Legislation & Regulation

The amended PDPL diverges from international privacy laws in several areas, including personal data transfers, penalties, and breach notification.

By Brian A. Meenagh and Lucy Tucker

An amended version of the Kingdom of Saudi Arabia’s Personal Data Protection Law (PDPL) was published in the Official Gazette of the Kingdom of Saudi Arabia on April 7, 2023. The amended PDPL contains the same wide extra-territorial scope as the original PDPL. It applies to any processing of personal data that takes place in the Kingdom, and applies to the processing of personal data of individuals located in the Kingdom by organizations outside of the Kingdom.

The amended PDPL contains concepts and requirements similar to those in international privacy laws, such as the GDPR, including concepts, such as personal data, controllers and processors, data processing principles, certain data subject rights, and the requirement to maintain a record of processing activities. However, the PDPL diverges from international privacy laws in several important areas, notably in relation to transfers of personal data outside of the Kingdom and penalties for non-compliance.

The updated reform legislation provides welcome guidance and clarifications on aspects such as legitimate interests and accountability, without substantially shifting the approach proposed under the existing reform bill.

By Gail E. Crawford, Fiona M. Maclean, Timothy Neo, Irina Vasile, and Amy Smyth

On 8 March 2023, the UK government introduced the second draft of its UK data protection reform legislation, the Data Protection and Digital Information (No.2) Bill (the No. 2 Bill). The No. 2 Bill supersedes the original Data Protection and Digital Information Bill (the Original Bill), which the government first introduced last summer, following the consultation “Data: a new direction” (the Consultation). (For more information on the Consultation, see this Latham blog post; for more details on the proposed changes in the first version of the Bill, see this Latham overview and deep dive.)

The No. 2 Bill details how the government proposes to reform the current UK data protection regime, which consists primarily of the UK Data Protection Act 2018 (DPA 2018), the UK General Data Protection Regulation (UK GDPR), and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

The Office of the Privacy Commissioner for Personal Data of Hong Kong summarised enforcement trends and plans to further amend the Personal Data (Privacy) Ordinance.

By Kieran Donovan and Jacqueline Van

On 9 November 2022, the Office of the Privacy Commissioner for Personal Data of Hong Kong (Commissioner) published its annual report titled “A New Era in the Regulatory Regime for the Protection of Personal Data” (Annual Report). The Annual Report details the work of the Commissioner during 2021-2022, its observations on trends of complaints, and expectations for the year ahead. In particular, the Annual Report reflects the Commissioner’s continued efforts to enforce the new doxxing offence, and a likely further legislative review of the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) in the coming year.

The amendment proposes business-friendly changes regarding data localization and legitimate interests.

By Brian Meenagh and Lucy Tucker

On November 20, 2022, the Saudi Data and AI Authority (SDAIA) published an amended version of the Kingdom of Saudi Arabia’s (KSA or the Kingdom) Personal Data Protection Law (PDPL) for consultation (the Amended Draft). The Amended Draft contains significant changes which are largely business friendly, including a relaxation of strict data localization requirements and the introduction of a form of legitimate interests as a legal basis for processing.

The Guidance provides helpful clarifications for service providers and their customers on both sides of the Atlantic.

By Robert Blamires, Fiona M. Maclean, and Danielle van der Merwe

Long-awaited guidance on the territorial scope of the General Data Protection Regulation (GDPR) has been published by the European Data Protection Board (EDPB) for public consultation (Guidance). Under Article 3, the GDPR applies to the processing of personal data which meets the “establishment” test (Article 3(1)), or, failing that, meets the “targeting” test (Article 3(2))[i].

“Establishment” Test

The GDPR applies to the processing of personal data by a controller or processor established in the EU in the context of activities of that establishment, regardless of whether the processing itself takes place in the EU. “Establishment” is not defined in the GDPR, but the Guidance refers to pre-GDPR case law to assist with its interpretation.

