UK NIS – Get ready for expansion of the UK’s critical national infrastructure cyber security laws

Authors: James Clark and David Cook

The UK government has published its plans to amend the Network and Information Systems Regulations 2018. The reforms will lead to many more IT companies falling within the scope of the Regulations as ‘Digital Service Providers’ and will expand incident reporting obligations. A two-tiered regime for Digital Service Providers …

CJEU rules that Privacy Rights Outweigh AML Requirements

Authors: Ewa Kurowska-Tober, Andrew Serwin, John N Gevertz and Piotr Czulak

The CJEU recently ruled that a Luxembourg law adopted in 2019 in accordance with the amended anti-money-laundering directive[1] (“AML Directive”), which required the disclosure and publication of certain information on the beneficial owners of entities registered in the Register of Beneficial Ownership, was invalid …

Europe: Compensation for non-material damage does not automatically accompany every breach of the GDPR (AG’s opinion)

Authors: David Cook, Benjamin Fellows and Heba Khalid

On 6 October 2022, Advocate General Campos Sánchez-Bordona delivered his opinion in UI v Österreichische Post AG (Case C‑300/21) on the interpretation of Article 82 of the General Data Protection Regulation, holding that: A “mere breach” of the GDPR is not sufficient to warrant an award of compensation if the infringement in …

HONG KONG: Increased Enforcement Action?

Are we seeing a return of proactive enforcement of Hong Kong’s data protection laws, after a lull in recent years? On 14 November 2022, the Office of the Privacy Commissioner for Personal Data (“PCPD”) published two investigation reports for non-compliance with the Personal Data (Privacy) Ordinance (“PDPO”): EC Healthcare’s failure to obtain consent for the …

The GDPR International Data Transfer Regime: the case for Proportionality and a Risk-Based Approach

The Schrems II judgment has created significant legal uncertainty and challenges for data exporters across the European Economic Area (the EEA), requiring highly complex assessments of the laws and practices of third countries and risk assessments. Compounding this challenge, the legal standard to be applied to personal data transfers abroad from the EEA has been …

Belgium: First Settlement Decisions by Belgian Data Protection Authority

Authors: Heidi Waem, Nicolas Becker

On 21 October 2022, the Belgian Data Protection Authority issued its first settlement decisions (Cases 150/2022 and 151/2022 of 21 October 2022) whereby the cases against a controller for alleged cookie infringements were settled by means of payment of 10.000 EUR per case. It is also the first decision of …

Keeping an ‘AI’ on your data: UK data regulator recommends lawful methods of using personal information and artificial intelligence

Authors: Jules Toynton, Coran Darling

Data is often the fuel that powers AI used by organisations. It tailors search parameters, spots behavioural trends, and predicts future possible outcomes (to highlight just a few uses). In response, many of these organisations seek to accumulate and use as much data as possible, in order to make …

AUSTRALIA: Likely increase in maximum penalties for privacy breaches

Author: Sarah Birkett

Anyone with a passing interest in Australian privacy laws will no doubt have heard about the Optus data breach. The incident, which was made public in late September 2022, is thought to have affected around 9 million individuals (almost 40% of the Australian population), with identity documents relating to approximately 2.22 million …

ICO issue fine of £4.4m to Interserve for security failings

Authors: Ross McKean, Henry Pelling

On 24 October 2022, the ICO issued a penalty notice (MPN) to Interserve Group Limited (Interserve), imposing a fine of £4.4m for violations of the GDPR (the violations were pre-Brexit). The ICO found that Interserve had failed to put appropriate technical and organisational measures in place to secure personal data …

INDONESIA: Personal Data Protection Law PDPL Now in Force

Indonesia’s long-awaited Personal Data Protection Law (“PDPL”) finally came into force on 17 October 2022, helpfully consolidating and clarifying the personal data protection framework in Indonesia. Whilst there is a two-year transition period, businesses with Indonesian operations or which process the personal data of Indonesian citizens should now make compliance a priority. The law is …

