Data Protection

Ireland & UK: Latest trends in data subject access requests in pending litigation

Authors: Marcus Walsh, David Cook, John Magee

As individuals become more aware of their rights under data protection law, data subject access requests (DSARs) are an increasingly frequent concern for organisations both large and small. DSARs remain the single most common cause of regulatory complaints for organisations – the latest annual report from the Irish …


EU: Second wave of noyb complaints targets cookie banners

Authors: Heidi Waem and Simon Verschaeve

Recently, the European Center for Digital Rights (better known as noyb), founded by privacy activist Max Schrems, announced a new initiative that focuses on compliance of cookie banners in Europe. Alongside the launch of the campaign, noyb reported that it issued more than 500 draft complaints to the owners …


Thailand postpones the implementation of the data protection act until 1 June 2022

By: Samata Masagee, Komson Suntheeraporn, Nahsinee Luengrattanakorn, Thawalkorn Pattanachote

The Personal Data Protection Act B.E. 2562 (2019) (PDPA) came into effect on 28 May 2019, with most provisions scheduled to take full effect on 27 May 2020. Previously, the enforcement of the PDPA for 22 types of businesses listed here[1] has been postponed to 31 May …


German Federal Labor Court rules on the scope of the right to information under Art. 15 GDPR

In a legal dispute to be decided by the German Federal Labor Court, the court had the opportunity to rule on the highly controversial scope of the right to information under Art. 15 GDPR. Specifically, the issue was whether or to what extent Art. 15 GDPR grants a right to receive copies of e-mails. This question is controversially discussed, particularly in the employment context. A decision on the merits was not issued, however, because the court already considered the claim to be too vague and therefore dismissed it as inadmissible. This result, nevertheless, is disappointing only at first glance. Rather, the decision is likely to provide an important guidepost for dealing with information claims and will hopefully, at least in part, cause a rethink.

China: Navigating China episode 17: China’s Draft Privacy and Security Laws – second drafts clarify compliance steps for businesses

Authors: Carolyn Bigg, Venus Cheung and Fangfang Song

Second drafts of the new overarching national personal data protection and data security laws have just been published, and give a clearer picture of the impending new national frameworks in China. 1. Draft Personal Information Protection Law The Draft Personal Information Protection Law (“Draft PIPL”) will – …


China: Navigating China episode 16: New data lifecycle guidelines for financial institutions in China – detailed assessments, additional security measures and some data localisation introduced

Authors: Carolyn Bigg, Venus Cheung and Fangfang Song

Important new guidelines outlining how personal and other types of financial information should be handled by financial institutions throughout the data lifecycle have just come into force in China, including a new data localisation obligation. The “Financial Data Lifecycle Guidelines” (金融数据生命周期安全规范) were published by the PBOC (the …


The CNIL’s key priorities for upcoming dawn-raids in 2021

Every year, the French supervisory authority (the “CNIL”) publishes its key priorities for upcoming dawn-raids. In 2021, more than 50% of the CNIL’s dawn-raids will focus on: (i) websites cybersecurity, (ii) health data protection and (iii) cookies. 1. Websites cybersecurity Website security incidents are among the most common non-compliances identified by the CNIL during its …


CHINA: Navigating China Episode 15: Comprehensive New E-Commerce Rules Introduced

Authors: Carolyn Bigg, Venus Cheung

Operators of e-commerce platforms, websites and apps in China, and those using third party e-commerce, social media or livestreaming platforms to sell their products and services in China, must update their operations, services and systems in advance of wide-ranging new rules. The Measures for the Supervision and Administration of Online …


US: Virginia passes comprehensive consumer data protection law

Author: Jim Halpert

Virginia’s Governor signed the Virginia Consumer Data Protection Act (“VCDPA”) into law on March 2, 2021. The VCDPA takes effect January 1, 2023 and is a broad, multi-rights privacy law that, in some ways, resembles the CCPA, GDPR, and other recently proposed state privacy legislation. A study committee will review the VCDPA …


