The EDPB takes a strict approach in its recent guidance on international data transfers following Schrems II, posing a difficult challenge for businesses. By Gail Crawford, Ian Felstead, Fiona Maclean, Serrin Turner, Tim Wybitul, Victoria Wan and Amy Smyth On 10 November, the European Data Protection Board (EDPB) released its much anticipated draft guidance on … Continue Reading
Swiss companies are advised to take additional measures when transferring personal data from Switzerland to the US. By Gail E. Crawford, Fiona M. Maclean, and Amy Smyth On 8 September 2020, the Swiss data protection authority, Adrian Lobsiger (the Federal Data Protection and Information Commissioner, FDPIC), concluded in his annual review that the Swiss-US Privacy … Continue Reading
Latham lawyers explain who the DIFC’s new law applies to and how it maps against the GDPR. By Brian A. Meenagh, Fiona M. Maclean, Alexander Hendry, and Avinash Balendran The Dubai International Financial Centre (DIFC) recently issued a new data protection law and regulations: the Data Protection Law DIFC Law No. 5 of 2020 and … Continue Reading
Latham develops new resource to identify considerations for assessing SCC and BCR data transfers in Europe. By Gail E. Crawford, Fiona M. Maclean, Michael H. Rubin, Serrin Turner, Tim Wybitul, and Ulrich Wuermeling Following the Schrems II decision in July 2020, organisations relying on the standard contractual clauses (SCCs) or Binding Corporate Rules (BCRs) to … Continue Reading
Court’s decision struck down blanket prohibition on so-called “cookie walls” that prevent users from accessing a website or an application. By Myria Saarinen and Charlotte Guérin France’s Highest Administrative Court (the Conseil d’Etat) issued a decision on 19 June 2020 upholding most of the guidance on cookies and other tracking devices that the French Data … Continue Reading
A ruling by the EU’s top court invalidates the key mechanism for transferring personal data from the EU to the US and imposes additional conditions for use of the standard contractual clauses. By Gail E. Crawford, Fiona M. Maclean, Michael H. Rubin, Ulrich Wuermeling, Calum Docherty, and Amy Smyth On 16 July 2020, the Court of … Continue Reading
Hong Kong regulator declares that the disclosure of personal data of potential COVID-19 carriers is permissible under law. By Kieran Donovan COVID-19 is having a profound impact not only on the way the world interacts socially, but also in the way it interacts in business. Businesses are choosing to protect the health and well-being of … Continue Reading
While still in draft form, the modifications both clarify certain obligations and introduce new uncertainty for businesses covered by the CCPA. By Jennifer C. Archie, Michael H. Rubin, Robert Blamires, Marissa R. Boynton, and Scott C. Jones Earlier this month, the California Attorney General released modified draft regulations further clarifying, and in some cases complicating, … Continue Reading
Update confirms the introduction of an active “duty of care” and a dedicated regulator, as part of a comprehensive new online regulatory regime. By Alain Traill, Rachael Astin, Gail E. Crawford, and Patrick Mitchell Following a wave of commentary from industry, the social sector, and other organisations, on 11 February 2020 the UK government set … Continue Reading
Despite progress, the online advertising industry and UK regulators are still at odds over the “legitimate interest” definition under the GDPR. By Olga Phillips and Elizabeth Purcell Following publication of the UK Information Commissioner’s Office’s (ICO’s) report on adtech and real time bidding in June 2019, the ICO has been working closely with the online … Continue Reading
UK data protection regulator demands companies in the RTB ecosystem re-evaluate privacy notices, use of personal data, and lawful basis. By Robert Blamires, Calum Docherty, Laura Holden, and Lucy Tucker The UK Information Commissioner’s Office’s (ICO’s) latest report into adtech and real time bidding (RTB) (the ICO Report) provides a stark assessment of the adtech … Continue Reading
UK confirms reciprocal requirements for digital services providers to appoint UK representatives for NIS purposes, following Brexit. By Gail E. Crawford, Fiona Maclean, and Amy Smyth Following a consultation process, the UK government has now confirmed that it will put forward legislation to require non-UK-based digital services providers — larger cloud providers, search engines, and … Continue Reading
