Genetic information – global privacy considerations – an Australian and UK perspective

Authors: Eliza Saunders, Sarah Birkett, James Clark, Senal Premarathna Introduction The benefits of using genetic information for research purposes are clear, especially as the technology underpinning medical research continues to advance at such a rapid pace. Outside of research and clinical development, the number of organisations which use blood and saliva samples and other genetic …

Genetic information – global privacy considerations – an Australian and UK perspective Read More »

CHINA: connected vehicle and automobile industry – new licences now required to enable/continue (i) surveying and mapping activities, (ii) overseas transfer of mapping data

Following the first automobile industry-specific data and cyber compliance rules, published late last year (see our alert here), regulators have issued guidelines on the licensing of surveying and mapping activities and use of mapping data within connected vehicles, through the new Regulations on Promoting the Development of Intelligent and Connected Vehicles and Maintaining the Security …

CHINA: connected vehicle and automobile industry – new licences now required to enable/continue (i) surveying and mapping activities, (ii) overseas transfer of mapping data Read More »

CHINA: major developments on CAC assessment for cross-border data transfers – the task is now clear, but the urgency remains

If your organisation must follow the CAC assessment route to continue your cross-border flows of personal information or important data, we now know the full extent of the self-assessment, application and supporting documents to be filed with the CAC for approval. It remains a significant task, so action must be taken as soon as possible …

CHINA: major developments on CAC assessment for cross-border data transfers – the task is now clear, but the urgency remains Read More »

Australia: Google agrees to pay AUD 60 million for misleading consumers regarding the collection of location data

Google LLC has agreed to pay AUD 60 million to Australia’s competition regulator, the Australian Competition and Consumer Commission (ACCC), after it was held that Google breached the Australian Consumer Law (ACL) regarding its collection of location data. In October 2019, the ACCC commenced proceedings alleging that Google had engaged in misleading and deceptive conduct …

Australia: Google agrees to pay AUD 60 million for misleading consumers regarding the collection of location data Read More »

CHINA: mobile apps remain a high privacy risk, and face stringent requirements

Mobile apps pervade all aspects of life in Mainland China, and in turn remain a high enforcement priority for data privacy regulators in China. For the past couple of years, operators of mobile apps in China have had to comply with over thirty additional, specific privacy compliance obligations (i.e. over and above those applicable to …

CHINA: mobile apps remain a high privacy risk, and face stringent requirements Read More »

EU: Who’s who under the DMA, DSA, DGA and Data Act?

As part of its data strategy, the European Commission has presented a number of legislative instruments, including the Digital Markets Act (DMA), the Digital Services Act (DSA), the Data Governance Act (DGA) and the Data Act. Our article analysing these four new instruments in more detail – in particular, who these legal instruments apply to …

EU: Who’s who under the DMA, DSA, DGA and Data Act? Read More »

CHINA: Draft Rules on Privacy Policies Released – Is Your Privacy Policy Compliant?

On 26 May 2022, the TC260 released the Draft Requirements on Privacy Agreements for Internet Platforms, Products and Services (“Draft Requirements”) for public consultation. The Draft Requirements flesh out the regulatory scheme regarding privacy policies as put forward in the Personal Information Protection Law (“PIPL”) and Personal Information Specification (“PIS Specification”), reiterating many of the …

CHINA: Draft Rules on Privacy Policies Released – Is Your Privacy Policy Compliant? Read More »

India: Government withdraws long-awaited Personal Data Protection Bill

On 3 August, the Indian Central Government withdrew the Personal Data Protection Bill, 2019 (PDP Bill). The PDP Bill, which has drawn criticism from both privacy advocates and industry stakeholders, was first published in 2018 and was to be India’s first law on the protection of personal data. A government notice stated that the decision came …

India: Government withdraws long-awaited Personal Data Protection Bill Read More »

NETHERLANDS: Highest court side-steps determining whether legitimate interests may be purely commercial

On 27 July 2022, the highest administrative court in the Netherlands, published its highly anticipated judgment involving the Dutch Data Protection Authority’s assessment of “legitimate interest” under Article 6(1)(f) GDPR. It was expected that the court would provide some clarification on whether “purely commercial interests” can qualify as legitimate interests within the meaning of Article …

NETHERLANDS: Highest court side-steps determining whether legitimate interests may be purely commercial Read More »

Australia: ACCC launches CDR sandbox

Authors: Alex Horder, Anthony Lloyd and Edmond Lau  What is the CDR Sandbox? Following the expansion of the Consumer Data Right (CDR) regime last year to a wider range of organisations, the ACCC has now released the ‘CDR Sandbox’, a free tool that lets CDR participants test their proposed CDR compliance solutions in a virtual environment that …

