Businesses need to be proactive in updating their compliance measures to meet the ever-evolving set of privacy laws and regulatory expectations in 2024 and beyond.

By Michael H. Rubin, Robert W. Brown, Max G. Mazzelli, Jennifer Howes, and Sarah Zahedi

Following the notable uptick in state-level privacy laws in 2023, a wave of new comprehensive state privacy laws and state laws seeking to regulate health privacy, youth privacy, online platforms, and data brokers are set to take effect this year. While a draft federal comprehensive privacy law — the American Privacy Rights Act — aimed at harmonizing this patchwork of state laws was introduced last month, until such a law actually passes, the quickly evolving state regulatory landscape will continue to set the standards for how most businesses must handle personal information in the US.

The PDPL has broad extraterritorial scope and substantial penalties for non-compliance, with full enforcement expected to start in September.

By Brian A. Meenagh and Lucy Tucker

The Personal Data Protection Law (PDPL) is the first comprehensive data protection law in Saudi Arabia. The Saudi Data and Artificial Intelligence Authority (SDAIA) is expected to start full enforcement of the PDPL from 14 September 2024, after the current compliance transition period ends. SDAIA emphasised that it expects entities to take measures to achieve compliance with the PDPL by the September deadline.  

The Advocate General opined that data subjects must prove that they suffered damage from a GDPR breach in order to claim compensation.

By Tim Wybitul, Isabelle Brams, Lara Nonninger, and Hayley Pizzey

Article 82 of the General Data Protection Regulation (GDPR) states that any person who has suffered material or non-material damage as a result of a GDPR infringement has the right to receive compensation. The meaning of non-material damage, in particular, has been debated for some time. Some European courts have been generous in assessing non-material damages to claimants. A number of German courts, for example, have found that loss of control of personal data can amount to damage.[1] A series of cases before the Court of Justice of the European Union (CJEU) also question, among other things, whether damage — or proof of damage — is required at all under Article 82 GDPR.[2]

UK government sets out ambitious proposal for reforming the UK data protection landscape.

By Gail E. Crawford, Ian Felstead, Fiona M. Maclean, Irina Vasile, Timothy Neo, and Amy Smyth

On 17 June 2022, the Department for Culture, Media and Sport (DCMS) published its response to its consultation “Data: a new direction” (the Consultation), setting out the government’s plans to reform the UK data protection regime.

These reforms are part of the UK’s National Data Strategy, which seeks to shift focus from prescriptive requirements to a risk-based approach, thereby making data protection less burdensome for businesses and enabling them to protect personal data in a proportionate and appropriate way. The DCMS has indicated, in comments at a recent conference, that the intention and direction of travel is to build on, improve, and clarify the approach that the UK will take with the UK GDPR in a way that benefits businesses whilst maintaining the same level of data protection for individuals.

This blog post scrutinises some of the Consultation’s key takeaways. For a full list of proposals that are being taken forward pursuant to the Consultation, see this response Annex.

The Advocate General argues that organisations should provide individuals with information on the specific recipients of their personal data.

By Tim Wybitul, James Lloyd, Isabelle Brams, Irina Vasile, and Amy Smyth

Advocate General Giovanni Pitruzzella (AG) of the Court of Justice of the European Union (CJEU) recently delivered an opinion (the Opinion) regarding the interpretation of an individual’s right of access to their data under Article 15 GDPR (often known as a data subject access request, or DSAR/SAR). Specifically, the Opinion addresses an individual’s right to access information about “the recipients or categories of recipient to whom the personal data have been or will be disclosed […]”, pursuant to Article 15(1)(c) GDPR. The AG delivered the Opinion in the context of Case C-154/21 (the Case), which is currently pending before the CJEU.

Companies should take steps now to prepare for the new rules and expectations.

By Jennifer C. Archie, Tony Kim, Serrin Turner, Alexander L. Stout, Ryan J. Malo, and James A. Smith

The US government continues to expand regulatory requirements around notification and disclosure of major cyberattacks or incidents. New measures are arriving on the heels of high-profile ransomware attacks on US companies and critical infrastructure, such as the Colonial Pipeline hack that caused gas shortages in the eastern United States last summer.

Announced shared cybersecurity priorities across the Executive Branch include:

  • Cyber hygiene in the public and private sector, especially where critical infrastructure is involved
  • Operational collaboration between the public and private sector for tier one events
  • Disruption of the flow of cryptocurrency or other consideration to attackers
  • Fulsome, accurate, timely disclosure to investors and other stakeholders
  • Comprehensive reporting of incidents

The Personal Information Protection Law, or PIPL, imposes stringent obligations of a similar standard to the GDPR and will take effect on November 1, 2021.

By Hui Xu, Kieran Donovan, and Bianca Lee

On August 20, 2021, the Standing Committee of the National People’s Congress adopted the Personal Information Protection Law of the People’s Republic of China (PIPL), the first legislation dedicated to protecting personal information in China. PIPL will take effect on November 1, 2021. PIPL previously

The regulations aim to protect the security of the CII and impose more compliance obligations in support of the Network Security Law.

By Hui Xu and Kieran Donovan

On July 30, 2021, the State Council of the People’s Republic of China (PRC) published the Security Protection Regulations on the Critical Information Infrastructure (the Regulations), which was adopted by the State Council on April 27, 2021. The Regulations took effect on September 1, 2021, along with the recently passed Data Security

The decision will likely provide comfort to businesses operating in the healthcare sector both in the UAE and globally.

By Brian A. Meenagh and Avinash Balendran

On 28 April 2021 the United Arab Emirates (UAE) federal government issued Ministerial Decision No. 51 of 2021 (the Decision) to clarify when health information may be stored or transferred outside of the UAE. The Decision should pave the way for many domestic and overseas healthcare service providers to continue processing, storing, and transferring

Judgment offers some comfort for data controllers, without eliminating the possibility of vicarious liability based on an employee’s actions.

By Ian Felstead and Calum Docherty

The UK Supreme Court (UKSC) has ruled that WM Morrisons Supermarkets plc (Morrisons) was not vicariously liable for the actions of a rogue employee who leaked the personal payroll data of 98,998 co-workers. The UKSC unanimously overturned a 2018 Court of Appeal judgment, and allowed Morrisons’ appeal against vicarious liability claims relating to breach of statutory duty under the Data Protection Act 1998 (DPA 1998), misuse of private information, and breach of confidence.

In its judgment, the UKSC found that Morrisons was not vicariously liable for the data breaches committed by its rogue employee, because the rogue employee’s “wrongful conduct was not so closely connected with acts which he was authorised to do”,  but held that the DPA 1998 does not exclude the imposition of vicarious liability. It is uncertain whether the same interpretation applies under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.