authors: Carolyn Bigg, Venus Cheung and Fangfang Song

Important new guidelines outlining how personal and other types of financial information should be handled by financial institutions throughout the data lifecycle have just come into force in China, including a new data localisation obligation. The “Financial Data Lifecycle Guidelines” (金融数据生命周期安全规范) were published by the PBOC (the …

Standard contractual clauses and data transfers after Schrems II: EDPB-EDPS’s Joint Opinion on Draft SCCs

Authors: Heidi Waem, Camille Vermosen

Schrems II

The CJEU’s long-awaited Schrems II decision of 16 July 2020 raised important questions on the validity of data processing activities involving the transfer of personal data outside the EEA. In its decision, the CJEU not only invalidated the Privacy Shield, it also concluded that relying on the …

EDPB Opinion on UK Adequacy: Strong Alignment but Challenges Remain

During its 48th plenary session, the European Data Protection Board (EDPB) has adopted two opinions on the European Commission’s draft U.K. adequacy decision.

Background

The GDPR imposes restrictions on the transfer of personal data to a ‘third country’ unless that country benefits from (i) an adequacy decision; (ii) appropriate safeguards (e.g. standard contractual clauses (SCCs)); …

The CNIL’s key priorities for upcoming dawn-raids in 2021

Every year, the French supervisory authority (the “CNIL”) publishes its key priorities for upcoming dawn-raids. In 2021, more than 50% of the CNIL’s dawn-raids will focus on: (i) website cybersecurity, (ii) health data protection and (iii) cookies.

1. Website cybersecurity

Website security incidents are among the most common non-compliances identified by the CNIL during its …

CHINA: Navigating China Episode 15: Comprehensive New E-Commerce Rules Introduced

Authors: Carolyn Bigg, Venus Cheung

Operators of e-commerce platforms, websites and apps in China, and those using third party e-commerce, social media or livestreaming platforms to sell their products and services in China, must update their operations, services and systems in advance of wide-ranging new rules. The Measures for the Supervision and Administration of Online …

France: The cookies transition period will end in a few days – starting April 1st, organizations must comply with the CNIL’s revised guidelines on cookies and trackers!

What is the context?

As described in more detail in our previous post, the French supervisory authority (“CNIL”) published in October 2020 a revised version of its guidelines (“Revised Guidelines”) and the final version of its recommendations on the practical procedures for collecting consent concerning cookies and other trackers (“Recommendations”). As a reminder, the Revised …

Trial Court Examines Stored Communications Act Applicability to Offline Mobile Phone

The Electronic Communications Privacy Act (ECPA) is a law noted for its complexity, and the second portion of it, the Stored Communications Act (SCA), is no exception. In a recent case in the Seventh Circuit, the District Court for the Northern District of Illinois examined the scope of the SCA and what it was, and …

Out with the old, in with the new: Five members join California Privacy Protection Agency Board; California AG Xavier Becerra moves to HHS

The California Privacy Rights Act 2020 Initiative (CPRA) both amends the California Consumer Privacy Act (CCPA) and establishes the first administrative privacy agency in the US, the California Privacy Protection Agency (CPPA). The Agency is charged with protecting the fundamental privacy rights of Californians with respect to their personal information. It is responsible for issuing …

US: Virginia passes comprehensive consumer data protection law

Author: Jim Halpert

Virginia’s Governor signed the Virginia Consumer Data Protection Act (“VCDPA”) into law on March 2, 2021. The VCDPA takes effect January 1, 2023 and is a broad, multi-rights privacy law that, in some ways, resembles the CCPA, GDPR, and other recently proposed state privacy legislation. A study committee will review the VCDPA …

US: CA AG announces approval of further amendments to CCPA Regs

Authors: Kate Lucente and Lea Lurquin

On March 15, 2021, the California Attorney General (CA AG) announced the approval of additional CCPA regulations. According to the CA AG, the additional amendments are intended to clarify how businesses should implement the Do Not Sell requirements and the permissible methods for verifying CCPA requests submitted on behalf …

US: Cyber Risk: Facing Off Against Employee Monitoring Requirements

Authors: Carol A.F. Umhoefer and Alaa Salaheldin

Global companies face increased pressure to adopt strong cyber risk mitigation measures in today’s rapidly evolving cyber threat-heavy business environment. According to security company PurpleSec LLC, in 2020 alone, cybercrime is reported to have increased by up to 600% as a result of new incentives and opportunities for …

Hong Kong: Right to be Forgotten is declared “not a thing” in Hong Kong

Author: Carolyn Bigg

Unlike Europe, the Personal Data (Privacy) Ordinance (“PDPO”) in Hong Kong does not have a stand-alone “right to be forgotten” (“RTBF”). However, over the past few years, there were commentaries suggesting that there is some basis under Hong Kong law that RTBF exists. This uncertainty has finally been resolved recently in a …

Ireland: DPC Annual Report 2020: Enforcement & Transfers Dominate Agenda

In its second full year overseeing and regulating the GDPR in Ireland, the Data Protection Commission (DPC) has published its 2020 Annual Report, highlighting key observations, emerging guidance, and large scale inquiries and decisions of 2020. Primary areas of focus for the DPC in 2020 included enforcement (under both GDPR & ePrivacy), breach notifications, data …

Europe: Interim EDPB guidance on the application of GDPR to health research

In response to a set of questions from the European Commission, the European Data Protection Board (“EDPB”) has published some high-level guidance on the application of the GDPR to health research (“Guidance”). This article summarises the key takeaway points from that guidance. For obvious reasons, the past year has done much to highlight …

Belgium: EU takes another step towards strengthening the cybersecurity of 5G networks

Authors: Kristof De Vulder, Heidi Waem, Gilles Hachez

The EU has been steadily ramping up its cybersecurity efforts over the last few years. This has been previously evidenced by its adoption of a new Cybersecurity strategy (the ‘Cybersecurity Strategy for the Digital Decade’ part of its Shaping Europe’s Digital Future strategy, its Recovery Plan for Europe …

UK Information Commissioner issues letter on transfers of personal data to the U.S. Securities and Exchange Commission

The UK’s Information Commissioner (“ICO”) has recently issued a letter to the U.S. Securities and Exchange Commission (“SEC”) confirming that SEC-regulated UK domiciled firms (“UK Regulated Firms”) can share personal data with the SEC when seeking to comply with regulatory obligations, in compliance with the UK GDPR. After a long delay, the ICO’s letter has …

Belgium: ePrivacy proposal in progress: Council agrees on its position to start off ‘trilogue’ negotiations

Authors: Heidi Waem, Alizée Stappers and Simon Verschaeve

With the ultimate purpose of enacting specific rules regarding electronic communications, the ePrivacy Regulation aims, in particular, to replace the 2002 ePrivacy Directive, detail and complement the GDPR’s general rules, and implement important changes in areas such as metadata processing on end-user devices and obtaining cookie consent …

The Netherlands: 440,000 EUR fine for hospital re. unauthorised access to medical records

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, “Dutch DPA”) has published its decision to impose an administrative fine of EUR 440,000 on Amsterdam hospital OLVG due to the lack of sufficient measures to prevent access to medical records by unauthorised personnel. After complaints, the Dutch DPA conducted an investigation, and carried out an audit of …
