Privacy Matters: DLA Piper's Global Privacy and Data Protection Resource
https://privacymatters.dlapiper.com/category/data-security-and-breaches/

Malaysia: Guidelines Issued on Data Breach Notification and Data Protection Officer Appointment
https://privacymatters.dlapiper.com/2025/03/malaysia-guidelines-issued-on-data-breach-notification-and-data-protection-officer-appointment/ (Tue, 04 Mar 2025)

Following Malaysia’s introduction of data breach notification and data protection officer (“DPO”) appointment requirements in last year’s significant amendments to the Personal Data Protection Act (“PDPA”) (click here for our summary), the Personal Data Protection Commissioner of Malaysia (“Commissioner”) recently released guidelines that flesh out such requirements, titled the Guideline on Data Breach Notification (“DBN Guideline”) and the Guideline on Appointment of Data Protection Officer (“DPO Guideline”). With the data breach notification and DPO appointment requirements set to come into force on 1 June 2025, organisations subject to the PDPA, whether data controllers or processors, are recommended to understand and adapt to these guidelines to ensure compliance.

DBN Guideline

When must a personal data breach be notified to the regulator and affected data subjects?

A data controller must notify a personal data breach to both the Commissioner and affected data subjects if it causes or is likely to cause “significant harm”, which includes a risk of any of the following:

  • physical harm, financial loss, a negative effect on credit records, or damage to or loss of property;
  • misuse of personal data for illegal purposes;
  • compromise of sensitive personal data;
  • combination of personal data with other personal information that could potentially enable identity fraud; or
  • (for the purpose of notification to the Commissioner only) a breach of “significant scale”, i.e. involving more than 1,000 affected data subjects.

What is the timeframe to make data breach notifications?

The timeframe for notifications is as follows:

  • Notification to the Commissioner: as soon as practicable and within 72 hours from the occurrence of the breach. If notification to the Commissioner cannot be made within 72 hours, a written notice detailing the reasons for the delay and providing supporting evidence must be submitted; and
  • Notification to affected data subjects: without unnecessary delay and within seven days of notifying the Commissioner.

What are the other key obligations related to personal data breaches?

A data controller should:

  • DPA:  contractually obligate its data processor to promptly notify it of a data breach and to provide it with all reasonable and necessary assistance to meet its data breach notification obligations;
  • Management and response plans: put in place adequate data breach management and response plans;
  • Training: conduct periodic training as well as awareness and simulation exercises to prepare its employees for responding to personal data breaches;
  • Breach assessment and containment: act promptly as soon as it becomes aware of any personal data breach to assess, contain, and reduce the potential impact of the data breach, including taking certain containment actions (such as isolating compromised systems) and identifying certain details about the data breach in its investigation; and
  • Record-keeping: maintain a register of the personal data breach for at least two years to document the prescribed information about the data breach.

DPO Guideline

Who are required to appoint DPOs?

An organisation, in the role of either a data controller or a data processor, is required to appoint a DPO if its processing of personal data involves:

  • personal data of more than 20,000 data subjects;
  • sensitive personal data including financial information of more than 10,000 data subjects; or
  • activities that require “regular and systematic monitoring” of personal data.

Who can be appointed as DPOs?

DPOs may be appointed from among existing employees or through outsourcing services based on a service contract. They must:

  • Expertise: demonstrate a sound level of prescribed skills, qualities and expertise;
  • Language: be proficient in both Malay and English languages; and
  • Residency: be either resident in Malaysia or easily contactable via any means.

What are the other key obligations related to DPO appointments?

A data controller required to appoint a DPO should:

  • Notification: notify the Commissioner of the appointed DPO and their business contact information within 21 days of the DPO appointment;
  • Publication: publish the business contact information of its DPO through:
      • its website and other official media;
      • its personal data protection notices; or
      • its security policies and guidelines; and
  • Record-keeping: maintain records of the appointed DPO to demonstrate compliance.

A data processor required to appoint a DPO should comply with the publication and record-keeping obligations above in relation to its DPO.

Next Steps

The new guidelines represent a significant step in the implementation of the newly introduced data breach notification and DPO appointment requirements. All organisations subject to the PDPA, whether data controllers or processors, should carefully review the guidelines and take steps to ensure compliance by 1 June 2025. This includes updating relevant internal policies (such as data breach response plans and record-keeping and training policies) and contracts with data processors to align with the guidelines. Additionally, organisations should assess whether a DPO appointment is necessary and, if so, be prepared to complete the appointment and notification processes and update their privacy notices, websites and other media to include DPO information.

Thailand: PDPC’s Clarification on Personal Data Breach Notification
https://privacymatters.dlapiper.com/2025/02/thailand-pdpcs-clarification-on-personal-data-breach-notification/ (Mon, 03 Feb 2025)

Since the full implementation of Thailand’s Personal Data Protection Act (PDPA) in June 2022, the Personal Data Protection Committee (PDPC) has been instrumental in shaping the nation’s data protection framework. Recently, the PDPC provided detailed clarifications on data breach notification requirements by responding to the public consultation, offering essential guidance for organizations striving to comply with the PDPA.

Data Breach Risk Assessment

Under the PDPA, data controllers are required to notify the office of PDPC of a data breach incident without delay and within 72 hours of becoming aware of the breach, unless the breach has no risk on individuals’ rights and freedoms.

The PDPC clarified that data controllers should assess the risk to individuals’ rights and freedoms by considering the factors outlined in Section 12 of the Notification of the Personal Data Protection Committee on Criteria and Procedures for Personal Data Breach Notification B.E. 2565 (2022) (“Notification”).

These factors include:

  1. The nature and category of the personal data breach.
  2. The type and volume of affected personal data, and the status of the affected data subjects (e.g., minors, disabled persons, vulnerable individuals).
  3. The severity of the impact and potential damage to the affected data subjects, including the effectiveness of the preventive or remedial measures.
  4. The broad-ranging effects on the data controller’s business or public due to the breach.
  5. The nature of the relevant data storage system and associated security measures, including organizational, technical, and physical measures.
  6. The legal status of the data controller.

If data controllers determine that the breach poses no risk to individuals’ rights and freedoms by considering these factors, they are not obligated to notify the PDPC. However, the PDPC advised that data controllers retain all information, documents, and records related to the risk assessment as evidence in case of future complaints, regulatory inquiries, or inspections.

