European Law on Cookies Guide

A recent focus towards the law on cookies in Europe by the courts regulators has highlighted the different approaches to the interplay between the GDPR and ePrivacy, and indeed the interpretation of the ePrivacy Directive more generally. Two major recent cases (Fashion ID (c-40-17) and Planet49 (c-673/17)) highlight the importance of cookies compliance in  Europe, …

European Law on Cookies Guide Read More »

European Commission proposes new data governance measures for EU data sharing

On 25th November, the European Commission published its proposal for a Regulation on European Data Governance (the Data Governance Act) (“the DGA”). The proposed DGA (which will be directly applicable in all Member States), aims to strengthen data sharing mechanisms across the EU and between sectors. In particular, the European Commission recognises that businesses often …

European Commission proposes new data governance measures for EU data sharing Read More »

Germany: Bonn Regional Court overrules GDPR Fining Guidelines by German Data Protection Authorities

Background: How to calculate GDPR fines? How to properly calculate administrative fines for non-compliance with the EU General Data Protection Regulation (‘GDPR’) is one of the most important questions when applying the GDPR on practical level, e.g. : What is actually meant by the reference to “undertaking” in Article 83 (4) to (6) GDPR? Is …

Germany: Bonn Regional Court overrules GDPR Fining Guidelines by German Data Protection Authorities Read More »

US: As expected, California ballot initiative passes, significantly altering the California Consumer Privacy Act

As the business community takes stock of (and impatiently waits for) 2020 election results, it should place particular significance on the passage of Proposition 24, the California Privacy Rights Act (CPRA) by about a 12 percent margin. The CPRA makes significant changes to the California Consumer Privacy Act (CCPA), which was originally passed by the …

US: As expected, California ballot initiative passes, significantly altering the California Consumer Privacy Act Read More »

International: Data protection compensation claims, Webinar, 2 December 2020

Data protection compensation claims are on the rise. Buoyed by front page press coverage of high profile data incidents, claims management companies and lawyers are looking to develop their practices in this area and are actively seeking out individuals who may have been affected. But it is not just the headline grabbing incidents that challenge …

International: Data protection compensation claims, Webinar, 2 December 2020 Read More »

Europe: European Commission publishes draft updated Standard Contractual Clauses

On 12 November, the European Commission published its long awaited updated draft Implementing Decision on standard contractual clauses (“SCCs”) for the transfer of personal data to third countries.  The update to the SCCs has been expected for some time to address the entry into force of the General Data Protection Regulation (“GDPR”) in May 2018, …

Europe: European Commission publishes draft updated Standard Contractual Clauses Read More »

Europe: EDPB issues Recommendations on Supplementary Measures and European Essential Guarantees for surveillance measures following Schrems II

On 11 November, the European Data Protection Board (“EDPB”) published recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (“Recommendations”) as well as recommendations on the European Essential Guarantees for surveillance measures (“EEGs”). Both documents were adopted during the EDPB’s 41st plenary session and are …

Europe: EDPB issues Recommendations on Supplementary Measures and European Essential Guarantees for surveillance measures following Schrems II Read More »

Australia: Privacy Act Review

The Terms of Reference (ToR) and Issues Paper for the long-awaited review (Review) of the Privacy Act 1988 Cth (Act) has finally been released by the Government (AG’s Department). A commitment to review the Act was first announced by the Government following the ACCC’s Digital Platform Enquiry in 2018/19, and it is good to see …

Australia: Privacy Act Review Read More »

China: New draft national, harmonised data protection law for Mainland China

By Carolyn Bigg, Venus Cheung, Fangfang Song A first national level personal information protection law for Mainland China has been published, reinforcing and heightening existing data protection compliance obligations for organisations doing business in China. Compliance obligations previously considered recommended practice will now become binding law, and new compliance steps – including some registrations with …

China: New draft national, harmonised data protection law for Mainland China Read More »

Romania: Key aspects in the Romanian Data Protection Authority’s annual activity report (2019)

Irina Macovei, Roxana Rosu and Andrei Stoica On 28 September 2020, the Romanian National Supervisory Authority for the Processing of Personal Data (ANSPDCP) published on its website the annual activity report for 2019. The report offers insights on the activity of the authority, its opinion on legislative proposals, points of view on certain data protection …

