Global Privacy & Security Compliance Law Blog

Takeaways From Hong Kong PCPD’s 2021-22 Annual Report

Posted in Legislative & Regulatory Developments, Privacy, Security

The Office of the Privacy Commissioner for Personal Data of Hong Kong summarised enforcement trends and plans to further amend the Personal Data (Privacy) Ordinance.

By Kieran Donovan and Jacqueline Van

On 9 November 2022, the Office of the Privacy Commissioner for Personal Data of Hong Kong (Commissioner) published its annual report titled “A New Era in the Regulatory Regime for the Protection of Personal Data” (Annual Report). The Annual Report details the work of the Commissioner during 2021-2022, its observations on trends of complaints, and expectations for the year ahead. In particular, the Annual Report reflects the Commissioner’s continued efforts to enforce the new doxxing offence, and a likely further legislative review of the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) in the coming year.

Continue Reading

Hong Kong’s Anti-Doxxing Laws — the State of Enforcement One Year On

Posted in Legislative & Regulatory Developments, Privacy

Amended data privacy legislation enabled Hong Kong courts to convict doxxing offences, though their ability to enforce cessation notices remains unclear.

By Kieran Donovan and Jacqueline Van

In October 2021, Hong Kong amended its data privacy law, the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO), to criminalise “doxxing” (generally defined as publicly providing personally identifiable information about an individual or related persons, usually via the internet, and often with malicious intent). The law empowers the Privacy Commissioner for Personal Data (Commissioner) to carry out criminal investigations, institute prosecutions, and issue cessation notices in relation to doxxing. The law is similar in many respects to New Zealand’s Harmful Digital Communications Act and Singapore’s Protection from Harassment Act, each of which were expressly referred to by the Hong Kong SAR’s Legislative Council Research Office in advance of the amendment coming into force.

This blog post reviews doxxing-related enforcement activity in Hong Kong since the amendment came into effect.

Continue Reading

Saudi Arabia Issues Amended Data Protection Law for Consultation

Posted in Legislative & Regulatory Developments, Privacy, Security

The amendment proposes business-friendly changes regarding data localization and legitimate interests.

By Brian Meenagh and Lucy Tucker

On November 20, 2022, the Saudi Data and AI Authority (SDAIA) published an amended version of the Kingdom of Saudi Arabia’s (KSA or the Kingdom) Personal Data Protection Law (PDPL) for consultation (the Amended Draft). The Amended Draft contains significant changes which are largely business friendly, including a relaxation of strict data localization requirements and the introduction of a form of legitimate interests as a legal basis for processing.

Continue Reading

The European Health Data Space — Panacea or Poison Pill?

Posted in GDPR, Privacy

The proposal provides a uniform basis for secondary research and clarifies uncertainty over implementation and interpretation of the GDPR but also raises many questions.

By Oliver Mobasser and Gail Crawford

On 3 May 2022, the European Commission launched its proposal for a Regulation for the European Health Data Space to “unleash the full potential of health data”. However, questions arise as to whether this proposal is a welcome facilitator of innovation or another burden for research-focussed businesses.

Among other goals, the Regulation aims to facilitate secondary use of clinical data for research purposes by requiring “data holders” to make data available and enabling “data users” to access that data in secure processing environments and based on permits issued by “health data access bodies”.

Read the full article that focuses on secondary processing and the issues that the Commission’s proposals raise.

Advocate General: No Compensation for Mere Upset Caused by GDPR Infringement

Posted in GDPR, Privacy

The Advocate General opined that data subjects must prove that they suffered damage from a GDPR breach in order to claim compensation.

By Tim Wybitul, Isabelle Brams, Lara Nonninger, and Hayley Pizzey

Article 82 of the General Data Protection Regulation (GDPR) states that any person who has suffered material or non-material damage as a result of a GDPR infringement has the right to receive compensation. The meaning of non-material damage, in particular, has been debated for some time. Some European courts have been generous in assessing non-material damages to claimants. A number of German courts, for example, have found that loss of control of personal data can amount to damage.[1] A series of cases before the Court of Justice of the European Union (CJEU) also question, among other things, whether damage — or proof of damage — is required at all under Article 82 GDPR.[2] Continue Reading

Hong Kong Issues Guidance on Recommended Data Security Measures

Posted in Privacy, Security

The guidance outlines steps that organizations should take to enhance data security as hybrid working and learning introduce new risks.