Starting the 72-Hour Period

The PDPC advised that the 72-hour notification period begins when the data controller reasonably believes a breach has occurred or is likely to occur, based on a preliminary assessment and verification as specified in Section 5 of the Notification.

According to Section 5 of the Notification, once a data controller is informed of a data breach incident, it must first verify the credibility of the information, promptly investigate the relevant facts, and review the security measures in place (for both itself and its data processors), including investigating the personnel of the data controller and its processors, to determine whether there are reasonable grounds to believe a breach has occurred.

The PDPC further clarified that the precise commencement of this 72-hour period must be evaluated individually for each case. In certain situations, breaches may be immediately evident, such as when personal data is mistakenly sent to an incorrect email recipient. Conversely, other cases may necessitate additional time to verify the breach, such as when investigating a reported data leak resulting from a cyberattack. Data controllers should exercise their judgment to ascertain when there are sufficient grounds to suspect a breach has occurred.

Phased Notification and Late Notification of Data Breaches

The PDPC explained that in cases where a personal data breach poses a risk to the rights and freedoms of individuals, data controllers may consider notifying the PDPC in phases. Initially, data controllers should report the breach as soon as possible, providing preliminary information. Additional details can be submitted later once further investigation has been conducted and more information is available.

If a data controller is unable to notify the PDPC within the 72-hour timeframe, they must do so as soon as possible, but no later than 15 days from becoming aware of the breach. The data controller must provide a valid explanation and relevant details to the PDPC, demonstrating that the delay was due to unavoidable circumstances.

This approach provides flexibility and allows data controllers to manage breaches effectively while ensuring compliance with the legal requirements.

Conclusion

The clarifications provided by the PDPC on data breach notification requirements are essential for organizations striving to comply with the PDPA. Data controllers can now make informed decisions about whether to report a data breach using the outlined criteria for assessing the risk to individuals’ rights and freedoms. The emphasis on timely notification given by the PDPC further allows data controllers to manage data breaches effectively. Additionally, the guidance on phased notifications and allowances for delayed reporting provides flexibility for data controllers in dealing with breaches, ensuring they can meet legal requirements. By adhering to these clarifications, business operations can protect individuals’ rights and freedoms while maintaining compliance with the PDPA.

EU: DLA Piper GDPR Fines and Data Breach Survey: January 2025
https://privacymatters.dlapiper.com/2025/01/eu-dla-piper-gdpr-fines-and-data-breach-survey-january-2025/ (Tue, 21 Jan 2025)

The seventh annual edition of DLA Piper’s GDPR Fines and Data Breach Survey has revealed another significant year in data privacy enforcement, with an aggregate total of EUR1.2 billion (USD1.26 billion/GBP996 million) in fines issued across Europe in 2024.

Ireland once again remains the preeminent enforcer issuing EUR3.5 billion (USD3.7 billion/GBP2.91 billion) in fines since May 2018, more than four times the value of fines issued by the second placed Luxembourg Data Protection Authority which has issued EUR746.38 million (USD784 million/GBP619 million) in fines over the same period.

The total fines reported since the application of GDPR in 2018 now stand at EUR5.88 billion (USD6.17 billion/GBP4.88 billion). The largest fine ever imposed under the GDPR remains the EUR1.2 billion (USD1.26 billion/GBP996 million) penalty issued by the Irish DPC against Meta Platforms Ireland Limited in 2023.

Trends and Insights

In the year from 28 January 2024, EUR1.2 billion in fines were imposed. This was a 33% decrease compared to the aggregate fines imposed in the previous year, bucking the 7-year trend of increasing enforcement. This does not represent a shift in focus away from personal data enforcement; the clear year-on-year trend remains upwards. This year’s reduction is almost entirely due to the record-breaking EUR1.2 billion fine against Meta falling in 2023, which skewed the 2023 figures. There was no record-breaking fine in 2024.

Big tech companies and social media giants continue to be the primary targets for record fines, with nearly all of the top 10 largest fines since 2018 imposed on this sector. This year alone the Irish Data Protection Commission issued fines of EUR310 million (USD326 million/GBP257 million) against LinkedIn and EUR251 million (USD264 million/GBP208 million) against Meta. In August 2024, the Dutch Data Protection Authority issued a fine of EUR290 million (USD305 million/GBP241 million) against a well-known ride-hailing app in relation to transfers of personal data to a third country.

2024 enforcement expanded notably in other sectors, including financial services and energy. For example, the Spanish Data Protection Authority issued two fines totalling EUR6.2 million (USD6.5 million/GBP5.1 million) against a large bank for inadequate security measures, and the Italian Data Protection Authority fined a utility provider EUR5 million (USD5.25 million/GBP4.15 million) for using outdated customer data.

The UK was an outlier in 2024, issuing very few fines. The UK Information Commissioner John Edwards was quoted in the British press in November 2024 as saying that he does not agree that fines are likely to have the greatest impact and that they would tie his office up in years of litigation. This is an approach which is unlikely to catch on in the rest of Europe.

The dawn of personal liability

Perhaps most significantly, a focus on governance and oversight has led to a number of enforcement decisions citing failings in these areas and specifically calling out failings of management bodies. Notably, the Dutch Data Protection Commission announced it is investigating whether it can hold the directors of Clearview AI personally liable for numerous breaches of the GDPR, following a EUR30.5 million (USD32.03 million/GBP25.32 million) fine against the company. This novel investigation into the possibility of holding Clearview AI’s management personally liable for continued failings of the company signals a potentially significant shift in focus by regulators, who recognise the power of personal liability to focus minds and drive better compliance.

Data Breach Notifications

The average number of breach notifications per day increased slightly to 363 from 335 last year, a ‘levelling off’ consistent with previous years, likely indicative of organisations becoming more wary of reporting data breaches given the risk of investigations, enforcement, fines and compensation claims that may follow notification. 

A recurring theme of DLA Piper’s previous annual surveys is that there has been little change at the top of the tables regarding the total number of data breach notifications made since the GDPR came into force on 25 May 2018 and during the most recent full year from 28 January 2024 to 27 January 2025. The Netherlands, Germany, and Poland remain the top three countries for the highest number of data breaches notified, with 33,471, 27,829 and 14,286 breaches notified respectively.

