China: New draft national, harmonised data protection law for Mainland China

By Carolyn Bigg, Venus Cheung, Fangfang Song

A first national level personal information protection law for Mainland China has been published, reinforcing and heightening existing data protection compliance obligations for organisations doing business in China. Compliance obligations previously considered recommended practice will now become binding law, and new compliance steps – including some registrations with …

Romania: Key aspects in the Romanian Data Protection Authority’s annual activity report (2019)

By Irina Macovei, Roxana Rosu and Andrei Stoica

On 28 September 2020, the Romanian National Supervisory Authority for the Processing of Personal Data (ANSPDCP) published on its website the annual activity report for 2019. The report offers insights on the activity of the authority, its opinion on legislative proposals, points of view on certain data protection …

Singapore: Imminent Changes to the Personal Data Protection Act 2012 (PDPA)

Authors: Carolyn Bigg and Yue Lin Lee

Important changes will soon be made to Singapore’s PDPA. On 5 October 2020, the Personal Data Protection (Amendment) Bill (“Bill”) was tabled in Parliament for the first reading. It is expected that the Bill will be passed before the end of the year if not sooner. Unlike when …

Germany: No GDPR damages after data breach

Background: another open legal question

One of the many open questions of data protection law in Europe is how compensation for “non-material damage” will be calculated. In contrast to personal injury claims where lawyers have (hundreds of) years of case law to call upon to help calculate compensation, there is comparatively little case law considering …

California: CCPA Employment and B2B Moratoria Extended; Genetic-Testing Bill Vetoed

The changes in California’s privacy laws continue. On Tuesday, September 29, 2020, California Governor Gavin Newsom signed Assembly Bill 1281, which extends the CCPA’s partial moratoria on employment and business-to-business personal information until January 1, 2022. As those following the CCPA’s development last year likely recall, amendments to the CCPA exempted California residents’ employment and …

Europe: CJEU rules mass surveillance must be brought in line with EU law

The Court of Justice of the European Union (“CJEU”) has handed down its judgment in two landmark decisions (case C-623/17, Privacy International, and in joined cases C-511/18, La Quadrature du Net and others, C-512/18, French Data Network and others, and C-520/18, Ordre des barreaux francophones et germanophone and others), concerning the lawfulness of legislation in …

Australia: Notifiable Data Breaches – Two years on

Since the mandatory data breach notification requirements were introduced in Australia in February 2018, the Office of the Australian Information Commissioner (OAIC) has published regular statistics on the operation of the scheme. These reports give a useful overview of the trends emerging in Australia over the last two years. The high-level causes of notifiable data …

France: The CNIL adopts revised guidelines and final recommendations on cookies and other trackers

CONTEXT

Following the adoption of the first version of its guidelines on cookies and other trackers on 4 July 2019 (see our alert here), which were partially annulled by a decision of France's highest administrative court, the Conseil d’Etat, dated 19 June 2020[1], the French supervisory authority (“CNIL”) has adopted a revised version …

France: New guidance for data retention

By Denise Lebeau-Marianna – Partner and Yaël Hirsch – Senior Associate

The French Supervisory Authority (the “CNIL”) issued new updated guidelines on data retention during the month of July (the “CNIL’s Guidelines”)[1]. They provide more practical guidance and update the CNIL's previous Recommendations dated 11 October 2005 on the conditions of archiving personal data[2]. …

Brazil: Enforceability of the LGPD

The Brazilian Senate, in its vote on MP 959/20 on 26 August 2020, decided to reject the article of the MP that provided for the extension of the enforceability of the Brazilian General Data Protection Law (LGPD). Based on this decision, the LGPD will be in force within 15 business days (after the approval or …

Germany: Schrems II: And now? First German supervisory authority provides guidance on data transfers

The Commissioner for Data Protection and Freedom of Information for the German State of Baden-Württemberg (Landesbeauftragter für Datenschutz und Informationsfreiheit Baden-Württemberg – “LfDI BW”) recently published guidance for international transfers of personal data in the post-Schrems II era.

Background

The Court of Justice of the European Union (“CJEU”) not only invalidated the EU-U.S. Privacy Shield …

France: First sanction of an online shoes company by CNIL acting as a lead authority for several infringements to GDPR requirements

On 28 July 2020, the French Supervisory Authority (the “CNIL”) sanctioned the online shoe retailer SPARTOO SAS with a €250,000 fine and an injunction to comply with the GDPR within 3 months, under penalty, for various failures to comply with the GDPR in its processing of personal data relating to clients, prospects and employees[1]. I. Factual background and …

Thailand: Personal Data Protection Act (PDPA) Amendments on the way: What does this mean for your company?

Thailand’s Personal Data Protection Act (“PDPA“) is in the process of being updated, and full implementation and compliance are expected by 1 June 2021. This comes by way of the Notification of the Ministry of Digital Economy and Society Re: Personal Data Security Standards B.E. 2563 (2020) (“Notification“) which was recently released by the Thai …

Japan: Protection of Personal Information (APPI) Act to be Amended: Is your Business Ready?

The Japanese Diet has recently approved a bill to amend the APPI. This is expected to result in a strengthening of rights for data subjects while making data breach notifications mandatory and increasing penalties for noncompliance. Is your business ready for these upcoming changes?

Overview of the Amendment

On 5 June 2020, the Japanese …

Belgium: Belgian DPA imposes a EUR600,000 fine, its highest fine ever, on Google Belgium for non-compliance with right to be forgotten

Until recently, most decisions of the Belgian Data Protection Authority (Belgian DPA) concerned national companies or individuals. However, on 14 July 2020, the Belgian DPA imposed a fine of EUR600,000 on Google Belgium SA/NV (Google Belgium) for not respecting a Belgian resident’s right to be forgotten. This is the highest fine ever imposed by the …

Europe: EDPB issues FAQs on Schrems II – No Grace Period for Privacy Shield Transfers; Case-by-Case Assessments Required to Continue with SCCs

On 23 July, the European Data Protection Board issued a set of Frequently Asked Questions with regard to the Schrems II decision of the Court of Justice of the European Union. More information on the Schrems II decision can be found in our Privacy Matters blogpost of 16 July 2020. The main takeaways from these …

Webcast – Covid-19: Contact Tracing, Data Privacy and Public Trust

As the world moves into the next phase of the fight against Covid-19, governments are loosening lockdown measures and assessing strategies intended to contain new spikes and control the rate of infection. Contact tracing has been touted as a potential game-changer, with several countries around the world releasing apps that alert those who have come …

Ireland: Irish Court of Appeal Clarifies Boundaries of Concept of Personal Data

Summary

The Irish Court of Appeal has clarified the scope of the definition of personal data – noting that, while the definition is deliberately very broad, it does not facilitate access by an individual to reports stemming from a complaint for the sole reason that the complaint was made by that individual. On 1 July …

European Court decision: EU-US Privacy Shield declared invalid; standard contractual clauses remain valid subject to conditions

Today, the EU’s highest court, the Court of Justice of the European Union (CJEU), handed down its judgment on the long-awaited case Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18, commonly referred to as “Schrems II”). In one of the most anticipated judgments of the year, the CJEU declared the EU-U.S. Privacy Shield …