Healthcare entities should immediately assess whether Federal Law No. 2 of 2019 applies to their practices. By Brian A. Meenagh On 6 February 2019, the President of the United Arab Emirates (UAE) in conjunction with the UAE Minister of Health and Prevention (the Minister) issued a new law on the use of information and communications … Continue Reading
Broadly written rules would allow the Russian government greater central control over content and data flows, and greater access to users’ information. By Fiona M. Maclean and Ksenia Koroleva On May 1, 2019, the Russian President signed draft law No. 608767-7, commonly referred to as the Russian Internet Law, or “RuNet Law” (Federal Law No. … Continue Reading
Online services have until 31 May to respond to 16 draft standards of age-appropriate design. By Fiona Maclean and Olga M. Phillips The ICO is required by s123 of the Data Protection Act 2018 to prepare a code of practice which contains guidance on standards of age-appropriate design of relevant information society services likely to … Continue Reading
European regulators are expected to align their processes and guidance to accommodate the EDPB’s recommended approach to processing special categories of personal data. By Gail E. Crawford, Frances Stocks Allen, and Mihail Krepchev In January, the European Data Protection Board (EDPB) issued an opinion (Opinion) on the interplay between the General Data Protection Regulation (GDPR) and … Continue Reading
Companies should identify data flows, implement a data transfer solution, and update internal documents and privacy notices. By Fiona M. Maclean and Jane Bentham Since our blog on “What a “No Deal” Brexit Means for UK Data Privacy”, the European Data Protection Board (EDPB) has published two information notes on data transfers in the event … Continue Reading
The FTC and many state attorneys general aggressively monitor apps, websites, and internet-connected products for COPPA compliance. By Jennifer C. Archie, Michael H. Rubin, and Alexander L. Stout In the United States, collecting data directly from children under 13 years of age is tightly regulated by a federal statute, which is aggressively monitored and enforced. … Continue Reading
The DIFC guidelines provide practical guidance for DIFC-registered entities engaging in electronic direct marketing, including useful “dos” and “don’ts”. By Brian A. Meenagh, Fiona M. Maclean, and Laura Holden What Do DIFC-Registered Entities Need to Know? In January 2019, the Commissioner for Data Protection for the Dubai International Financial Centre (DIFC) issued new Direct Marketing … Continue Reading
The European Commission adopted its adequacy decision for Japan on 23 January 2019, opening the doors for personal data to flow freely between the two major global economies. By Fiona M. Maclean and Laura Holden The Adequacy Decision Following two years of dialogue between the European Union (EU) and Japan, the European Commission (EC) adopted … Continue Reading
The CNIL decision handed down on 21 January 2019, which cites violations of several GDPR obligations, provides important insights for groups wishing to benefit from the “one-stop-shop mechanism”. By Gail E. Crawford, Myria Saarinen, Camille Dorval, and Laura Holden The Complaints Not more than a week after the General Data Protection Regulation 2016/679 (GDPR) came … Continue Reading
Understanding the practical implications of a “No Deal” Brexit (as compared to an exit under an approved Withdrawal Agreement) following last week’s vote against the current withdrawal proposal. By Gail E. Crawford and Jane Bentham “No Deal” Brexit Unless the UK can agree on a deal with the EU that meets the approval of the … Continue Reading
Sponsors outside the European Union conducting clinical trials in the EU should consider current guidelines and the Breyer case to understand whether GDPR requirements will apply to them. By Gail Crawford and Frances Stocks Allen Many sponsors of clinical trials believe that companies based outside the EU who sponsor clinical trials conducted in the EU … Continue Reading
Germany’s first GDPR fine offers lesson for companies planning a data breach policy. By Tim Wybitul, Wolf-Tassilo Böhm, and Isabelle Brams In November 2018, Germany’s first fine under the General Data Protection Regulation (GDPR) was imposed — and it was much lower than many expected. The favourable outcome of the proceedings for the defending company … Continue Reading