AI enforcement

There have been a number of decisions this year signalling the intent of data protection supervisory authorities to closely scrutinise the operation of AI technologies and their alignment with privacy and data protection laws. For businesses, this highlights the need to integrate GDPR compliance into the core design and functionality of their AI systems.

Commenting on the survey findings, Ross McKean, Chair of the UK Data, Privacy and Cybersecurity practice said:

“European regulators have signalled a more assertive approach to enforcement during 2024 to ensure that AI training, deployment and use remains within the guard rails of the GDPR.”

We expect for this trend to continue during 2025 as US AI technology comes up against European data protection laws.

John Magee, Global Co-Chair of DLA Piper’s Data, Privacy and Cybersecurity practice commented:

“The headline figures in this year’s survey have, for the first time ever, not broken any records so you may be forgiven for assuming a cooling of interest and enforcement by Europe’s data regulators. This couldn’t be further from the truth. From growing enforcement in sectors away from big tech and social media, to the use of the GDPR as an incumbent guardrail for AI enforcement as AI specific regulation falls into place, to significant fines across the likes of Germany, Italy and the Netherlands, and the UK’s shift away from fine-first enforcement – GDPR enforcement remains a dynamic and evolving arena.”

Ross McKean added:

“For me, I will mostly remember 2024 as the year that GDPR enforcement got personal.”

“As the Dutch DPA champions personal liability for the management of Clearview AI, 2025 may well be the year that regulators pivot more to naming and shaming and personal liability to drive data compliance.”

CHINA: Enhanced and clarified data compliance obligations on handlers of “network data”, covering personal information and important data, and operators of online platforms from 1 January 2025
https://privacymatters.dlapiper.com/2024/10/china-enhanced-and-clarified-data-compliance-obligations-on-handlers-of-network-data-covering-personal-information-and-important-data-and-operators-of-online-platforms-from-1-january-2025/ (Wed, 16 Oct 2024)

Additional and clarified data compliance obligations will soon come into force under the long-awaited Network Data Security Management Regulation (“Regulation”), which was released on 30 September 2024. The Regulation is formulated under the existing data protection framework pillars of the Cyber Security Law, the Data Security Law and the Personal Information Protection Law (“PIPL”), and provides practical implementation requirements and guidance on various aspects of data compliance, covering both personal information and certain non-personal information categories. The Regulation will take effect from 1 January 2025.

Scope

The Regulation governs “network data”, and the compliance obligations primarily apply to “network data handlers”.

  • Network data: the Regulation governs electronic data processed and generated via networks (“network data”) and applies to all processing of network data within Mainland China. A “network” means a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges and processes information according to certain rules and procedures. So, in practice, this captures all electronic data processed or generated online (including personal information and non-personal information).
  • Network data handler: a “network data handler” refers to the party that autonomously determines the purposes and means of processing network data. That is akin to a data controller when it comes to personal information. In practice, this would include communication network operators, online service providers and users.

The Regulation has extra-territorial effect. This means that, if a foreign entity processes personal information of Mainland China residents outside of Mainland China, the requirements of the Regulation and the PIPL will apply if the processing purpose is to provide products or services to the data subjects or to analyze or evaluate their behaviour.

As has become common with China data regulations, if a foreign (non-Chinese) entity’s processing of network data outside of Mainland China may harm China’s national security, public interests, or the legitimate rights and interests of Chinese citizens or organizations, the Regulation restates Chinese authorities’ power to hold the foreign entity liable in accordance with other applicable laws. It remains unclear how these powers may be enforced in practice against non-Chinese entities without a presence in Mainland China.  

Key Compliance Obligations

The Regulation focuses on four key areas:

  • personal information privacy: enhancements and clarifications to the existing China personal information protection framework as it pertains to “network data”;
  • “large scale” personal information handlers: introduces additional reporting obligations on data controllers of large volumes of personal information;
  • important data: imposes significant additional governance obligations to the existing “important data” compliance framework, and clarifies how organisations can assess whether or not they handle important data; and
  • online platform operators: extends existing compliance obligations to manufacturers of smart terminal devices with pre-installed applications, and imposes additional reporting and governance obligations on “large-scale network platforms”. 

Impact on Data Privacy Compliance

Key developments as regards network data handlers processing personal information include:   

  • Security defects, threats and risks: the timescale for network data handlers to report data incidents (i.e. security defects, threats or risks involving its products or services) is reduced, so that an incident must be reported within 24 hours of identification if it could harm national security or public interests. However, the Regulation does not specify what defects, threats or risks could harm national security or the public interest or provide any assessment methods.
  • Data processing agreements (“DPAs”) and record-keeping: the obligation on a network data handler to enter into a DPA with each third party to which it transfers personal information is now clarified to include C2C (controller to controller) transfers as well as C2P (controller to processor) transfers. The DPA and relevant processing records must be kept for at least three years. This obligation is also now clarified to extend to the sharing of important data with third parties, not just personal information.
  • Data portability: the PIPL gives data subjects the right to data portability (although it is little used in practice by data subjects in China). The Regulation now sets out the conditions that must be met to exercise such right, namely: (i) verifying the true identity of the data subject; (ii) the legal basis for processing the concerned personal information must either be consent or contract necessity; (iii) the transfer is technically feasible; and (iv) the transfer will not harm the legitimate rights and interests of others. Further, it is now clarified that, if the number of requests significantly exceeds a reasonable range, the network data handler may charge necessary costs of fulfilling the request. Please note that the right to data portability still only covers personal information. Unlike the EU Data Act, the portability of other non-personal business or operation data is not addressed under the Regulation.
  • Foreign entities keeping and reporting institutions/representatives in China: The Regulation clarifies the procedure for complying with the PIPL requirement for foreign entities processing the personal information of Mainland China residents outside of Mainland China to establish a dedicated institution or designate a representative within Mainland China for personal information protection and to report the name and contact information of such institution/representative, where the processing purpose is to provide products or services to the data subjects or to analyze or evaluate their behaviour. According to the Regulation, such information should be reported to the municipal-level data authority, which will then forward it to other relevant regulators at the same level. However, foreign entities still need to watch out for further clarifications regarding other aspects of this requirement such as the reporting timeframe.

