The amendment proposes business-friendly changes regarding data localization and legitimate interests. By Brian Meenagh and Lucy Tucker On November 20, 2022, the Saudi Data and AI Authority (SDAIA) published an amended version of the Kingdom of Saudi Arabia’s (KSA or the Kingdom) Personal Data Protection Law (PDPL) for consultation (the Amended Draft). The Amended Draft … Continue Reading
The proposal provides a uniform basis for secondary research and clarifies uncertainty over implementation and interpretation of the GDPR but also raises many questions. By Oliver Mobasser and Gail Crawford On 3 May 2022, the European Commission launched its proposal for a Regulation for the European Health Data Space to “unleash the full potential of … Continue Reading
The Advocate General opined that data subjects must prove that they suffered damage from a GDPR breach in order to claim compensation. By Tim Wybitul, Isabelle Brams, Lara Nonninger, and Hayley Pizzey Article 82 of the General Data Protection Regulation (GDPR) states that any person who has suffered material or non-material damage as a result … Continue Reading
The bill would largely build on the UK data protection regime’s EU GDPR-style framework, albeit with UK-specific provisions. By James Lloyd, Fiona M. Maclean, Calum Docherty, Irina Vasile, Alex Ford-Cox, and Amy Smyth The UK government introduced the Data Protection and Digital Information Bill (the Bill) to Parliament on 18 July 2022, following the publication … Continue Reading
Areas of interest include anonymisation, “recognised legitimate interests”, and the ICO’s role. By James Lloyd, Fiona M. Maclean, Calum Docherty, Irina Vasile, Alex Ford-Cox, and Amy Smyth The UK Data Protection and Digital Information Bill (the Bill) sets out the government’s proposals for reforming the current UK data protection regime (consisting primarily of the UK … Continue Reading
UK government sets out ambitious proposal for reforming the UK data protection landscape. By Gail E. Crawford, Ian Felstead, Fiona M. Maclean, Irina Vasile, Timothy Neo, and Amy Smyth On 17 June 2022, the Department for Culture, Media and Sport (DCMS) published its response to its consultation “Data: a new direction” (the Consultation), setting out … Continue Reading
The Advocate General argues that organisations should provide individuals with information on the specific recipients of their personal data. By Tim Wybitul, James Lloyd, Isabelle Brams, Irina Vasile, and Amy Smyth Advocate General Giovanni Pitruzzella (AG) of the Court of Justice of the European Union (CJEU) recently delivered an opinion (the Opinion) regarding the interpretation … Continue Reading
The EDPB sets out relevant steps and factors that EU supervisory authorities should consider when calculating administrative fines under the GDPR. By Gail Crawford, Ian Felstead, James Lloyd, Tim Wybitul, Irina Vasile, Sami Qureshi, and Amy Smyth On 16 May 2022, the European Data Protection Board (EDPB) adopted draft Guidelines 04/2022 on the calculation of … Continue Reading
The French Data Protection Authority’s white paper discusses how companies can comply with data privacy and security obligations. By Christian F. McDermott, Myria Saarinen, Calum Docherty, Charlotte Guerin, Jiou (Alex) Park, and Amy Smyth The use of card, contactless, and innovative digital payment solutions has significantly increased in recent years, fueled by the immediate impacts … Continue Reading
Companies have three months to prepare to use the latest standard contractual clauses for new data transfers, and 18 months to migrate existing arrangements. By Gail Crawford, Fiona Maclean, Danielle van der Merwe, and Amy Smyth On 4 June 2021, the European Commission released its much-anticipated final Implementing Decision containing the new standard contractual clauses … Continue Reading
The decision means the CJEU will need to clarify the framework for GDPR damages claims. By Tim Wybitul, Dr. Christoph Baus, and Dr. Isabelle Brams The German Federal Constitutional Court has ruled that the Court of Justice of the European Union (CJEU) needs to clarify if the General Data Protection Regulation (GDPR) provides for a … Continue Reading
As the Brexit transition period draws to a close, businesses will need to consider their data protection efforts to comply with both UK and EU regimes. By Gail Crawford, Fiona Maclean, and Amy Smyth The end of the Brexit transition period on 31 December 2020 will have several data protection consequences. The impact of one … Continue Reading
