France: The CNIL publishes a practical guide on Data Protection Officers

On 16 November 2021, the French data protection supervisory authority (the “CNIL”) published a practical guide (“Guide”) on Data Protection Officers (“DPOs”). The Guide provides a reminder of the applicable obligations regarding the designation, tasks and missions of DPOs as well as good practices to help organizations comply with their obligation to designate a DPO …

France: The CNIL publishes a practical guide on Data Protection Officers Read More »

US – Federal banking regulators issue computer-security incident notification final rule

US – Federal banking regulators issue computer-security incident notification final rule Rule takes effect April 1, 2022   The Federal Deposit Insurance Corporation, Federal Reserve, and Office of the Comptroller of the Currency (collectively the federal banking regulators) have issued a final rule requiring banking organizations and bank service providers to make certain notifications in …

US – Federal banking regulators issue computer-security incident notification final rule Read More »

Europe: EDPB issues guidelines on interplay between Article 3 and Chapter V of GDPR

On 19 November, the European Data Protection Board (‘EDPB‘) published, its draft Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (“Guidelines”). The Guidelines aim to clarify the interplay between Article 3 and the provisions of the GDPR on international …

Europe: EDPB issues guidelines on interplay between Article 3 and Chapter V of GDPR Read More »

TechLaw Australia podcast: The shifting landscape of privacy and data governance in the Asia Pacific region

Author: Sinead Lynch At DLA Piper we advise clients that develop or create technology, are enabled by technology, or whose business model is fundamentally based on technology. From start-ups, to fast growing and mid-market businesses, to mature global enterprises, DLA Piper supports innovative businesses and new ventures. It is at the heart of what we …

TechLaw Australia podcast: The shifting landscape of privacy and data governance in the Asia Pacific region Read More »

UK – Another important judgment on the de minimis threshold, and other key takeaways

On 16 November 2021, the English High Court declined to strike-out a claim for damages for distress following an isolated one-off data incident which was quickly remedied. In doing so, however, the Court: confirmed that the de minimis concept is equally applicable to claims under the GDPR and Data Protection Act 2018, as it was …

UK – Another important judgment on the de minimis threshold, and other key takeaways Read More »

CHINA: Important new risks and practical guidance on China data protection, data security, e-commerce and online platform compliance

In the most significant development this year (arguably more so than the Data Security Law (“DSL”) and the Personal Information Protection Law (“PIPL”) coming into force), draft detailed guidance on how organisations can in practice comply with China’s strict data, e-commerce and online platform rules – including new compliance obligations – has been published. The …

CHINA: Important new risks and practical guidance on China data protection, data security, e-commerce and online platform compliance Read More »

US: FTC adopts updated Safeguards Rule and seeks comment on security event notification requirement

US: FTC adopts updated Safeguards Rule and seeks comment on security event notification requirement On October 27, 2021, the Federal Trade Commission (FTC) issued a final rule updating its information security rules for financial institutions’ protection of consumers’ financial information (the “Final Rule”).  This is the first significant update to the FTC’s Safeguards Rule since …

US: FTC adopts updated Safeguards Rule and seeks comment on security event notification requirement Read More »

UK: Lloyd v Google – Supreme Court Judgment – report and impacts on data protection and mass claims in the UK

On 10 November 2021, the UK Supreme Court, in a unanimous judgment, allowed Google’s appeal against the Court of Appeal decision granting Mr Lloyd permission to continue his representative claim (i.e. a US-style opt-out “class action”) against Google. The judgment brings very welcome clarification in a rapidly evolving area of English law relating to representative “class” actions in general, and in the context of data protection …

UK: Lloyd v Google – Supreme Court Judgment – report and impacts on data protection and mass claims in the UK Read More »

Australia: Increased privacy penalties and binding social media code tabled

On 25 September 2021, the Australian Commonwealth Government published a consultation draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill) which, if passed, will introduce the following significant changes into the Privacy Act 1988 (Cth) (Privacy Act): an increase in the maximum penalties payable for serious or …

