The new general data privacy laws in Oregon and Delaware expand on existing requirements under other state privacy laws. By Robert Blamires, Clayton Northouse, Austin L. Anderson, and Jennifer Howes Key Takeaways: Oregon and Delaware have become the seventh and eighth US states this year to enact general data privacy legislation — growing the US … Continue Reading
The new framework provides an additional route for personal data transfers from the EEA to the US. By Robert Blamires, Gail E. Crawford, James Lloyd, Clayton Northouse, Alice Brunning, Alexander Ford-Cox, and Jennifer Howes On 10 July 2023, the European Commission (EC) took the final step to enable businesses to start relying on the new … Continue Reading
Washington State’s landmark privacy law has inspired other states to pass similar laws with stringent requirements on a broad range of companies and processing activities. By Heather B. Deixler, Clayton Northouse, Austin L. Anderson, Kiara E. Vaughn, and Kathryn Parsons-Reponte Key Takeaways: Washington State and Nevada have now passed health data privacy laws that impose … Continue Reading
The California Attorney General’s investigative sweep is a potential harbinger of increased focus on employers’ data privacy compliance with respect to employee data. By Robert Blamires, Michael H. Rubin, Joseph C. Hansen, and Kathryn Parsons-Reponte On July 14, 2023, the California Attorney General announced an investigative sweep targeting large California employers, focusing on employers’ compliance … Continue Reading
Covered companies will need to take additional steps to comply with the law in light of the new obligations relating to consumer health data and minors under 18 years old. By Marissa R. Boynton, Serrin Turner, Joseph C. Hansen, Jennifer Howes, and Dyllan Brown-Bramble On June 6, 2023, the Connecticut legislature passed Substitute Senate Bill … Continue Reading
A California court has held that the regulations the California Privacy Protection Agency adopted in March 2023 may not be enforced until March 2024. By Michael Rubin, Joseph Hansen, Austin Anderson, and Max Mazzelli On June 30, 2023, a day before the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act … Continue Reading
The French Data Protection Authority has imposed a €40 million fine for GDPR infringements. By Myria Saarinen and Charlotte Guerin On 15 June 2023 the French Data Protection Authority (the CNIL), acting as Lead Supervisory Authority pursuant to the cooperation procedure under Article 60 GDPR, handed down a decision against the French adtech company Criteo … Continue Reading
The amended PDPL diverges from international privacy laws in several areas, including personal data transfers, penalties, and breach notification. By Brian A. Meenagh and Lucy Tucker An amended version of the Kingdom of Saudi Arabia’s Personal Data Protection Law (PDPL) was published in the Official Gazette of the Kingdom of Saudi Arabia on April 7, … Continue Reading
The stringent law introduces several novel obligations and a unique approach to determining applicability that may broaden its reach. By Clayton Northouse, Michael H. Rubin, and Robert Brown On June 18, 2023, Texas enacted the Texas Data Privacy & Security Act (TDPSA), which will largely take effect in just over a year on July 1, … Continue Reading
The French Data Protection Authority imposed a €280,000 fine for GDPR infringements and a €100,000 fine for violation of French cookie rules. By Myria Saarinen On 11 May 2023 the French Data Protection Authority (the CNIL) handed down its decision on the health website Doctissimo, imposing a €280,000 fine for the infringement of four provisions … Continue Reading
The new laws introduce novel applicability thresholds and other requirements that businesses should consider when preparing for compliance with US state privacy laws, including those coming into effect from 2023 onwards. By Robert Blamires, Marissa Boynton, Michael H. Rubin, Joseph Hansen, and Austin Anderson Key Takeaways: (i) Indiana, Montana, and Tennessee have all enacted general … Continue Reading
By Ian Felstead, Gail Crawford, Serrin Turner, Tim Wybitul, and Hayley Pizzey[1] The final decision of the Irish Data Protection Commission (IDPC) in relation to the transfers of EU/EEA Facebook user data by Meta Platforms Ireland Limited (Meta Ireland) to its processor, Meta Platforms, Inc., in the US (the Transfers)[2] was published on 22 May … Continue Reading