Obligations re Important Data

  • Defining/identifying important data: the Regulation follows the current approach whereby industry regulators have been tasked to formulate (and some have already formulated) important data catalogues, setting out what will be deemed to be “important data” in their industry sector. However, unfortunately the Regulation seems to indicate that such important data catalogues will not be an exhaustive list of important data, and instead they should be treated more as industry guidelines to help organisations classify whether data constitutes important data, and then report it to the industry regulators as required under existing reporting/monitoring rules. Therefore, unfortunately, the most critical question, i.e. what constitutes important data, is still not clearly answered. Rather unhelpfully, instead of waiting for important data catalogues to be published, network data handlers operating in sensitive industries may now need to be prepared to identify and report their own important data based on the guidelines given by the authorities.
  • DPA: it is now clear that a network data handler must enter into a DPA with each third party to which it transfers important data, and that each such DPA must be kept for at least three years. This is a unique requirement for Mainland China, and means that organisations will potentially need to extend their template DPAs to cover important data as well as personal information.
  • Network data security officer appointment: a network data handler that handles important data must appoint a “network data security officer” (who shall be a member of senior management) and establish a “network data security management department”. They shall be responsible for: formulating network data protection policies and procedures; organizing training and drills; monitoring daily data processing activities; and handling claims, investigations and other data protection related matters pertaining to important data. This is in addition to existing obligations to appoint a DPO, DSO and CSO.  
  • Transfer assessment: an important data handler must conduct a risk assessment before transferring important data to any third party, including in the case of entrusted or joint processing (except where the transfer concerned is mandatorily required by law). The assessment should include, inter alia, the data recipient’s data protection capabilities and overall compliance status; and the effectiveness of the contract with the data recipient to comply with relevant data protection obligations. This appears to be closer to a PIIA for personal information than an EU-style DPIA or TIA, but we await a template assessment form or further guidance from the regulators on this.
  • Reporting during M&A and corporate reorganisations, etc.: if the security of important data may be affected by an important data handler’s M&A, corporate reorganization, dissolution, bankruptcy or other similar events, the handler must take measures to ensure data security, and report information regarding the data recipients and related matters to the relevant industry regulator and/or data authority at provincial level or above.
  • Annual assessment report: an important data handler must carry out a risk assessment of its data processing activities once a year, and submit the assessment report to the relevant industry regulator at provincial level or above. Details of what these annual reports must include, and how to submit them, have not yet been published; and it is also unclear how these align with the proposed mandatory data compliance audits recently proposed by the China data protection authorities.

Obligations on “Large Scale” Personal Information Handlers

The Regulation requires a network data handler who processes personal information of more than 10 million data subjects to comply with the “network security officer appointment” and “reporting during M&A and corporate reorganisations etc.” obligations (discussed above) in the same way as an important data handler. However, the Regulation does not address whether the personal information of more than 10 million data subjects per se constitutes important data.

Obligations on Online Platform Operators

The Regulation emphasizes existing obligations on online platform operators (that is, operators of websites, mobile apps, etc.) to monitor and supervise data processing activities carried out by the users or third parties via their platforms. For example:

  • platform operators must formulate rules and put in place effective contracts with third parties residing on the platform to clarify data protection obligations and responsibilities; and
  • app store operators must conduct security assessments of the applications distributed via their stores, and remove non-compliant applications if the compliance gaps cannot be effectively remediated.

Notably, the Regulation now extends the definition of online platform operators to manufacturers of smart terminal devices with pre-installed applications (such as mobile phone and smart home product manufacturers), and requires them to comply with online platform operators’ obligations in addition to hardware manufacturers’ obligations.

The Regulation also introduces a definition of “large scale network platforms” as online platforms which have more than 50 million registered users or more than 10 million monthly active users, offer complex types of services, and may have significant impact on national security, economy and people’s livelihood. The Regulation further provides that large scale network platform operators are subject to additional obligations such as publishing an annual social responsibility report discussing how personal information protection matters are handled, and implementing measures to prevent unfair competition conducted via the platforms, etc.

Next Steps

The Regulation adds to, rather than replaces, the existing complex and ever-evolving China data protection framework, and requires organisations handling China data to update their China data compliance programmes to prepare for these additional compliance obligations before the start of 2025.

Further, as indicated by the Regulation, data incident reporting, DPAs, record-keeping and compliance assessments/reporting will likely become the new compliance focus of the China data authorities in 2025.

Online platform operators’ responsibilities of monitoring in-platform data processing activities will still be an enforcement focus. Meanwhile, smart device manufacturers – who will now be regulated as online platform operators – will face a new set of complex obligations, and so are recommended to familiarize themselves with the requirements and upgrade their compliance programmes before the end of the year.

Ireland: DPC Issues Record 87% of EU GDPR Fines in 2023; Breach Reports Increase by 20%
https://privacymatters.dlapiper.com/2024/06/ireland-dpc-issues-record-87-of-eu-gdpr-fines-in-2023-breach-reports-increase-by-20/ (Thu, 06 Jun 2024)

The Data Protection Commission (DPC) has published its 2023 Annual Report, highlighting a record year with DPC fines accounting for 87% of all GDPR fines issued across the EU. A busy year for the DPC also saw a 20% increase in reported personal data breaches as Helen Dixon steps down after 10 years in the job, with Dr. Des Hogan and Dale Sunderland taking over the reins.

The past year has seen the DPC progress ongoing large-scale inquiries in particular against social media platforms, defend cross-border decisions in legal proceedings brought forward by appealing regulated entities and increase its interaction with the European Data Protection Board (EDPB). As a result, the DPC fines account for 87% of the GDPR fines issued by EU data protection authorities last year.

The DPC received a total of 6,991 valid notifications of personal data breaches in 2023, an increase of 20% against the previous year. The DPC also handled 43 complaints relating to alleged personal data breaches which were not notified to the DPC in line with Article 33.

Unauthorised disclosure of personal data continues to be the leading reason for breach notifications, accounting for 52% of the overall total in 2023. 146 of the valid data breach notifications were received under the ePrivacy Regulations, an increase of 42%, and 59 notifications were received in relation to the Law Enforcement Directive. In line with previous years, most incidents reported originate from the private sector (3,766), followed by the public sector (2,968), with the remainder coming from the voluntary and charity sector (275).

Complaints Handling

The Annual Report notes another year of extensive enforcement work by the DPC. In total, 11,147 cases were concluded by the DPC in 2023. As of 31 December 2023, the DPC had 89 statutory inquiries on-hand, including 51 cross-border inquiries. In addition to its cases and inquiries, the DPC also handled over 25,130 electronic contacts, 7,085 phone calls and 1,253 postal contacts. 

