Global Privacy & Security Compliance Law Blog

European Data Protection Board Focuses Coordinated Enforcement on Data Protection Officers

Posted in GDPR, Legislative & Regulatory Developments

Organisations should expect increased scrutiny and enforcement activity around the role of data protection officers in the coming year.

By Gail E. Crawford, Fiona M. Maclean, Ben Leigh, and Amy Smyth

The European Data Protection Board (EDPB) has announced that its coordinated enforcement action for 2023 will focus on the designation and position of data protection officers (DPOs). Each year, the EDPB’s Coordinated Enforcement Framework (CEF) designates a topic EU data protection authorities (DPAs) should focus on. Although participation for any given year is voluntary, the EDPB has stated that this CEF will involve 26 DPAs across the European Economic Area, including the European Data Protection Supervisor.


Hong Kong Privacy Regulator Highlights Data Security Guidance as Cyberattacks Increase

Posted in Legislative & Regulatory Developments, Security

The Privacy Commissioner for Personal Data reminds organisations to review and implement appropriate data security measures amidst more data breaches.

By Kieran Donovan, Anthony Liu, and Jacqueline Van

On 13 February 2023, the Privacy Commissioner for Personal Data of Hong Kong (PCPD) published an article titled “Guidance on Data Security – Heightened Importance of Data Security Amid Increased Cyberthreats”. The article discusses the increasing trend of cyberattack incidents, identifies common vulnerabilities based on data incidents the PCPD has investigated, and sets out practical guidance for data security measures.


Takeaways From Hong Kong PCPD’s 2021-22 Annual Report

Posted in Legislative & Regulatory Developments, Privacy, Security

The Office of the Privacy Commissioner for Personal Data of Hong Kong summarised enforcement trends and plans to further amend the Personal Data (Privacy) Ordinance.

By Kieran Donovan and Jacqueline Van

On 9 November 2022, the Office of the Privacy Commissioner for Personal Data of Hong Kong (Commissioner) published its annual report titled “A New Era in the Regulatory Regime for the Protection of Personal Data” (Annual Report). The Annual Report details the work of the Commissioner during 2021-2022, its observations on trends of complaints, and expectations for the year ahead. In particular, the Annual Report reflects the Commissioner’s continued efforts to enforce the new doxxing offence, and a likely further legislative review of the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) in the coming year.


Hong Kong’s Anti-Doxxing Laws — the State of Enforcement One Year On

Posted in Legislative & Regulatory Developments, Privacy

Amended data privacy legislation enabled Hong Kong courts to convict doxxing offences, though their ability to enforce cessation notices remains unclear.

By Kieran Donovan and Jacqueline Van

In October 2021, Hong Kong amended its data privacy law, the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO), to criminalise “doxxing” (generally defined as publicly providing personally identifiable information about an individual or related persons, usually via the internet, and often with malicious intent). The law empowers the Privacy Commissioner for Personal Data (Commissioner) to carry out criminal investigations, institute prosecutions, and issue cessation notices in relation to doxxing. The law is similar in many respects to New Zealand’s Harmful Digital Communications Act and Singapore’s Protection from Harassment Act, each of which was expressly referred to by the Hong Kong SAR’s Legislative Council Research Office in advance of the amendment coming into force.

This blog post reviews doxxing-related enforcement activity in Hong Kong since the amendment came into effect.


Saudi Arabia Issues Amended Data Protection Law for Consultation

Posted in Legislative & Regulatory Developments, Privacy, Security

The amendment proposes business-friendly changes regarding data localization and legitimate interests.

By Brian Meenagh and Lucy Tucker

On November 20, 2022, the Saudi Data and AI Authority (SDAIA) published an amended version of the Kingdom of Saudi Arabia’s (KSA or the Kingdom) Personal Data Protection Law (PDPL) for consultation (the Amended Draft). The Amended Draft contains significant changes which are largely business friendly, including a relaxation of strict data localization requirements and the introduction of a form of legitimate interests as a legal basis for processing.