The court determined that mere infringement of the GDPR is insufficient for a damages claim, but that there is no minimum threshold for non-material damages. By Tim Wybitul, Myria Saarinen, Isabelle Brams, Floriane Cruchet, Camille Dorval, Charlotte Guerin, Lara Nonninger, and Hayley Pizzey In a recent judgment (Case C-300/21), the Court of Justice of the … Continue Reading
Organisations must provide individuals with information on the specific recipients of their data upon request. By Tim Wybitul, Isabelle Brams, Calum Docherty, and Amy Smyth The Court of Justice of the European Union (CJEU) has ruled that organisations must generally disclose the specific identity of data recipients on request from an individual in order to … Continue Reading
The Dubai International Financial Centre urges companies to protect personal data when using artificial intelligence. By Brian A. Meenagh, Ksenia Koroleva, and Lucy Tucker On 18 April 2023, the Dubai International Financial Centre (DIFC), a financial free zone with its own data protection laws, published a consultation paper (the Consultation Paper) regarding amendments to DIFC Data Protection … Continue Reading
The CJEU’s final ruling could subject companies to direct GDPR enforcement by DPAs notwithstanding national procedural rules, but may rule against strict liability under the GDPR. By Tim Wybitul, Myria Saarinen, Isabelle Brams, Irina Vasile, and Amy Smyth On 27 April 2023 Advocate General of the Court of Justice of the European Union (CJEU) Campos … Continue Reading
Iowa’s new data privacy law, which will come into force in 2025, adds to an increasingly complex patchwork of state laws. By Robert Blamires, Clay Northouse, Michael Rubin, Robert Brown, Joseph Hansen, and Zac Alpert On March 28, 2023, Iowa became the sixth US state to pass a comprehensive privacy law. The Iowa data privacy … Continue Reading
The Office of the Privacy Commissioner for Personal Data of Hong Kong summarised enforcement trends and plans to further amend the Personal Data (Privacy) Ordinance. By Kieran Donovan and Jacqueline Van On 9 November 2022, the Office of the Privacy Commissioner for Personal Data of Hong Kong (Commissioner) published its annual report titled “A New … Continue Reading
Amended data privacy legislation enabled Hong Kong courts to convict doxxing offences, though their ability to enforce cessation notices remains unclear. By Kieran Donovan and Jacqueline Van In October 2021, Hong Kong amended its data privacy law, the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO), to criminalise “doxxing” (generally defined as publicly providing personally identifiable … Continue Reading
The amendment proposes business-friendly changes regarding data localization and legitimate interests. By Brian Meenagh and Lucy Tucker On November 20, 2022, the Saudi Data and AI Authority (SDAIA) published an amended version of the Kingdom of Saudi Arabia’s (KSA or the Kingdom) Personal Data Protection Law (PDPL) for consultation (the Amended Draft). The Amended Draft … Continue Reading
The proposal provides a uniform basis for secondary research and clarifies uncertainty over implementation and interpretation of the GDPR but also raises many questions. By Oliver Mobasser and Gail Crawford On 3 May 2022, the European Commission launched its proposal for a Regulation for the European Health Data Space to “unleash the full potential of … Continue Reading
The Advocate General opined that data subjects must prove that they suffered damage from a GDPR breach in order to claim compensation. By Tim Wybitul, Isabelle Brams, Lara Nonninger, and Hayley Pizzey Article 82 of the General Data Protection Regulation (GDPR) states that any person who has suffered material or non-material damage as a result … Continue Reading
The guidance outlines steps that organizations should take to enhance data security as hybrid working and learning introduce new risks. By Kieran Donovan and Malika Sajdik On August 30, 2022, the Office of the Privacy Commissioner for Personal Data of Hong Kong (PCPD) issued a Guidance Note on Data Security Measures for Information and Communications … Continue Reading
The Information Commissioner’s Office published draft guidance on privacy enhancing technologies that can be used to comply with privacy-by-design requirements. By Gail Crawford, Fiona Maclean, Irina Vasile, and Amy Smyth On 7 September 2022, the Information Commissioner’s Office (ICO) published a draft guidance on privacy-enhancing technologies (Draft Guidance) in which it explains what privacy enhancing … Continue Reading
