By the end of the 2018, the Spanish Parliament belatedly completed the framework provided by EU’s GDPR approving a new Data Protection Act. Following a local tradition dated in 1992, the Spanish legislators deviated themselves from the mainstream position in the EU. The new Spanish law included, among other deviations, new digital rights unknown by …
Show-me: Spanish Data Protection laws shaken by the Supreme Court Read More »
Authors: Anthony Lloyd, Alex Horder Background With the implementation of the Consumer Data Right (CDR) in the banking sector (known as ‘Open Banking’) well under way, the release of draft amendments to the CDR rules for the energy sector, and the continuing development of the framework for implementing the CDR in the telecommunications sector, the …
Australia: Consumer Data Right pipeline to cast a wide net Read More »
The government has today published its eagerly awaited Consultation Paper on Reforms to the UK Data Protection Regime – ‘Data: A New Direction’ (“Consultation Paper”), setting out the specific areas for regulatory reform of the UK’s data protection regime. It follows a spate of activity from the government in relation to plans for its post-Brexit global …
Government publishes consultation on post-Brexit data reforms Read More »
On 2 September 2021, the Data Protection Commission (DPC) announced it has imposed a €225 million administrative fine against WhatsApp Ireland Limited , as well as a reprimand and an order to bring its processing into compliance. This comes following a lengthy background including the EDPB’s first urgent binding decision in relation to the investigation …
By James Clark and Anna Ward, DLA Piper UK LLP The Age Appropriate Design Code (“Code”), a new statutory Code of Practice published by the UK Information Commissioner’s Office (“ICO”), enters into force today (2 September 2021) following a one year transition period. The Code seeks to regulate the provision of online services to children, …
UK: ICO rules regarding the online privacy of children enter into force Read More »
Following Brexit, the UK now has the ability to adopt its own decisions in relation to adequacy for personal data transfers. Today, the government has set out the first territories which it will prioritise for its data transfer adequacy decisions. These territories will include the United States, Australia, the Republic of Korea, Singapore, the Dubai …
Government unveils plans for post-Brexit global data transfer regime Read More »
In good news for organisations handling personal information, China’s Personal Information Protection Law (“PIPL”) was finalised on 20 August 2021, and will come into force on 1 November 2021. Rather than bringing substantial changes to the existing China data privacy framework, the PIPL helpfully consolidates and clarifies obligations on processing of personal information at a …
On 17 December 2019, the ICO issued the first administrative fine under the GDPR (known as a monetary penalty notice in the UK), alongside an Enforcement Notice, against Doorstep Disparensee Limited (“DDL”). DDL appealed against both elements of the enforcement action taken by the ICO which has recently been decided and provides useful guidance from …
On 11 August 2021, the Information Commissioner’s Office (ICO) launched a public consultation on its draft international data transfer agreement (IDTA) and guidance on data transfers. These updates have been expected for some time to address the UK regulatory position, following exit from the EU, in relation to the Schrems II decision of the CJEU …
UK: ICO opens consultation on its updated international data transfer guidance and tools Read More »
Authors: Heidi Waem and Nicolas Becker On 4 June 2021, the European Commission released the final version of the new Standard Contractual Clauses (new SCCs) (see our blogpost here). This new set of clauses was launched in the aftermath of the CJEU’s Schrems II decision and includes specific wording to address certain concerns raised by the …
Considerations on embedding the new standard contractual clauses in IT contracts Read More »
Authors: Marcus Walsh, David Cook, John Magee As individuals become more aware of their rights under data protection law, data subject access requests (DSARs) are an increasingly frequent concern for organisations both large and small. DSARs remain the single most common cause of regulatory complaints for organisations – the latest annual report from the Irish …
Ireland & UK: Latest trends in data subject access requests in pending litigation Read More »
Followers of Privacy Matters will be familiar with the case of Lloyd v Google LLC, which raises important issues as to the recoverability of compensation for breaches of data protection law, and is likely to be pivotal to the mass claims landscape in the UK. The case went before the UK’s Supreme Court in April …
UK: Lloyd v Google LLC – data protection class action claims Read More »
Authors: Kristof De Vulder, Florian De Rouck, Emma Stockman On 3 June 2021, the EU Commission proposed the long-awaited framework for a European Digital Identity (EUid). The proposal stems from the regulatory review of Regulation 910/2014/EU (eIDAS Regulation), and constitutes a complete overhaul of the European digital identification framework. The EU Commissions plans to introduce a new …
Taking back control: The European Digital Identity Read More »
Authors: Heidi Waem, Simon Verschaeve When the GDPR was adopted back in 2016, its new cooperation and consistency mechanism, coined as the one-stop-shop, was marketed as one of the major advancements that the GDPR would bring to organisations. Instead of having to engage with multiple local data protection authorities, controllers and processors established in the EU …
Authors: Monique Jefferson and Justine Katz The Protection of Personal Information Act, 2013 (POPIA) came into effect on 1 July 2020 but was subject to a 12-month grace period, which ended yesterday (30 June 2021). Therefore, from today (1 July 2021) POPIA is fully in effect, save for certain provisions. In this regard, we point …
The new Standard Contractual Clauses (SCCs) issued by the European Commission came into force on 27 June 2021. The SCCs allow parties to choose the governing law of one of the EU Member States, provided that such law allows for third party beneficiary rights. As privity of contract rules apply in Ireland, there had been …
Author: Sarah Birkett A private member’s bill has been introduced in Australia that would require the mandatory reporting of ransomware payments by applicable Australian entities. The Ransomware Payments Bill would require any business or Commonwealth Government entity which makes a ransomware payment to notify the Australian Cyber Security Centre (ACSC) with details of: the identity …
Australia takes steps towards the mandatory reporting of ransomware payments Read More »
Today, the European Commission has adopted two adequacy decisions for transfers of personal data to the United Kingdom, one under the General Data Protection Regulation (“GDPR”) and the other for the Law Enforcement Directive (“LED”). The GDPR and LED impose restrictions on the transfer of personal data to a ‘third country’ unless that country benefits from (i) an …
On 21 June 2021, the European Data Protection Board (“EDPB”) published the final Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (“Recommendations”). These long-awaited Recommendations are an extremely important step for the consideration of data transfer related risks and GDPR compliance management within an …
EDPB adopts final Recommendations on Supplementary Measures Read More »
Authors: Carolyn Bigg, Venus Cheung, Fangfang Song China’s Data Security Law (“DSL”) has come into force and takes effect on 1 September 2021. The speed of its passing has left multinational businesses scrabbling to understand the key compliance obligations. While many of the practical compliance steps will be detailed in measures and guidelines to be …