The Annual Report highlights that once again the most frequent GDPR topics for queries and complaints in 2023 were access requests; fair-processing; disclosure; direct marketing and right to erasure (delisting and/or removal requests).

Administrative Fines and Large-Scale Inquiries

The Annual Report highlights 19 inquiries that concluded in 2023, resulting in fines totaling €1.55 billion. The tables below show a consistent enforcement strategy being implemented by the DPC, focusing on international and domestic companies and their compliance with core principles of the GDPR (e.g. transparency, lawful basis, security measures) as well as targeted thematic focuses (e.g. children’s personal data and video surveillance).

Since the implementation of the GDPR, the DPC has been established as the Lead Supervisory Authority for 87% of cross-border complaints.

Notable large scale cross border inquiries that concluded in 2023 were:

Controller Sector | Fine | Issues At Play
Social Media | €5.5 million | Controller was not entitled to rely on contract as a lawful basis for service improvement and security under its terms and conditions.
Social Media | €1.6 billion | Transfer of data from the EU to the US without a lawful basis.
Social Media | €345 million | Processing of children’s personal data.

Notable domestic inquiries that concluded in 2023 were:

Controller Sector | Fine | Issues At Play
Financial Services | €750,000 | Ten data breaches relating to the unauthorised disclosure of personal data on a customer-facing app.
Healthcare | €460,000 | A ransomware attack which impacted over 70,000 patients and their data, with 2,500 permanently affected when data was deleted with no back-up.
County Council | €50,000 | Usage of CCTV, car plate reading technology and body worn cameras.

Ongoing Inquiries

The Annual Report shows no sign that the breadth and scale of the inquiries being undertaken by the DPC are abating. Notable inquiries that have been progressed by the DPC include:

Controller Sector | Status | Issues at play
Government Department | DPC is preparing a Statement of Issues | Allegation that the database used for the Public Services Card was unlawfully provided to the Department.
Technology | Draft Decision with peer regulators for review (Art 60 GDPR) | Processing of location data.
Technology | Draft Decision with peer regulators for review (Art 60 GDPR) | Compliance with transparency obligations when responding to data subjects.
Social Media | DPC has issued preliminary draft decisions in relation to four related inquiries | User generated data being posted on Social Media.
Social Media | Draft Decision with peer regulators for review (Art 60 GDPR) | Transfer of data from the EU to China.
Technology | Draft Decision with peer regulators for review (Art 60 GDPR) | Real time bidding / adtech and data subject access rights.
Social Media | DPC is preparing its preliminary draft decision | Allegation of collated datasets being made available online.

Litigation  

At the outset of its Annual Report, the DPC recognizes the continued focus on domestic litigation before the Irish Courts. The DPC was awarded a considerable number of legal costs orders in 2023. The threat of a legal cost order may act as a deterrent to those considering challenging the DPC in the future.

There were 7 national judgments or final orders in 2023 split almost evenly between the Irish Circuit Court and the Irish High Court. The cases involved: 1 plenary matter, 5 appeals (with 4 statutory appeals and 1 appeal on a point of law) and 1 judicial review. 2 cases issued against the DPC were discontinued and a further 5 were concluded. The legal costs of 5 proceedings were awarded in favour of the DPC, with no reference to costs made in the reports for the other 2 proceedings. These awards enable the DPC to seek the legal costs it incurred in defending the proceedings against the claimant(s).

The DPC uses the Annual Report to showcase its supervisory and enforcement functions in relation to the processing of personal data in the context of electronic communications under the e-Privacy Regulations. The Annual Report highlights 4 successful prosecutions involving unsolicited marketing messages. In all 4 cases, the DPC had the legal costs of the prosecution discharged by the defendants, two of whom were companies in the telecommunications and insurance sectors.  

Children  

Prioritising the protection of children and other vulnerable groups forms one of the five core pillars of the DPC’s Regulatory Strategy 2022 – 2027, so it was no surprise that the DPC continued to be proactive in safeguarding children’s data protection rights this year. This is reflected in the list of matters that were prioritised for direct intervention by the DPC during 2023, which included CCTV in school toilets and the posting of images of children online. The DPC issued a Final Decision and imposed a large fine of €345 million against a major social media company for infringements of the GDPR related to the processing of personal data relating to children.

The DPC also produced guidance for organisations and civil society to enhance the protection of children’s personal data. An example of this is the data protection toolkit for schools, which was devised by the DPC after it noticed in the course of supervisory and engagement activities that the sector was finding certain aspects of data protection compliance challenging.

Interestingly, the DPC has been nominated to represent the EDPB on the newly formed Task Force on Age Verification under the Digital Services Act and act as co-rapporteur in the preparation at EDPB level of guidance on children’s data protection issues. This leadership role follows the DPC’s publication of a guidance note on the Fundamentals of children’s data protection and the DPC’s enforcement activity in this area over recent years.

Data Protection Officers  

The DPC has continued its efforts to bring together the DPO community in Ireland, recognising the importance of the DPO’s role in data protection compliance for organisations. As at the end of 2023, the DPC had been notified of 3,520 DPOs. The DPC is actively engaging with DPO networks across a number of key sectors and has contributed to several events aimed at DPOs, including a new course run by the Institute of Public Administration, ‘GDPR and Data Protection Programme for DPOs in the Public Service’.

Importantly, the DPC participated in the 2023 Coordinated Enforcement Framework (CEF) Topic ‘The Designation and Position of Data Protection Officers’. The DPC contacted 100 DPOs and identified three substantive issues in its national report:

  • Resources available to DPOs – a third of respondents noted they do not have sufficient resources to fulfil their role;
  • Conflicts of interest – over a third indicated their role is split with other core governance roles within their organisations; and
  • Tasks of the DPO – it was noted that many tasks assigned to the DPO do not actually complement the role of the DPO within many organisations.

Supervision  

A sectoral breakdown notes that of the 751 supervision engagements during 2023, 391 were from multinational technology companies. The DPC also provided guidance and observations on 37 proposed legislative measures.

Supervisory engagements undertaken by the DPC in 2023 included identifying data protection issues arising in the context of adult safeguarding and service provision to at-risk adults and an examination of the use of technology in sport and the processing of health data for performance monitoring (questionnaire due to issue to voluntary and professional sports).