By Kieran Donovan and Malika Sajdik

On August 30, 2022, the Office of the Privacy Commissioner for Personal Data of Hong Kong (PCPD) issued a Guidance Note on Data Security Measures for Information and Communications Technology (the Guidance Note).

The Guidance Note was published in light of the “new normal” of hybrid working and learning, which has heightened personal data security risks from the increased digitization of data and use of information and communications technology (ICT). In 2021, the PCPD received a total of 140 personal data breach notifications from organizations, representing a year-on-year increase of 36%, and in the first seven months of 2022 alone, the PCPD received 68 data breach notifications. Common incidents reported included hacking, unauthorized access to personal data by employees, loss of documents or portable devices, and inadvertent disclosure of personal data via email. Continue Reading

Privacy Enhancing Technologies — A Panacea for Data Protection Compliance?

Posted in Privacy, Security

The Information Commissioner’s Office published draft guidance on privacy enhancing technologies that can be used to comply with privacy-by-design requirements.

By Gail Crawford, Fiona Maclean, Irina Vasile, and Amy Smyth

On 7 September 2022, the Information Commissioner’s Office (ICO) published a draft guidance on privacy-enhancing technologies (Draft Guidance) in which it explains what privacy enhancing technologies (PETs) are and how organizations can use them to meet privacy-by-design requirements. PETs incorporate data protection principles by (amongst others) minimizing use of personal data, ensuring security, and facilitating data subject rights. Organizations that want to use PETs should first conduct a data protection impact assessment to determine whether such technologies are indeed adequate for their processing activities. Continue Reading

CCPA Will Now Fully Regulate Personnel and B2B Information

Posted in Legislative & Regulatory Developments, Privacy

Businesses will need to take additional steps to ensure compliance as exemptions under the California Consumer Privacy Act expire at the end of 2022.

By Robert Blamires, Michael H. Rubin, Robert W. Brown, and Jennifer Howes

The California legislature adjourned its 2022 session without extending the exemptions under the California Consumer Privacy Act (CCPA) for personal information collected about California residents in a personnel/HR or business-to-business (B2B) context. Therefore, starting next year all obligations (and rights) in the CCPA, including those introduced under the California Privacy Rights Act (CPRA), will extend to such information. Continue Reading

California Attorney General’s Office Announces First Public CCPA Enforcement Action

Posted in Privacy

Aggressive enforcement may be on the horizon now that businesses have had more than two years to comply with California’s landmark privacy law.

By Michael Rubin, Joseph Hansen, Robert Brown, Max Mazzelli, and Wesley Tiu

On August 25, 2022, the California Office of the Attorney General (OAG) announced that it had settled a complaint against Sephora alleging violations of the California Consumer Privacy Act (CCPA). The public settlement was the first since the CCPA became enforceable more than two years ago. Continue Reading

UK Data Protection Bill: Overview of Proposed Changes (Part 1)

Posted in GDPR, Legislative & Regulatory Developments

The bill would largely build on the UK data protection regime’s EU GDPR-style framework, albeit with UK-specific provisions.

By James Lloyd, Fiona M. Maclean, Calum Docherty, Irina Vasile, Alex Ford-Cox, and Amy Smyth

The UK government introduced the Data Protection and Digital Information Bill (the Bill) to Parliament on 18 July 2022, following the publication of its response to the consultation “Data: a new direction” (the Consultation). (For more information on the Consultation, see this Latham blog post.)

The Bill details the government’s proposals for reforming the current UK data protection regime (consisting primarily of the UK Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR)).

This article presents an overview of the proposed changes. In part 2, we provide a deeper dive into certain key provisions.

In summary, the proposed changes — while broad in scope — do not amount to a wholesale change in direction for UK data protection laws. Assuming the Bill is passed without amendment, the UK regime would largely build on the current EU GDPR-style framework, albeit with UK-specific provisions. The changes can be grouped into two categories: (1) a more risk-based / outcome-focused approach and (2) developments in key areas around accountability, data subject rights, security, and legal grounds for processing. Continue Reading

LexBlog