Australia: ACCC launches CDR sandbox Read More »

China: Enforcement of data protection – 5% of annual local revenue

On Thursday 21 July 2022, the Cyberspace Administration of China (“CAC”) fined Didi Global Inc, an online ride-hailing business a total of RMB 8.026 billion (approximately USD 1.2 billion). The CAC explained that the reasons for the fines were due to Didi’s: illegal collection of over 11.9 million screenshots from users’ mobile phone photo albums; …

China: Enforcement of data protection – 5% of annual local revenue Read More »

Australia: Collection of biometric information via CCTV

Authors: Sarah Birkett and Alex Moore  The use of CCTV systems to collect biometric information from individuals in Australia is attracting headlines.  The issue relates not to the use of CCTV itself, but rather the collection of biometric information (i.e. electronic copies of faces, fingerprints, voices) via CCTV.  Organisations, including retailers, may collect biometric information …

Australia: Collection of biometric information via CCTV Read More »

UK: New Data Protection and Digital Information Bill

Authors: Alexa Smith, James Clark, Robyn Palmer, Jamie Sanderson The UK Government has published its long-awaited ‘Data Protection and Digital Information Bill’. The Bill will reform areas of UK data protection and electronic privacy law, and will also introduce new regulatory frameworks, most notably in the field of digital identity verification. By amending the UK …

UK: New Data Protection and Digital Information Bill Read More »

UK: New National Strategy for Health Data

Author: James Clark The UK’s Department for Health and Social Care (“DHSC”) has published a major strategy document (‘Data saves lives: reshaping health and social care with data’) outlining the government’s plans for the regulation and use of data in healthcare. In this post, we look at some of the most interesting proposals outlined in …

UK: New National Strategy for Health Data Read More »

CHINA: Cross-border data transfers – what are your options?

Authors: Carolyn Bigg, Venus Cheung, Fangfang Song, Gwyneth To We have all been waiting for a confirmed approach on legitimising overseas transfers. Finally, we have a clear answer on what organisations need to do to transfer or access for personal data and “important data” outside of Mainland China; and the message is clear – all …

CHINA: Cross-border data transfers – what are your options? Read More »

CHINA: Draft SCCs Released – Time to Focus on Overseas Data Transfers

Authors: Carolyn Bigg, Venus Cheung, Fangfang Song The China draft SCCs have been published, but may not provide the easy approach to cross border transfers of Mainland China personal data we have hoped to. Requirements to file the SCCs or PIIA for each transfer with the regulator, to undertake mini transfer impact assessments upon changes …

CHINA: Draft SCCs Released – Time to Focus on Overseas Data Transfers Read More »

ITALY: the Garante aligns with CNIL and DSB holding that the use of Google Analytics leads to unlawful transfer of Personal Data

The Italian privacy authority, the Garante, deemed that the use of Google Analytics results in unlawful transfers of personal data to the United States in violation of the principles outlined in the Schrems II ruling. In Order No. 224 of June 9, 2022, the Italian data protection authority found that transfers of personal data to the …

ITALY: the Garante aligns with CNIL and DSB holding that the use of Google Analytics leads to unlawful transfer of Personal Data Read More »

FRANCE: The CNIL provides further insights following its formal notices against the use of Google Analytics

Authors: Denise Lebeau-Marianna, Tess Muckensturm and Divya Shanmugathas Since our last post, the French Supervisory Authority (the “CNIL”) has published a Q&A and a post on June 7, 2022 regarding Google Analytics, where it highlights the key points of its formal notices and gives some practical advice to website operators. Lessons to be drawn from …

FRANCE: The CNIL provides further insights following its formal notices against the use of Google Analytics Read More »

UK: ICO publishes AI and Data Protection risk Toolkit

The UK ICO has published its AI and data protection risk toolkit (the “Toolkit“). The Toolkit is designed to provide practical support to organisations using AI systems which may involve the processing of personal data. It builds on the ICO’s earlier guidance on AI and data protection, published in July 2020. The ICO recognises there can be significant …

UK: ICO publishes AI and Data Protection risk Toolkit Read More »

Ireland: Employers can now process Data Subject Access Requests without advice of health service providers

On 8 March 2022, The Data Protection Act 2018 (Access Modification) (Health) Regulations 2022 (“the 2022 Regulations”) came into force, revoking and replacing the Data Protection (Access Modification) (Health) Regulations 1989 (the “1989 Regulations”). The new 2022 Regulations will have an impact on organisations that process health data (i.e. physical and mental health data) and …

Ireland: Employers can now process Data Subject Access Requests without advice of health service providers Read More »