The European Health Data Space — Panacea or Poison Pill?

Posted in GDPR, Privacy

The proposal provides a uniform basis for secondary research and clarifies uncertainty over implementation and interpretation of the GDPR but also raises many questions.

By Oliver Mobasser and Gail Crawford

On 3 May 2022, the European Commission launched its proposal for a Regulation for the European Health Data Space to “unleash the full potential of health data”. However, questions arise as to whether this proposal is a welcome facilitator of innovation or another burden for research-focussed businesses.

Among other goals, the Regulation aims to facilitate secondary use of clinical data for research purposes by requiring “data holders” to make data available and enabling “data users” to access that data in secure processing environments and based on permits issued by “health data access bodies”.

Read the full article that focuses on secondary processing and the issues that the Commission’s proposals raise.

Advocate General: No Compensation for Mere Upset Caused by GDPR Infringement

Posted in GDPR, Privacy

The Advocate General opined that data subjects must prove that they suffered damage from a GDPR breach in order to claim compensation.

By Tim Wybitul, Isabelle Brams, Lara Nonninger, and Hayley Pizzey

Article 82 of the General Data Protection Regulation (GDPR) states that any person who has suffered material or non-material damage as a result of a GDPR infringement has the right to receive compensation. The meaning of non-material damage, in particular, has been debated for some time. Some European courts have been generous in assessing non-material damages to claimants. A number of German courts, for example, have found that loss of control of personal data can amount to damage.[1] A series of cases before the Court of Justice of the European Union (CJEU) also question, among other things, whether damage — or proof of damage — is required at all under Article 82 GDPR.[2]

Hong Kong Issues Guidance on Recommended Data Security Measures

Posted in Privacy, Security

The guidance outlines steps that organizations should take to enhance data security as hybrid working and learning introduce new risks.

By Kieran Donovan and Malika Sajdik

On August 30, 2022, the Office of the Privacy Commissioner for Personal Data of Hong Kong (PCPD) issued a Guidance Note on Data Security Measures for Information and Communications Technology (the Guidance Note).

The Guidance Note was published in light of the “new normal” of hybrid working and learning, which has heightened personal data security risks from the increased digitization of data and use of information and communications technology (ICT). In 2021, the PCPD received a total of 140 personal data breach notifications from organizations, representing a year-on-year increase of 36%, and in the first seven months of 2022 alone, the PCPD received 68 data breach notifications. Common incidents reported included hacking, unauthorized access to personal data by employees, loss of documents or portable devices, and inadvertent disclosure of personal data via email.

Privacy Enhancing Technologies — A Panacea for Data Protection Compliance?

Posted in Privacy, Security

The Information Commissioner’s Office published draft guidance on privacy enhancing technologies that can be used to comply with privacy-by-design requirements.

By Gail Crawford, Fiona Maclean, Irina Vasile, and Amy Smyth

On 7 September 2022, the Information Commissioner’s Office (ICO) published draft guidance on privacy-enhancing technologies (Draft Guidance) in which it explains what privacy-enhancing technologies (PETs) are and how organizations can use them to meet privacy-by-design requirements. PETs incorporate data protection principles by, among other things, minimizing use of personal data, ensuring security, and facilitating data subject rights. Organizations that want to use PETs should first conduct a data protection impact assessment to determine whether such technologies are indeed adequate for their processing activities.

CCPA Will Now Fully Regulate Personnel and B2B Information

Posted in Legislative & Regulatory Developments, Privacy

Businesses will need to take additional steps to ensure compliance as exemptions under the California Consumer Privacy Act expire at the end of 2022.

By Robert Blamires, Michael H. Rubin, Robert W. Brown, and Jennifer Howes

The California legislature adjourned its 2022 session without extending the exemptions under the California Consumer Privacy Act (CCPA) for personal information collected about California residents in a personnel/HR or business-to-business (B2B) context. Therefore, starting next year all obligations (and rights) in the CCPA, including those introduced under the California Privacy Rights Act (CPRA), will extend to such information.
