Global Privacy & Security Compliance Law Blog

Category Archives: Privacy

Oregon and Delaware Join the Surge of US States Enacting General Privacy Legislation

The new general data privacy laws in Oregon and Delaware expand on existing requirements under other state privacy laws. By Robert Blamires, Clayton Northouse, Austin L. Anderson, and Jennifer Howes Key Takeaways: Oregon and Delaware have become the seventh and eighth US states this year to enact general data privacy legislation — growing the US … Continue Reading

EU-US Data Privacy Framework Goes Live: What Are the Practical Implications?

The new framework provides an additional route for personal data transfers from the EEA to the US. By Robert Blamires, Gail E. Crawford, James Lloyd, Clayton Northouse, Alice Brunning, Alexander Ford-Cox, and Jennifer Howes On 10 July 2023, the European Commission (EC) took the final step to enable businesses to start relying on the new … Continue Reading

Recently Enacted Health Data Privacy Laws in Washington and Nevada Pose Challenges for Businesses

Washington State’s landmark privacy law has inspired other states to pass similar laws with stringent requirements on a broad range of companies and processing activities. By Heather B. Deixler, Clayton Northouse, Austin L. Anderson, Kiara E. Vaughn, and Kathryn Parsons-Reponte Key Takeaways: Washington State and Nevada have now passed health data privacy laws that impose … Continue Reading

Employee Data Increasingly in the Crosshairs of Data Privacy Enforcement

The California Attorney General’s investigative sweep is a potential harbinger of increased focus on employers’ data privacy compliance with respect to employee data. By Robert Blamires, Michael H. Rubin, Joseph C. Hansen, and Kathryn Parsons-Reponte On July 14, 2023, the California Attorney General announced an investigative sweep targeting large California employers, focusing on employers’ compliance … Continue Reading

Connecticut Passes Significant Amendments to the Connecticut Data Privacy Act

Covered companies will need to take additional steps to comply with the law in light of the new obligations relating to consumer health data and minors under 18 years old. By Marissa R. Boynton, Serrin Turner, Joseph C. Hansen, Jennifer Howes, and Dyllan Brown-Bramble On June 6, 2023, the Connecticut legislature passed Substitute Senate Bill … Continue Reading

Enforcement of New CCPA Regulations Stayed Until March 2024

A California court has held that the regulations the California Privacy Protection Agency adopted in March 2023 may not be enforced until March 2024. By Michael Rubin, Joseph Hansen, Austin Anderson, and Max Mazzelli On June 30, 2023, a day before the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act … Continue Reading

CNIL Fines Adtech Giant for Unlawful Data Processing

The French Data Protection Authority has imposed a €40 million fine for GDPR infringements. By Myria Saarinen and Charlotte Guerin On 15 June 2023 the French Data Protection Authority (the CNIL), acting as Lead Supervisory Authority pursuant to the cooperation procedure under Article 60 GDPR, handed down a decision against the French adtech company Criteo … Continue Reading

Saudi Arabia: Overview of the Amended PDPL and Key Differences to the GDPR

The amended PDPL diverges from international privacy laws in several areas, including personal data transfers, penalties, and breach notification. By Brian A. Meenagh and Lucy Tucker An amended version of the Kingdom of Saudi Arabia’s Personal Data Protection Law (PDPL) was published in the Official Gazette of the Kingdom of Saudi Arabia on April 7, … Continue Reading

CNIL Fines Health Website for Unlawful Data Processing

The French Data Protection Authority imposed a €280,000 fine for GDPR infringements and a €100,000 fine for violation of French cookie rules. By Myria Saarinen On 11 May 2023 the French Data Protection Authority (the CNIL) handed down its decision on the health website Doctissimo, imposing a €280,000 fine for the infringement of four provisions … Continue Reading

Indiana, Montana, and Tennessee Enact General Data Privacy Laws, Bringing the Total to Nine and Counting

The new laws introduce novel applicability thresholds and other requirements that businesses should consider when preparing for compliance with US state privacy laws, including those coming into effect from 2023 onwards. By Robert Blamires, Marissa Boynton, Michael H. Rubin, Joseph Hansen, and Austin Anderson Key Takeaways: (i) Indiana, Montana, and Tennessee have all enacted general … Continue Reading

Irish Data Protection Commission Orders Meta Ireland to Suspend Facebook Data Transfers to the US and Imposes Record GDPR Fine of €1.2 Billion

By Ian Felstead, Gail Crawford, Serrin Turner, Tim Wybitul, and Hayley Pizzey[1] The final decision of the Irish Data Protection Commission (IDPC) in relation to the transfers of EU/EEA Facebook user data by Meta Platforms Ireland Limited (Meta Ireland) to its processor, Meta Platforms, Inc., in the US (the Transfers)[2] was published on 22 May … Continue Reading

