Companies subject to India’s new data protection law should assess practical implications.

By Gail Crawford, Fiona Maclean, Danielle van der Merwe, Kate Burrell, Bianca H. Lee, Alex Park, Irina Vasile, and Amy Smyth

The Indian parliament enacted India’s first comprehensive data protection law on 11 August 2023, namely the Digital Personal Data Protection Act 2023 (the DPDPA). The DPDPA will replace India’s existing patchwork of data protection rules[i] and is expected to trigger significant changes in how companies subject to Indian data protection laws process personal data. However, the law is not yet operational; no effective date has been established and there is no official timeline for the overall implementation. Stakeholders expect the law to come into force in a phased manner in the next six to 12 months, after:

  1. an independent agency responsible for enforcing the DPDPA — the Data Protection Board of India (the Data Protection Board) — is established; and
  2. the Indian government has framed the subordinate rules (which are expected to provide interpretative guidance on procedural steps and enforcement methodology).

The DPDPA is “umbrella” legislation, as it sets out only a high-level framework for India’s new data protection regime, with supplementary rules expected in due course. Though the new law is not yet operational, companies subject to the new law are advised to begin assessing potential practical implications at an early stage.

The French Data Protection Authority has imposed a €40 million fine for GDPR infringements.

By Myria Saarinen and Charlotte Guerin

On 15 June 2023 the French Data Protection Authority (the CNIL), acting as Lead Supervisory Authority pursuant to the cooperation procedure under Article 60 GDPR, handed down a decision against the French adtech company Criteo SA (Criteo). The CNIL imposed a €40 million fine for five infringements of the GDPR, in particular for failing to verify that data subjects had consented to the processing of their personal data for the purpose of targeted advertising.

Founded in 2005 and headquartered in France, Criteo specializes in behavioral retargeting, which involves tracking browsing patterns through cookies placed on users’ devices to facilitate personalized advertisements. Criteo collects browsing data tied to a cookie that is being placed when users visit certain partner websites (the Criteo cookie), and then uses the data to generate personalized online ads. Criteo will then show these ads to users when they visit other partner or customer websites. According to its corporate website, Criteo serves 5 billion ads per day and partners with more than 19,000 customers.

The amended PDPL diverges from international privacy laws in several areas, including personal data transfers, penalties, and breach notification.

By Brian A. Meenagh and Lucy Tucker

An amended version of the Kingdom of Saudi Arabia’s Personal Data Protection Law (PDPL) was published in the Official Gazette of the Kingdom of Saudi Arabia on April 7, 2023. The amended PDPL contains the same wide extra-territorial scope as the original PDPL. It applies to any processing of personal data that takes place in the Kingdom, and applies to the processing of personal data of individuals located in the Kingdom by organizations outside of the Kingdom.

The amended PDPL contains concepts and requirements similar to those in international privacy laws, such as the GDPR, including concepts, such as personal data, controllers and processors, data processing principles, certain data subject rights, and the requirement to maintain a record of processing activities. However, the PDPL diverges from international privacy laws in several important areas, notably in relation to transfers of personal data outside of the Kingdom and penalties for non-compliance.

The French Data Protection Authority imposed a €280,000 fine for GDPR infringements and a €100,000 fine for violation of French cookie rules.

By Myria Saarinen

On 11 May 2023 the French Data Protection Authority (the CNIL) handed down its decision on the health website Doctissimo, imposing a €280,000 fine for the infringement of four provisions of the GDPR and an additional €100,000 fine for the violation of Article 82 of the French Data Protection Act (the French Cookies Rule).

Founded in 2000 by medical doctors, Doctissimo is one of the most widely visited health and well-being websites in France, with the majority of visitors located in France and Belgium. The website hosts articles, tests, quizzes, and forums related to health and well-being.

By Ian Felstead, Gail Crawford, Serrin Turner, Tim Wybitul, and Hayley Pizzey[1]

The final decision of the Irish Data Protection Commission (IDPC) in relation to the transfers of EU/EEA Facebook user data by Meta Platforms Ireland Limited (Meta Ireland) to its processor, Meta Platforms, Inc., in the US (the Transfers)[2] was published on 22 May 2023 (IDPC Decision).[3]

The IDPC found that the Transfers, made pursuant to Standard Contractual Clauses (SCCs), did not comply with Article 46(1) GDPR, as the SCCs together with the supplementary measures implemented “do not compensate for the deficiencies in US law in issue”. The IDPC also found that the Transfers could not be made pursuant to any of the derogations under Article 49(1) GDPR. In particular, the IDPC concluded that the “contractual necessity” derogation could not be relied on by Meta Ireland “to justify the systematic, bulk, repetitive and ongoing transfers to the US”.

In light of these conclusions, the IDPC made an order suspending the Transfers (the Suspension Order).

Organisations must provide individuals with information on the specific recipients of their data upon request.

By Tim Wybitul, Isabelle Brams, Calum Docherty, and Amy Smyth

The Court of Justice of the European Union (CJEU) has ruled that organisations must generally disclose the specific identity of data recipients on request from an individual in order to give effect to the right of access. Organisations may only limit their response to the mere categories of recipients if they cannot identify the specific recipients or if the request is manifestly unfounded or excessive. The court’s judgment in the case of RW v. Österreichische Post AG (Case C-154/21) follows the opinion given by CJEU Advocate General Giovanni Pitruzzella in mid-2022 (the Opinion). For background on the case and the Opinion, see this Latham & Watkins blog post.

The CJEU’s final ruling could subject companies to direct GDPR enforcement by DPAs notwithstanding national procedural rules, but may rule against strict liability under the GDPR.

By Tim Wybitul, Myria Saarinen, Isabelle Brams, Irina Vasile, and Amy Smyth

On 27 April 2023 Advocate General of the Court of Justice of the European Union (CJEU) Campos Sánchez-Bordona delivered an opinion in which he approved direct enforcement of the General Data Protection Regulation (GDPR) against companies but rejected

Organisations should expect increased scrutiny and enforcement activity around the role of data protection officers in the coming year.

By Gail E. Crawford, Fiona M. Maclean, Ben Leigh, and Amy Smyth

The European Data Protection Board (EDPB) has announced that its coordinated enforcement action for 2023 will focus on the designation and position of data protection officers (DPOs). Each year, the EDPB’s Coordinated Enforcement Framework (CEF) designates a topic EU data protection authorities (DPAs) should focus on. Although participation for any given year is voluntary, the EDPB has stated that this CEF will involve 26 DPAs across the European Economic Area, including the European Data Protection Supervisor.

The amendment proposes business-friendly changes regarding data localization and legitimate interests.

By Brian Meenagh and Lucy Tucker

On November 20, 2022, the Saudi Data and AI Authority (SDAIA) published an amended version of the Kingdom of Saudi Arabia’s (KSA or the Kingdom) Personal Data Protection Law (PDPL) for consultation (the Amended Draft). The Amended Draft contains significant changes which are largely business friendly, including a relaxation of strict data localization requirements and the introduction of a form of legitimate interests as a legal basis for processing.

The proposal provides a uniform basis for secondary research and clarifies uncertainty over implementation and interpretation of the GDPR but also raises many questions.

By Oliver Mobasser and Gail Crawford

On 3 May 2022, the European Commission launched its proposal for a Regulation for the European Health Data Space to “unleash the full potential of health data”. However, questions arise as to whether this proposal is a welcome facilitator of innovation or another burden for research-focussed businesses.

Among other goals