Romania: Key aspects in the Romanian Data Protection Authority’s annual activity report (2019) Read More »

Singapore: Imminent Changes to the Personal Data Protection Act 2012 (PDPA)

Authors: Carolyn Bigg and Yue Lin Lee Important changes will soon be made to Singapore’s PDPA. On 5 October 2020, the Personal Data Protection (Amendment) Bill (“Bill”) was tabled in Parliament for the first reading. It is expected that the Bill will be passed before the end of the year if not sooner. Unlike when …

Singapore: Imminent Changes to the Personal Data Protection Act 2012 (PDPA) Read More »

Germany: No GDPR damages after data breach

Background: another open legal question One of the many open questions of data protection law in Europe is how compensation for “non-material damage” will be calculated.  In contrast to personal injury claims where lawyers have (hundreds of) years of case law to call upon to help calculate compensation, there is comparatively little case law considering …

Germany: No GDPR damages after data breach Read More »

California: CCPA Employment and B2B Moratoria Extended; Genetic-Testing Bill Vetoed

The changes in California’s privacy laws continue. On Tuesday, September 29, 2020, California Governor Gavin Newsom signed Assembly Bill 1281, which extends the CCPA’s partial moratoria on employment and business-to-business personal information until January 1, 2022. As those following the CCPA’s development last year likely recall, amendments to the CCPA exempted California residents’ employment and …

California: CCPA Employment and B2B Moratoria Extended; Genetic-Testing Bill Vetoed Read More »

Europe: CJEU rules mass surveillance must be brought in line with EU law

The Court of Justice of the European Union (“CJEU”) has handed down its judgment in two landmark decisions (case C-623/17, Privacy International, and in joined cases C-511/18, La Quadrature du Net and others, C-512/18, French Data Network and others, and C-520/18, Ordre des barreaux francophones et germanophone and others), concerning the lawfulness of legislation in …

Europe: CJEU rules mass surveillance must be brought in line with EU law Read More »

Australia: Notifiable Data Breaches – Two years on

Since the mandatory data breach notification requirements were introduced in Australia in February 2018, the Office of the Australian Information Commissioner (OAIC) has published regular statistics on the operation of the scheme. These reports give a useful overview of the trends emerging in Australia over the last two years. The high-level causes of notifiable data …

Australia: Notifiable Data Breaches – Two years on Read More »

France: The CNIL adopts revised guidelines and final recommendations on cookies and other trackers

CONTEXT Following the adoption of the first version of its guidelines on cookies and other trackers on 4 July 2019 (see our alert here), which have been partially annulled by a decision from the French highest administrative Court, the Conseil d’Etat, dated 19 June 2020[1], the French supervisory authority (“CNIL”) has adopted a revised version …

France: The CNIL adopts revised guidelines and final recommendations on cookies and other trackers Read More »

California ready to institute new deidentification requirements and broader research exemptions

The California Legislature has passed Assembly Bill 713, which amends the California Consumer Privacy Act. Although the bill, passed on September 5, has the primary and helpful effect of largely exempting US Health Insurance Portability and Accountability Act deidentified information from the CCPA, AB 713 also regulates deidentified information in a novel way that departs …

California ready to institute new deidentification requirements and broader research exemptions Read More »

France: New guidance for data retention

By Denise Lebeau-Marianna – Partner and  Yaël Hirsch – Senior Associate The French Supervisory Authority (the “CNIL”) has issued new updated guidelines on data retention during the month of July (the “CNIL’s Guidelines”)[1]. They provide more practical guidance and update the CNIL previous Recommendations dated 11 October 2005 on the conditions of archiving personal data[2]. …

France: New guidance for data retention Read More »

Brazil: Enforceability of the LGPD

The Brazilian Senate, in the voting of MP 959/20 decided on 26 August 2020, to reject the article of the MP that provided for the extension of the enforceability of the Brazilian General Data Protection Law (LGPD). Based on this decision, the LGPD will be in force within 15 business days (after the approval or …

Brazil: Enforceability of the LGPD Read More »