Organisations must provide individuals with information on the specific recipients of their data upon request.

By Tim Wybitul, Isabelle Brams, Calum Docherty, and Amy Smyth

The Court of Justice of the European Union (CJEU) has ruled that organisations must generally disclose the specific identity of data recipients on request from an individual in order to give effect to the right of access. Organisations may only limit their response to the mere categories of recipients if they cannot identify the specific recipients or if the request is manifestly unfounded or excessive. The court’s judgment in the case of RW v. Österreichische Post AG (Case C-154/21) follows the opinion given by CJEU Advocate General Giovanni Pitruzzella in mid-2022 (the Opinion). For background on the case and the Opinion, see this Latham & Watkins blog post.

The Dubai International Financial Centre urges companies to protect personal data when using artificial intelligence.

By Brian A. Meenagh, Ksenia Koroleva, and Lucy Tucker

On 18 April 2023, the Dubai International Financial Centre (DIFC), a financial free zone with its own data protection laws, published a consultation paper (the Consultation Paper) regarding amendments to DIFC Data Protection Regulations (the Regulations) for a 30-day public consultation.

The Consultation Paper acknowledges that AI systems are important and useful but carry risks to personal data processing. The DIFC’s proposed approach urges all companies using AI systems to adopt and reinforce technical and organisational means to protect personal data when using AI.

The CJEU’s final ruling could subject companies to direct GDPR enforcement by DPAs notwithstanding national procedural rules, but may rule against strict liability under the GDPR.

By Tim Wybitul, Myria Saarinen, Isabelle Brams, Irina Vasile, and Amy Smyth

On 27 April 2023 Advocate General of the Court of Justice of the European Union (CJEU) Campos Sánchez-Bordona delivered an opinion in which he approved direct enforcement of the General Data Protection Regulation (GDPR) against companies but rejected

Iowa’s new data privacy law, which will come into force in 2025, adds to an increasingly complex patchwork of state laws.

By Robert Blamires, Clay Northouse, Michael Rubin, Robert Brown, Joseph Hansen, and Zac Alpert

On March 28, 2023, Iowa became the sixth US state to pass a comprehensive privacy law. The Iowa data privacy law (SF 262) (Iowa Privacy Law) was passed unanimously by the state House and Senate, and signed by Governor Kim Reynolds.

The Iowa Privacy Law imposes requirements similar to those already required by other state privacy laws—most notably, Utah. The key task for companies subject to the law will be to ensure that their existing measures cover personal data collected about Iowa residents, for example, by extending their privacy notices, contracts, and user rights mechanisms to include Iowa consumer personal data.

Amended data privacy legislation enabled Hong Kong courts to convict doxxing offences, though their ability to enforce cessation notices remains unclear.

By Kieran Donovan and Jacqueline Van

In October 2021, Hong Kong amended its data privacy law, the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO), to criminalise “doxxing” (generally defined as publicly providing personally identifiable information about an individual or related persons, usually via the internet, and often with malicious intent). The law empowers the Privacy Commissioner for Personal Data (Commissioner) to carry out criminal investigations, institute prosecutions, and issue cessation notices in relation to doxxing. The law is similar in many respects to New Zealand’s Harmful Digital Communications Act and Singapore’s Protection from Harassment Act, each of which was expressly referred to by the Hong Kong SAR’s Legislative Council Research Office in advance of the amendment coming into force.

This blog post reviews doxxing-related enforcement activity in Hong Kong since the amendment came into effect.

The proposal provides a uniform basis for secondary research and clarifies uncertainty over implementation and interpretation of the GDPR but also raises many questions.

By Oliver Mobasser and Gail Crawford

On 3 May 2022, the European Commission launched its proposal for a Regulation for the European Health Data Space to “unleash the full potential of health data”. However, questions arise as to whether this proposal is a welcome facilitator of innovation or another burden for research-focussed businesses.

Among other goals

As the Brexit transition period draws to a close, businesses will need to consider their data protection efforts to comply with both UK and EU regimes.

By Gail Crawford, Fiona Maclean, and Amy Smyth

The end of the Brexit transition period on 31 December 2020 will have several data protection consequences. The impact of one of the more significant implications — the UK becoming a third country for the purposes of EU-to-UK personal data transfers — has been mitigated by a four to six-month grace period in the EU & UK Trade and Cooperation Agreement (the Trade Agreement).

The Trade Agreement’s grace period states that personal data may be transferred from the EU to the UK as if the UK has not become a third country on 1 January 2021 (Article FINPROV.10A). This provision means that the requirement for a data transfer mechanism to legalise such transfers under the European General Data Protection Regulation (GDPR) will not be triggered on 1 January 2021, and these transfers may continue as during the Brexit transition period.