Australia: Increased privacy penalties and binding social media code tabled Read More »

US: Cyber Advisory: Feds Warn that Water Facilities Are Targets for Cyber Attacks

US: Cyber Advisory: Feds Warn that Water Facilities Are Targets for Cyber Attacks By Justine Phillips and Garrett Stallins  #DLAPiperCommodities #DLAPiperCyber On October 14, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigations, the Environmental Protection Agency, and the National Security Agency issued a joint advisory warning of active cyber threats to …

US: Cyber Advisory: Feds Warn that Water Facilities Are Targets for Cyber Attacks Read More »

CHINA: new draft guidance on overseas data transfers

China’s PIPL came into force today, and to accompany this, the Cyberspace Administration of China (“CAC”, the key data regulator) has published for consultation draft guidelines to assist organisations grappling with overseas data transfers with some practical guidance on some of the compliance steps that must be taken. Under the PIPL, certain organisations – or …

CHINA: new draft guidance on overseas data transfers Read More »

UK: CCTV and surveillance – when things go wrong

The case of Dr Mary Fairhurst -v- Mr Jon Woodard illustrates the risks associated with the installation of security cameras and why it is vital to ensure a lawful basis for capturing and processing such images exists. Our article on this recent English court case is available by clicking here.

UK: Important judgment on de minimis threshold in data protection compensation claims – Rolfe -v- Veale

Authors: David Cook, Benjamin Fellows As organisations face an ever increasing volume of civil claims seeking damages for trivial infringements of data protection law, the High Court in Rolfe & Others -v- Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB) has provided a welcome judgment dismissing such a claim in circumstances where it was implausible that …

UK: Important judgment on de minimis threshold in data protection compensation claims – Rolfe -v- Veale Read More »

CDR v3: Australian Treasury moves to expand access to the Consumer Data Right regime

Authors: Anthony Lloyd, Alex Horder, Edmond Lau Background On 30 September, the Competition and Consumer (Consumer Data Right) Rules 2020 (Cth) were amended[1] with the aim of lowering barriers of entry to Consumer Data Right regime (CDR) participation, as foreshadowed by the Australian Treasury’s prior proposal in April and related exposure draft legislation released in July. By increasing …

CDR v3: Australian Treasury moves to expand access to the Consumer Data Right regime Read More »

Saudi Arabia’s New Data Protection Law – What you need to know

The Middle East’s data protection regulatory landscape is complex, and continues to develop with Saudi Arabia’s (KSA) newly published Personal Data Protection Law (PDPL). While the PDPL contains the main features of a modern data protection law, it cannot be considered a direct analogue of the GDPR. For example, an unlawful transfer of personal data …

Saudi Arabia’s New Data Protection Law – What you need to know Read More »

UK: ICO’s Data Sharing Code of Practice enters into force

A The data sharing code (“Code”),  published by the UK Information Commissioner’s Office (“ICO”), enters into force today (5 October 2021) following its publication on 14 September 2021.  The Code is a statutory code of practice made under section 121 of the Data Protection Act 2018 and seeks to provide a guide for organisations about …

UK: ICO’s Data Sharing Code of Practice enters into force Read More »

Show-me: Spanish Data Protection laws shaken by the Supreme Court

By the end of the 2018, the Spanish Parliament belatedly completed the framework provided by EU’s GDPR approving a new Data Protection Act. Following a local tradition dated in 1992, the Spanish legislators deviated themselves from the mainstream position in the EU. The new Spanish law included, among other deviations, new digital rights unknown by …

Show-me: Spanish Data Protection laws shaken by the Supreme Court Read More »

Australia: Consumer Data Right pipeline to cast a wide net

Authors: Anthony Lloyd, Alex Horder Background With the implementation of the Consumer Data Right (CDR) in the banking sector (known as ‘Open Banking’) well under way, the release of draft amendments to the CDR rules for the energy sector, and the continuing development of the framework for implementing the CDR in the telecommunications sector, the …

Australia: Consumer Data Right pipeline to cast a wide net Read More »