The DPC also engaged with the Local Government Management Authority in relation to three draft codes of practice prepared in relation to the use of CCTV and mobile recording devices to investigate and prosecute certain waste and litter pollution related offences. Separately, given the significant increase in the use of CCTV in areas where there is an increased expectation of privacy, the DPC published a detailed update of its CCTV Guidance in November 2023.

In February 2024, Helen Dixon stepped down from her role as Data Protection Commissioner and Dr. Des Hogan, who serves as Chairperson, and Mr. Dale Sunderland commenced their new roles.

The DPC continues to focus on systemic non-compliance and children’s data protection rights in 2024 as well as participating in the EDPB’s ongoing coordinated enforcement action on the right of access. With the level of enforcement action taking place as well as the rapid pace of AI and technology development, organisations are advised to review and update their privacy frameworks to ensure compliance with the GDPR. 

California Attorney General Settles with DoorDash over Alleged Sale of Personal Information
https://privacymatters.dlapiper.com/2024/02/california-attorney-general-settles-with-doordash-over-alleged-sale-of-personal-information/
Fri, 23 Feb 2024 01:17:57 +0000

Overview

On February 21, 2024, the California Attorney General (CA AG) announced that it had reached a settlement with DoorDash over allegations that the company failed to comply with “sale” requirements under the California Consumer Privacy Act (CCPA) and disclosure requirements under the California Online Privacy Protection Act (CalOPPA). The settlement requires DoorDash to pay a $375,000 civil penalty and comply with specific injunctive terms.

The CA AG’s complaint alleges that DoorDash participated in marketing co-operatives (“co-ops”) that involved the company providing its customers’ personal information (such as names, addresses, and transaction histories) to the co-op without providing its customers with notice or an opportunity to opt out of the sale. Upon receiving DoorDash’s customer personal information, the co-op would combine DoorDash’s customer data with the customer data of other third-party co-op members, analyze the data, and allow members to send mailed advertisements to potential leads. The CA AG considered such data disclosure a “sale” of personal information under the CCPA’s broad definition of that term. Specifically, DoorDash received “valuable consideration” in exchange for disclosing its customer data to the co-op, namely the “opportunity to advertise its services directly to the customers of the other participating companies.”

The CA AG’s second cause of action invoked CalOPPA, a 20-year-old California privacy law that imposes transparency obligations on companies that operate websites for commercial purposes and collect personally identifiable information from Californians. The complaint alleged violations of CalOPPA by DoorDash due to the company’s failure to disclose in its privacy policy that it would share its customers’ personally identifiable information with other third-party businesses (e.g., marketing co-op members) for those businesses to contact DoorDash customers with ads.

Key Takeaways

This settlement serves as a critical reminder of the importance of compliance with current and emerging state privacy laws, emphasizing the broad definition of “sale” under the CCPA and the strict requirements for transparency and consumer choice. Additionally, we expect the California Privacy Protection Agency, another California privacy regulator (vested with full administrative power, authority, and jurisdiction to implement and enforce the CCPA) to ramp up its own investigative and enforcement efforts this year. Thus, businesses should consider the following:

  • “Selling” is Broader than Cookies – companies should re-assess how their data disclosure activities may be considered “selling” under the CCPA. Many companies focus on the use of third-party ad and analytics cookies on their websites as the main trigger for “sale” compliance obligations under the law. This settlement makes clear that companies should broaden their review and assessment of their marketing department’s use of personal information to consider non-cookie related data disclosures.
  • Review and Update Privacy Policies – an outdated, unfair and deceptive, or misleading privacy policy serves as an online billboard announcing a company’s non-compliance with state privacy laws as well as state unfair competition laws (such as California’s Unfair Competition Law (UCL)). As this settlement demonstrates, this can be a magnet for consumer complaints and regulatory scrutiny (including at the federal level under Section 5 of the Federal Trade Commission Act). Companies should continually review and update their privacy policies if they materially change how they handle personal information. Under the CCPA, privacy policies must be updated at least annually.
  • Opt-Out Mechanisms – companies should ensure that compliant opt-out mechanisms, including an interactive webform and a “Do Not Sell or Share My Personal Information” or “Your Privacy Choices” link, are in place. Opt-out mechanisms must also recognize and respond to universal opt-out preference signals, such as the Global Privacy Control (GPC) signal.
  • Don’t Forget the Apps – the complaint noted that both the DoorDash website and mobile application (App) failed to inform consumers about the sale of their personal information and their right to opt out. Companies that collect personal information via an App and engage in “backend” selling of personal information should ensure that the App includes sufficient CCPA disclosures and a mechanism for users to easily opt out of the sale of their personal information (see here for the CA AG’s previous announcements of an investigative sweep focused on violations of the CCPA in the App context).
  • Marketing Co-Ops – this enforcement action makes clear that California regulators consider a company’s participation in a marketing co-operative to be a “sale” under the CCPA. Companies participating in marketing co-ops and other third-party data sharing engagements should carefully review their agreements with the data recipients to ensure they restrict the recipients’ ability to further disclose or sell consumer personal information.

For more information about these developments and the CCPA in general, contact your DLA relationship Partner, the authors of this blog post, or any member of DLA’s Data, Privacy and Cybersecurity team.

US: New SEC Cyber Rules — A Deep Dive into Cybersecurity Processes to Support Accurate and Complete Disclosures
https://privacymatters.dlapiper.com/2023/09/us-new-sec-cyber-rules-a-deep-dive-into-cybersecurity-processes-to-support-accurate-and-complete-disclosures/
Thu, 28 Sep 2023 16:02:11 +0000

Authors: Era Anagnosti, Hayley Curry, Eric Forni, Katie Lee, Deborah Meshulam, Larry Nishnick, Chelsea Rissmiller, Andrew Serwin, Jon Venick

In our highly connected world, technology and data have become increasingly material to most companies, regardless of industry or sector. As the value and importance of technology and data increases, so too do the risks and obligations associated therewith. On July 26, 2023, the Securities and Exchange Commission (“SEC” or the “Commission”) adopted its much-anticipated enhanced disclosure requirements regarding cybersecurity risks and incidents (the “Final Rules”) for all public companies including foreign private issuers (“FPIs”). The SEC initially proposed cyber rules in March 2022. As we recently reported, the Final Rules require registrants that are subject to the reporting requirements of the Securities Exchange Act of 1934 (the “1934 Act” or the “Exchange Act”) to, among other things, (i) disclose a material cybersecurity incident within four (4) business days of making a materiality determination, and (ii) disclose on an annual basis information regarding their risk management, strategy, and governance related to cybersecurity threats.

