Washington State’s landmark privacy law has inspired other states to pass similar laws with stringent requirements on a broad range of companies and processing activities. By Heather B. Deixler, Clayton Northouse, Austin L. Anderson, Kiara E. Vaughn, and Kathryn Parsons-Reponte Key Takeaways: Washington State and Nevada have now passed health data privacy laws that impose … Continue Reading
The guidance encourages organisations to formulate a data breach response plan, and outlines recommendations for handling an increasing number of data breach incidents. By Kieran Donovan and Jacqueline Van On 30 June 2023, the Office of the Privacy Commissioner for Personal Data of Hong Kong (PCPD) issued revised guidance titled “Guidance on Data Breach Handling … Continue Reading
A California court has held that the regulations the California Privacy Protection Agency adopted in March 2023 may not be enforced until March 2024. By Michael Rubin, Joseph Hansen, Austin Anderson, and Max Mazzelli On June 30, 2023, a day before the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act … Continue Reading
The French Data Protection Authority imposed a €280,000 fine for GDPR infringements and a €100,000 fine for violation of French cookie rules. By Myria Saarinen On 11 May 2023 the French Data Protection Authority (the CNIL) handed down its decision on the health website Doctissimo, imposing a €280,000 fine for the infringement of four provisions … Continue Reading
The new laws introduce novel applicability thresholds and other requirements that businesses should consider when preparing for compliance with US state privacy laws, including those coming into effect from 2023 onwards. By Robert Blamires, Marissa Boynton, Michael H. Rubin, Joseph Hansen, and Austin Anderson Key Takeaways: (i) Indiana, Montana, and Tennessee have all enacted general … Continue Reading
By Ian Felstead, Gail Crawford, Serrin Turner, Tim Wybitul, and Hayley Pizzey[1] The final decision of the Irish Data Protection Commission (IDPC) in relation to the transfers of EU/EEA Facebook user data by Meta Platforms Ireland Limited (Meta Ireland) to its processor, Meta Platforms, Inc., in the US (the Transfers)[2] was published on 22 May … Continue Reading
Organisations must provide individuals with information on the specific recipients of their data upon request. By Tim Wybitul, Isabelle Brams, Calum Docherty, and Amy Smyth The Court of Justice of the European Union (CJEU) has ruled that organisations must generally disclose the specific identity of data recipients on request from an individual in order to … Continue Reading
The Dubai International Financial Centre urges companies to protect personal data when using artificial intelligence. By Brian A. Meenagh, Ksenia Koroleva, and Lucy Tucker On 18 April 2023, the Dubai International Financial Centre (DIFC), a financial free zone with its own data protection laws, published a consultation paper (the Consultation Paper) regarding amendments to DIFC Data Protection … Continue Reading
The CJEU’s final ruling could subject companies to direct GDPR enforcement by DPAs notwithstanding national procedural rules, but may rule against strict liability under the GDPR. By Tim Wybitul, Myria Saarinen, Isabelle Brams, Irina Vasile, and Amy Smyth On 27 April 2023 Advocate General of the Court of Justice of the European Union (CJEU) Campos … Continue Reading
Iowa’s new data privacy law, which will come into force in 2025, adds to an increasingly complex patchwork of state laws. By Robert Blamires, Clay Northouse, Michael Rubin, Robert Brown, Joseph Hansen, and Zac Alpert On March 28, 2023, Iowa became the sixth US state to pass a comprehensive privacy law. The Iowa data privacy … Continue Reading
The Privacy Commissioner for Personal Data reminds organisations to review and implement appropriate data security measures amidst more data breaches. By Kieran Donovan, Anthony Liu, and Jacqueline Van On 13 February 2023, the Privacy Commissioner for Personal Data of Hong Kong (PCPD) published an article titled “Guidance on Data Security – Heightened Importance of Data … Continue Reading
The Office of the Privacy Commissioner for Personal Data of Hong Kong summarised enforcement trends and plans to further amend the Personal Data (Privacy) Ordinance. By Kieran Donovan and Jacqueline Van On 9 November 2022, the Office of the Privacy Commissioner for Personal Data of Hong Kong (Commissioner) published its annual report titled “A New … Continue Reading
