The new general data privacy laws in Oregon and Delaware expand on existing requirements under other state privacy laws.* By Robert Blamires, Clayton Northouse, Austin L. Anderson, and Jennifer Howes Key Takeaways:… Continue Reading
The new framework provides an additional route for personal data transfers from the EEA to the US. By Robert Blamires, Gail E. Crawford, James Lloyd, Clayton Northouse, Alice Brunning, Alexander Ford-Cox, and Jennifer Howes On 10 July 2023, the European Commission (EC) took the final step to enable businesses to start relying on the new … Continue Reading
Washington State’s landmark privacy law has inspired other states to pass similar laws with stringent requirements on a broad range of companies and processing activities. By Heather B. Deixler, Clayton Northouse, Austin L. Anderson, Kiara E. Vaughn, and Kathryn Parsons-Reponte Key Takeaways: Washington State and Nevada have now passed health data privacy laws that impose … Continue Reading
Covered companies will need to take additional steps to comply with the law in light of the new obligations relating to consumer health data and minors under 18 years old. By Marissa R. Boynton, Serrin Turner, Joseph C. Hansen, Jennifer Howes, and Dyllan Brown-Bramble On June 6, 2023, the Connecticut legislature passed Substitute Senate Bill … Continue Reading
Florida’s law introduces novel provisions that depart from existing US state privacy laws, which businesses will need to carefully consider. By Jennifer C. Archie, Clayton Northouse, Joseph C. Hansen, and Austin L. Anderson Key Takeaways:… Continue Reading
The amended PDPL diverges from international privacy laws in several areas, including personal data transfers, penalties, and breach notification. By Brian A. Meenagh and Lucy Tucker An amended version of the Kingdom of Saudi Arabia’s Personal Data Protection Law (PDPL) was published in the Official Gazette of the Kingdom of Saudi Arabia on April 7, … Continue Reading
The stringent law introduces several novel obligations and a unique approach to determining applicability that may broaden its reach. By Clayton Northouse, Michael H. Rubin, and Robert Brown On June 18, 2023, Texas enacted the Texas Data Privacy & Security Act (TDPSA), which will largely take effect in just over a year on July 1, … Continue Reading
The new laws introduce novel applicability thresholds and other requirements that businesses should consider when preparing for compliance with US state privacy laws, including those coming into effect from 2023 onwards. By Robert Blamires, Marissa Boynton, Michael H. Rubin, Joseph Hansen, and Austin Anderson Key Takeaways: (i) Indiana, Montana, and Tennessee have all enacted general … Continue Reading
Iowa’s new data privacy law, which will come into force in 2025, adds to an increasingly complex patchwork of state laws. By Robert Blamires, Clay Northouse, Michael Rubin, Robert Brown, Joseph Hansen, and Zac Alpert On March 28, 2023, Iowa became the sixth US state to pass a comprehensive privacy law. The Iowa data privacy … Continue Reading
The updated reform legislation provides welcome guidance and clarifications on aspects such as legitimate interests and accountability, without substantially shifting the approach proposed under the existing reform bill. By Gail E. Crawford, Fiona M. Maclean, Timothy Neo, Irina Vasile, and Amy Smyth On 8 March 2023, the UK government introduced the second draft of its … Continue Reading
Organisations should expect increased scrutiny and enforcement activity around the role of data protection officers in the coming year. By Gail E. Crawford, Fiona M. Maclean, Ben Leigh, and Amy Smyth The European Data Protection Board (EDPB) has announced that its coordinated enforcement action for 2023 will focus on the designation and position of data … Continue Reading
The Privacy Commissioner for Personal Data reminds organisations to review and implement appropriate data security measures amidst more data breaches. By Kieran Donovan, Anthony Liu, and Jacqueline Van On 13 February 2023, the Privacy Commissioner for Personal Data of Hong Kong (PCPD) published an article titled “Guidance on Data Security – Heightened Importance of Data … Continue Reading
The Office of the Privacy Commissioner for Personal Data of Hong Kong summarised enforcement trends and plans to further amend the Personal Data (Privacy) Ordinance. By Kieran Donovan and Jacqueline Van On 9 November 2022, the Office of the Privacy Commissioner for Personal Data of Hong Kong (Commissioner) published its annual report titled “A New … Continue Reading