New Cyber-Specific Reporting Requirements

The Final Rules will explicitly require the filing of a Form 8-K (or Form 6-K for FPIs) to disclose material cybersecurity incidents within four (4) business days from determination that the cybersecurity incident is material. Public companies must make that materiality determination “without unreasonable delay.” The SEC has noted that a public company’s adherence to its normal internal practices and disclosure controls and procedures will suffice to demonstrate good faith compliance.

Pursuant to the Final Rules, any such disclosure must “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operation” and if any such information is unavailable, the company must make a statement to that effect in its original filing. Furthermore, the Final Rules impose an updating requirement through the filing of an 8-K/A if certain information that was unknown or unavailable at the time of initial filing subsequently becomes available.

The Final Rules also require annual disclosures in the company’s Form 10-K (or Form 20-F for FPIs) regarding:

  • The processes in place, if any, for assessing, identifying, and managing material risks from cybersecurity threats;
  • Whether and how any such risks have materially affected or are reasonably likely to materially affect the company, its business strategy, results of operations, or financial condition;
  • The Board’s oversight of risks from cybersecurity threats; and
  • Management’s role in assessing and managing material risks from cybersecurity threats.

It is worth noting that in its adopting release, the Commission clarified that the Final Rules are intended to ensure that appropriate information is provided to investors, not “to influence whether and how companies manage their cybersecurity risk.” Rather than focus narrowly on substantive controls, the Final Rules emphasize the importance of cyber governance: strategy, oversight, implementation of appropriate controls, measurement of impact, and fulsome reporting.

Disclosure Obligations and DCPs

The general focus of such SEC reporting requirements, whether related to cybersecurity or otherwise, is to cause public companies to disclose certain information to the investing public, keeping investors appropriately informed at the initial sale of securities and on an ongoing basis. As SEC Chair Gary Gensler stated in the press release accompanying the Final Rules, “whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors.”

The new explicit requirements for cyber-related disclosures sit within the existing SEC disclosure framework. SEC disclosure rules can generally be boiled down to two fundamental obligations: (i) an obligation that public disclosures not contain untrue statements; and (ii) a requirement that public companies not fail to disclose a material fact that, if omitted, would render a disclosure misleading.[1] To help ensure that accurate and complete information is disclosed in reports filed with the SEC, pursuant to Exchange Act Rule 13a-15, public companies are required to maintain disclosure controls and procedures, and management must evaluate their effectiveness on a periodic basis.[2]

“Disclosure Controls and Procedures” (“DCPs”) are defined as controls and procedures that are designed to ensure that information that is required to be disclosed is recorded, processed, summarized, and reported within the time periods specified in the Commission’s rules and forms.[3]

The Commission’s 2018 Cybersecurity Guidance clarified that cybersecurity related DCPs should enable public companies to, among other things, identify cybersecurity risks and incidents, assess and analyze their impact on the company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents. Since the prior guidance was issued, SEC cyber-related enforcement has focused on alleged deficiencies in cybersecurity related DCPs (e.g., failure to escalate information about the scope and impact of an ongoing cyber incident to senior management).

Understanding the Risks – Operational Risk v. Compliance Risk

When evaluating the performance of a business and the risks it faces, there are generally four principles to examine:

  • Business strategy;
  • Financial performance;
  • Operational resiliency; and
  • Legal compliance.

Business strategy and financial performance drive value, while operational resiliency and legal compliance are risk controls. 

In assessing a public company’s material cyber threats and risks for disclosure, cyber professionals must not lose sight of operational resiliency risks, in addition to legal compliance risks for escalation to management. For example, the risk of a cyber incident impacting mission critical systems and causing business disruption is an operational resiliency risk that may trigger reporting obligations under the SEC rules, even if the company implements an incident response plan, takes steps to comply with “reasonable security” standards, provides notice in compliance with state data breach laws, and otherwise satisfies its legal compliance obligations.

Key cyber risks to note include a public company’s inability to:

  • Identify, evaluate and understand its cyber environment (e.g., shadow IT and a lack of data mapping for critical systems or systems that can create material risks);
  • Understand and/or see the risks, for example, due to a lack of visibility into the business processes, inability to understand interdependencies of the systems, and a lack of technology (such as logging and monitoring system activity);
  • Understand and/or see the value that is implicated by the process or activity; and
  • “Connect the dots.”

Considerations for Implementing More Robust Cyber DCPs

While DCPs, and their supporting cyber processes, will vary from company to company depending on the size of the company’s business, complexity of its data practices, and management structure, creating and documenting an escalation process related to cyber matters is essential for any company.

At the heart of risk governance is the need to get the right information to the right executives, at the right time. Without appropriate channels for escalating material risks, senior management and the board of directors will not know what information or systems their company has that are truly sensitive or material to operations, nor will they be able to evaluate the potential risks associated therewith. In many cases, material information is maintained in stove-piped verticals that do not talk to each other. Documenting thoughtful escalation processes and procedures, including what needs to be escalated and the cadence for these key conversations, will help to ensure that critical information is appropriately and efficiently shared with key stakeholders for making appropriate disclosure decisions.

In working to comply with the Final Rules, companies may wish to evaluate whether:

  • Their disclosure committee charters, or in the absence thereof, any internal processes or policies a company has established for assessing its relevant disclosure obligations, are appropriate in scope and, as part of the decision-making process, expressly include those employees actually involved in managing and addressing cybersecurity threats and incidents;
  • The cybersecurity risk and incident escalation criteria, timing, and contacts are sufficiently developed within the supporting cyber processes underlying their DCPs;
  • Their current cybersecurity-related processes, policies and procedures, governance and risk management support the disclosures required by the Final Rules;
  • The company’s information systems produce adequate information to inform decision-makers about the company’s processes and technology that have the potential to create material risks, and whether training around the same is sufficient;
  • The current risk assessments provide an understanding of the business’s current risk posture (for both legal compliance risk and operational resiliency risk); and
  • Their incident response plans are updated to include the new definitions from the Final Rules, incorporate new roles on the incident response team for a disclosure or similar committee member (if one exists), and align with new escalation criteria and timing for SEC disclosures.

