The Data Security Law will enhance an increasingly comprehensive legal framework for information and data security in the PRC. By Hui Xu and Kieran Donovan On June 10, 2021, the Standing Committee of China’s National People’s Congress passed the Data Security Law (DSL), which will come into effect on September 1, 2021. The primary purpose of … Continue Reading
Online retailers storing credit card data for the sole purpose of facilitating further purchases will likely need to obtain consumer consent. By Christian F. McDermott, Calum Docherty, and Victoria Wan Online shopping has boomed in recent years. In 2020, the European statistics agency Eurostat estimated that 7 out of 10 internet users made online purchases … Continue Reading
Companies have three months to prepare to use the latest standard contractual clauses for new data transfers, and 18 months to migrate existing arrangements. By Gail Crawford, Fiona Maclean, Danielle van der Merwe, and Amy Smyth On 4 June 2021, the European Commission released its much-anticipated final Implementing Decision containing the new standard contractual clauses … Continue Reading
The new legislation extends both the protections available to consumers, as well as the obligations applicable to e-commerce retailers. By Brian A. Meenagh and Avinash Balendran With its recent implementation of a new consumer protection law, the United Arab Emirates has taken a significant step forward in protecting the rights of consumers. The new legislation … Continue Reading
The Act represents an accelerating trend among US states to attempt to pass comprehensive privacy legislation in the wake of the CCPA. By Jennifer C. Archie, Michael H. Rubin, Marissa R. Boynton, and Alexander L. Stout On March 2, 2021, Virginia Governor Ralph Northam signed comprehensive state privacy legislation titled the Consumer Data Protection Act … Continue Reading
Amendments to the PDPA significantly change Singapore’s data protection landscape, including mandatory data breach notification and criminal offences for mishandling of personal data. By Farhana Sharmeen, Esther Franks, and Gen Huong Tan On 1 February 2021, certain sections of the Personal Data Protection (Amendment) Act 2020 (the Act) took effect, implementing the following changes to … Continue Reading
Slaughter discusses the FTC’s priorities under the new administration, including ed-tech, health apps, and racial equity. By Jennifer Archie, Michael Rubin, Marissa Boynton, and Jimmy Smith On February 10, 2021, in her first major speech as acting chair of the Federal Trade Commission (the Commission, or the FTC), Rebecca Slaughter discussed the Commission’s enforcement priorities under … Continue Reading
As the Brexit transition period draws to a close, businesses will need to consider their data protection efforts to comply with both UK and EU regimes. By Gail Crawford, Fiona Maclean, and Amy Smyth The end of the Brexit transition period on 31 December 2020 will have several data protection consequences. The impact of one … Continue Reading
The European Commission has published draft updated standard contractual clauses in light of the Schrems II decision. By Gail Crawford, Ian Felstead, Fiona Maclean, Serrin Turner, Tim Wybitul, Victoria Wan, and Amy Smyth On 12 November 2020, the European Commission (the Commission) published a draft implementing decision, annexing a draft set of updated standard contractual … Continue Reading
The EDPB takes a strict approach in its recent guidance on international data transfers following Schrems II, posing a difficult challenge for businesses. By Gail Crawford, Ian Felstead, Fiona Maclean, Serrin Turner, Tim Wybitul, Victoria Wan and Amy Smyth On 10 November, the European Data Protection Board (EDPB) released its much anticipated draft guidance on … Continue Reading
Swiss companies are advised to take additional measures when transferring personal data from Switzerland to the US. By Gail E. Crawford, Fiona M. Maclean, and Amy Smyth On 8 September 2020, the Swiss data protection authority, Adrian Lobsiger (the Federal Data Protection and Information Commissioner, FDPIC), concluded in his annual review that the Swiss-US Privacy … Continue Reading
Latham lawyers explain who the DIFC’s new law applies to and how it maps against the GDPR. By Brian A. Meenagh, Fiona M. Maclean, Alexander Hendry, and Avinash Balendran The Dubai International Financial Centre (DIFC) recently issued a new data protection law and regulations: the Data Protection Law DIFC Law No. 5 of 2020 and … Continue Reading