Amended data privacy legislation enabled Hong Kong courts to convict doxxing offences, though their ability to enforce cessation notices remains unclear. By Kieran Donovan and Jacqueline Van In October 2021, Hong Kong amended its data privacy law, the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO), to criminalise “doxxing” (generally defined as publicly providing personally identifiable … Continue Reading
The amendment proposes business-friendly changes regarding data localization and legitimate interests. By Brian Meenagh and Lucy Tucker On November 20, 2022, the Saudi Data and AI Authority (SDAIA) published an amended version of the Kingdom of Saudi Arabia’s (KSA or the Kingdom) Personal Data Protection Law (PDPL) for consultation (the Amended Draft). The Amended Draft … Continue Reading
Businesses will need to take additional steps to ensure compliance as exemptions under the California Consumer Privacy Act expire at the end of 2022. By Robert Blamires, Michael H. Rubin, Robert W. Brown, and Jennifer Howes The California legislature adjourned its 2022 session without extending the exemptions under the California Consumer Privacy Act (CCPA) for … Continue Reading
The bill would largely build on the UK data protection regime’s EU GDPR-style framework, albeit with UK-specific provisions. By James Lloyd, Fiona M. Maclean, Calum Docherty, Irina Vasile, Alex Ford-Cox, and Amy Smyth The UK government introduced the Data Protection and Digital Information Bill (the Bill) to Parliament on 18 July 2022, following the publication … Continue Reading
Areas of interest include anonymisation, “recognised legitimate interests”, and the ICO’s role. By James Lloyd, Fiona M. Maclean, Calum Docherty, Irina Vasile, Alex Ford-Cox, and Amy Smyth The UK Data Protection and Digital Information Bill (the Bill) sets out the government’s proposals for reforming the current UK data protection regime (consisting primarily of the UK … Continue Reading
UK government sets out ambitious proposal for reforming the UK data protection landscape. By Gail E. Crawford, Ian Felstead, Fiona M. Maclean, Irina Vasile, Timothy Neo, and Amy Smyth On 17 June 2022, the Department for Culture, Media and Sport (DCMS) published its response to its consultation “Data: a new direction” (the Consultation), setting out … Continue Reading
The Advocate General argues that organisations should provide individuals with information on the specific recipients of their personal data. By Tim Wybitul, James Lloyd, Isabelle Brams, Irina Vasile, and Amy Smyth Advocate General Giovanni Pitruzzella (AG) of the Court of Justice of the European Union (CJEU) recently delivered an opinion (the Opinion) regarding the interpretation … Continue Reading
Under the new rules Chinese NPOs holding more than 1 million individuals’ personal information must apply for a cybersecurity review prior to listing abroad. By Hui Xu, Kieran Donovan, and Bianca Lee On February 15, 2022, the Cybersecurity Review Measures (2021) (CRM 2021, unofficial English text available here) took effect. CRM 2021 was promulgated on … Continue Reading
Organisations subject to the law should carry out a gap analysis of their current compliance position against the new requirements. By Brian A. Meenagh, Alexander Hendry, and Lucy Tucker The United Arab Emirates (UAE) has issued its first federal data protection law (Federal Decree Law No. 45/2021 on the Protection of Personal Data) (the Data … Continue Reading
The French Data Protection Authority’s white paper discusses how companies can comply with data privacy and security obligations. By Christian F. McDermott, Myria Saarinen, Calum Docherty, Charlotte Guerin, Jiou (Alex) Park, and Amy Smyth The use of card, contactless, and innovative digital payment solutions has significantly increased in recent years, fueled by the immediate impacts … Continue Reading
Following recent setbacks, the FTC seeks a foothold for monetary remedies in the online advertising space. By Jennifer C. Archie, Antony “Tony” Kim, Michael H. Rubin, and Marissa R. Boynton On October 13, 2021, the Federal Trade Commission (FTC) sent a Notice of Penalty Offenses Concerning Endorsements and Testimonials to more than 700 businesses (the … Continue Reading