GDPR and PSD2 are two legal initialisms that have both generated a great deal of press coverage in recent months, but they are seldom considered together.

By Christian F. McDermott, Calum Docherty and Brett Carr

There were around 122 billion non-cash payments in the European Union (EU) in 2016, with card payments accounting for 49% of all transactionsi  and the trend is continuing: UK Finance recently reported that UK debit card payments overtook the number of cash transactions for the first time in the final quarter of 2017. As Europeans increasingly swap cash for cards and live their lives online, businesses have tremendous opportunities to take advantage of the vast amount of personal data generated by the increased use of payment services.

In the EU, activities in the payments sector are subject to the revised Payment Services Directive (2015/2366, known as PSD2). PSD2 was transposed in the UK primarily by the Payment Services Regulations 2017, the majority of which came into force on 13 January 2018.

By Gail Crawford and Ksenia Koroleva

The Federal Law No. 87-FZ of May 1, 2017, on Amendments to the Federal Law on Information, Information Technologies, and Information Protection (the Law) came into force on July 1, 2017. The Law introduces the definition of an audiovisual service owner and regulates their activities, including imposing ownership restrictions.

The Notion of Audiovisual Service Owners

According to the Law, an audiovisual service owner is an owner of a website, a page of a website, an information system, and/or software (an Audiovisual Service):

  • Used for collating and providing access to audiovisual content
  • By paid subscription and/or funded by advertising
  • To users located in the territory of Russia
  • With more than 100,000 users a day (on average)

The following are not regarded an Audiovisual Service:

  • Information resources registered as online media in accordance with the Federal Law No. 2124-1 of December 27, 1991, on Mass Media (e.g., online media, TV-channels, TV/radio/video programs, etc.)
  • Search engines
  • Information resources which focus on hosting user-generated content under the criteria to be set by the Federal Service for Supervision in the Sphere of Telecom, Information Technologies, and Mass Communications (Roscomnadzor) (e.g., YouTube, RuTube, Vimeo).

By Steven Croley*, Jennifer Archie and Serrin Turner

The Trump Administration has issued a much anticipated Executive Order (EO),“Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” directing federal executive agency heads to undertake various cyber-related reviews and to report findings back to the White House Electricity_Pylon_singleColColorwithin prescribed timetables. Unlike some of the Trump Administration’s executive orders receiving much attention in recent weeks, this new cybersecurity EO does not aim to unwind policies put in place or initiatives undertaken by the Obama Administration. In fact, subsequent steps by the Trump Administration following the new EO may likely build upon the previous Administration’s efforts, which had assigned responsibilities to various executive departments serving as “sector specific” agencies for different sectors (energy, communications, transportation, and so on) with critical infrastructure.

By Ulrich Wuermeling

Well ahead of the implementation deadline for the European General Data Protection Regulation (GDPR), the German Parliament (Bundestag) passed a new Federal Data Protection Act (Bundesdatenschutzgesetz) on April 27, 2017. The Federal Council (Bundesrat) could confirm the Act before the summer, but may require further amendments. If the Parliament and the Council fail to agree, the legislative process will have to start from the beginning after the German elections in September.

The new Act retains the old title of the Bundesdatenschutzgesetz, but the content has changed completely. The GDPR is directly applicable and, therefore, the Act only complements the GDPR or regulates areas outside the scope of it. Most of the 85 Articles of the new Act deal with the public sector and the implementation of the Law Enforcement Directive. However, it also includes some provisions for the private sector based on opening clauses that either allow or require national implementation. The main German modifications for the private sector are the following:

By Ulrich Wuermeling

On January 10, 2017, the European Commission proposed a new ePrivacy Regulation (Proposal). Compared to the internal draft that was leaked in December, the official Proposal has been substantially modified. However, the general approach taken by the European Commission has not changed. The Proposal includes provisions with a broad scope of application covering over-the-top (OTT) services as well as communication between devices and all data stored on a device.

In the internal draft, the European Commission suggested