CJEU Rejects Minimum Threshold for GDPR Claims

The court determined that mere infringement of the GDPR is insufficient for a damages claim, but that there is no minimum threshold for non-material damages. By Tim Wybitul, Myria Saarinen, Isabelle Brams, Floriane Cruchet, Camille Dorval, Charlotte Guerin, Lara Nonninger, and Hayley Pizzey In a recent judgment (Case C-300/21), the Court of Justice of the … Continue Reading

CJEU Sets High Bar for Responses to Data Subject Access Requests

Organisations must provide individuals with information on the specific recipients of their data upon request. By Tim Wybitul, Isabelle Brams, Calum Docherty, and Amy Smyth The Court of Justice of the European Union (CJEU) has ruled that organisations must generally disclose the specific identity of data recipients on request from an individual in order to … Continue Reading

DIFC Proposes to Amend Data Protection Rules to Regulate Use of AI

The Dubai International Financial Centre urges companies to protect personal data when using artificial intelligence. By Brian A. Meenagh, Ksenia Koroleva, and Lucy Tucker On 18 April 2023, the Dubai International Financial Centre (DIFC), a financial free zone with its own data protection laws, published a consultation paper (the Consultation Paper) regarding amendments to DIFC Data Protection … Continue Reading

CJEU Advocate General Rejects Strict Liability for GDPR Fines

The CJEU’s final ruling could subject companies to direct GDPR enforcement by DPAs notwithstanding national procedural rules, but may rule against strict liability under the GDPR. By Tim Wybitul, Myria Saarinen, Isabelle Brams, Irina Vasile, and Amy Smyth On 27 April 2023 Advocate General of the Court of Justice of the European Union (CJEU) Campos … Continue Reading

And Now There Are Six: Iowa Passes New Privacy Law

Iowa’s new data privacy law, which will come into force in 2025, adds to an increasingly complex patchwork of state laws. By Robert Blamires, Clay Northouse, Michael Rubin, Robert Brown, Joseph Hansen, and Zac Alpert On March 28, 2023, Iowa became the sixth US state to pass a comprehensive privacy law. The Iowa data privacy … Continue Reading

Takeaways From Hong Kong PCPD’s 2021-22 Annual Report

The Office of the Privacy Commissioner for Personal Data of Hong Kong summarised enforcement trends and plans to further amend the Personal Data (Privacy) Ordinance. By Kieran Donovan and Jacqueline Van On 9 November 2022, the Office of the Privacy Commissioner for Personal Data of Hong Kong (Commissioner) published its annual report titled “A New … Continue Reading

Hong Kong’s Anti-Doxxing Laws — the State of Enforcement One Year On

Amended data privacy legislation enabled Hong Kong courts to convict doxxing offences, though their ability to enforce cessation notices remains unclear. By Kieran Donovan and Jacqueline Van In October 2021, Hong Kong amended its data privacy law, the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO), to criminalise “doxxing” (generally defined as publicly providing personally identifiable … Continue Reading

Saudi Arabia Issues Amended Data Protection Law for Consultation

The amendment proposes business-friendly changes regarding data localization and legitimate interests. By Brian Meenagh and Lucy Tucker On November 20, 2022, the Saudi Data and AI Authority (SDAIA) published an amended version of the Kingdom of Saudi Arabia’s (KSA or the Kingdom) Personal Data Protection Law (PDPL) for consultation (the Amended Draft). The Amended Draft … Continue Reading

The European Health Data Space — Panacea or Poison Pill?

The proposal provides a uniform basis for secondary research and clarifies uncertainty over implementation and interpretation of the GDPR but also raises many questions. By Oliver Mobasser and Gail Crawford On 3 May 2022, the European Commission launched its proposal for a Regulation for the European Health Data Space to “unleash the full potential of … Continue Reading

Advocate General: No Compensation for Mere Upset Caused by GDPR Infringement

The Advocate General opined that data subjects must prove that they suffered damage from a GDPR breach in order to claim compensation. By Tim Wybitul, Isabelle Brams, Lara Nonninger, and Hayley Pizzey Article 82 of the General Data Protection Regulation (GDPR) states that any person who has suffered material or non-material damage as a result … Continue Reading

Hong Kong Issues Guidance on Recommended Data Security Measures

The guidance outlines steps that organizations should take to enhance data security as hybrid working and learning introduce new risks. By Kieran Donovan and Malika Sajdik On August 30, 2022, the Office of the Privacy Commissioner for Personal Data of Hong Kong (PCPD) issued a Guidance Note on Data Security Measures for Information and Communications … Continue Reading

Privacy Enhancing Technologies — A Panacea for Data Protection Compliance?

The Information Commissioner’s Office published draft guidance on privacy enhancing technologies that can be used to comply with privacy-by-design requirements. By Gail Crawford, Fiona Maclean, Irina Vasile, and Amy Smyth On 7 September 2022, the Information Commissioner’s Office (ICO) published a draft guidance on privacy-enhancing technologies (Draft Guidance) in which it explains what privacy enhancing … Continue Reading