Ireland / Europe: DPC’s Record Fine Raises Expectations on Standards Applicable for Processing Children’s Data

A recent decision by the Irish Data Protection Commission (“DPC”) imposing a record €405 million fine provides clarification on the lawfulness of processing children’s personal data in accordance with the legal bases of ‘performance of contract’ and ‘legitimate interest’. On 2 September 2022, the DPC imposed a record €405 million GDPR fine on Instagram (Meta …

President Biden orders surveillance reforms two years after Schrems II

Long-awaited executive order strives to enhance and revive the invalidated Privacy Shield Framework

Author: Jim Sullivan

On 7 October 2022, President Biden issued an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the EO), aimed at addressing the widespread legal uncertainty that has prevailed with respect to transatlantic data transfers since the Schrems II decision by …

EUROPE: Data protection regulators publish myth-busting guidance on machine learning

Authors: Coran Darling, James Clark

In its proposed AI Regulation (“AI Act”), the EU recognises AI as one of the most important technologies of the 21st century. It is often forgotten, however, that AI is not one specific type of technology. Instead, it is an umbrella term for a range of technologies capable of imitating certain aspects of …

SINGAPORE: Increased financial penalties under the PDPA now in effect

The provision setting out significantly higher financial penalties for Singapore’s Personal Data Protection Act 2012 (“PDPA”) is now in force. There is now an increased risk for organisations contravening the PDPA in Singapore. This means that in relation to any intentional or negligent contravention of: the data protection provisions, organisations may now have to pay …

CHINA: Clarifications of data classification and grading requirements

Under the Data Security Law, organisations are required to classify the data they process according to their level of significance. Albeit a draft, the recent Draft Standard on Information Security Technology Network Data Classification and Grading Requirements (“Draft”) highlights the principles and methods for different industries, fields, localities, departments, and data processors to classify and …

SINGAPORE: Right of private action under the Personal Data Protection Act 2012 – scope explained

Introduction

The Singapore Court of Appeal has recently clarified that ‘emotional distress’ is an actionable loss and damage under the existing right of private action of the Personal Data Protection Act 2012 (“PDPA”).

Decision

Section 32 (now section 48O) of the Personal Data Protection Act 2012 (“PDPA”) provides individuals who have suffered “loss or damage” as …

Genetic information – global privacy considerations – an Australian and UK perspective

Authors: Eliza Saunders, Sarah Birkett, James Clark, Senal Premarathna

Introduction

The benefits of using genetic information for research purposes are clear, especially as the technology underpinning medical research continues to advance at such a rapid pace. Outside of research and clinical development, the number of organisations which use blood and saliva samples and other genetic …

CHINA: connected vehicle and automobile industry – new licences now required to enable/continue (i) surveying and mapping activities, (ii) overseas transfer of mapping data

Following the first automobile industry-specific data and cyber compliance rules, published late last year (see our alert here), regulators have issued guidelines on the licensing of surveying and mapping activities and use of mapping data within connected vehicles, through the new Regulations on Promoting the Development of Intelligent and Connected Vehicles and Maintaining the Security …

CHINA: major developments on CAC assessment for cross-border data transfers – the task is now clear, but the urgency remains

If your organisation must follow the CAC assessment route to continue your cross-border flows of personal information or important data, we now know the full extent of the self-assessment, application and supporting documents to be filed with the CAC for approval. It remains a significant task, so action must be taken as soon as possible …

Australia: Google agrees to pay AUD 60 million for misleading consumers regarding the collection of location data

Google LLC has agreed to pay AUD 60 million to Australia’s competition regulator, the Australian Competition and Consumer Commission (ACCC), after it was held that Google breached the Australian Consumer Law (ACL) regarding its collection of location data. In October 2019, the ACCC commenced proceedings alleging that Google had engaged in misleading and deceptive conduct …