The French data protection authority’s decisions cite violations of the cookie rules under the ePrivacy Directive and provide important insights on explicit consent. By Gail Crawford, Myria Saarinen, Tim Wybitul, and Wolf-Tassilo Böhm Between December 2019 and May 2020, the French data protection authority (CNIL) conducted multiple online investigations by visiting google.fr and amazon.fr, before … Continue Reading
As contactless transactions boom, EU regulators publish draft guidelines on the interplay between the GDPR and PSD2. By Fiona M. Maclean, Christian F. McDermott, Calum Docherty, and Amy Smyth Last year, more than half of all payments in the UK were made by card and contactless methods, while cash made up less than a quarter … Continue Reading
Latham lawyers explain who the DIFC’s new law applies to and how it maps against the GDPR. By Brian A. Meenagh, Fiona M. Maclean, Alexander Hendry, and Avinash Balendran The Dubai International Financial Centre (DIFC) recently issued a new data protection law and regulations: the Data Protection Law DIFC Law No. 5 of 2020 and … Continue Reading
Court’s decision struck down blanket prohibition on so-called “cookie walls” that prevent users from accessing a website or an application. By Myria Saarinen and Charlotte Guérin France’s Highest Administrative Court (the Conseil d’Etat) issued a decision on 19 June 2020 upholding most of the guidance on cookies and other tracking devices that the French Data … Continue Reading
The Council decision contains useful considerations and clarifications on the “one-stop shop” mechanism, transparency obligations, and consent for targeted advertising. By Myria Saarinen and Camille Dorval On 19 June 2020, France’s Highest Administrative Court (Council) handed down its decision on the appeal filed by Google LLC (Google) against the French Data Protection Authority’s (CNIL’s) decision … Continue Reading
After the recent two-year anniversary of the GDPR, one fundamental question remains — who does the GDPR apply to? By Gail Crawford, Ulrich Wuermeling, and Calum Docherty Last month marked the two-year anniversary of the General Data Protection Regulation (GDPR), but its territorial reach is still hotly debated. This blog post takes a detailed look … Continue Reading
Judgment offers some comfort for data controllers, without eliminating the possibility of vicarious liability based on an employee’s actions. By Ian Felstead and Calum Docherty The UK Supreme Court (UKSC) has ruled that WM Morrisons Supermarkets plc (Morrisons) was not vicariously liable for the actions of a rogue employee who leaked the personal payroll data … Continue Reading
Research participants must identify which data sets constitute personal data to ensure compliance with the GDPR. By Frances Stocks Allen and Mihail Krepchev The UK Medical Research Council (MRC) has published a useful guidance note on the identifiability, anonymisation, and pseudonymisation of personal data in the context of research activities (the Guidance). The Guidance reminds … Continue Reading
Update confirms the introduction of an active “duty of care” and a dedicated regulator, as part of a comprehensive new online regulatory regime. By Alain Traill, Rachael Astin, Gail E. Crawford, and Patrick Mitchell Following a wave of commentary from industry, the social sector, and other organisations, on 11 February 2020 the UK government set … Continue Reading
China’s PCPPIC protects children’s personal information in much the same way as COPPA and the GDPR, but with a few differences. By Wei-Chun (Lex) Kuo, Weina (Grace) Gao, and Cheng-Ling Chen On August 22, 2019, the Cyberspace Administration of China (CAC) released a new data privacy regulation related to children, the Provisions on Cyber Protection … Continue Reading
Recent action by the Hamburg authority may present implications for companies regulated by a lead data protection supervisory authority in Europe. By Fiona Maclean, Tim Wybitul, Joachim Grittmann, Wolf Böhm, Isabelle Brams, and Amy Smyth A German supervisory authority has initiated an investigation into Google’s speech recognition practices and language assistant technologies, which are integrated … Continue Reading
Following in the footsteps of the CNIL and the ICO, the Berlin DPA will impose a multimillion-euro fine for breach of the GDPR. By Tim Wybitul, Joachim Grittmann, Ulrich Wuermeling, Wolf-Tassilo Böhm, and Isabelle Brams The Berlin Data Protection Authority (Berlin DPA) recently announced that it will issue a multimillion-euro fine for breach of the … Continue Reading