The amendment proposes business-friendly changes regarding data localization and legitimate interests. By Brian Meenagh and Lucy Tucker On November 20, 2022, the Saudi Data and AI Authority (SDAIA) published an amended version of the Kingdom of Saudi Arabia’s (KSA or the Kingdom) Personal Data Protection Law (PDPL) for consultation (the Amended Draft). The Amended Draft … Continue Reading
The guidance outlines steps that organizations should take to enhance data security as hybrid working and learning introduce new risks. By Kieran Donovan and Malika Sajdik On August 30, 2022, the Office of the Privacy Commissioner for Personal Data of Hong Kong (PCPD) issued a Guidance Note on Data Security Measures for Information and Communications … Continue Reading
The Information Commissioner’s Office published draft guidance on privacy enhancing technologies that can be used to comply with privacy-by-design requirements. By Gail Crawford, Fiona Maclean, Irina Vasile, and Amy Smyth On 7 September 2022, the Information Commissioner’s Office (ICO) published a draft guidance on privacy-enhancing technologies (Draft Guidance) in which it explains what privacy enhancing … Continue Reading
The EDPB sets out relevant steps and factors that EU supervisory authorities should consider when calculating administrative fines under the GDPR. By Gail Crawford, Ian Felstead, James Lloyd, Tim Wybitul, Irina Vasile, Sami Qureshi, and Amy Smyth On 16 May 2022, the European Data Protection Board (EDPB) adopted draft Guidelines 04/2022 on the calculation of … Continue Reading
The evolution of cybersecurity-related representations and warranties in M&A transaction documentation has had an impact on financing transactions. Major M&A transactions and IPOs have become the target of increasingly sophisticated cyberattacks, in some cases affecting thousands of companies along the supply chain. Regulators have responded with stepped-up enforcement, extending their reach not just to victim … Continue Reading
Companies should take steps now to prepare for the new rules and expectations. By Jennifer C. Archie, Tony Kim, Serrin Turner, Alexander L. Stout, Ryan J. Malo, and James A. Smith The US government continues to expand regulatory requirements around notification and disclosure of major cyberattacks or incidents. New measures are arriving on the heels … Continue Reading
Utah enacts data privacy legislation in the mold of California, Colorado, and Virginia, but with less onerous requirements for businesses, in what is expected to be a model for more states going forward. By Jennifer Archie, Michael Rubin, Joseph Hansen, and Wesley Tiu On March 24, 2022, Utah Governor Spencer Cox signed the Utah Consumer … Continue Reading
The French Data Protection Authority’s white paper discusses how companies can comply with data privacy and security obligations. By Christian F. McDermott, Myria Saarinen, Calum Docherty, Charlotte Guerin, Jiou (Alex) Park, and Amy Smyth The use of card, contactless, and innovative digital payment solutions has significantly increased in recent years, fueled by the immediate impacts … Continue Reading
The Personal Information Protection Law, or PIPL, imposes stringent obligations of a similar standard to the GDPR and will take effect on November 1, 2021. By Hui Xu, Kieran Donovan, and Bianca Lee On August 20, 2021, the Standing Committee of the National People’s Congress adopted the Personal Information Protection Law of the People’s Republic … Continue Reading
The regulations aim to protect the security of the CII and impose more compliance obligations in support of the Network Security Law. By Hui Xu and Kieran Donovan On July 30, 2021, the State Council of the People’s Republic of China (PRC) published the Security Protection Regulations on the Critical Information Infrastructure (the Regulations), which … Continue Reading
The Data Security Law will enhance an increasingly comprehensive legal framework for information and data security in the PRC. By Hui Xu and Kieran Donovan On June 10, 2021, the Standing Committee of China’s National People’s Congress passed the Data Security Law (DSL), which will come into effect on September 1, 2021. The primary purpose of … Continue Reading
Online retailers storing credit card data for the sole purpose of facilitating further purchases will likely need to obtain consumer consent. By Christian F. McDermott, Calum Docherty, and Victoria Wan Online shopping has boomed in recent years. In 2020, the European statistics agency Eurostat estimated that 7 out of 10 internet users made online purchases … Continue Reading
