Background
March 2023 saw the launch of the European Data Protection Board’s (EDPB’s) second coordinated enforcement action (CEF 2023), which focused on the designation and position of Data Protection Officers (DPOs). Data Protection Authorities (DPAs) across the EEA have launched coordinated investigations into this topic. In particular
Continue Reading Europe: EDPB coordinated enforcement action identifies areas of improvement to promote the role and recognition of DPOsIn 2010, Congress included a provision in the Consumer Financial Protection Act (CFPA) requiring that the Consumer Financial Protection Bureau (CFPB or Bureau) promulgate rules effectuating what is commonly referred to as “Open Banking.” Specifically, the rules would require any entity that engages in offering or providing a consumer financial product or service to make
Continue Reading US: Open Banking Regulation Arrives in the USAfter several failed attempts in recent decades to summarize and codify the data protection provisions relating to employees and other workers in a single Employee Data Protection Act, the current government is once again attempting to do so.
Current legal situation in Germany
Currently, employee data protection in Germany is largely determined by case law.
Continue Reading Germany: New legislative procedure for an Employee Data Protection ActAuthor: Carolyn Bigg, Amanda Ge, Venus Cheung, Gwyneth To
With 2023 having come to an end, the fast-paced changes to the China data protection regime throughout the year are continuing well into Q1 2024.
As well as a near finalisation of the different routes to legitimise cross-border data transfers, the Cyberspace
Continue Reading CHINA: data protection regulations – a lookback at 2023 developmentsAuthors: James Clark and Verena Grentzenberg
The Court of Justice of the European Union (CJEU) has delivered an important judgment on the scope and interpretation of the ‘automated decision-making’ framework under the GDPR. It is a decision that could have significant implications for service providers who use algorithms to produce automated scores, profiles
Continue Reading EU: Significant new CJEU decision on automated decision-makingOn 27 November 2023, the Council formally adopted the final version of the regulation on harmonised rules on fair access to and use of data (“Data Act”), after the European Parliament had adopted the Data Act earlier this month.
Drafted with the objective of fostering innovation and facilitating the sharing of data between
Continue Reading EU: EU formally adopts ‘Data Act’Sweeping Amendments to NYDFS Cybersecurity Regulation
On November 1, 2023, the New York Department of Financial Services (NYDFS) announced extensive amendments to its cybersecurity requirements for financial institutions issued under 23 NYCRR Part 500. The amendments are intended to address the evolution in the cybersecurity landscape since the regulation was first enacted in 2017, including
Continue Reading US: Regulators Enhance Information Security Requirements for Financial Services CompaniesAuthors: Heidi Waem, Muhammed Demircan, Nicolas Becker
On 29 September 2023, the Belgian Data Protection Authority (Belgian DPA) issued a decision imposing a reprimand on a public authority and its processor for various infringements of the GDPR, including the lack of a timely signed data processing agreement between the public authority – who
Continue Reading Belgian DPA decides on the (in)validity of retroactive data processing agreementsImplicit within Delaware law, and now explicit in the SEC Cyber Rules, is the concept of adequate governance. It is not what the FTC just said on a particular topic, the latest guidance from a Data Protection Authority, what the NIST framework provides, or a set of controls in any particular subject area regarding privacy
Continue Reading US: Understanding Governance–A Path for Privacy and Security Governance
The arrival of NIS2 is only one year away. With significantly enhanced requirements around cybersecurity management extending across the supply chain, increased reporting obligations in the case of cyber breach, and personal liability for senior management, working out whether or not an organisation will be in scope for NIS2 will be an important question, instigating
Continue Reading EU: The NIS2 Enigma: who will be caught by the EU’s updated cyber requirements?
