Privacy

Subscribe to Privacy via RSS

Organisations must provide individuals with information on the specific recipients of their data upon request.

By Tim Wybitul, Isabelle Brams, Calum Docherty, and Amy Smyth

The Court of Justice of the European Union (CJEU) has ruled that organisations must generally disclose the specific identity of data recipients on request from an individual in order to give effect to the right of access. Organisations may only limit their response to the mere categories of recipients if they cannot identify the specific recipients or if the request is manifestly unfounded or excessive. The court’s judgment in the case of RW v. Österreichische Post AG (Case C-154/21) follows the opinion given by CJEU Advocate General Giovanni Pitruzzella in mid-2022 (the Opinion). For background on the case and the Opinion, see this Latham & Watkins blog post.

The Dubai International Financial Centre urges companies to protect personal data when using artificial intelligence.

By Brian A. MeenaghKsenia Koroleva, and Lucy Tucker 

On 18 April 2023, the Dubai International Financial Centre (DIFC), a financial free zone with its own data protection laws, published a consultation paper (the Consultation Paper) regarding amendments to DIFC Data Protection Regulations (the Regulations) for a 30-day public consultation.

The Consultation Paper acknowledges that AI systems are important and useful but carry risks to personal data processing. The DIFC’s proposed approach urges all companies using AI systems to adopt and reinforce technical and organisational means to protect personal data when using AI.

The CJEU’s final ruling could subject companies to direct GDPR enforcement by DPAs notwithstanding national procedural rules, but may rule against strict liability under the GDPR.

By Tim Wybitul, Myria Saarinen, Isabelle Brams, Irina Vasile, and Amy Smyth

On 27 April 2023 Advocate General of the Court of Justice of the European Union (CJEU) Campos Sánchez-Bordona delivered an opinion in which he approved direct enforcement of the General Data Protection Regulation (GDPR) against companies but rejected

Iowa’s new data privacy law, which will come into force in 2025, adds to an increasingly complex patchwork of state laws.

By Robert Blamires, Clay Northouse, Michael Rubin, Robert Brown, Joseph Hansen, and Zac Alpert

On March 28, 2023, Iowa became the sixth US state to pass a comprehensive privacy law. The Iowa data privacy law (SF 262) (Iowa Privacy Law) was passed unanimously by the state House and Senate, and signed by Governor Kim Reynolds.

The Iowa Privacy Law imposes requirements similar to those already required by other state privacy laws—most notably, Utah. The key task for companies subject to the law will be to ensure that their existing measures cover personal data collected about Iowa residents, for example, by extending their privacy notices, contracts, and user rights mechanisms to include Iowa consumer personal data.

The Office of the Privacy Commissioner for Personal Data of Hong Kong summarised enforcement trends and plans to further amend the Personal Data (Privacy) Ordinance.

By Kieran Donovan and Jacqueline Van

On 9 November 2022, the Office of the Privacy Commissioner for Personal Data of Hong Kong (Commissioner) published its annual report titled “A New Era in the Regulatory Regime for the Protection of Personal Data” (Annual Report). The Annual Report details the work of the Commissioner during 2021-2022, its observations on trends of complaints, and expectations for the year ahead. In particular, the Annual Report reflects the Commissioner’s continued efforts to enforce the new doxxing offence, and a likely further legislative review of the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) in the coming year.

Amended data privacy legislation enabled Hong Kong courts to convict doxxing offences, though their ability to enforce cessation notices remains unclear.

By Kieran Donovan and Jacqueline Van

In October 2021, Hong Kong amended its data privacy law, the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO), to criminalise “doxxing” (generally defined as publicly providing personally identifiable information about an individual or related persons, usually via the internet, and often with malicious intent). The law empowers the Privacy Commissioner for Personal Data (Commissioner) to carry out criminal investigations, institute prosecutions, and issue cessation notices in relation to doxxing. The law is similar in many respects to New Zealand’s Harmful Digital Communications Act and Singapore’s Protection from Harassment Act, each of which were expressly referred to by the Hong Kong SAR’s Legislative Council Research Office in advance of the amendment coming into force.

This blog post reviews doxxing-related enforcement activity in Hong Kong since the amendment came into effect.

The amendment proposes business-friendly changes regarding data localization and legitimate interests.

By Brian Meenagh and Lucy Tucker

On November 20, 2022, the Saudi Data and AI Authority (SDAIA) published an amended version of the Kingdom of Saudi Arabia’s (KSA or the Kingdom) Personal Data Protection Law (PDPL) for consultation (the Amended Draft). The Amended Draft contains significant changes which are largely business friendly, including a relaxation of strict data localization requirements and the introduction of a form of legitimate interests as a legal basis for processing.

The proposal provides a uniform basis for secondary research and clarifies uncertainty over implementation and interpretation of the GDPR but also raises many questions.

By Oliver Mobasser and Gail Crawford

On 3 May 2022, the European Commission launched its proposal for a Regulation for the European Health Data Space to “unleash the full potential of health data”. However, questions arise as to whether this proposal is a welcome facilitator of innovation or another burden for research-focussed businesses.

Among other goals

The Advocate General opined that data subjects must prove that they suffered damage from a GDPR breach in order to claim compensation.

By Tim Wybitul, Isabelle Brams, Lara Nonninger, and Hayley Pizzey

Article 82 of the General Data Protection Regulation (GDPR) states that any person who has suffered material or non-material damage as a result of a GDPR infringement has the right to receive compensation. The meaning of non-material damage, in particular, has been debated for some time. Some European courts have been generous in assessing non-material damages to claimants. A number of German courts, for example, have found that loss of control of personal data can amount to damage.[1] A series of cases before the Court of Justice of the European Union (CJEU) also question, among other things, whether damage — or proof of damage — is required at all under Article 82 GDPR.[2]

The guidance outlines steps that organizations should take to enhance data security as hybrid working and learning introduce new risks.

By Kieran Donovan and Malika Sajdik

On August 30, 2022, the Office of the Privacy Commissioner for Personal Data of Hong Kong (PCPD) issued a Guidance Note on Data Security Measures for Information and Communications Technology (the Guidance Note).

The Guidance Note was published in light of the “new normal” of hybrid working and learning, which has heightened personal data security risks from the increased digitization of data and use of information and communications technology (ICT). In 2021, the PCPD received a total of 140 personal data breach notifications from organizations, representing a year-on-year increase of 36%, and in the first seven months of 2022 alone, the PCPD received 68 data breach notifications. Common incidents reported included hacking, unauthorized access to personal data by employees, loss of documents or portable devices, and inadvertent disclosure of personal data via email.