Court’s decision struck down blanket prohibition on so-called “cookie walls” that prevent users from accessing a website or an application. By Myria Saarinen and Charlotte Guérin France’s Highest Administrative Court (the Conseil d’Etat) issued a decision on 19 June 2020 upholding most of the guidance on cookies and other tracking devices that the French Data … Continue Reading
A ruling by the EU’s top court invalidates the key mechanism for transferring personal data from the EU to the US and imposes additional conditions for use of the standard contractual clauses. By Gail E. Crawford, Fiona M. Maclean, Michael H. Rubin, Ulrich Wuermeling, Calum Docherty, and Amy Smyth On 16 July 2020, the Court of … Continue Reading
Hong Kong regulator declares that the disclosure of personal data of potential COVID-19 carriers is permissible under law. By Kieran Donovan COVID-19 is having a profound impact not only on the way the world interacts socially, but also in the way it interacts in business. Businesses are choosing to protect the health and well-being of … Continue Reading
While still in draft form, the modifications both clarify certain obligations and introduce new uncertainty for businesses covered by the CCPA. By Jennifer C. Archie, Michael H. Rubin, Robert Blamires, Marissa R. Boynton, and Scott C. Jones Earlier this month, the California Attorney General released modified draft regulations further clarifying, and in some cases complicating, … Continue Reading
Update confirms the introduction of an active “duty of care” and a dedicated regulator, as part of a comprehensive new online regulatory regime. By Alain Traill, Rachael Astin, Gail E. Crawford, and Patrick Mitchell Following a wave of commentary from industry, the social sector, and other organisations, on 11 February 2020 the UK government set … Continue Reading
Despite progress, the online advertising industry and UK regulators are still at odds over the “legitimate interest” definition under the GDPR. By Olga Phillips and Elizabeth Purcell Following publication of the UK Information Commissioner’s Office’s (ICO’s) report on adtech and real time bidding in June 2019, the ICO has been working closely with the online … Continue Reading
UK data protection regulator demands companies in the RTB ecosystem re-evaluate privacy notices, use of personal data, and lawful basis. By Robert Blamires, Calum Docherty, Laura Holden, and Lucy Tucker The UK Information Commissioner’s Office’s (ICO’s) latest report into adtech and real time bidding (RTB) (the ICO Report) provides a stark assessment of the adtech … Continue Reading
UK confirms reciprocal requirements for digital services providers to appoint UK representatives for NIS purposes, following Brexit. By Gail E. Crawford, Fiona Maclean, and Amy Smyth Following a consultation process, the UK government has now confirmed that it will put forward legislation to require non-UK-based digital services providers — larger cloud providers, search engines, and … Continue Reading
Healthcare entities should immediately assess whether Federal Law No. 2 of 2019 applies to their practices. By Brian A. Meenagh On 6 February 2019, the President of the United Arab Emirates (UAE) in conjunction with the UAE Minister of Health and Prevention (the Minister) issued a new law on the use of information and communications … Continue Reading
Broadly written rules would allow the Russian government greater central control over content and data flows, and greater access to users’ information. By Fiona M. Maclean and Ksenia Koroleva On May 1, 2019, the Russian President signed draft law No. 608767-7, commonly referred to as the Russian Internet Law, or “RuNet Law” (Federal Law No. … Continue Reading
Online services have until 31 May to respond to 16 draft standards of age-appropriate design. By Fiona Maclean and Olga M. Phillips The ICO is required by s123 of the Data Protection Act 2018 to prepare a code of practice which contains guidance on standards of age-appropriate design of relevant information society services likely to … Continue Reading
European regulators are expected to align their processes and guidance to accommodate the EDPB’s recommended approach to processing special categories of personal data. By Gail E. Crawford, Frances Stocks Allen, and Mihail Krepchev In January, the European Data Protection Board (EDPB) issued an opinion (Opinion) on the interplay between the General Data Protection Regulation (GDPR) and … Continue Reading
