Irina Macovei, Roxana Rosu and Andrei Stoica On 28 September 2020, the Romanian National Supervisory Authority for the Processing of Personal Data (ANSPDCP) published on its website the annual activity report for 2019. The report offers insights on the activity of the authority, its opinion on legislative proposals, points of view on certain data protection …
Louise McErlean, Eilis McDonald & John Magee Following the landmark decision during the summer which rendered the Privacy Shield invalid, our team takes a look at recent developments in connection with the ongoing Schrems saga. Schrems Judicial Review Max Schrems, who raised the complaint against Facebook which resulted in two rulings by the CJEU striking …
Authors: Carolyn Bigg and Yue Lin Lee Important changes will soon be made to Singapore’s PDPA. On 5 October 2020, the Personal Data Protection (Amendment) Bill (“Bill”) was tabled in Parliament for the first reading. It is expected that the Bill will be passed before the end of the year if not sooner. Unlike when …
Singapore: Imminent Changes to the Personal Data Protection Act 2012 (PDPA) Read More »
Background: another open legal question One of the many open questions of data protection law in Europe is how compensation for “non-material damage” will be calculated. In contrast to personal injury claims where lawyers have (hundreds of) years of case law to call upon to help calculate compensation, there is comparatively little case law considering …
The changes in California’s privacy laws continue. On Tuesday, September 29, 2020, California Governor Gavin Newsom signed Assembly Bill 1281, which extends the CCPA’s partial moratoria on employment and business-to-business personal information until January 1, 2022. As those following the CCPA’s development last year likely recall, amendments to the CCPA exempted California residents’ employment and …
California: CCPA Employment and B2B Moratoria Extended; Genetic-Testing Bill Vetoed Read More »
The Court of Justice of the European Union (“CJEU”) has handed down its judgment in two landmark decisions (case C-623/17, Privacy International, and in joined cases C-511/18, La Quadrature du Net and others, C-512/18, French Data Network and others, and C-520/18, Ordre des barreaux francophones et germanophone and others), concerning the lawfulness of legislation in …
Europe: CJEU rules mass surveillance must be brought in line with EU law Read More »
Since the mandatory data breach notification requirements were introduced in Australia in February 2018, the Office of the Australian Information Commissioner (OAIC) has published regular statistics on the operation of the scheme. These reports give a useful overview of the trends emerging in Australia over the last two years. The high-level causes of notifiable data …
Australia: Notifiable Data Breaches – Two years on Read More »
CONTEXT Following the adoption of the first version of its guidelines on cookies and other trackers on 4 July 2019 (see our alert here), which have been partially annulled by a decision from the French highest administrative Court, the Conseil d’Etat, dated 19 June 2020[1], the French supervisory authority (“CNIL”) has adopted a revised version …
By Denise Lebeau-Marianna – Partner and Yaël Hirsch – Senior Associate The French Supervisory Authority (the “CNIL”) has issued new updated guidelines on data retention during the month of July (the “CNIL’s Guidelines”)[1]. They provide more practical guidance and update the CNIL previous Recommendations dated 11 October 2005 on the conditions of archiving personal data[2]. …
The Brazilian Senate, in the voting of MP 959/20 decided on 26 August 2020, to reject the article of the MP that provided for the extension of the enforceability of the Brazilian General Data Protection Law (LGPD). Based on this decision, the LGPD will be in force within 15 business days (after the approval or …
The Commissioner for Data Protection and Freedom of Information for the German State of Baden-Württemberg (Landesbeauftragter für Datenschutz und Informationsfreiheit Baden-Württemberg – “LfDI BW”) recently published guidance for international transfers of personal data in the post-Schrems II era. Background The Court of Justice of the European Union (“CJEU”) not only invalidated the EU-U.S. Privacy Shield …
On 28 July 2020, the French Supervisory Authority (the “CNIL”) sanctioned the online shoes retail company, SPARTOO SAS, by a €250,000 fine and an injunction to comply with GDPR within 3 months under penalty for various non-compliances with the GDPR of the personal data processing related to clients, prospects and employees[1]. I. Factual background and …
Thailand’s Personal Data Protection Act (“PDPA“) is in the process of being updated, and full implementation and compliance are expected by 1 June 2021. This comes by way of the Notification of the Ministry of Digital Economy and Society Re: Personal Data Security Standards B.E. 2563 (2020) (“Notification“) which was recently released by the Thai …
The Japanese Diet has recently approved a bill to amend the APPI. This is expected to result in a strengthening of rights for data subjects while making data breach notifications mandatory and increasing penalties for noncompliance. Is your business ready for these upcoming changes? Overview of the Amendment On 5 June 2020, the Japanese …
Until recently, most decisions of the Belgian Data Protection Authority (Belgian DPA) concerned national companies or individuals. However, on 14 July 2020, the Belgian DPA imposed a fine of EUR600,000 on Google Belgium SA/NV (Google Belgium) for not respecting a Belgian resident’s right to be forgotten. This is the highest fine ever imposed by the …
On 23 July, the European Data Protection Board issued a set of Frequently Asked Questions with regard to the Schrems II decision of the Court of Justice of the European Union. More information on the Schrems II decision can be found in our Privacy Matters blogpost of 16 July 2020. The main takeaways from these …
As the world moves into the next phase of the fight against Covid-19, governments are loosening lockdown measures and assessing strategies intended to contain new spikes and control the rate of infection. Contact tracing has been touted as a potential game-changer, with several countries around the world releasing apps that alert those who have come …
Webcast – Covid-19: Contact Tracing, Data Privacy and Public Trust Read More »
Summary The Irish Court of Appeal has clarified the scope of the definition of personal data – noting that, while the definition is deliberately very broad, it does not facilitate access by an individual to reports stemming from a complaint for the sole reason that the complaint was made by that individual. On 1 July …
Ireland: Irish Court of Appeal Clarifies Boundaries of Concept of Personal Data Read More »
Today, the EU’s highest court, the Court of Justice of the European Union (CJEU), handed down its judgment on the long-awaited case Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18, commonly referred to as “Schrems II”). In one of the most anticipated judgments of the year, the CJEU declared the EU-U.S. Privacy Shield …
On the 6th of July 2020, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, “Dutch DPA“) published its decision to impose a fine of 830,000 EUR on Stichting Bureau Krediet Registratie (BKR). BKR keeps an electronic file of the loans and debts people have in the Netherlands, stored in a central database. Companies like financial institutions …
The Netherlands: DPA imposes EUR 830,00 fine for access request fees Read More »
