The CJEU has decided that the maximum thresholds for GDPR fines should be calculated using the global turnover of the broader corporate group, not solely the infringing entity.
By Gail Crawford, Fiona M. Maclean, Myria Saarinen, Tim Wybitul, Isabelle Brams, and Amy Smyth
The penalties provisions of the EU General Data Protection Regulation (GDPR) include a framework for the calculation of the fines that may be imposed on infringing organisations by national supervisory authorities and
Proposals grant controllers increased flexibility for automated decision-making, provided suitable safeguards are implemented.
By Fiona Maclean, Gail Crawford, Amy Smyth, and Lorenzo Meusburger
On 23 October 2024, the UK government introduced the Data (Use and Access) Bill (the Bill) to Parliament, marking a significant step in the evolution of the country’s data protection landscape. It follows previous reform attempts that lapsed after the July 2024 government change. The proposed legislation aims to reform various aspects of UK data protection law while also addressing broader initiatives related to data access and digital identity. Among its many provisions (138 Clauses, 16 Schedules and 251 pages to be precise), the Bill outlines notable changes in the realm of automated decision-making.
The California Attorney General’s investigative sweep is a potential harbinger of increased focus on employers’ data privacy compliance with respect to employee data.
By Robert Blamires, Michael H. Rubin, Joseph C. Hansen, and Kathryn Parsons-Reponte
On July 14, 2023, the California Attorney General announced an investigative sweep targeting large California employers, focusing on employers’ compliance with the California Consumer Privacy Act’s (CCPA’s) recently expanded coverage of employees and job candidates. The announcement follows the expiration of a prior exemption for personnel and business to business (B2B) data under the CCPA (for more information, see this Latham blog post).
The amended PDPL diverges from international privacy laws in several areas, including personal data transfers, penalties, and breach notification.
By Brian A. Meenagh and Lucy Tucker
An amended version of the Kingdom of Saudi Arabia’s Personal Data Protection Law (PDPL) was published in the Official Gazette of the Kingdom of Saudi Arabia on April 7, 2023. The amended PDPL contains the same wide extra-territorial scope as the original PDPL. It applies to any processing of personal data that takes place in the Kingdom, and applies to the processing of personal data of individuals located in the Kingdom by organizations outside of the Kingdom.
The amended PDPL contains concepts and requirements similar to those in international privacy laws, such as the GDPR, including concepts, such as personal data, controllers and processors, data processing principles, certain data subject rights, and the requirement to maintain a record of processing activities. However, the PDPL diverges from international privacy laws in several important areas, notably in relation to transfers of personal data outside of the Kingdom and penalties for non-compliance.
The stringent law introduces several novel obligations and a unique approach to determining applicability that may broaden its reach.
By Clayton Northouse, Michael H. Rubin, and Robert Brown
On June 18, 2023, Texas enacted the Texas Data Privacy & Security Act (TDPSA), which will largely take effect in just over a year on July 1, 2024. The TDPSA follows in the footsteps of 10 other comprehensive US state privacy laws but sits decisively on the more stringent end of the spectrum.
While the TDPSA is generally modeled after the Virginia Consumer Data Protection Act (VCDPA), it adopts many of the more consumer-friendly components of more recently enacted laws. It also introduces several novel obligations and a unique approach to determining applicability that may broaden its reach.
In light of these factors and considering the size of the Texas economy and population, the TDPSA may prove to be the most impactful state privacy law since the California Consumer Privacy Act (CCPA), which was enacted in 2020.
The Office of the Privacy Commissioner for Personal Data of Hong Kong summarised enforcement trends and plans to further amend the Personal Data (Privacy) Ordinance.
By Kieran Donovan and Jacqueline Van
On 9 November 2022, the Office of the Privacy Commissioner for Personal Data of Hong Kong (Commissioner) published its annual report titled “A New Era in the Regulatory Regime for the Protection of Personal Data” (Annual Report). The Annual Report details the work of the Commissioner during 2021-2022, its observations on trends of complaints, and expectations for the year ahead. In particular, the Annual Report reflects the Commissioner’s continued efforts to enforce the new doxxing offence, and a likely further legislative review of the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) in the coming year.
The amendment proposes business-friendly changes regarding data localization and legitimate interests.
By Brian Meenagh and Lucy Tucker
On November 20, 2022, the Saudi Data and AI Authority (SDAIA) published an amended version of the Kingdom of Saudi Arabia’s (KSA or the Kingdom) Personal Data Protection Law (PDPL) for consultation (the Amended Draft). The Amended Draft contains significant changes which are largely business friendly, including a relaxation of strict data localization requirements and the introduction of a form of legitimate interests as a legal basis for processing.
The proposal provides a uniform basis for secondary research and clarifies uncertainty over implementation and interpretation of the GDPR but also raises many questions.
By Oliver Mobasser and Gail Crawford
On 3 May 2022, the European Commission launched its proposal for a Regulation for the European Health Data Space to “unleash the full potential of health data”. However, questions arise as to whether this proposal is a welcome facilitator of innovation or another burden for research-focussed businesses.
Among other goals
The CJEU’s decision is likely to have significant implications for ongoing and future proceedings for damages claims under Art. 82 GDPR.
By Tim Wybitul, Christoph Baus, Stefan Patzer, and Isabelle Brams
On April 15, 2021, the Austrian Supreme Court (OGH) referred key questions regarding non-material damages for data protection infringements under Art. 82 GDPR to the European Court of Justice (CJEU) for a preliminary ruling under Art. 267 TFEU. So far, a number of claims for non-material damages based on violations of the GDPR have been dismissed by the courts in Austria and Germany because the plaintiffs did not allege or prove any noticeable immaterial impairment. The OGH makes reference to a decision of the German Federal Constitutional Court (BVerfG) dated January 14, 2021 in which the court overturned a decision by the Goslar Local Court (AG). The BVerfG ruled that the AG would have had submit significant questions about damages to the CJEU before making a decision in the final instance. Whilst the OGH disagreed with the finding of the BVerfG, it considered it helpful to refer question to the CJEU in order to ensure a harmonized application of the law within the EU.
The decision means the CJEU will need to clarify the framework for GDPR damages claims.
By Tim Wybitul, Dr. Christoph Baus, and Dr. Isabelle Brams
The German Federal Constitutional Court has ruled that the Court of Justice of the European Union (CJEU) needs to clarify if the General Data Protection Regulation (GDPR) provides for a materiality threshold for GDPR damage claims. The decision overturns a judgment of the Goslar Local Court of 27 September 2019 regarding the unlawful sending of an advertising email.