The CJEU rules that personal data can be pseudonymous in the hands of one party and anonymous in the hands of another.
By Myria Saarinen, Tim Wybitul, Wolf-Tassilo Böhm, Isabelle Brams, Gail Crawford, Fiona M. Maclean, Danielle van der Merwe, and Amy Smyth
The Court of Justice of the European Union (CJEU) has delivered its judgment in case C-413/23 EDPS v. SRB, addressing questions on the scope of personal data regulated by
EU General Court confirms United States ensured an adequate level of protection for EU personal data transfers to the US.
By Ian Felstead, Tim Wybitul, Wolf-Tassilo Böhm, Hayley M. Pizzey, Isabelle Brams, and Clarence Cheong
On 3 September 2025, the EU General Court delivered its judgment in Case T-553/23, Latombe v. Commission. The court dismissed Latombe’s action for annulment of the EU-US Data Privacy Framework (DPF) and upheld the European Commission’s Adequacy Decision (Adequacy
Proposals grant controllers increased flexibility for automated decision-making, provided suitable safeguards are implemented.
By Fiona Maclean, Gail Crawford, Amy Smyth, and Lorenzo Meusburger
On 23 October 2024, the UK government introduced the Data (Use and Access) Bill (the Bill) to Parliament, marking a significant step in the evolution of the country’s data protection landscape. It follows previous reform attempts that lapsed after the July 2024 government change. The proposed legislation aims to reform various aspects of UK data protection law while also addressing broader initiatives related to data access and digital identity. Among its many provisions (138 Clauses, 16 Schedules and 251 pages to be precise), the Bill outlines notable changes in the realm of automated decision-making.
The Privacy Commissioner for Personal Data reminds organisations to review and implement appropriate data security measures amidst more data breaches.
By Kieran Donovan, Anthony Liu, and Jacqueline Van
On 13 February 2023, the Privacy Commissioner for Personal Data of Hong Kong (PCPD) published an article titled “Guidance on Data Security – Heightened Importance of Data Security Amid Increased Cyberthreats”. The article discusses the increasing trend of cyberattack incidents, identifies common vulnerabilities based on data incidents the PCPD has investigated, and sets out practical guidance for data security measures.
The Office of the Privacy Commissioner for Personal Data of Hong Kong summarised enforcement trends and plans to further amend the Personal Data (Privacy) Ordinance.
By Kieran Donovan and Jacqueline Van
On 9 November 2022, the Office of the Privacy Commissioner for Personal Data of Hong Kong (Commissioner) published its annual report titled “A New Era in the Regulatory Regime for the Protection of Personal Data” (Annual Report). The Annual Report details the work of the Commissioner during 2021-2022, its observations on trends of complaints, and expectations for the year ahead. In particular, the Annual Report reflects the Commissioner’s continued efforts to enforce the new doxxing offence, and a likely further legislative review of the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) in the coming year.
By Gail Crawford and Ksenia Koroleva
The Federal Law No. 87-FZ of May 1, 2017, on Amendments to the Federal Law on Information, Information Technologies, and Information Protection (the Law) came into force on July 1, 2017. The Law introduces the definition of an audiovisual service owner and regulates their activities, including imposing ownership restrictions.
The Notion of Audiovisual Service Owners
According to the Law, an audiovisual service owner is an owner of a website, a page of a website, an information system, and/or software (an Audiovisual Service):
The following are not regarded an Audiovisual Service:
On January 10, 2017, the European Commission proposed a new ePrivacy Regulation (Proposal). Compared to the internal draft that was leaked in December, the official Proposal has been substantially modified. However, the general approach taken by the European Commission has not changed. The Proposal includes provisions with a broad scope of application covering over-the-top (OTT) services as well as communication between devices and all data stored on a device.
In the internal draft, the European Commission suggested
By Fiona Maclean & Calum Docherty
The Article 29 Working Party (WP29) – the group that represents the data protection authorities of all EU Member States – has published guidance and FAQs on a number of issues under the General Data Protection Regulation (GDPR).
Data Protection Officers (DPOs) (Guidance & FAQs)
DPOs are the cornerstone of the GDPR’s accountability regime. The GDPR requires that organisations must appoint a DPO when they engage in large-scale processing of personal data, large-scale regular and systematic monitoring of data subjects, or where obliged to by local law. The WP29 guidance elaborates on what these criteria mean in practice, clarifying when a DPO should be appointed. The guidance also confirms that the DPO can be an external party and is not personally responsible in the case of noncompliance with the GDPR.
An internal Commission draft of a new ePrivacy Regulation (Draft) has been leaked to the public. The Commission plans to propose it in early 2017, but the content of the Draft does not seem near a final proposal. It is either older or still needs some time to be finalized. The Draft reveals the Commission’s priorities of extending the scope of the Regulation, reducing the number of consent notices for first party cookies, increasing privacy and confidentiality of user data and applying higher fines.
If the approach proposed by the Draft were to pass, the commercial rules for the Internet could change substantially in the EU. The ability of internet service providers to monetize services with marketing would be hampered and the users would have to pick up the bill. The economic impact analysis of the Draft simply ignores these consequences by stating that website publishers would have “small” adoption costs and not mentioning any economic impact for users. Furthermore, the Regulation would in parts isolate the EU market from global innovations by fostering data localization. The approach might shield EU based companies from unwanted competition, but would ultimately slow down the development of the digital market in the EU.
By Matt Murchison and Alex Stout
Today, the US Federal Communications Commission (FCC) approved far-reaching new information privacy rules that will govern how providers of broadband Internet access service collect, use, protect, and share data from their subscribers. These new rules, which were adopted by a 3 to 2 vote, are intended to fill a consumer protection gap that was created by the FCC’s reclassification of broadband Internet access service (or BIAS) as a Title II common carrier service as part of the 2015 Open Internet Order (the Federal Trade Commission (FTC) does not have jurisdiction over common carriers acting as common carriers). Although the full text of the today’s privacy order (the Order) has not yet been released, the agency provided a general outline of its new rules.
Today’s privacy rules are the result of a process that began in March, when the FCC circulated a Notice of Proposed Rulemaking (NPRM) on implementing Section 222’s privacy obligations for broadband providers. Section 222 was applied to broadband providers as part of the 2015 Open Internet Order, but until today’s Order the precise privacy obligations of broadband providers was not clear. The FCC’s NPRM had initially proposed sweeping new rules that in many ways went beyond the existing privacy framework of the FTC. For example, while the FTC has long embraced a unified, “technology neutral” approach applied equally to ISPs, websites, and all other participants in the Internet ecosystem, the FCC’s proposals focused solely on regulating ISPs. Moreover, whereas the FTC’s approach historically has turned on the sensitivity of the information being collected, used, or shared, the FCC’s initial proposal would have treated all forms of customer information equally, whether the information was a Social Security number or merely the customer’s first and last name. And while the FTC imposes a reasonableness standard for data security practices, the FCC proposed that broadband providers be required to “appropriately calibrate[]” their security practices to the data being collected, without an apparent reasonableness standard. The FTC, in its comments to the FCC in this proceeding, suggested changes to the FCC’s proposal that would bring the two privacy regimes into greater harmony. Although the FCC did not accept all of these changes—and never wavered from its focus on regulating only ISPs—the final product is significantly changed from what we first saw in the NPRM.