European Commission adopts UK Adequacy Decision

Today, the European Commission has adopted two adequacy decisions for transfers of personal data to the United Kingdom, one under the General Data Protection Regulation (“GDPR”) and the other for the Law Enforcement Directive (“LED”). The GDPR and LED impose restrictions on the transfer of personal data to a ‘third country’ unless that country benefits from (i) an …

EDPB adopts final Recommendations on Supplementary Measures

On 21 June 2021, the European Data Protection Board (“EDPB”) published the final Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (“Recommendations”). These long-awaited Recommendations are an extremely important step for the consideration of data transfer related risks and GDPR compliance management within an …

China: Navigating China Episode 19: China’s new Data Security Law: what multinational businesses need to know

Authors: Carolyn Bigg, Venus Cheung, Fangfang Song

China’s Data Security Law (“DSL”) has come into force and takes effect on 1 September 2021. The speed of its passing has left multinational businesses scrabbling to understand the key compliance obligations. While many of the practical compliance steps will be detailed in measures and guidelines to be …

EU: Second wave of noyb complaints targets cookie banners

Authors: Heidi Waem and Simon Verschaeve

Recently, the European Center for Digital Rights (better known as noyb), founded by privacy activist Max Schrems, announced a new initiative that focuses on compliance of cookie banners in Europe. Alongside the launch of the campaign, noyb reported that it issued more than 500 draft complaints to the owners …

EU: New SCCs published

Today, the European Commission published the final Implementing Decision on standard contractual clauses (“New SCCs”) for the transfer of personal data to third countries. The New SCCs repeal the existing SCCs (dating from 2001, 2004 and 2010) and aim to address the entry into force of the General Data Protection Regulation (“GDPR”) and the decision of the …

China: Navigating China episode 18: Increased scrutiny over connected car and automobile industry data from Chinese regulators, including push towards data localisation

Authors: Carolyn Bigg, Venus Cheung and Fangfang Song

The Chinese cybersecurity authorities have published new draft rules clarifying data and cyber compliance obligations for the automobile industry, including a push towards most personal information and important data being …

DLA Piper Global Vaccine Guide

As the scientific response to the COVID-19 pandemic develops, many employers are considering what their approach should be to the issues around vaccination for their workforce, with a view to accelerating a return to some kind of normality. This is an area where law, guidance and best practice is likely to develop rapidly and there …

Georgia’s HB 156, requiring state notice for utility cybersecurity incidents, is now in effect

Authors: Lael Bellamy and Emily Maus

Georgia’s governor has signed into law House Bill 156, creating specific notice requirements for state agencies and utilities that experience cybersecurity attacks, data breaches or malware and requiring notice to the state director of emergency management in Georgia within two hours of notifying the federal emergency management agencies. In …

Thailand postpones the implementation of the data protection act until 1 June 2022

By: Samata Masagee, Komson Suntheeraporn, Nahsinee Luengrattanakorn, Thawalkorn Pattanachote

The Personal Data Protection Act B.E. 2562 (2019) (PDPA) came into effect on 28 May 2019 with most provisions scheduled to take full effect on 27 May 2020. Previously, the enforcement of the PDPA for 22 types of businesses listed here has been postponed to 31 May …

DCMS Cyber Security Breaches Survey 2021 highlights more still to be done by the majority of businesses

The Department for Culture Media and Sport recently published its annual Cyber Security Breaches Survey (the “Survey”), which aims to capture trends in cyber security incidents and provides a snapshot of the approach of UK businesses to the risks of an incident and the types of incidents seen in the previous 12 months. We have …

German Federal Labor Court rules on the scope of the right to information under Art. 15 GDPR

In a legal dispute to be decided by the German Federal Labor Court, the court had the opportunity to rule on the highly controversial scope of the right to information under Art. 15 GDPR. Specifically, the issue was whether or to what extent Art. 15 GDPR grants a right to receive copies of e-mails. This question is controversially discussed, particularly in the employment context. A decision on the merits was not issued, however, because the court already considered the claim to be too vague and therefore dismissed it as inadmissible. This result, nevertheless, is disappointing only at first glance. Rather, the decision is likely to provide an important guidepost for dealing with information claims and will hopefully, at least in part, cause a rethink.

China: Navigating China episode 17: China’s Draft Privacy and Security Laws – second drafts clarify compliance steps for businesses

Authors: Carolyn Bigg, Venus Cheung and Fangfang Song

Second drafts of the new overarching national personal data protection and data security laws have just been published, and give a clearer picture of the impending new national frameworks in China.

1. Draft Personal Information Protection Law

The Draft Personal Information Protection Law (“Draft PIPL”) will – …

Deadline to file comments to the HIPAA NPRM is fast approaching

Authors: Emily Maus and Anna Spencer

HIPAA covered entities and business associates should finalize their comments soon, before the comment period for the 2020 Health Insurance Portability and Accountability Act (HIPAA) Notice of Proposed Rulemaking (NPRM) closes on May 6. The Office for Civil Rights (OCR), which is the federal agency within the US Department …

Second Circuit sets standing threshold for data-breach class actions

Authors: Keara M. Gordon, Isabelle Ord, Jeff DeGroot, and Haley Torrey

This week, the Second Circuit in McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310, weighed in on whether data-breach plaintiffs can establish Article III standing based on the theory that the theft or disclosure of their data subjects the plaintiffs to an increased risk …

Portuguese CNPD suspends transfers of Census 2021 data to the U.S.

On yet another application of the principles contained in the Schrems II case, on the 27th of April 2021, the Portuguese Data Protection Authority (“CNPD”) issued a decision ordering the suspension, within 12 hours, of any transfer of personal data resulting from the Census 2021 to the US, or to other third countries outside the …

The Washington Privacy Act fails to pass for the third straight year

Click here to view an article about the 2021 Washington Privacy Act legislative developments. DLA Piper follows the evolving state privacy landscape more closely than any other law firm. As of the date of this post, the most likely states to pass an Omnibus privacy bill later this year are Florida, Colorado and Ohio. For …

The Supreme Court sharply curtails FTC’s authority to obtain restitution

In a significant decision issued on Thursday, April 22, 2021, the US Supreme Court unanimously ruled in an eagerly anticipated case that the Federal Trade Commission (FTC) does not have the legal authority under Section 13(b) of the FTC Act to obtain court-ordered monetary equitable relief (such as restitution or disgorgement). In AMG Capital Management, …

European Commission publishes long-awaited draft Regulation on Artificial Intelligence

Andrew Dyson, Ewa Kurowska-Tober, Heidi Waem

On 21 April 2021, the European Commission published the long-awaited proposal for a Regulation on Artificial Intelligence[1] (“AI Regulation”). The proposed AI Regulation introduces a first-of-its-kind, comprehensive, harmonized, regulatory framework for Artificial Intelligence. The ambition is to provide the legal certainty needed to facilitate investment and innovation in AI, whilst …
