Rachel De Souza

Subscribe to Rachel De Souza's Posts

On 3 August, the Indian Central Government withdrew the Personal Data Protection Bill, 2019 (PDP Bill). The PDP Bill, which has drawn criticism from both privacy advocates and industry stakeholders, was first published in 2018 and was to be India’s first law on the protection of personal data. A government notice stated that
Continue Reading India: Government withdraws long-awaited Personal Data Protection Bill

On Thursday 21 July 2022, the Cyberspace Administration of China (“CAC”) fined Didi Global Inc, an online ride-hailing business a total of RMB 8.026 billion (approximately USD 1.2 billion).

The CAC explained that the reasons for the fines were due to Didi’s:

  • illegal collection of over 11.9 million screenshots from users’ mobile phone


Continue Reading China: Enforcement of data protection – 5% of annual local revenue

Authors: Sarah Birkett and Alex Moore 

The use of CCTV systems to collect biometric information from individuals in Australia is attracting headlines. The issue relates not to the use of CCTV itself, but rather the collection of biometric information (i.e. electronic copies of faces, fingerprints, voices) via CCTV. Organisations, including retailers, may collect biometric information
Continue Reading Australia: Collection of biometric information via CCTV

The Italian privacy authority, the Garante, deemed that the use of Google Analytics results in unlawful transfers of personal data to the United States in violation of the principles outlined in the Schrems II ruling.

In Order No. 224 of June 9, 2022, the Italian data protection authority found that transfers of personal data
Continue Reading ITALY: the Garante aligns with CNIL and DSB holding that the use of Google Analytics leads to unlawful transfer of Personal Data

The UK ICO has published its AI and data protection risk toolkit (the “Toolkit“). The Toolkit is designed to provide practical support to organisations using AI systems which may involve the processing of personal data. It builds on the ICO’s earlier guidance on AI and data protection, published in July 2020.

The
Continue Reading UK: ICO publishes AI and Data Protection risk Toolkit

On 8 March 2022, The Data Protection Act 2018 (Access Modification) (Health) Regulations 2022 (“the 2022 Regulations”) came into force, revoking and replacing the Data Protection (Access Modification) (Health) Regulations 1989 (the “1989 Regulations”). The new 2022 Regulations will have an impact on organisations that process health data (i.e. physical and mental health
Continue Reading Ireland: Employers can now process Data Subject Access Requests without advice of health service providers

The European Council and the European Parliament have agreed on measures for a high common level of cybersecurity across the EU (the “NIS2”).

Once adopted, NIS2 will replace the current Directive on Security of Network and Information Systems (“NIS Directive”). NIS2 will introduce a number of changes, including bringing more sectors
Continue Reading Europe: One step closer towards the adoption of NIS2

Organisations engaging in cross border transfers of personal data may now rely on the Recommended Model Contractual Clauses (RMCs), recently published by the Privacy Commissioner for Personal Data (PCPD).

The two sets of RMCs are intended for controller to controller transfers, and controller to processor transfers. The RMCs may be used in:

  • cross border transfers


Continue Reading Hong Kong: Newly published Model Contractual Clauses

Max Schrems, through his organisation, ‘My Privacy is None of your Business’ (“noyb.eu”) has issued an open letter to U.S. and EU officials about the announcement of an ‘agreement in principle’ for a new Trans-Atlantic Data Privacy Framework (“letter”). The letter coincides with a visit to Washington, D.C. by a delegation
Continue Reading NOYB open letter on the new EU – US data deal