Authors: David Cook, Benjamin Fellows and Heba Khalid

On 6 October 2022, Advocate General Campos Sánchez-Bordona delivered his opinion in UI v Österreichische Post AG (Case C‑300/21) on the interpretation of Article 82 of the General Data Protection Regulation, holding that:

• A “mere breach” of the GDPR is not sufficient to warrant

…
Continue Reading Europe: Compensation for non-material damage does not automatically accompany every breach of the GDPR (AG’s opinion)

The Schrems II judgment has created significant legal uncertainty and challenges for data exporters across the European Economic Area (the EEA), requiring highly complex assessments of the laws and practices of third countries and risk assessments. Compounding this challenge, the legal standard to be applied to personal data transfers abroad from the EEA…
Continue Reading The GDPR International Data Transfer Regime: the case for Proportionality and a Risk-Based Approach

Authors: Heidi Waem, Nicolas Becker

On 21 October 2022, the Belgian Data Protection Authority issued its first settlement decisions (Cases 150/2022 and 151/2022 of 21 October 2022 ) whereby the cases against a controller for alleged cookie infringements were settled by means of payment of 10.000 EUR per case. It is also the first…
Continue Reading Belgium: First Settlement Decisions by Belgian Data Protection Authority

A recent decision by the Irish Data Protection Commission (“DPC“) imposing a record €405 million fine provides clarification on the lawfulness of processing children’s personal data in accordance with the legal bases of ‘performance of contract’ and ‘legitimate interest’.

On 2 September 2022, the DPC imposed a record €405 million GDPR fine on…
Continue Reading Ireland / Europe: DPC’s Record Fine Raises Expectations on Standards Applicable for Processing Children’s Data

Long-awaited executive order strives to enhance and revive the invalidated Privacy Shield Framework

Author: Jim Sullivan

On 7 October 2022, President Biden issued an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the EO), aimed at addressing the widespread legal uncertainty that has prevailed with respect to transatlantic data transfers since the …

Continue Reading President Biden orders surveillance reforms two years after Schrems II

Under the Data Security Law, organisations are required to classify the data they process according to their level of significance. Albeit a draft, the recent Draft Standard on Information Security Technology Network Data Classification and Grading Requirements (“Draft”) highlights the principles and methods for different industries, fields, localities, departments, and data processors to…
Continue Reading CHINA: Clarifications of data classification and grading requirements

Introduction

The Singapore Court of Appeal has recently clarified that ‘emotional distress’ is an actionable loss and damage under the existing right of private action of Personal Data Protection Act 2012 (“PDPA“).

Decision

Section 32 (now section 48O) of the Personal Data Protection Act 2012 (“PDPA”) provides individuals who have suffered…
Continue Reading SINGAPORE: Right of private action under the Personal Data Protection Act 2012 – scope explained

Following the first automobile industry-specific data and cyber compliance rules, published late last year (see our alert here), regulators have issued guidelines on the licensing of surveying and mapping activities and use of mapping data within connected vehicles, through the new Regulations on Promoting the Development of Intelligent and Connected Vehicles and Maintaining the …
Continue Reading CHINA: connected vehicle and automobile industry – new licences now required to enable/continue (i) surveying and mapping activities, (ii) overseas transfer of mapping data