Companies should also consider developing training on the Final Rules for senior management, the board of directors, the disclosure or any similar committee, and relevant cybersecurity / privacy personnel.

For more information on cybersecurity processes, or how public companies can prepare for compliance, please contact your DLA Piper relationship partner, the authors of this blog post, or any member of our Data Protection team.


[1] See, e.g., 15 U.S.C. §§ 78j(b) and 78m(a)(2); 17 C.F.R. § 240.12b-20.

[2] 17 C.F.R. § 240.13a-15.

[3] Id.


We’re now seamlessly global. Here’s what to expect.
https://privacymatters.dlapiper.com/2023/09/privacy-matters-update/
Tue, 12 Sep 2023 21:29:52 +0000

Dear subscriber,

Thank you for subscribing and being a part of DLA Piper’s Data Protection, Privacy and Cybersecurity community. We appreciate your continued engagement with our insights and the evolving nature of the landscape.

Our goal for this blog is to help you navigate all aspects of data protection, privacy, and cybersecurity laws, while considering the ever-expanding geographic footprint of businesses. Here at DLA Piper, we understand how compliance across jurisdictions makes it even harder to solve today’s most pressing privacy problems and prepare for future cybersecurity threats.

We’re excited to announce that Privacy Matters will be bringing you more on privacy and cybersecurity issues at home and abroad.

  • Find quickly shared updates on relevant topics on global data protection, privacy, and cybersecurity issues 
  • Get perspectives from leading DLA Piper professionals from around the world 
  • Easily navigate our improved, user-friendly layout 

With this change, you’ll need to add privacymatters@comms.com to your contacts to ensure blog updates make it to your inbox.

Thanks for reading,

The Data Privacy team at DLA Piper 

HONG KONG: Increased Enforcement Action?
https://privacymatters.dlapiper.com/2022/11/hong-kong-increased-enforcement-action/
Thu, 17 Nov 2022 08:16:37 +0000

Author: Carolyn Bigg

Are we seeing a return of proactive enforcement of Hong Kong’s data protection laws, after a lull in recent years?

On 14 November 2022, the Office of the Privacy Commissioner for Personal Data (“PCPD”) published two investigation reports concerning non-compliance with the Personal Data (Privacy) Ordinance (“PDPO”):

  • EC Healthcare’s failure to obtain consent for the use, disclosure, and transfer of patients’ personal data across its group entities; and
  • Fotomax’s failure to take adequate security measures against a ransomware attack.

Following that, the PCPD served enforcement notices on both EC Healthcare and Fotomax, requiring them to take remedial steps and to prevent a recurrence of the contraventions of the PDPO.

Moving on – compliance priorities

The two investigation reports addressed both public facing aspects and internal operations of the businesses’ data protection compliance.

Notice and Consent

Businesses should focus on the external aspects of compliance, such as (i) providing adequate notice which details the use and purpose of data collection, and (ii) obtaining consent prior to the use, disclosure, and transfer of personal data – and obtaining fresh consent where new data processing purposes arise.

In particular, businesses operating multiple brands should take extra care when sharing personal data across their group entities.

Internal Security Measures

With a rise in cyberattacks, businesses should actively monitor and improve their internal security measures through:

  • conducting regular risk assessments to understand the IT vulnerabilities and potential risk of data incidents;
  • maintaining adequate technical and organisational security measures (e.g., de-identification and/or encryption of personal data, data access rights for staff on a need-to-know basis etc.) to mitigate the potential impact of data incidents;
  • implementing a data privacy management programme which sets out key data protection governance responsibilities (e.g. appointment of Data Protection Officer(s)); and
  • keeping records of internal communications and procedures to demonstrate compliance with the PDPO.

Enforcement Trends?

The publication of these investigation reports comes as a surprise within the Hong Kong data privacy landscape. Given the PCPD has in recent years taken a more ‘behind the scenes’ approach towards enforcement, this may indicate a more proactive phase for enforcement. Further, this may be a push by the Privacy Commissioner to encourage Hong Kong lawmakers to finally pass the remaining provisions of the PDPO Amendment Bill (i.e., mandatory breach notification and higher fines).

As such, businesses should bear in mind the multi-faceted compliance priorities (i.e. both external and inward facing obligations), as well as the reputational risks of non-compliance, given the publicity generated in investigation reports.

AUSTRALIA: Likely increase in maximum penalties for privacy breaches
https://privacymatters.dlapiper.com/2022/11/australia-likely-increase-in-maximum-penalties-for-privacy-breaches/
Thu, 03 Nov 2022 11:13:20 +0000

Author: Sarah Birkett

Anyone with a passing interest in Australian privacy laws will no doubt have heard about the Optus data breach. The incident, which was made public in late September 2022, is thought to have affected around 9 million individuals (almost 40% of the Australian population), with identity documents relating to approximately 2.22 million Australians being made available on the dark web. The news was swiftly followed up with an announcement from Medibank, Australia’s largest private health insurer, of a breach affecting all of its 3.9 million customers.

As part of the Australian Government’s response to the public outcry generated by these breaches, a change to the Privacy Act 1988 (Cth) has been introduced into the Australian Parliament. If passed, this will increase the maximum civil penalties payable under the Act from the current AUD 2.22 million to the greater of:

  • AUD 50 million;
  • three times the value of the benefit resulting from the breach; or
  • 30% of the adjusted turnover of the entity in the 12 months prior to the breach.

The draft Bill (titled the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022) also seeks to strengthen the Office of the Australian Information Commissioner’s powers to request information in order to assess actual or suspected data breaches and changes the extraterritorial reach of the Australian privacy regime. Organisations will no longer be required to collect or hold personal information within Australia in order for the Privacy Act 1988 (Cth) to apply. They must however still be carrying on a business in Australia.

The opposition has indicated its broad support of the measures and it is expected that the Bill will pass without significant amendment.

The new Attorney-General, Mark Dreyfus, has also committed to introducing broader changes to the Privacy Act 1988 (Cth) sooner rather than later, with the Government’s review scheduled to be completed before the end of 2022. This comes after a broad review of the Australian privacy regime was commenced by the previous Federal Government in 2019 but never completed.
