Show-me: Spanish Data Protection laws shaken by the Supreme Court

By the end of 2018, the Spanish Parliament belatedly completed the framework provided by the EU’s GDPR by approving a new Data Protection Act. Following a local tradition dating from 1992, the Spanish legislators deviated from the mainstream position in the EU. The new Spanish law included, among other deviations, new digital rights unknown by …

Australia: Consumer Data Right pipeline to cast a wide net

Authors: Anthony Lloyd, Alex Horder

Background: With the implementation of the Consumer Data Right (CDR) in the banking sector (known as ‘Open Banking’) well under way, the release of draft amendments to the CDR rules for the energy sector, and the continuing development of the framework for implementing the CDR in the telecommunications sector, the …

Government publishes consultation on post-Brexit data reforms

The government has today published its eagerly awaited Consultation Paper on Reforms to the UK Data Protection Regime – ‘Data: A New Direction’ (“Consultation Paper”), setting out the specific areas for regulatory reform of the UK’s data protection regime. It follows a spate of activity from the government in relation to plans for its post-Brexit global …

Ireland / Europe: DPC’s record GDPR fine has implications for calculation of GDPR fines and regulatory expectations around transparency rules

On 2 September 2021, the Data Protection Commission (DPC) announced it has imposed a €225 million administrative fine against WhatsApp Ireland Limited, as well as a reprimand and an order to bring its processing into compliance. This comes following a lengthy background including the EDPB’s first urgent binding decision in relation to the investigation …

UK: ICO rules regarding the online privacy of children enter into force

By James Clark and Anna Ward, DLA Piper UK LLP

The Age Appropriate Design Code (“Code”), a new statutory Code of Practice published by the UK Information Commissioner’s Office (“ICO”), enters into force today (2 September 2021) following a one year transition period. The Code seeks to regulate the provision of online services to children, …

Government unveils plans for post-Brexit global data transfer regime

Following Brexit, the UK now has the ability to adopt its own decisions in relation to adequacy for personal data transfers. Today, the government has set out the first territories which it will prioritise for its data transfer adequacy decisions. These territories will include the United States, Australia, the Republic of Korea, Singapore, the Dubai …

Navigating China Episode 20: PIPL has finally arrived, bringing helpful clarification (rather than substantial change) to China’s data privacy framework

In good news for organisations handling personal information, China’s Personal Information Protection Law (“PIPL”) was finalised on 20 August 2021, and will come into force on 1 November 2021. Rather than bringing substantial changes to the existing China data privacy framework, the PIPL helpfully consolidates and clarifies obligations on processing of personal information at a …

UK: First-Tier Tribunal considers first fine imposed by the ICO under the GDPR and slashes the amount by two thirds

On 17 December 2019, the ICO issued the first administrative fine under the GDPR (known as a monetary penalty notice in the UK), alongside an Enforcement Notice, against Doorstep Dispensaree Limited (“DDL”). DDL appealed against both elements of the enforcement action taken by the ICO which has recently been decided and provides useful guidance from …

UK: ICO opens consultation on its updated international data transfer guidance and tools

On 11 August 2021, the Information Commissioner’s Office (ICO) launched a public consultation on its draft international data transfer agreement (IDTA) and guidance on data transfers. These updates have been expected for some time to address the UK regulatory position, following exit from the EU, in relation to the Schrems II decision of the CJEU …

Considerations on embedding the new standard contractual clauses in IT contracts

Authors: Heidi Waem and Nicolas Becker

On 4 June 2021, the European Commission released the final version of the new Standard Contractual Clauses (new SCCs) (see our blogpost here). This new set of clauses was launched in the aftermath of the CJEU’s Schrems II decision and includes specific wording to address certain concerns raised by the …

Ireland & UK: Latest trends in data subject access requests in pending litigation

Authors: Marcus Walsh, David Cook, John Magee

As individuals become more aware of their rights under data protection law, data subject access requests (DSARs) are an increasingly frequent concern for organisations both large and small. DSARs remain the single most common cause of regulatory complaints for organisations – the latest annual report from the Irish …

Taking back control: The European Digital Identity

Authors: Kristof De Vulder, Florian De Rouck, Emma Stockman

On 3 June 2021, the EU Commission proposed the long-awaited framework for a European Digital Identity (EUid). The proposal stems from the regulatory review of Regulation 910/2014/EU (eIDAS Regulation), and constitutes a complete overhaul of the European digital identification framework. The EU Commission plans to introduce a new …

EU: What’s left of the GDPR’s one-stop-shop? CJEU clarifies the competences of non-lead data protection authorities

Authors: Heidi Waem, Simon Verschaeve

When the GDPR was adopted back in 2016, its new cooperation and consistency mechanism, coined as the one-stop-shop, was marketed as one of the major advancements that the GDPR would bring to organisations. Instead of having to engage with multiple local data protection authorities, controllers and processors established in the EU …

POPIA: The long wait is over

Authors: Monique Jefferson and Justine Katz

The Protection of Personal Information Act, 2013 (POPIA) came into effect on 1 July 2020 but was subject to a 12-month grace period, which ended yesterday (30 June 2021). Therefore, from today (1 July 2021) POPIA is fully in effect, save for certain provisions. In this regard, we point …

Ireland: Ireland legislates for third party rights – removing SCCs governing law concerns

The new Standard Contractual Clauses (SCCs) issued by the European Commission came into force on 27 June 2021. The SCCs allow parties to choose the governing law of one of the EU Member States, provided that such law allows for third party beneficiary rights. As privity of contract rules apply in Ireland, there had been …

Australia takes steps towards the mandatory reporting of ransomware payments

Author: Sarah Birkett

A private member’s bill has been introduced in Australia that would require the mandatory reporting of ransomware payments by applicable Australian entities. The Ransomware Payments Bill would require any business or Commonwealth Government entity which makes a ransomware payment to notify the Australian Cyber Security Centre (ACSC) with details of: the identity …

European Commission adopts UK Adequacy Decision

Today, the European Commission has adopted two adequacy decisions for transfers of personal data to the United Kingdom, one under the General Data Protection Regulation (“GDPR”) and the other for the Law Enforcement Directive (“LED”). The GDPR and LED impose restrictions on the transfer of personal data to a ‘third country’ unless that country benefits from (i) an …

EDPB adopts final Recommendations on Supplementary Measures

On 21 June 2021, the European Data Protection Board (“EDPB”) published the final Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (“Recommendations”). These long-awaited Recommendations are an extremely important step for the consideration of data transfer related risks and GDPR compliance management within an …

China: Navigating China Episode 19: China’s new Data Security Law: what multinational businesses need to know

Authors: Carolyn Bigg, Venus Cheung, Fangfang Song

China’s Data Security Law (“DSL”) has come into force and takes effect on 1 September 2021. The speed of its passing has left multinational businesses scrabbling to understand the key compliance obligations. While many of the practical compliance steps will be detailed in measures and guidelines to be …