France: New guidance for data retention

By Denise Lebeau-Marianna – Partner and Yaël Hirsch – Senior Associate

The French Supervisory Authority (the “CNIL”) has issued new updated guidelines on data retention during the month of July (the “CNIL’s Guidelines”)[1]. They provide more practical guidance and update the CNIL’s previous Recommendations dated 11 October 2005 on the conditions of archiving personal data[2]. …


France: First sanction of an online shoes company by CNIL acting as a lead authority for several infringements to GDPR requirements

On 28 July 2020, the French Supervisory Authority (the “CNIL”) sanctioned the online shoe retail company SPARTOO SAS with a €250,000 fine and an injunction to comply with the GDPR within 3 months, under penalty, for various non-compliances with the GDPR in its processing of personal data relating to clients, prospects and employees[1]. I. Factual background and …


Thailand: Personal Data Protection Act (PDPA) Amendments on the way: What does this mean for your company?

Thailand’s Personal Data Protection Act (“PDPA”) is in the process of being updated, and full implementation and compliance are expected by 1 June 2021. This comes by way of the Notification of the Ministry of Digital Economy and Society Re: Personal Data Security Standards B.E. 2563 (2020) (“Notification”) which was recently released by the Thai …


Europe: New privacy rules for connected vehicles in Europe?

By Anne-Gabrielle Haie

Vehicles, drivers and passengers are becoming more and more connected, generating increasing amounts of data. The latest evolution of digital technologies, such as robotics, Internet of Things, Artificial Intelligence, high-performance computers and powerful communication networks leads self-driving cars out of an imaginary world and into our daily lives. While these technologies are …


Global: International Data Protection Day!

International Data Protection Day, which falls annually on January 28, is “an international effort to create awareness about the importance of respecting privacy, safeguarding data and enabling trust”. We would like to take this opportunity to share a number of data protection resources developed by our global Data Protection, Privacy and Security team to assist …


UK: UK Controllers – have you paid the ICO’s data protection fee?

The ICO is taking active enforcement against organisations who are not properly registered to pay the UK data protection fee. In our earlier blog post on the UK’s New Data Protection Fee, we explained that the UK was implementing regulations (which are unique in Europe) to require payment of a registration fee to the Information …


Europe: ‘Right to be forgotten’, but only in Europe?

In its landmark decision of the 24th of September (C-507/17), the EU Court of Justice in Luxembourg has sided with Google over a claim by the French supervisory authority regarding the application of the so-called ‘right to be forgotten’. This right refers to the ability for individuals in Europe to demand that search engines, such …


EUROPE: e-Privacy Regulation – changes regarding electronic communications and digital marketing

Since the European Commission unveiled a proposal for an e-Privacy Regulation in January 2017, this new piece of legislation, aiming to adapt rules on electronic communications and cookies, has undergone many iterations. The European Parliament has left its version untouched since October 2017, and in the meantime the Council of the EU has regularly published …


Belgium: DPA updating its Recommendation on Direct Marketing – Provide your input before 31 July 2019!

Updated official guidance on direct marketing appears to be on the horizon: the Belgian Data Protection Authority has launched a public consultation on direct marketing, with a view to updating its Recommendation No. 02/2013 of 30 January 2013 on direct marketing. In its 2013 Recommendation, available in Dutch and French, the Belgian DPA covered several …


Belgium: Newly appointed Belgian Data Protection Commissioner declares “I will not hesitate to issue fines to those not playing by the rules”

By Patrick Van Eecke & Gilles Hachez

A little less than a month ago, the Belgian House of Representatives appointed the new commissioner and directors of the Belgian Data Protection Authority (DPA), as we explained in our blogpost here. Today, a little less than eleven months after the establishment of the DPA, the new commissioner, Mr …


EU: EDPB provides more clarity on the legal basis for processing data in clinical trials

By Ilias Abassi

Since the implementation of the GDPR, there has been much discussion with respect to the appropriate legal basis for the processing of personal data in the context of a clinical trial, in particular how this relates to the Clinical Trials Regulation (CTR) which is expected to enter into force in 2020. There …
