CHINA: Draft SCCs Released – Time to Focus on Overseas Data Transfers

Authors: Carolyn Bigg, Venus Cheung, Fangfang Song

The China draft SCCs have been published, but may not provide the easy approach to cross border transfers of Mainland China personal data we had hoped for. Requirements to file the SCCs or PIIA for each transfer with the regulator, to undertake mini transfer impact assessments upon changes …


ITALY: the Garante aligns with CNIL and DSB holding that the use of Google Analytics leads to unlawful transfer of Personal Data

The Italian privacy authority, the Garante, deemed that the use of Google Analytics results in unlawful transfers of personal data to the United States in violation of the principles outlined in the Schrems II ruling. In Order No. 224 of June 9, 2022, the Italian data protection authority found that transfers of personal data to the …


FRANCE: The CNIL provides further insights following its formal notices against the use of Google Analytics

Authors: Denise Lebeau-Marianna, Tess Muckensturm and Divya Shanmugathas

Since our last post, the French Supervisory Authority (the “CNIL”) has published a Q&A and a post on June 7, 2022 regarding Google Analytics, where it highlights the key points of its formal notices and gives some practical advice to website operators. Lessons to be drawn from …


UK: ICO publishes AI and Data Protection risk Toolkit

The UK ICO has published its AI and data protection risk toolkit (the “Toolkit”). The Toolkit is designed to provide practical support to organisations using AI systems which may involve the processing of personal data. It builds on the ICO’s earlier guidance on AI and data protection, published in July 2020. The ICO recognises there can be significant …


Ireland: Employers can now process Data Subject Access Requests without advice of health service providers

On 8 March 2022, The Data Protection Act 2018 (Access Modification) (Health) Regulations 2022 (“the 2022 Regulations”) came into force, revoking and replacing the Data Protection (Access Modification) (Health) Regulations 1989 (the “1989 Regulations”). The new 2022 Regulations will have an impact on organisations that process health data (i.e. physical and mental health data) and …


Europe: One step closer towards the adoption of NIS2

The European Council and the European Parliament have agreed on measures for a high common level of cybersecurity across the EU (the “NIS2”). Once adopted, NIS2 will replace the current Directive on Security of Network and Information Systems (“NIS Directive”). NIS2 will introduce a number of changes, including bringing more sectors and services under the …


Hong Kong: Newly published Model Contractual Clauses

Organisations engaging in cross border transfers of personal data may now rely on the Recommended Model Contractual Clauses (RMCs), recently published by the Privacy Commissioner for Personal Data (PCPD). The two sets of RMCs are intended for controller to controller transfers, and controller to processor transfers. The RMCs may be used in: cross border transfers …


The European Health Data Space – 5 Things You Need to Know

What is the European Health Data Space?

On 3 May 2022, the EU Commission published a draft Regulation on the European Health Data Space (“HDS”). The Regulation is the first sector-specific proposal in the Commission’s “European Strategy for Data”, which aims at creating a ‘single market for data’. In so doing, the Commission intends to …


NOYB open letter on the new EU – US data deal

Max Schrems, through his organisation, ‘My Privacy is None of your Business’ (“noyb.eu”), has issued an open letter to U.S. and EU officials about the announcement of an ‘agreement in principle’ for a new Trans-Atlantic Data Privacy Framework (“letter”). The letter coincides with a visit to Washington, D.C. by a delegation of several members of the European Parliament’s …


Europe: EDPB Guidelines on calculation of fines under GDPR – a case of evolution, not revolution?

A draft set of EDPB guidelines on the calculation of administrative fines under the GDPR is likely to lead to some further consistency among supervisory authorities on how fines are calculated – however, if adopted, the guidance leaves clear room for the current divergent approaches to continue. On 12 May 2022, the European Data Protection …


Singapore: Cybersecurity service providers’ mandatory licensing by October 2022

Authors: Carolyn Bigg, Yue Lin Lee, Gwyneth To and Jing Qin Cho

Companies providing cybersecurity services (“CSPs”) in Singapore will now have to obtain a licence for the provision of such services by 11 October 2022. The licensing framework took effect from 11 April 2022. The licensing framework is part of the Cybersecurity Act and …


Hungary: Record GDPR fine by the Hungarian Data Protection Authority for the unlawful use of artificial intelligence

Authors: Zoltán Kozma, Mark Almasy

The Hungarian Data Protection Authority (Nemzeti Adatvédelmi és Információszabadság Hatóság, NAIH) has recently published its annual report in which it presented a case where the Authority imposed the highest fine to date of ca. EUR 670,000 (HUF 250 million). The case involved the personal data processing of a bank (acting …


Singapore: Higher Fines for Breach of Personal Data Protection Act 2012 (PDPA) – up to 10% of Singapore Turnover

Authors: Carolyn Bigg, Yue Lin Lee, Gwyneth To

Increased financial penalties

From 1 October 2022, companies that breach the PDPA may face fines of up to: SGD 1 million; or where the organisation’s annual turnover in Singapore exceeds SGD 10 million, 10% of the organisation’s Singapore turnover. Penalties imposed under the PDPA could potentially be …


Privacy Shield 2.0? EU and US announce potential new data transfer framework

What has happened?

The European Union has today announced ‘agreement in principle’ with the United States on a new data transfer framework, intended to replace the Privacy Shield framework that was struck down in the 2020 Schrems II decision of the Court of Justice of the European Union. The agreement was announced in a joint …


UK: Draft Telecoms Security Regulations and Code of Practice released for consultation

On 1 March 2022, the Department for Digital, Culture, Media & Sport (“DCMS”) released their most recent draft Telecommunications Security Regulations (“Regulations”) and an associated draft Code of Practice (“Code of Practice”) for consultation. The Regulations and Code of Practice form part of several new security measures introduced by the Government specifically to address the security …


Belgian DPA decision on IAB Transparency and Consent Framework

By: Heidi Waem and Verena Grentzenberg

On 2 February 2022, the Belgian Data Protection Authority (Belgian DPA) rendered its long-awaited decision against IAB Europe with regard to the IAB Transparency and Consent Framework (TCF). In this blogpost we will discuss:

The procedure
TCF, RTB and the TC String
The findings of the Inspection Service
The …


UK: New guidance on processing personal data for scientific research purposes

Experiencing a global pandemic has provided us with many examples of the importance of scientific research to our lives.  Meanwhile, a sometimes popular (mis)conception is that data protection laws – and particularly the GDPR – are a barrier to the effective use of personal data for research. Consequently, new guidance from the UK’s Information Commissioner’s …


Ireland: Large-scale inquiries progress as DPC budget and staff numbers ramp up

By John Magee, Eilis McDonald, Nicole Fitzpatrick, Sarah Dunne & Laoise McMahon

The Data Protection Commission (DPC) has published its 2021 Annual Report, highlighting key observations, emerging guidance, and large-scale inquiries and decisions of 2021. Primary areas of focus for the DPC in 2021 included the safeguarding of children’s data protection rights, progressing ongoing large-scale …


Ukraine Crisis – Heightened Cyber Threat – Be Prepared

By: Andy Serwin ‖ Ross McKean ‖ Carolyn Bigg

In response to the heightened geo-political tensions resulting from Russia’s invasion of Ukraine and the package of economic sanctions imposed by the West, the risk of cyber-attacks by Russia and her proxies is high. We may see an increase in economic extortion to generate revenue to …
